stable.vger.kernel.org archive mirror
* 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
@ 2019-04-16 20:29 Zubin Mithra
  2019-04-17 16:00 ` Sasha Levin
  0 siblings, 1 reply; 3+ messages in thread
From: Zubin Mithra @ 2019-04-16 20:29 UTC (permalink / raw)
  To: stable; +Cc: gregkh, groeck, daniel, ast, kafai, songliubraving, yhs

Hello,

Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.

Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc8/0x129 lib/dump_stack.c:113
 print_address_description+0x67/0x230 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x24e/0x28c mm/kasan/report.c:412
 get_link fs/namei.c:1152 [inline]
 trailing_symlink+0x593/0x677 fs/namei.c:2326
 path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
 filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
 filename_lookup fs/namei.c:2405 [inline]
 user_path_at_empty+0x59/0x6c fs/namei.c:2677
 user_path include/linux/namei.h:62 [inline]
 do_mount+0x15c/0x17a4 fs/namespace.c:2773
 ksys_mount+0x98/0xcc fs/namespace.c:3052
 __do_sys_mount fs/namespace.c:3066 [inline]
 __se_sys_mount fs/namespace.c:3063 [inline]
 __x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 8112:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
 slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
 slab_alloc_node mm/slub.c:2706 [inline]
 slab_alloc mm/slub.c:2714 [inline]
 __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
 kstrdup+0x39/0x63 mm/util.c:56
 bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
 vfs_symlink2+0xfc/0x12b fs/namei.c:4238
 do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8116:
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
 slab_free_hook mm/slub.c:1371 [inline]
 slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
 slab_free mm/slub.c:2953 [inline]
 kfree+0x177/0x212 mm/slub.c:3906
 bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
 evict+0x30b/0x4ce fs/inode.c:558
 iput_final fs/inode.c:1550 [inline]
 iput+0x541/0x551 fs/inode.c:1576
 do_unlinkat+0x2fc/0x403 fs/namei.c:4180
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Could the following patch be applied to 4.19.y?
1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")

Tests run:
* Chrome OS tryjobs
* Syzkaller reproducer



Thanks,
- Zubin
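
The report above already names the three sites that matter: the string is allocated in bpf_symlink (via kstrdup) by one task, freed in bpf_evict_inode when a second task's unlink evicts the inode, and then read in get_link while a path walk under do_mount is still following the symlink. As an added triage aid, not part of this thread or of the kernel tree, the Python below parses a KASAN report in this layout into its access, allocation and free stacks, drops the allocator and KASAN frames (a prefix list I chose for this report), and reports the owning function and syscall path for each stack, flagging when allocation and free happen in different tasks. The embedded report is a constructed, trimmed copy of the one quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the KASAN report from the mail above with some of the
# allocator/instrumentation frames trimmed; the frames that matter are unchanged.
KASAN_REPORT = """\
Call Trace:
 dump_stack+0xc8/0x129 lib/dump_stack.c:113
 kasan_report+0x24e/0x28c mm/kasan/report.c:412
 get_link fs/namei.c:1152 [inline]
 trailing_symlink+0x593/0x677 fs/namei.c:2326
 path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
 do_mount+0x15c/0x17a4 fs/namespace.c:2773
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 8112:
 set_track mm/kasan/kasan.c:460 [inline]
 __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
 kstrdup+0x39/0x63 mm/util.c:56
 bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
 do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291

Freed by task 8116:
 set_track mm/kasan/kasan.c:460 [inline]
 kfree+0x177/0x212 mm/slub.c:3906
 bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
 do_unlinkat+0x2fc/0x403 fs/namei.c:4180
 do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
"""

HEADER_RE = re.compile(
    r"^(?P<label>Call Trace|Allocated by task (?P<atask>\d+)|Freed by task (?P<ftask>\d+)):\s*$")
# One frame: function, optional +off/len, optional file:line, optional [inline]
FRAME_RE = re.compile(
    r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>[\w/.-]+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?\s*$")
# Allocator and KASAN frames say nothing about who owns the object; skip them
# (prefix list assumed for this report, extend it for others).
PLUMBING = ("lib/dump_stack.c", "mm/kasan/", "mm/slub.c", "mm/slab.h", "mm/util.c")
ENTRY_FUNCS = ("do_syscall_64", "entry_SYSCALL_64_after_hwframe")

@dataclass(frozen=True)
class Frame:
    func: str
    file: str
    line: int
    inline: bool

@dataclass
class Stack:
    kind: str                 # "access", "alloc" or "free"
    task: Optional[int]       # task id from the section header, if any
    frames: List[Frame] = field(default_factory=list)

def parse_report(text: str) -> List[Stack]:
    """Split a KASAN report into its access, allocation and free stacks."""
    stacks: List[Stack] = []
    current: Optional[Stack] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            label = m.group("label")
            kind = "access" if label == "Call Trace" else (
                "alloc" if label.startswith("Allocated") else "free")
            task = m.group("atask") or m.group("ftask")
            current = Stack(kind, int(task) if task else None)
            stacks.append(current)
            continue
        m = FRAME_RE.match(raw)
        if m and current is not None:
            current.frames.append(Frame(m.group("func"), m.group("file") or "",
                                        int(m.group("line") or 0), bool(m.group("inline"))))
    return stacks

def owner_frame(stack: Stack) -> Optional[Frame]:
    """Innermost frame outside the plumbing: the code that owns the object."""
    return next((f for f in stack.frames if not f.file.startswith(PLUMBING)), None)

def entry_frame(stack: Stack) -> Optional[Frame]:
    """Outermost frame below syscall entry: which syscall path was running."""
    return next((f for f in reversed(stack.frames) if f.func not in ENTRY_FUNCS), None)

def triage(text: str) -> Dict[str, object]:
    """Reduce a report to its three owner sites and flag a cross-task lifetime."""
    by_kind = {s.kind: s for s in parse_report(text)}
    missing = {"access", "alloc", "free"} - set(by_kind)
    if missing:
        raise ValueError(f"incomplete KASAN report, missing: {sorted(missing)}")
    summary: Dict[str, object] = {}
    for kind, stack in by_kind.items():
        own, entry = owner_frame(stack), entry_frame(stack)
        summary[kind] = {"task": stack.task,
                         "owner": f"{own.func} {own.file}:{own.line}" if own else "?",
                         "entry": entry.func if entry else "?"}
    # Allocated by one task, freed by another, read by a third path: a lifetime
    # race between unlink and path walk, not a double free on a single path.
    summary["cross_task"] = by_kind["alloc"].task != by_kind["free"].task
    return summary
```

Running `triage(KASAN_REPORT)` yields the owners `get_link fs/namei.c:1152` (under do_mount), `bpf_symlink kernel/bpf/inode.c:356` (task 8112, under do_symlinkat) and `bpf_evict_inode kernel/bpf/inode.c:565` (task 8116, under do_unlinkat) with `cross_task` set, which is exactly the shape a reviewer checks before asking for a backport of a lifetime fix: the free site and the access site are reachable from independent syscalls.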


* Re: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
  2019-04-16 20:29 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode") Zubin Mithra
@ 2019-04-17 16:00 ` Sasha Levin
  2019-04-17 18:03   ` Daniel Borkmann
  0 siblings, 1 reply; 3+ messages in thread
From: Sasha Levin @ 2019-04-17 16:00 UTC (permalink / raw)
  To: Zubin Mithra
  Cc: stable, gregkh, groeck, daniel, ast, kafai, songliubraving, yhs

On Tue, Apr 16, 2019 at 01:29:59PM -0700, Zubin Mithra wrote:
>Hello,
>
>Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.
>
>Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0xc8/0x129 lib/dump_stack.c:113
> print_address_description+0x67/0x230 mm/kasan/report.c:256
> kasan_report_error mm/kasan/report.c:354 [inline]
> kasan_report+0x24e/0x28c mm/kasan/report.c:412
> get_link fs/namei.c:1152 [inline]
> trailing_symlink+0x593/0x677 fs/namei.c:2326
> path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
> filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
> filename_lookup fs/namei.c:2405 [inline]
> user_path_at_empty+0x59/0x6c fs/namei.c:2677
> user_path include/linux/namei.h:62 [inline]
> do_mount+0x15c/0x17a4 fs/namespace.c:2773
> ksys_mount+0x98/0xcc fs/namespace.c:3052
> __do_sys_mount fs/namespace.c:3066 [inline]
> __se_sys_mount fs/namespace.c:3063 [inline]
> __x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Allocated by task 8112:
> set_track mm/kasan/kasan.c:460 [inline]
> kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
> slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
> slab_alloc_node mm/slub.c:2706 [inline]
> slab_alloc mm/slub.c:2714 [inline]
> __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
> kstrdup+0x39/0x63 mm/util.c:56
> bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
> vfs_symlink2+0xfc/0x12b fs/namei.c:4238
> do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Freed by task 8116:
> set_track mm/kasan/kasan.c:460 [inline]
> __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
> slab_free_hook mm/slub.c:1371 [inline]
> slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
> slab_free mm/slub.c:2953 [inline]
> kfree+0x177/0x212 mm/slub.c:3906
> bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
> evict+0x30b/0x4ce fs/inode.c:558
> iput_final fs/inode.c:1550 [inline]
> iput+0x541/0x551 fs/inode.c:1576
> do_unlinkat+0x2fc/0x403 fs/namei.c:4180
> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
>Could the following patch be applied to 4.19.y?
>1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
>
>Tests run:
>* Chrome OS tryjobs
>* Syzkaller reproducer

I've queued it up, thanks again for all these tests!

--
Thanks,
Sasha


* Re: 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
  2019-04-17 16:00 ` Sasha Levin
@ 2019-04-17 18:03   ` Daniel Borkmann
  0 siblings, 0 replies; 3+ messages in thread
From: Daniel Borkmann @ 2019-04-17 18:03 UTC (permalink / raw)
  To: Sasha Levin, Zubin Mithra
  Cc: stable, gregkh, groeck, ast, kafai, songliubraving, yhs

On 04/17/2019 06:00 PM, Sasha Levin wrote:
> On Tue, Apr 16, 2019 at 01:29:59PM -0700, Zubin Mithra wrote:
>> Hello,
>>
>> Syzkaller has triggered a UAF when fuzzing a 4.19 kernel with the following stacktrace.
>>
>> Call Trace:
>> __dump_stack lib/dump_stack.c:77 [inline]
>> dump_stack+0xc8/0x129 lib/dump_stack.c:113
>> print_address_description+0x67/0x230 mm/kasan/report.c:256
>> kasan_report_error mm/kasan/report.c:354 [inline]
>> kasan_report+0x24e/0x28c mm/kasan/report.c:412
>> get_link fs/namei.c:1152 [inline]
>> trailing_symlink+0x593/0x677 fs/namei.c:2326
>> path_lookupat.isra.35+0x413/0x5d1 fs/namei.c:2382
>> filename_lookup.part.50+0xe1/0x1b7 fs/namei.c:2411
>> filename_lookup fs/namei.c:2405 [inline]
>> user_path_at_empty+0x59/0x6c fs/namei.c:2677
>> user_path include/linux/namei.h:62 [inline]
>> do_mount+0x15c/0x17a4 fs/namespace.c:2773
>> ksys_mount+0x98/0xcc fs/namespace.c:3052
>> __do_sys_mount fs/namespace.c:3066 [inline]
>> __se_sys_mount fs/namespace.c:3063 [inline]
>> __x64_sys_mount+0xd0/0xdb fs/namespace.c:3063
>> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Allocated by task 8112:
>> set_track mm/kasan/kasan.c:460 [inline]
>> kasan_kmalloc+0x85/0x93 mm/kasan/kasan.c:553
>> slab_post_alloc_hook+0x31/0x55 mm/slab.h:444
>> slab_alloc_node mm/slub.c:2706 [inline]
>> slab_alloc mm/slub.c:2714 [inline]
>> __kmalloc_track_caller+0x100/0x148 mm/slub.c:4290
>> kstrdup+0x39/0x63 mm/util.c:56
>> bpf_symlink+0x26/0xf4 kernel/bpf/inode.c:356
>> vfs_symlink2+0xfc/0x12b fs/namei.c:4238
>> do_symlinkat+0x14a/0x1d5 fs/namei.c:4271
>> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Freed by task 8116:
>> set_track mm/kasan/kasan.c:460 [inline]
>> __kasan_slab_free+0x100/0x122 mm/kasan/kasan.c:521
>> slab_free_hook mm/slub.c:1371 [inline]
>> slab_free_freelist_hook+0x9a/0xed mm/slub.c:1398
>> slab_free mm/slub.c:2953 [inline]
>> kfree+0x177/0x212 mm/slub.c:3906
>> bpf_evict_inode+0x80/0x107 kernel/bpf/inode.c:565
>> evict+0x30b/0x4ce fs/inode.c:558
>> iput_final fs/inode.c:1550 [inline]
>> iput+0x541/0x551 fs/inode.c:1576
>> do_unlinkat+0x2fc/0x403 fs/namei.c:4180
>> do_syscall_64+0xf8/0x133 arch/x86/entry/common.c:291
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> Could the following patch be applied to 4.19.y?
>> 1da6c4d9140c ("bpf: fix use after free in bpf_evict_inode")
>>
>> Tests run:
>> * Chrome OS tryjobs
>> * Syzkaller reproducer
> 
> I've queued it up, thanks again for all these tests!

Yep, please do. Thanks a lot!

Daniel

