KASAN: slab-use-after-free Read in skb_dequeue
From: Palash Oswal
Date: Sat Jun 03 2023 - 05:53:01 EST
Hello,
I found the following issue using syzkaller with an enriched corpus[1] on:
HEAD commit: 0bcc4025550403ae28d2984bddacafbca0a2f112
git tree: linux
C Reproducer: I do not have a C reproducer yet. I will update this thread when I get one.
Kernel .config: https://gist.github.com/oswalpalash/d9580b0bfce202b37445fa5fd426e41f
Link:
1. https://github.com/cmu-pasta/linux-kernel-enriched-corpus
Console log:
==================================================================
BUG: KASAN: slab-use-after-free in skb_dequeue+0x163/0x180
Read of size 8 at addr ffff88803460d080 by task ksoftirqd/0/16
CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.3.0-rc6-pasta-00035-g0bcc40255504 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xd9/0x150
print_address_description.constprop.0+0x2c/0x3c0
kasan_report+0x11c/0x130
skb_dequeue+0x163/0x180
ieee80211_tasklet_handler+0x38/0x140
tasklet_action_common.constprop.0+0x201/0x2e0
__do_softirq+0x1d4/0x905
run_ksoftirqd+0x31/0x60
smpboot_thread_fn+0x659/0x9e0
kthread+0x2e8/0x3a0
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 16:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x7f/0x90
kmem_cache_alloc_node+0x296/0x510
__alloc_skb+0x288/0x330
skb_copy+0x13d/0x3e0
mac80211_hwsim_tx_frame_no_nl.isra.0+0xb02/0x1290
mac80211_hwsim_tx_frame+0x1ee/0x2a0
mac80211_hwsim_beacon_tx+0x561/0xb10
__iterate_interfaces+0x2c8/0x570
ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
mac80211_hwsim_beacon+0x101/0x200
__hrtimer_run_queues+0x5fa/0xbe0
hrtimer_run_softirq+0x17f/0x360
__do_softirq+0x1d4/0x905
Freed by task 16:
kasan_save_stack+0x22/0x40
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2b/0x40
____kasan_slab_free+0x13b/0x1a0
kmem_cache_free+0x105/0x370
kfree_skbmem+0xef/0x1b0
consume_skb+0xdd/0x170
mac80211_hwsim_tx_frame+0x1f6/0x2a0
mac80211_hwsim_beacon_tx+0x561/0xb10
__iterate_interfaces+0x2c8/0x570
ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
mac80211_hwsim_beacon+0x101/0x200
__hrtimer_run_queues+0x5fa/0xbe0
hrtimer_run_softirq+0x17f/0x360
__do_softirq+0x1d4/0x905
Last potentially related work creation:
------------[ cut here ]------------
pool index 44248 out of bounds (719) for stack id 21b8acd8
WARNING: CPU: 0 PID: 16 at lib/stackdepot.c:472
stack_depot_print+0x6b/0x90
Modules linked in:
CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.3.0-rc6-pasta-00035-g0bcc40255504 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:stack_depot_print+0x6b/0x90
Code: f0 3f 00 00 48 01 c1 8b 71 0c 48 8d 79 18 85 f6 74 1a 48 83 c4
08 31 d2 5b e9 b1 9d 32 fd 48 c7 c7 f0 b8 f4 8b e8 25 03 0d fd <0f> 0b
48 83 c4 08 5b c3 c3 48 89 de 48 c7 c7 80 a4 12 8d 89 4c 24
RSP: 0018:ffffc9000055fca0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: ffff88803460d170 RCX: 0000000000000100
RDX: ffff8880151d63c0 RSI: ffffffff814a8297 RDI: 0000000000000001
RBP: ffff88803460d080 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 646e69206c6f6f70 R12: ffffea0000d18340
R13: ffff88803460d080 R14: 0000000000000008 R15: ffff8880151d63c0
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b2e7e9f39f CR3: 000000010fb6e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kasan_print_aux_stacks+0x57/0x70
print_address_description.constprop.0+0x71/0x3c0
kasan_report+0x11c/0x130
skb_dequeue+0x163/0x180
ieee80211_tasklet_handler+0x38/0x140
tasklet_action_common.constprop.0+0x201/0x2e0
__do_softirq+0x1d4/0x905
run_ksoftirqd+0x31/0x60
smpboot_thread_fn+0x659/0x9e0
kthread+0x2e8/0x3a0
ret_from_fork+0x1f/0x30
</TASK>