Re: 4.7-rc7: use-after-free in proc_map_files_readdir

From: Dave Jones
Date: Tue Jul 19 2016 - 14:33:40 EST


On Tue, Jul 19, 2016 at 05:20:36PM +0100, Al Viro wrote:
> On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> > On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
> > >
> > > Just in case can you addr2line this address or post disassembly?
> >
> > http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
> >
> > Which by my math, looks to be..
> >
> > 7253: 41 8b 87 84 00 00 00 mov 0x84(%r15),%eax
> > info.len = snprintf(info.name,
>
> The entire expression is
> info.len = snprintf(info.name,
> sizeof(info.name), "%lx-%lx",
> vma->vm_start, vma->vm_end);
> and we have
> * address of array field in local structure.
> * constant
> * string literal
> * two longs fetched from *vma, that being done under ->mmap_sem
> * call of snprintf
> * store into a field of local structure.
> The only ways to get use-after-free in that would be to have *vma freed
> under you or have the same happen to your stack frame.
>
> Could you dump the relevant part of vmlinux objdump, rather than whatever
> you've used on base.o? Having relocations resolved makes it much easier
> to figure out... Or just dump that vmlinux on anonftp somewhere...

http://codemonkey.org.uk/junk/vmlinux.gz

Dave
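The "addr2line this address" step the thread turns on, as an added helper that is not code from the thread or from the kernel tree: it parses the quoted KASAN line, resolves the symbol in a System.map excerpt, and produces the absolute PC to hand to addr2line or objdump. The System.map addresses below are constructed for the example, not taken from Dave's vmlinux.

```python
import re

# Constructed sample input: the KASAN line quoted in the thread, plus an
# assumed System.map excerpt (addresses are made up for this example).
KASAN_LINE = ("BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0"
              " at addr ffff88044feb2044")
SYSTEM_MAP = """\
ffffffff81280000 t proc_fd_getattr
ffffffff812800a0 t proc_map_files_readdir
ffffffff81280640 t proc_map_files_lookup
"""

# func+0xOFFSET/0xSIZE is the kernel's symbol-relative form; the trailing
# address is the accessed (freed) object, not the instruction pointer.
KASAN_RE = re.compile(
    r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\w+)"
    r"\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+) at addr (?P<addr>[0-9a-f]+)")

def parse_kasan_line(line):
    """Return the bug class, function, offset, size and accessed address."""
    m = KASAN_RE.search(line)
    if not m:
        return None
    return {"bug": m.group("bug"), "func": m.group("func"),
            "offset": int(m.group("off"), 16), "size": int(m.group("size"), 16),
            "addr": int(m.group("addr"), 16)}

def symbol_start(system_map, name):
    """Look a symbol up in System.map text ('<addr> <type> <name>' per line)."""
    for entry in system_map.splitlines():
        parts = entry.split()
        if len(parts) == 3 and parts[2] == name:
            return int(parts[0], 16)
    return None

def faulting_pc(report, system_map):
    """Symbol start + offset, after checking the offset lies inside the function."""
    if report["offset"] >= report["size"]:
        raise ValueError("offset outside reported function size")
    start = symbol_start(system_map, report["func"])
    if start is None:
        raise KeyError(report["func"])
    return start + report["offset"]

def addr2line_cmd(report, system_map, vmlinux="vmlinux"):
    """Command to map the PC back to file:line, following inlines (-i)."""
    return "addr2line -f -i -e %s 0x%x" % (vmlinux, faulting_pc(report, system_map))
```

On a real box the System.map that matches the running vmlinux (or `nm vmlinux`) replaces the constructed excerpt; the offset is the same number Dave used to find line 7253 in the disassembly.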