kvm: use-after-free in irq_bypass_register_consumer

From: idaifish
Date: Tue Sep 05 2017 - 23:40:45 EST


Got the following report while fuzzing 4.9.47.

It seems that this bug has already been reported by Dmitry Vyukov
[https://lkml.org/lkml/2017/1/27/828],
but I can still reproduce the bug on the latest Ubuntu 16.04 kernel (4.4.0-94-generic).

PoC: https://gist.githubusercontent.com/dvyukov/34114444518fa22baff19ae204cc46a6/raw/7826cbcd1cbc472dfa4972fe56371df3c94b70c7/gistfile1.txt


=======================================================================================

BUG: KASAN: use-after-free in __list_add include/linux/list.h:43 [inline] at addr ffff88007ab9dc80
BUG: KASAN: use-after-free in list_add include/linux/list.h:63 [inline] at addr ffff88007ab9dc80
BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x3a3/0x420 virt/lib/irqbypass.c:217 at addr ffff88007ab9dc80
Write of size 8 by task syz-executor4/2970
CPU: 0 PID: 2970 Comm: syz-executor4 Tainted: G B 4.9.47 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffff8800760df9c0 ffffffff81ad97d9 ffff88007f803080 ffff88007ab9db80
ffff88007ab9dd80 ffff88007ab9da00 ffff8800760df9e8 ffffffff8153892c
ffff8800760dfa78 ffff88007f803080 ffff8800776f7d20 ffff8800760dfa68
Call Trace:
[<ffffffff81ad97d9>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81ad97d9>] dump_stack+0x83/0xba lib/dump_stack.c:51
[<ffffffff8153892c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
[<ffffffff81538bc0>] print_address_description mm/kasan/report.c:198 [inline]
[<ffffffff81538bc0>] kasan_report_error+0x1f0/0x4e0 mm/kasan/report.c:287
[<ffffffff815390ee>] kasan_report mm/kasan/report.c:309 [inline]
[<ffffffff815390ee>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:335
[<ffffffff82e70a43>] __list_add include/linux/list.h:43 [inline]
[<ffffffff82e70a43>] list_add include/linux/list.h:63 [inline]
[<ffffffff82e70a43>] irq_bypass_register_consumer+0x3a3/0x420 virt/lib/irqbypass.c:217
[<ffffffff81063d25>] kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:417 [inline]
[<ffffffff81063d25>] kvm_irqfd+0x1095/0x1840 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
[<ffffffff8105b19c>] kvm_vm_ioctl+0x2bc/0x1580
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2999
[<ffffffff815a1f2c>] vfs_ioctl fs/ioctl.c:43 [inline]
[<ffffffff815a1f2c>] do_vfs_ioctl+0x18c/0xf80 fs/ioctl.c:679
[<ffffffff815a2daf>] SYSC_ioctl fs/ioctl.c:694 [inline]
[<ffffffff815a2daf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff82e85577>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Object at ffff88007ab9db80, in cache kmalloc-512 size: 512
Allocated:
PID = 2970
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x46/0xd0 mm/kasan/kasan.c:495
set_track mm/kasan/kasan.c:507 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
kmem_cache_alloc_trace include/linux/slab.h:391 [inline]
kmalloc include/linux/slab.h:490 [inline]
kzalloc include/linux/slab.h:636 [inline]
kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296 [inline]
kvm_irqfd+0xbd/0x1840 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
kvm_vm_ioctl+0x2bc/0x1580 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2999
vfs_ioctl fs/ioctl.c:43 [inline]
do_vfs_ioctl+0x18c/0xf80 fs/ioctl.c:679
SYSC_ioctl fs/ioctl.c:694 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
entry_SYSCALL_64_fastpath+0x1a/0xa9
Freed:
PID = 1098
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
save_stack+0x46/0xd0 mm/kasan/kasan.c:495
set_track mm/kasan/kasan.c:507 [inline]
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
slab_free_hook mm/slub.c:1355 [inline]
slab_free_freelist_hook mm/slub.c:1377 [inline]
slab_free mm/slub.c:2958 [inline]
kfree+0xa0/0x150 mm/slub.c:3878
irqfd_shutdown+0x137/0x1a0 arch/x86/kvm/../../../virt/kvm/eventfd.c:148
process_one_work+0x87c/0x1170 kernel/workqueue.c:2096
worker_thread+0xed/0x14e0 kernel/workqueue.c:2230
kthread+0x220/0x2a0 kernel/kthread.c:211
ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:433
Memory state around the buggy address:
ffff88007ab9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88007ab9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88007ab9dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
ffff88007ab9dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88007ab9dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

--
Regards,
idaifish
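What the report above says, read line by line: the 8-byte write happens in irq_bypass_register_consumer (the list_add of the new consumer), called from kvm_irqfd_assign in task syz-executor4 (PID 2970). The object written to is a 512-byte kmalloc allocation made by that same task in kvm_irqfd_assign (the irqfd), but it was already freed by a different context, PID 1098, via irqfd_shutdown running as deferred work (process_one_work). The write lands at offset 0x100 into the freed object, and the shadow byte at that address is 0xfb, which is KASAN_KMALLOC_FREE in mm/kasan/kasan.h (0xfc is KASAN_KMALLOC_REDZONE). In other words the irqfd's shutdown work ran and freed it while the assigning ioctl was still registering it with the bypass layer.

The following triage script pulls those facts out of a KASAN report mechanically. It is an added example, not code from the post, from syzkaller or from the kernel; the report text embedded in it is a trimmed copy of the report above (constructed sample input), and the shadow-byte table reproduces the slab-related constants from mm/kasan/kasan.h. The assumption that one shadow byte covers an 8-byte granule and that each "Memory state" row shows 16 shadow bytes (128 bytes of memory) matches the classic KASAN layout used by 4.9.

```python
import re

# Constructed sample: the report from the post above, trimmed to the lines
# the parser needs (wrapped lines joined back together).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in __list_add include/linux/list.h:43 [inline] at addr ffff88007ab9dc80
BUG: KASAN: use-after-free in list_add include/linux/list.h:63 [inline] at addr ffff88007ab9dc80
BUG: KASAN: use-after-free in irq_bypass_register_consumer+0x3a3/0x420 virt/lib/irqbypass.c:217 at addr ffff88007ab9dc80
Write of size 8 by task syz-executor4/2970
CPU: 0 PID: 2970 Comm: syz-executor4 Tainted: G B 4.9.47 #1
Call Trace:
 [<ffffffff82e70a43>] irq_bypass_register_consumer+0x3a3/0x420 virt/lib/irqbypass.c:217
 [<ffffffff81063d25>] kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:417 [inline]
 [<ffffffff81063d25>] kvm_irqfd+0x1095/0x1840 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
Object at ffff88007ab9db80, in cache kmalloc-512 size: 512
Allocated:
PID = 2970
kvm_irqfd_assign arch/x86/kvm/../../../virt/kvm/eventfd.c:296 [inline]
kvm_irqfd+0xbd/0x1840 arch/x86/kvm/../../../virt/kvm/eventfd.c:572
Freed:
PID = 1098
kfree+0xa0/0x150 mm/slub.c:3878
irqfd_shutdown+0x137/0x1a0 arch/x86/kvm/../../../virt/kvm/eventfd.c:148
process_one_work+0x87c/0x1170 kernel/workqueue.c:2096
Memory state around the buggy address:
 ffff88007ab9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88007ab9dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88007ab9dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Shadow-byte values from mm/kasan/kasan.h (slab-related subset).
KASAN_SHADOW = {
    0x00: "addressable",
    0xfa: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}
SHADOW_GRANULE = 8  # bytes of memory described by one shadow byte

BUG_RE = re.compile(r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>\S+)"
                    r"(?: (?P<loc>\S+:\d+))?(?P<inline> \[inline\])? at addr (?P<addr>[0-9a-f]+)$")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)$")
OBJECT_RE = re.compile(r"^Object at (?P<base>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)$")
SHADOW_RE = re.compile(r"^>(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")


def shadow_meaning(b):
    if 0 < b < SHADOW_GRANULE:
        return f"partially addressable ({b} of {SHADOW_GRANULE} bytes)"
    return KASAN_SHADOW.get(b, "unknown")


def parse_kasan_report(text):
    r = {"bug_lines": [], "alloc": {"pid": None, "frames": []},
         "free": {"pid": None, "frames": []}}
    section = None
    for line in text.splitlines():
        s = line.strip()
        m = BUG_RE.match(s)
        if m:
            r["bug_lines"].append(m.groupdict())
            continue
        m = ACCESS_RE.match(s)
        if m:
            r["access"] = {"kind": m.group("kind"), "size": int(m.group("size")),
                           "task": m.group("task"), "pid": int(m.group("pid"))}
            continue
        m = OBJECT_RE.match(s)
        if m:
            r["object"] = {"base": int(m.group("base"), 16), "cache": m.group("cache"),
                           "size": int(m.group("size"))}
            continue
        if s == "Allocated:":
            section = "alloc"
        elif s == "Freed:":
            section = "free"
        elif s.startswith("Memory state"):
            section = "shadow"
        elif s == "Call Trace:":
            section = "trace"
        elif section in ("alloc", "free"):
            m = re.match(r"^PID = (\d+)$", s)
            if m:
                r[section]["pid"] = int(m.group(1))
            elif s:
                r[section]["frames"].append(s)
        elif section == "shadow":
            m = SHADOW_RE.match(s)  # only the '>' row, i.e. the one holding the bad address
            if m:
                r["shadow_row"] = (int(m.group("row"), 16),
                                   [int(b, 16) for b in m.group("bytes").split()])
    # The frame without [inline] is the function whose code made the access.
    outer = [b for b in r["bug_lines"] if not b["inline"]] or r["bug_lines"]
    r["bug"] = r["bug_lines"][0]["bug"]
    r["function"], r["location"] = outer[-1]["func"], outer[-1]["loc"]
    r["addr"] = int(r["bug_lines"][0]["addr"], 16)
    r["offset_in_object"] = r["addr"] - r["object"]["base"]
    row_addr, shadow = r["shadow_row"]
    r["shadow_byte"] = shadow[(r["addr"] - row_addr) // SHADOW_GRANULE]
    r["shadow_meaning"] = shadow_meaning(r["shadow_byte"])
    # Allocation and free from different PIDs means the free happened in another
    # context; a process_one_work frame pins it to deferred work.
    r["freed_by_other_context"] = r["alloc"]["pid"] != r["free"]["pid"]
    r["freed_from_workqueue"] = any(f.startswith("process_one_work") for f in r["free"]["frames"])
    return r


def summarize(r):
    a, o = r["access"], r["object"]
    return "\n".join([
        f"{r['bug']}: {a['kind']} of {a['size']} bytes in {r['function']} ({r['location']})",
        f"target: {o['cache']} object of {o['size']} bytes, access at offset {r['offset_in_object']:#x}",
        f"shadow byte {r['shadow_byte']:#04x}: {r['shadow_meaning']}",
        f"allocated by pid {r['alloc']['pid']} in {r['alloc']['frames'][0]}",
        f"freed by pid {r['free']['pid']} via {r['free']['frames'][1]}"
        + (" (different context: a race)" if r["freed_by_other_context"] else ""),
        "free path ran from a workqueue: " + ("yes" if r["freed_from_workqueue"] else "no"),
    ])


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

The same parser applies to any 4.x-era KASAN slab report of this shape; the two derived flags (different PIDs for alloc and free, free reached through process_one_work) are the quickest way to tell a plain double-free or lifetime bug from a race between a syscall path and deferred teardown, which is what this report shows.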