Re: KASAN: use-after-free Read in do_get_mempolicy

From: Dmitry Vyukov
Date: Tue Oct 17 2017 - 11:56:19 EST


On Tue, Oct 17, 2017 at 5:38 PM, Chase Bertke <ceb2817@xxxxxxxxx> wrote:
> Hello,
>
> I would like to report a bug found via syzkaller on version 4.13.0-rc4. I
> have searched the syzkaller mailing list and did not see any other reports
> for this bug.
>
> Please see below:
>
> ==================================================================
> BUG: KASAN: use-after-free in do_get_mempolicy+0x1d4/0x740
> Read of size 8 at addr ffff88006d32fb28 by task syz-executor0/1422
>
> CPU: 0 PID: 1422 Comm: syz-executor0 Not tainted 4.13.0-rc4+ #0
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
> Call Trace:
> dump_stack+0x83/0xb7
> print_address_description+0x6b/0x280
> kasan_report+0x260/0x340
> __asan_load8+0x54/0x90
> do_get_mempolicy+0x1d4/0x740
> SyS_get_mempolicy+0xcf/0x180
> entry_SYSCALL_64_fastpath+0x1a/0xa5
> RIP: 0033:0x4512e9
> RSP: 002b:00007f17246b4c08 EFLAGS: 00000216 ORIG_RAX: 00000000000000ef
> RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 00000000004512e9
> RDX: 0000000049ee0985 RSI: 0000000020006ff8 RDI: 0000000020002ffc
> RBP: 0000000000ebaca0 R08: 0000000000000003 R09: 0000000000000000
> R10: 0000000020004000 R11: 0000000000000216 R12: 0000000000000012
> R13: 0000000000000001 R14: 00000000006f1340 R15: 0000000000000002
>
> Allocated by task 1421:
> save_stack_trace+0x16/0x20
> save_stack+0x46/0xd0
> kasan_kmalloc+0xad/0xe0
> kasan_slab_alloc+0x12/0x20
> kmem_cache_alloc+0xa8/0x170
> __mpol_dup+0x78/0x1e0
> do_mbind+0x591/0x7d0
> SyS_mbind+0x13d/0x150
> entry_SYSCALL_64_fastpath+0x1a/0xa5
>
> Freed by task 1421:
> save_stack_trace+0x16/0x20
> save_stack+0x46/0xd0
> kasan_slab_free+0x70/0xc0
> kmem_cache_free+0x69/0x1a0
> __mpol_put+0x33/0x40
> do_mbind+0x639/0x7d0
> SyS_mbind+0x13d/0x150
> entry_SYSCALL_64_fastpath+0x1a/0xa5
>
> The buggy address belongs to the object at ffff88006d32fb18
> which belongs to the cache numa_policy of size 24
> The buggy address is located 16 bytes inside of
> 24-byte region [ffff88006d32fb18, ffff88006d32fb30)
> The buggy address belongs to the page:
> page:ffffea0001b4cbc0 count:1 mapcount:0 mapping: (null)
> index:0xffff88006d32f1e0
> flags: 0x500000000000100(slab)
> raw: 0500000000000100 0000000000000000 ffff88006d32f1e0 000000018066005a
> raw: dead000000000100 dead000000000200 ffff88003e80ea00 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88006d32fa00: 00 00 00 fc fc fb fb fb fc fc fb fb fb fc fc 00
> ffff88006d32fa80: 00 00 fc fc 00 00 00 fc fc 00 00 00 fc fc fb fb
>>ffff88006d32fb00: fb fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb
> ^
> ffff88006d32fb80: fc fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc
> ffff88006d32fc00: fc fb fb fb fc fc fb fb fb fc fc fb fb fb fc fc
> ==================================================================
>
> Report and log attached.
>
> Thank you,
> Chase

+mm mailing list and maintainers

Chase, you can find some info on how to find right kernel maintainers here:
https://github.com/google/syzkaller/blob/master/docs/linux_kernel_reporting_bugs.md