KASAN: slab-use-after-free Write in sco_sock_timeout

From: Sanan Hasanov
Date: Thu Sep 07 2023 - 17:21:49 EST
Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.

We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1hdxgrCVVhxsp3XFWi046VSKx14Y-QCR7/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Pm-DN-CF7AeFnocccO1lg8Qa5JIkeCaA/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

==================================================================
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x6e/0x240
Write of size 4 at addr ffff88801df87080 by task kworker/4:8/14653

CPU: 4 PID: 14653 Comm: kworker/4:8 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events sco_sock_timeout
Call Trace:
<TASK>
dump_stack_lvl+0x17f/0x260
print_report+0xc5/0x5e0
kasan_report+0xd7/0x110
kasan_check_range+0x153/0x1a0
__kasan_check_write+0x18/0x20
sco_sock_timeout+0x6e/0x240
process_one_work+0x9f0/0x16c0
worker_thread+0x68e/0x10f0
kthread+0x356/0x460
ret_from_fork+0x1f/0x30
</TASK>

Allocated by task 10149:
kasan_save_stack+0x2a/0x50
kasan_set_track+0x29/0x40
kasan_save_alloc_info+0x1f/0x30
__kasan_kmalloc+0x84/0x90
__kmalloc+0x61/0x190
sk_prot_alloc+0x163/0x2b0
sk_alloc+0x3d/0x7c0
sco_sock_alloc.constprop.0+0x37/0x330
sco_sock_create+0xd5/0x160
bt_sock_create+0x16d/0x2d0
__sock_create+0x354/0x7e0
__sys_socket+0x152/0x270
__x64_sys_socket+0x76/0xb0
do_syscall_64+0x39/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
kasan_save_stack+0x2a/0x50
__kasan_record_aux_stack+0x66/0x70
kasan_record_aux_stack_noalloc+0xf/0x20
__call_rcu_common.constprop.0+0x9e/0x820
call_rcu+0xd/0x10
netlink_release+0xcd0/0x1e90
__sock_release+0xce/0x290
sock_close+0x22/0x30
__fput+0x279/0xa40
____fput+0x1a/0x20
task_work_run+0x196/0x2b0
do_exit+0xbf6/0x2d00
do_group_exit+0xe0/0x2c0
get_signal+0x2562/0x2610
arch_do_signal_or_restart+0x84/0x600
exit_to_user_mode_prepare+0x130/0x1f0
syscall_exit_to_user_mode+0x1f/0x50
do_syscall_64+0x46/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
kasan_save_stack+0x2a/0x50
__kasan_record_aux_stack+0x66/0x70
kasan_record_aux_stack_noalloc+0xf/0x20
__call_rcu_common.constprop.0+0x9e/0x820
call_rcu+0xd/0x10
netlink_release+0xcd0/0x1e90
__sock_release+0xce/0x290
sock_close+0x22/0x30
__fput+0x279/0xa40
____fput+0x1a/0x20
task_work_run+0x196/0x2b0
exit_to_user_mode_prepare+0x1e3/0x1f0
syscall_exit_to_user_mode+0x1f/0x50
do_syscall_64+0x46/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801df87000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
freed 2048-byte region [ffff88801df87000, ffff88801df87800)

The buggy address belongs to the physical page:
page:00000000f6d79403 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1df87
flags: 0xfffe0000000200(slab|node=0|zone=1|lastcpupid=0x3fff)
page_type: 0x1()
raw: 00fffe0000000200 ffff888100040800 ffffea000127c210 ffffea00045ad310
raw: 0000000000000000 ffff88801df87000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88801df86f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88801df87000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801df87080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801df87100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801df87180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 14653 at lib/refcount.c:25 refcount_warn_saturate+0x185/0x200
Modules linked in:
CPU: 4 PID: 14653 Comm: kworker/4:8 Tainted: G B 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x185/0x200
Code: 07 31 ff 89 de e8 6b 98 92 fd 84 db 0f 85 2b ff ff ff e8 9e 9c 92 fd 48 c7 c7 40 73 7b 89 c6 05 b6 95 eb 07 01 e8 4b 1c 5b fd <0f> 0b e9 0c ff ff ff e8 7f 9c 92 fd 0f b6 1d a0 95 eb 07 31 ff 89
RSP: 0018:ffffc90009e97cb8 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880465de1c0 RSI: ffffffff814f0e8b RDI: ffffffff814f0e7e
RBP: ffffc90009e97cc8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000c2550 R12: ffff88801df87080
R13: ffff888044fddc08 R14: ffff88801df87080 R15: ffff88811a43d100
FS: 0000000000000000(0000) GS:ffff88811a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000ab45000 CR4: 0000000000350ee0
Call Trace:
<TASK>
sco_sock_timeout+0x1e1/0x240
process_one_work+0x9f0/0x16c0
worker_thread+0x68e/0x10f0
kthread+0x356/0x460
ret_from_fork+0x1f/0x30
</TASK>
irq event stamp: 821585
hardirqs last enabled at (821585): [<ffffffff88f8f95e>] irqentry_exit+0x3e/0x90
hardirqs last disabled at (821584): [<ffffffff88f8e534>] sysvec_apic_timer_interrupt+0x14/0xc0
softirqs last enabled at (821420): [<ffffffff8554fefd>] wg_packet_tx_worker+0x33d/0x780
softirqs last disabled at (821416): [<ffffffff8554fdf5>] wg_packet_tx_worker+0x235/0x780
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 4 PID: 14653 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x200
Modules linked in:
CPU: 4 PID: 14653 Comm: kworker/4:8 Tainted: G B W 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x110/0x200
Code: 1d 4a 96 eb 07 31 ff 89 de e8 dc 98 92 fd 84 db 75 a0 e8 13 9d 92 fd 48 c7 c7 a0 73 7b 89 c6 05 2a 96 eb 07 01 e8 c0 1c 5b fd <0f> 0b eb 84 e8 f7 9c 92 fd 0f b6 1d 13 96 eb 07 31 ff 89 de e8 a7
RSP: 0018:ffffc90009e97cb8 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880465de1c0 RSI: ffffffff814f0e8b RDI: ffffffff814f0e7e
RBP: ffffc90009e97cc8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000c2e38 R12: ffff88801df87080
R13: ffff888044fddc08 R14: ffff88801df87080 R15: ffff88811a43d100
FS: 0000000000000000(0000) GS:ffff88811a400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000ab45000 CR4: 0000000000350ee0
Call Trace:
<TASK>
sco_sock_timeout+0x1f8/0x240
process_one_work+0x9f0/0x16c0
worker_thread+0x68e/0x10f0
kthread+0x356/0x460
ret_from_fork+0x1f/0x30
</TASK>
irq event stamp: 821585
hardirqs last enabled at (821585): [<ffffffff88f8f95e>] irqentry_exit+0x3e/0x90
hardirqs last disabled at (821584): [<ffffffff88f8e534>] sysvec_apic_timer_interrupt+0x14/0xc0
softirqs last enabled at (821420): [<ffffffff8554fefd>] wg_packet_tx_worker+0x33d/0x780
softirqs last disabled at (821416): [<ffffffff8554fdf5>] wg_packet_tx_worker+0x235/0x780
---[ end trace 0000000000000000 ]---