Re: KASAN: use-after-free Read in sctp_packet_transmit
On Fri, Jan 05, 2018 at 02:07:01PM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 8a4816cad00bf14642f0ed6043b32d29a05006ce
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5adcca18fca253b4c...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ==
> BUG: KASAN: use-after-free in sctp_packet_transmit+0x3505/0x3750
> net/sctp/output.c:643
> Read of size 8 at addr 8801bda9fb80 by task modprobe/23740
>
> CPU: 1 PID: 23740 Comm: modprobe Not tainted 4.15.0-rc5+ #175
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> print_address_description+0x73/0x250 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351 [inline]
> kasan_report+0x25b/0x340 mm/kasan/report.c:409
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
> sctp_packet_transmit+0x3505/0x3750 net/sctp/output.c:643
> sctp_outq_flush+0x121b/0x4060 net/sctp/outqueue.c:1197
> sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776
> sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
> sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline]
> sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181
> sctp_generate_heartbeat_event+0x292/0x3f0 net/sctp/sm_sideeffect.c:406
> call_timer_fn+0x228/0x820 kernel/time/timer.c:1320
> expire_timers kernel/time/timer.c:1357 [inline]
> __run_timers+0x7ee/0xb70 kernel/time/timer.c:1660
> run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
> __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
> invoke_softirq kernel/softirq.c:365 [inline]
> irq_exit+0x1cc/0x200 kernel/softirq.c:405
> exiting_irq arch/x86/include/asm/apic.h:540 [inline]
> smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
> apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:904
>
> RIP: 0010:__preempt_count_add arch/x86/include/asm/preempt.h:76 [inline]
> RIP: 0010:__rcu_read_lock include/linux/rcupdate.h:83 [inline]
> RIP: 0010:rcu_read_lock include/linux/rcupdate.h:629 [inline]
> RIP: 0010:__is_insn_slot_addr+0x8f/0x330 kernel/kprobes.c:303
> RSP: 0018:8801d4937430 EFLAGS: 0283 ORIG_RAX: ff11
> RAX: 8801bf13c000 RBX: 8656dd00 RCX: 8170bd88
> RDX: RSI: RDI: 8656dd00
> RBP: 8801d4937518 R08: R09: 11003a926e67
> R10: 8801d4937300 R11: R12:
> R13: R14: 8801d49374f0 R15: 8801dae230c0
> is_kprobe_insn_slot include/linux/kprobes.h:318 [inline]
> kernel_text_address+0x132/0x140 kernel/extable.c:150
> __kernel_text_address+0xd/0x40 kernel/extable.c:107
> unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
> __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
> save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
> kmem_cache_zalloc include/linux/slab.h:678 [inline]
> file_alloc_security security/selinux/hooks.c:369 [inline]
> selinux_file_alloc_security+0xae/0x190 security/selinux/hooks.c:3454
> security_file_alloc+0x6d/0xa0 security/security.c:873
> get_empty_filp+0x189/0x4f0 fs/file_table.c:129
> path_openat+0xed/0x3530 fs/namei.c:3496
> do_filp_open+0x25b/0x3b0 fs/namei.c:3554
> do_sys_open+0x502/0x6d0 fs/open.c:1059
> SYSC_open fs/open.c:1077 [inline]
> SyS_open+0x2d/0x40 fs/open.c:1072
> entry_SYSCALL_64_fastpath+0x23/0x9a
> RIP: 0033:0x7efdff1bb120
> RSP: 002b:7ffde6213c08 EFLAGS: 0246 ORIG_RAX: 0002
> RAX: ffda RBX: 55c34fab4090 RCX: 7efdff1bb120
> RDX: 01b6 RSI: 0008 RDI: 7ffde6213d20
> RBP: 7ffde6214d90 R08: 0008 R09: 0001
> R10: R11: 0246 R12: 55c34fab4090
> R13: 7ffde6215de0 R14: R15:
>
> Allocated by task 23739:
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
> kmem_cache_zalloc include/linux/slab.h:678 [inline]
> sctp_chunkify+0xce/0x3f0 net/
Re: KASAN: use-after-free Read in sctp_packet_transmit
On 1/5/18, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 8a4816cad00bf14642f0ed6043b32d29a05006ce
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5adcca18fca253b4c...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ==
> BUG: KASAN: use-after-free in sctp_packet_transmit+0x3505/0x3750
> net/sctp/output.c:643
> Read of size 8 at addr 8801bda9fb80 by task modprobe/23740
>

This can be related to the following corruption during send:

 #6 [8805945ff940] invalid_op at 8100c15b
    [exception RIP: sctp_chunk_put+91]
    RIP: a039db3b  RSP: 8805945ff9f8  RFLAGS: 00010212
    RAX: 8808b025cb01  RBX: 880dbb1b0d80  RCX: 8805945ff818
    RDX: 0020  RSI: 8809a84746d8  RDI: 880dbb1b0d80
    RBP: 8805945ffa08  R8: 880dbb13a0c0  R9:
    R10: 88023820  R11:  R12: 880dbb1b0d80
    R13:  R14: 8808b025cb80  R15:
    ORIG_RAX:  CS: 0010  SS: 0018
 #7 [8805945ffa10] sctp_datamsg_put at a039c543 [sctp]
 #8 [8805945ffa60] sctp_datamsg_free at a039c9dd [sctp]
 #9 [8805945ffa80] sctp_sendmsg at a03a9440 [sctp]
#10 [8805945ffb70] inet_sendmsg at 814ef0ba
#11 [8805945ffbb0] sock_sendmsg at 8146b4c7
#12 [8805945ffd60] __sys_sendmsg at 8146b976
#13 [8805945fff10] sys_sendmsg at 8146bb99

In this case we have the chunk with 0 refcounter:

struct sctp_chunk {
  list = {
    next = 0x8809a84746d8,
    prev = 0x880dbb1b0e80
  },
  refcnt = {
    counter = 0
  },
  transmitted_list = {
    next = 0x880dbb1b0d98,
    prev = 0x880dbb1b0d98
  },
  frag_list = {
    next = 0x880dbb1b0da8,
    prev = 0x880dbb1b0da8
  },
  skb = 0x880dbb1a4700,
  param_hdr = {
    v = 0x0,
    p = 0x0,
    life = 0x0,
    dns = 0x0,
    cookie = 0x0,

Previous chunk in the list has the refcounter set to 2:

struct sctp_chunk {
  list = {
    next = 0x880dbb1b0d80,
    prev = 0x880c657160c0
  },
  refcnt = {
    counter = 2
  },
  transmitted_list = {
    next = 0x880dbb1b0e98,
    prev = 0x880dbb1b0e98
  },
  frag_list = {
    next = 0x8808b025c300,
    prev = 0x8808b025c300
  },
  skb = 0x880dbb1a4840,
  param_hdr = {
    v = 0x0,
    p = 0x0,
    life = 0x0,
    dns = 0x0,
    cookie = 0x0,
    ...
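A user-space model of the refcount shape described in the message above, added here as an illustration; it is not the kernel's net/sctp code and was not posted in the thread. Every name in it (chunk, datamsg, txq, chunk_put, datamsg_put, txq_flush) and the failure path it exercises are assumptions of the model: a datamsg owns its fragment chunks at refcount 1, a transmit queue is supposed to hold a second reference, and one way to reach "a chunk at refcount 0 still linked next to a neighbour at 2" is a chunk linked for transmit without that reference, so the sender's datamsg_put frees it while the transmit walk can still reach it, and the transmit queue's own put then lands on a zero count, which is the underflow check a refcount_t-style put trips on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model written for this thread, not kernel code.  The names
 * only echo the frames quoted above (sctp_chunk_put, sctp_datamsg_put). */

struct chunk {
	struct chunk *frag_next;  /* on the datamsg's fragment list */
	struct chunk *tx_next;    /* on the transmit queue */
	int refcnt;               /* 1 for the datamsg that created it */
	bool freed;               /* stands in for KASAN's freed-shadow state */
};

struct datamsg { struct chunk *frags; int refcnt; };
struct txq     { struct chunk *head; };

enum put_result { PUT_HELD, PUT_FREED, PUT_UNDERFLOW };

static struct chunk *chunk_alloc(struct datamsg *msg)
{
	struct chunk *c = calloc(1, sizeof(*c));
	if (!c)
		abort();
	c->refcnt = 1;
	c->frag_next = msg->frags;
	msg->frags = c;
	return c;
}

static void chunk_hold(struct chunk *c) { c->refcnt++; }

/* A put on a chunk already at zero is reported instead of wrapping; a
 * refcount_t-style put traps at this point (the invalid_op frame above). */
static enum put_result chunk_put(struct chunk *c)
{
	if (c->refcnt == 0)
		return PUT_UNDERFLOW;
	if (--c->refcnt == 0) {
		c->freed = true;          /* real code would free skb and chunk */
		return PUT_FREED;
	}
	return PUT_HELD;
}

/* Queue for transmit.  take_ref == false models a path that links the
 * chunk on the queue without taking its own reference. */
static void txq_enqueue(struct txq *q, struct chunk *c, bool take_ref)
{
	if (take_ref)
		chunk_hold(c);
	c->tx_next = q->head;
	q->head = c;
}

/* Last datamsg reference: unlink each fragment and drop the datamsg's
 * reference on it.  Returns how many puts underflowed. */
static int datamsg_put(struct datamsg *msg)
{
	int underflows = 0;
	if (--msg->refcnt > 0)
		return 0;
	while (msg->frags) {
		struct chunk *c = msg->frags;
		msg->frags = c->frag_next;
		c->frag_next = NULL;
		if (chunk_put(c) == PUT_UNDERFLOW)
			underflows++;
	}
	return underflows;
}

/* What a transmit walk would touch: freed chunks still linked on the
 * queue are the reads KASAN reports as use-after-free. */
static int txq_dangling(const struct txq *q)
{
	int n = 0;
	for (const struct chunk *c = q->head; c; c = c->tx_next)
		n += c->freed;
	return n;
}

/* Flush the queue, dropping the transmit reference on each chunk. */
static int txq_flush(struct txq *q)
{
	int underflows = 0;
	while (q->head) {
		struct chunk *c = q->head;
		q->head = c->tx_next;
		c->tx_next = NULL;
		if (chunk_put(c) == PUT_UNDERFLOW)
			underflows++;
	}
	return underflows;
}

struct outcome { int dangling; int underflows; };

/* Builds the shape in the dump: one chunk held by two owners (refcnt 2)
 * beside one whose count reaches 0 while still linked for transmit. */
struct outcome run_scenario(bool tx_takes_ref)
{
	struct datamsg msg = { NULL, 1 };
	struct txq q = { NULL };
	struct chunk *first = chunk_alloc(&msg);
	struct chunk *second = chunk_alloc(&msg);
	struct outcome out;

	txq_enqueue(&q, first, true);           /* refcnt 2: datamsg + txq */
	txq_enqueue(&q, second, tx_takes_ref);  /* refcnt 2, or 1 if ref missing */

	datamsg_put(&msg);                      /* sender finished: frees 'second' if at 1 */
	out.dangling = txq_dangling(&q);        /* the transmit walk's UAF reads */
	out.underflows = txq_flush(&q);         /* second put on a zero count */

	free(first);
	free(second);
	return out;
}

int main(void)
{
	struct outcome bad = run_scenario(false), good = run_scenario(true);
	printf("missing txq ref: dangling=%d underflows=%d\n", bad.dangling, bad.underflows);
	printf("with txq ref:    dangling=%d underflows=%d\n", good.dangling, good.underflows);
	return 0;
}
```

The model keeps list membership and the refcount independent on purpose, which is why the freed chunk stays reachable from the queue: the reference count only says how many owners exist, not which lists the object is still on, so any list that can be walked after the owner's put must hold a reference of its own.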
Re: KASAN: use-after-free Read in sctp_packet_transmit
On 6 January 2018 15:09:45 BRST, Dmitry Vyukov wrote:
>On Sat, Jan 6, 2018 at 6:02 PM, Marcelo Ricardo Leitner wrote:
>> On Fri, Jan 05, 2018 at 02:07:01PM -0800, syzbot wrote:
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> 8a4816cad00bf14642f0ed6043b32d29a05006ce
>>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>> Unfortunately, I don't have any reproducer for this bug yet.
>>
>> How can we tell if there weren't any list corruption messages before
>> the panic?
>
>Hi Marcelo,
>
>syzbot always gives reports on non-tainted kernels. So, no, there was
>nothing bad before this.

OK. Thanks

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: KASAN: use-after-free Read in sctp_packet_transmit
On Sat, Jan 6, 2018 at 6:02 PM, Marcelo Ricardo Leitner wrote:
> On Fri, Jan 05, 2018 at 02:07:01PM -0800, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> 8a4816cad00bf14642f0ed6043b32d29a05006ce
>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> Unfortunately, I don't have any reproducer for this bug yet.
>
> How can we tell if there weren't any list corruption messages before
> the panic?

Hi Marcelo,

syzbot always gives reports on non-tainted kernels. So, no, there was
nothing bad before this.
Re: KASAN: use-after-free Read in sctp_packet_transmit
On Fri, Jan 05, 2018 at 02:07:01PM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 8a4816cad00bf14642f0ed6043b32d29a05006ce
> git://git.kernel.org/pm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.

How can we tell if there weren't any list corruption messages before
the panic?

  Marcelo
Re: KASAN: use-after-free Read in sctp_packet_transmit
On Sat, Jan 6, 2018 at 6:07 AM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 8a4816cad00bf14642f0ed6043b32d29a05006ce
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+5adcca18fca253b4c...@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> ==
> BUG: KASAN: use-after-free in sctp_packet_transmit+0x3505/0x3750
> net/sctp/output.c:643
> Read of size 8 at addr 8801bda9fb80 by task modprobe/23740
>
> CPU: 1 PID: 23740 Comm: modprobe Not tainted 4.15.0-rc5+ #175
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> print_address_description+0x73/0x250 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351 [inline]
> kasan_report+0x25b/0x340 mm/kasan/report.c:409
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
> sctp_packet_transmit+0x3505/0x3750 net/sctp/output.c:643
> sctp_outq_flush+0x121b/0x4060 net/sctp/outqueue.c:1197
> sctp_outq_uncork+0x5a/0x70 net/sctp/outqueue.c:776
> sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1807 [inline]
> sctp_side_effects net/sctp/sm_sideeffect.c:1210 [inline]
> sctp_do_sm+0x4e0/0x6ed0 net/sctp/sm_sideeffect.c:1181
> sctp_generate_heartbeat_event+0x292/0x3f0 net/sctp/sm_sideeffect.c:406
> call_timer_fn+0x228/0x820 kernel/time/timer.c:1320
> expire_timers kernel/time/timer.c:1357 [inline]
> __run_timers+0x7ee/0xb70 kernel/time/timer.c:1660
> run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
> __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
> invoke_softirq kernel/softirq.c:365 [inline]
> irq_exit+0x1cc/0x200 kernel/softirq.c:405
> exiting_irq arch/x86/include/asm/apic.h:540 [inline]
> smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
> apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:904
>
> RIP: 0010:__preempt_count_add arch/x86/include/asm/preempt.h:76 [inline]
> RIP: 0010:__rcu_read_lock include/linux/rcupdate.h:83 [inline]
> RIP: 0010:rcu_read_lock include/linux/rcupdate.h:629 [inline]
> RIP: 0010:__is_insn_slot_addr+0x8f/0x330 kernel/kprobes.c:303
> RSP: 0018:8801d4937430 EFLAGS: 0283 ORIG_RAX: ff11
> RAX: 8801bf13c000 RBX: 8656dd00 RCX: 8170bd88
> RDX: RSI: RDI: 8656dd00
> RBP: 8801d4937518 R08: R09: 11003a926e67
> R10: 8801d4937300 R11: R12:
> R13: R14: 8801d49374f0 R15: 8801dae230c0
> is_kprobe_insn_slot include/linux/kprobes.h:318 [inline]
> kernel_text_address+0x132/0x140 kernel/extable.c:150
> __kernel_text_address+0xd/0x40 kernel/extable.c:107
> unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18
> __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45
> save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
> kmem_cache_zalloc include/linux/slab.h:678 [inline]
> file_alloc_security security/selinux/hooks.c:369 [inline]
> selinux_file_alloc_security+0xae/0x190 security/selinux/hooks.c:3454
> security_file_alloc+0x6d/0xa0 security/security.c:873
> get_empty_filp+0x189/0x4f0 fs/file_table.c:129
> path_openat+0xed/0x3530 fs/namei.c:3496
> do_filp_open+0x25b/0x3b0 fs/namei.c:3554
> do_sys_open+0x502/0x6d0 fs/open.c:1059
> SYSC_open fs/open.c:1077 [inline]
> SyS_open+0x2d/0x40 fs/open.c:1072
> entry_SYSCALL_64_fastpath+0x23/0x9a
> RIP: 0033:0x7efdff1bb120
> RSP: 002b:7ffde6213c08 EFLAGS: 0246 ORIG_RAX: 0002
> RAX: ffda RBX: 55c34fab4090 RCX: 7efdff1bb120
> RDX: 01b6 RSI: 0008 RDI: 7ffde6213d20
> RBP: 7ffde6214d90 R08: 0008 R09: 0001
> R10: R11: 0246 R12: 55c34fab4090
> R13: 7ffde6215de0 R14: R15:
>
> Allocated by task 23739:
> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> set_track mm/kasan/kasan.c:459 [inline]
> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
> kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544
> kmem_cache_zalloc include/linux/slab.h:678 [inline]
> sctp_chunkify+0xce/0x3f0 net/sctp/sm_make_ch