Netdev Archive on lore.kernel.org
 help / color / Atom feed
* KASAN: use-after-free Read in hci_chan_del
@ 2020-08-02 20:45 syzbot
  2020-08-03 17:08 ` syzbot
  2021-05-04 21:50 ` ETenal
  0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2020-08-02 20:45 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
	marcel, netdev, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b8d570900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f7ceea900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e5de04900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com

IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793

CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
 l2cap_conn_del+0x4c2/0x650 net/bluetooth/l2cap_core.c:1900
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1355 [inline]
 hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1536
 hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1761
 hci_unregister_dev+0x16d/0x1590 net/bluetooth/hci_core.c:3606
 vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
 __fput+0x2f0/0x750 fs/file_table.c:281
 task_work_run+0x137/0x1c0 kernel/task_work.c:135
 exit_task_work include/linux/task_work.h:25 [inline]
 do_exit+0x601/0x1f80 kernel/exit.c:805
 do_group_exit+0x161/0x2d0 kernel/exit.c:903
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
 __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x444fe8
Code: Bad RIP value.
RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6821:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 hci_chan_create+0x9a/0x270 net/bluetooth/hci_conn.c:1692
 l2cap_conn_add+0x66/0xb00 net/bluetooth/l2cap_core.c:7699
 l2cap_connect_cfm+0xdb/0x12b0 net/bluetooth/l2cap_core.c:8097
 hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
 hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
 hci_event_packet+0x1164c/0x18260 net/bluetooth/hci_event.c:6061
 hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Freed by task 1530:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
 hci_event_packet+0x304e/0x18260 net/bluetooth/hci_event.c:6188
 hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff8880a9591f00
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 128-byte region [ffff8880a9591f00, ffff8880a9591f80)
The buggy address belongs to the page:
page:ffffea0002a56440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9591800
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a5a648 ffffea00028a4a08 ffff8880aa400700
raw: ffff8880a9591800 ffff8880a9591000 000000010000000a 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a9591e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a9591e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a9591f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880a9591f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a9592000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: KASAN: use-after-free Read in hci_chan_del
  2020-08-02 20:45 KASAN: use-after-free Read in hci_chan_del syzbot
@ 2020-08-03 17:08 ` syzbot
  2021-05-04 21:50 ` ETenal
  1 sibling, 0 replies; 5+ messages in thread
From: syzbot @ 2020-08-03 17:08 UTC (permalink / raw)
  To: coreteam, davem, devel, eric, gregkh, johan.hedberg, kaber,
	kadlec, kuba, linux-bluetooth, linux-kernel, marcel, netdev,
	netfilter-devel, pablo, syzkaller-bugs

syzbot has bisected this issue to:

commit 166beccd47e11e4d27477e8ca1d7eda47cf3b2da
Author: Eric Anholt <eric@anholt.net>
Date:   Mon Oct 3 18:52:06 2016 +0000

    staging/vchi: Convert to current get_user_pages() arguments.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=178321a4900000
start commit:   5a30a789 Merge tag 'x86-urgent-2020-08-02' of git://git.ke..
git tree:       upstream
final oops:     https://syzkaller.appspot.com/x/report.txt?x=144321a4900000
console output: https://syzkaller.appspot.com/x/log.txt?x=104321a4900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=127dd914900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=122a94ec900000

Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
Fixes: 166beccd47e1 ("staging/vchi: Convert to current get_user_pages() arguments.")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: KASAN: use-after-free Read in hci_chan_del
  2020-08-02 20:45 KASAN: use-after-free Read in hci_chan_del syzbot
  2020-08-03 17:08 ` syzbot
@ 2021-05-04 21:50 ` ETenal
  2021-05-06  6:01   ` Dan Carpenter
  1 sibling, 1 reply; 5+ messages in thread
From: ETenal @ 2021-05-04 21:50 UTC (permalink / raw)
  To: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
	marcel, netdev, syzkaller-bugs

Hi,

This is SyzScope, a research project that aims to reveal high-risk 
primitives from a seemingly low-risk bug (UAF/OOB read, WARNING, BUG, etc.).

We are currently testing seemingly low-risk bugs on syzbot's open 
section(https://syzkaller.appspot.com/upstream), and try to reach out to 
kernel developers as long as SyzScope discovers any high-risk primitives.

Please let us know if SyzScope indeed helps, and any suggestions/feedback.

Regrading the bug "KASAN: use-after-free Read in hci_chan_del", SyzScope 
reports 3 memory write capability.

The detailed comments can be found at 
https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_chan_del

On 8/2/2020 1:45 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11b8d570900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
> dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f7ceea900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e5de04900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
>
> IPVS: ftp: loaded support on port[0] = 21
> ==================================================================
> BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
> Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793
>
> CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x1f0/0x31e lib/dump_stack.c:118
>   print_address_description+0x66/0x5a0 mm/kasan/report.c:383
>   __kasan_report mm/kasan/report.c:513 [inline]
>   kasan_report+0x132/0x1d0 mm/kasan/report.c:530
>   hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
>   l2cap_conn_del+0x4c2/0x650 net/bluetooth/l2cap_core.c:1900
>   hci_disconn_cfm include/net/bluetooth/hci_core.h:1355 [inline]
>   hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1536
>   hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1761
>   hci_unregister_dev+0x16d/0x1590 net/bluetooth/hci_core.c:3606
>   vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
>   __fput+0x2f0/0x750 fs/file_table.c:281
>   task_work_run+0x137/0x1c0 kernel/task_work.c:135
>   exit_task_work include/linux/task_work.h:25 [inline]
>   do_exit+0x601/0x1f80 kernel/exit.c:805
>   do_group_exit+0x161/0x2d0 kernel/exit.c:903
>   __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
>   __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
>   __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
>   do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
>   entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x444fe8
> Code: Bad RIP value.
> RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
> RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
> RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
> R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
> R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
>
> Allocated by task 6821:
>   save_stack mm/kasan/common.c:48 [inline]
>   set_track mm/kasan/common.c:56 [inline]
>   __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
>   kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
>   kmalloc include/linux/slab.h:555 [inline]
>   kzalloc include/linux/slab.h:669 [inline]
>   hci_chan_create+0x9a/0x270 net/bluetooth/hci_conn.c:1692
>   l2cap_conn_add+0x66/0xb00 net/bluetooth/l2cap_core.c:7699
>   l2cap_connect_cfm+0xdb/0x12b0 net/bluetooth/l2cap_core.c:8097
>   hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
>   hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
>   hci_event_packet+0x1164c/0x18260 net/bluetooth/hci_event.c:6061
>   hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
>   process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
>   worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
>   kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
>   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
>
> Freed by task 1530:
>   save_stack mm/kasan/common.c:48 [inline]
>   set_track mm/kasan/common.c:56 [inline]
>   kasan_set_free_info mm/kasan/common.c:316 [inline]
>   __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
>   __cache_free mm/slab.c:3426 [inline]
>   kfree+0x10a/0x220 mm/slab.c:3757
>   hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
>   hci_event_packet+0x304e/0x18260 net/bluetooth/hci_event.c:6188
>   hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
>   process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
>   worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
>   kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
>   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
>
> The buggy address belongs to the object at ffff8880a9591f00
>   which belongs to the cache kmalloc-128 of size 128
> The buggy address is located 24 bytes inside of
>   128-byte region [ffff8880a9591f00, ffff8880a9591f80)
> The buggy address belongs to the page:
> page:ffffea0002a56440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9591800
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea0002a5a648 ffffea00028a4a08 ffff8880aa400700
> raw: ffff8880a9591800 ffff8880a9591000 000000010000000a 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>   ffff8880a9591e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>   ffff8880a9591e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> ffff8880a9591f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                              ^
>   ffff8880a9591f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   ffff8880a9592000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: KASAN: use-after-free Read in hci_chan_del
  2021-05-04 21:50 ` ETenal
@ 2021-05-06  6:01   ` Dan Carpenter
  2021-05-06  6:42     ` SyzScope
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Carpenter @ 2021-05-06  6:01 UTC (permalink / raw)
  To: ETenal
  Cc: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
	marcel, netdev, syzkaller-bugs

On Tue, May 04, 2021 at 02:50:03PM -0700, ETenal wrote:
> Hi,
> 
> This is SyzScope, a research project that aims to reveal high-risk
> primitives from a seemingly low-risk bug (UAF/OOB read, WARNING, BUG, etc.).
> 
> We are currently testing seemingly low-risk bugs on syzbot's open
> section(https://syzkaller.appspot.com/upstream), and try to reach out to
> kernel developers as long as SyzScope discovers any high-risk primitives.
> 
> Please let us know if SyzScope indeed helps, and any suggestions/feedback.
> 
> Regrading the bug "KASAN: use-after-free Read in hci_chan_del", SyzScope
> reports 3 memory write capability.
> 
> The detailed comments can be found at https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_chan_del
> 

I don't understand what you are saying at all.  This looks like a normal
syzbot email.  Are you saying that part of it generated by SyzScope?
I don't think there is anyone who thinks a UAF/OOB read is low impact.

There are no comments at the "detailed comments" URL.

regards,
dan carpenter

> On 8/2/2020 1:45 PM, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=11b8d570900000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
> > dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
> > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f7ceea900000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e5de04900000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
> > 
> > IPVS: ftp: loaded support on port[0] = 21
> > ==================================================================
> > BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
> > Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793
> > 
> > CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >   __dump_stack lib/dump_stack.c:77 [inline]
> >   dump_stack+0x1f0/0x31e lib/dump_stack.c:118
> >   print_address_description+0x66/0x5a0 mm/kasan/report.c:383
> >   __kasan_report mm/kasan/report.c:513 [inline]
> >   kasan_report+0x132/0x1d0 mm/kasan/report.c:530
> >   hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
> >   l2cap_conn_del+0x4c2/0x650 net/bluetooth/l2cap_core.c:1900
> >   hci_disconn_cfm include/net/bluetooth/hci_core.h:1355 [inline]
> >   hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1536
> >   hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1761
> >   hci_unregister_dev+0x16d/0x1590 net/bluetooth/hci_core.c:3606
> >   vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
> >   __fput+0x2f0/0x750 fs/file_table.c:281
> >   task_work_run+0x137/0x1c0 kernel/task_work.c:135
> >   exit_task_work include/linux/task_work.h:25 [inline]
> >   do_exit+0x601/0x1f80 kernel/exit.c:805
> >   do_group_exit+0x161/0x2d0 kernel/exit.c:903
> >   __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
> >   __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
> >   __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
> >   do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
> >   entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > RIP: 0033:0x444fe8
> > Code: Bad RIP value.
> > RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
> > RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
> > RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
> > R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
> > R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
> > 
> > Allocated by task 6821:
> >   save_stack mm/kasan/common.c:48 [inline]
> >   set_track mm/kasan/common.c:56 [inline]
> >   __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
> >   kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
> >   kmalloc include/linux/slab.h:555 [inline]
> >   kzalloc include/linux/slab.h:669 [inline]
> >   hci_chan_create+0x9a/0x270 net/bluetooth/hci_conn.c:1692
> >   l2cap_conn_add+0x66/0xb00 net/bluetooth/l2cap_core.c:7699
> >   l2cap_connect_cfm+0xdb/0x12b0 net/bluetooth/l2cap_core.c:8097
> >   hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
> >   hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
> >   hci_event_packet+0x1164c/0x18260 net/bluetooth/hci_event.c:6061
> >   hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
> >   process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
> >   worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
> >   kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
> >   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> > 
> > Freed by task 1530:
> >   save_stack mm/kasan/common.c:48 [inline]
> >   set_track mm/kasan/common.c:56 [inline]
> >   kasan_set_free_info mm/kasan/common.c:316 [inline]
> >   __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
> >   __cache_free mm/slab.c:3426 [inline]
> >   kfree+0x10a/0x220 mm/slab.c:3757
> >   hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
> >   hci_event_packet+0x304e/0x18260 net/bluetooth/hci_event.c:6188
> >   hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
> >   process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
> >   worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
> >   kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
> >   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
> > 
> > The buggy address belongs to the object at ffff8880a9591f00
> >   which belongs to the cache kmalloc-128 of size 128
> > The buggy address is located 24 bytes inside of
> >   128-byte region [ffff8880a9591f00, ffff8880a9591f80)
> > The buggy address belongs to the page:
> > page:ffffea0002a56440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9591800
> > flags: 0xfffe0000000200(slab)
> > raw: 00fffe0000000200 ffffea0002a5a648 ffffea00028a4a08 ffff8880aa400700
> > raw: ffff8880a9591800 ffff8880a9591000 000000010000000a 0000000000000000
> > page dumped because: kasan: bad access detected
> > 
> > Memory state around the buggy address:
> >   ffff8880a9591e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >   ffff8880a9591e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > > ffff8880a9591f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >                              ^
> >   ffff8880a9591f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >   ffff8880a9592000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> > ==================================================================
> > 
> > 
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > 
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this issue, for details see:
> > https://goo.gl/tpsmEJ#testing-patches
> > 
> 
> -- 
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/c2004663-e54a-7fbc-ee19-b2749549e2dd%40gmail.com.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: KASAN: use-after-free Read in hci_chan_del
  2021-05-06  6:01   ` Dan Carpenter
@ 2021-05-06  6:42     ` SyzScope
  0 siblings, 0 replies; 5+ messages in thread
From: SyzScope @ 2021-05-06  6:42 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: davem, johan.hedberg, kuba, linux-bluetooth, linux-kernel,
	marcel, netdev, syzkaller-bugs

Hi Dan,

Sorry for the confusing. This bug was reported by a normal syzbot email. 
What we are trying to do is discovering more primitives such as memory 
write or function pointer dereference hidden behind the primitive shown 
on syzbot(which is a memory read in hci_chan_del() in this case).

We realized that some primitives may not be found by fuzzing because of 
the heap layout. By symbolizing the UAF/OOB memory and perform a 
symbolic execution, we are able to go deeper in the buggy code instead 
of encountering kernel panic(NULL pointer dereference from UAF/OOB 
memory) or complicated constraints that prevent fuzzing from entering.

In our measurement, we found that memory write bugs are usually fixed 
faster than memory read bugs or non-security bugs(e.g., WARNING). Thus, 
we think evaluating the real impact of a bug helps people understand the 
how risky the bug really is and benefit the patching process.

Regarding this bug, syzbot originally reported a memory read primitive 
(KASAN read  in hci_chan_del()). In the detailed comments URL, we are 
showing that we find a memory write primitive using the same PoC on 
syzbot, we believe the memory write primitive makes the bug more risky.


On 05/05/2021 23:01, Dan Carpenter wrote:
> On Tue, May 04, 2021 at 02:50:03PM -0700, ETenal wrote:
>> Hi,
>>
>> This is SyzScope, a research project that aims to reveal high-risk
>> primitives from a seemingly low-risk bug (UAF/OOB read, WARNING, BUG, etc.).
>>
>> We are currently testing seemingly low-risk bugs on syzbot's open
>> section(https://syzkaller.appspot.com/upstream), and try to reach out to
>> kernel developers as long as SyzScope discovers any high-risk primitives.
>>
>> Please let us know if SyzScope indeed helps, and any suggestions/feedback.
>>
>> Regrading the bug "KASAN: use-after-free Read in hci_chan_del", SyzScope
>> reports 3 memory write capability.
>>
>> The detailed comments can be found at https://sites.google.com/view/syzscope/kasan-use-after-free-read-in-hci_chan_del
>>
> I don't understand what you are saying at all.  This looks like a normal
> syzbot email.  Are you saying that part of it generated by SyzScope?
> I don't think there is anyone who thinks a UAF/OOB read is low impact.
>
> There are no comments at the "detailed comments" URL.
>
> regards,
> dan carpenter
>
>> On 8/2/2020 1:45 PM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    ac3a0c84 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=11b8d570900000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=e59ee776d5aa8d55
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=305a91e025a73e4fd6ce
>>> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11f7ceea900000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e5de04900000
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+305a91e025a73e4fd6ce@syzkaller.appspotmail.com
>>>
>>> IPVS: ftp: loaded support on port[0] = 21
>>> ==================================================================
>>> BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
>>> Read of size 8 at addr ffff8880a9591f18 by task syz-executor081/6793
>>>
>>> CPU: 0 PID: 6793 Comm: syz-executor081 Not tainted 5.8.0-rc7-syzkaller #0
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>>> Call Trace:
>>>    __dump_stack lib/dump_stack.c:77 [inline]
>>>    dump_stack+0x1f0/0x31e lib/dump_stack.c:118
>>>    print_address_description+0x66/0x5a0 mm/kasan/report.c:383
>>>    __kasan_report mm/kasan/report.c:513 [inline]
>>>    kasan_report+0x132/0x1d0 mm/kasan/report.c:530
>>>    hci_chan_del+0x33/0x130 net/bluetooth/hci_conn.c:1707
>>>    l2cap_conn_del+0x4c2/0x650 net/bluetooth/l2cap_core.c:1900
>>>    hci_disconn_cfm include/net/bluetooth/hci_core.h:1355 [inline]
>>>    hci_conn_hash_flush+0x127/0x200 net/bluetooth/hci_conn.c:1536
>>>    hci_dev_do_close+0xb7b/0x1040 net/bluetooth/hci_core.c:1761
>>>    hci_unregister_dev+0x16d/0x1590 net/bluetooth/hci_core.c:3606
>>>    vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:340
>>>    __fput+0x2f0/0x750 fs/file_table.c:281
>>>    task_work_run+0x137/0x1c0 kernel/task_work.c:135
>>>    exit_task_work include/linux/task_work.h:25 [inline]
>>>    do_exit+0x601/0x1f80 kernel/exit.c:805
>>>    do_group_exit+0x161/0x2d0 kernel/exit.c:903
>>>    __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
>>>    __se_sys_exit_group+0x10/0x10 kernel/exit.c:912
>>>    __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
>>>    do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:384
>>>    entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>> RIP: 0033:0x444fe8
>>> Code: Bad RIP value.
>>> RSP: 002b:00007ffe96e46e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>>> RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
>>> RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
>>> RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
>>> R10: 00007f5ee25cd700 R11: 0000000000000246 R12: 0000000000000001
>>> R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
>>>
>>> Allocated by task 6821:
>>>    save_stack mm/kasan/common.c:48 [inline]
>>>    set_track mm/kasan/common.c:56 [inline]
>>>    __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
>>>    kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
>>>    kmalloc include/linux/slab.h:555 [inline]
>>>    kzalloc include/linux/slab.h:669 [inline]
>>>    hci_chan_create+0x9a/0x270 net/bluetooth/hci_conn.c:1692
>>>    l2cap_conn_add+0x66/0xb00 net/bluetooth/l2cap_core.c:7699
>>>    l2cap_connect_cfm+0xdb/0x12b0 net/bluetooth/l2cap_core.c:8097
>>>    hci_connect_cfm include/net/bluetooth/hci_core.h:1340 [inline]
>>>    hci_remote_features_evt net/bluetooth/hci_event.c:3210 [inline]
>>>    hci_event_packet+0x1164c/0x18260 net/bluetooth/hci_event.c:6061
>>>    hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
>>>    process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
>>>    worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
>>>    kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
>>>    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
>>>
>>> Freed by task 1530:
>>>    save_stack mm/kasan/common.c:48 [inline]
>>>    set_track mm/kasan/common.c:56 [inline]
>>>    kasan_set_free_info mm/kasan/common.c:316 [inline]
>>>    __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
>>>    __cache_free mm/slab.c:3426 [inline]
>>>    kfree+0x10a/0x220 mm/slab.c:3757
>>>    hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4999 [inline]
>>>    hci_event_packet+0x304e/0x18260 net/bluetooth/hci_event.c:6188
>>>    hci_rx_work+0x236/0x9c0 net/bluetooth/hci_core.c:4705
>>>    process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
>>>    worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
>>>    kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
>>>    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
>>>
>>> The buggy address belongs to the object at ffff8880a9591f00
>>>    which belongs to the cache kmalloc-128 of size 128
>>> The buggy address is located 24 bytes inside of
>>>    128-byte region [ffff8880a9591f00, ffff8880a9591f80)
>>> The buggy address belongs to the page:
>>> page:ffffea0002a56440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9591800
>>> flags: 0xfffe0000000200(slab)
>>> raw: 00fffe0000000200 ffffea0002a5a648 ffffea00028a4a08 ffff8880aa400700
>>> raw: ffff8880a9591800 ffff8880a9591000 000000010000000a 0000000000000000
>>> page dumped because: kasan: bad access detected
>>>
>>> Memory state around the buggy address:
>>>    ffff8880a9591e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>    ffff8880a9591e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>> ffff8880a9591f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>                               ^
>>>    ffff8880a9591f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>>    ffff8880a9592000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ==================================================================
>>>
>>>
>>> ---
>>> This report is generated by a bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for more information about syzbot.
>>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>>
>>> syzbot will keep track of this issue. See:
>>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>> syzbot can test patches for this issue, for details see:
>>> https://goo.gl/tpsmEJ#testing-patches
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/c2004663-e54a-7fbc-ee19-b2749549e2dd%40gmail.com.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-02 20:45 KASAN: use-after-free Read in hci_chan_del syzbot
2020-08-03 17:08 ` syzbot
2021-05-04 21:50 ` ETenal
2021-05-06  6:01   ` Dan Carpenter
2021-05-06  6:42     ` SyzScope

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git