Re: KASAN: slab-use-after-free Read in hci_conn_hash_flush

From: Luiz Augusto von Dentz
Date: Tue Sep 12 2023 - 20:04:27 EST

Next message: Dmitry Osipenko: "Re: [PATCH v16 09/20] drm/shmem-helper: Remove obsoleted is_iomem test"
Previous message: Haitao Shan: "[PATCH v3] KVM: x86: Fix lapic timer interrupt lost after loading a snapshot."
In reply to: Sanan Hasanov: "KASAN: slab-use-after-free Read in hci_conn_hash_flush"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Sanan,

On Tue, Sep 12, 2023 at 4:02 PM Sanan Hasanov <Sanan.Hasanov@xxxxxxx> wrote:
>
> Good day, dear maintainers,
>
> We found a bug using a modified kernel configuration file used by syzbot.
>
> We enhanced the coverage of the configuration file using our tool, klocalizer.
>
> Kernel Branch: 6.3.0-next-20230426
> Kernel Config: https://drive.google.com/file/d/19nzVDVMtaTo8fv7RMtXDGYQzeRnNpp-r/view?usp=sharing
> Reproducer: https://drive.google.com/file/d/1vzoYO_aW6XQqR6NAaJqvacOcJy9J6R-0/view?usp=sharing
>
> Thank you!
>
> Best regards,
> Sanan Hasanov
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in hci_conn_hash_flush+0x1fa/0x230
> Read of size 8 at addr ffff8880780da000 by task syz-executor.7/5990
>
> CPU: 3 PID: 5990 Comm: syz-executor.7 Not tainted 6.3.0-next-20230426 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x178/0x260
> print_report+0xc1/0x5e0
> kasan_report+0xc0/0xf0
> hci_conn_hash_flush+0x1fa/0x230
> hci_dev_close_sync+0x5c2/0x1060
> hci_unregister_dev+0x1ce/0x4a0
> vhci_release+0x80/0xf0
> __fput+0x27c/0xa90
> task_work_run+0x168/0x260
> do_exit+0xbd9/0x2b20
> do_group_exit+0xd4/0x2a0
> __x64_sys_exit_group+0x3e/0x50
> do_syscall_64+0x39/0x80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7ff463e8edcd
> Code: Unable to access opcode bytes at 0x7ff463e8eda3.
> RSP: 002b:00007ffde1873c18 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00007ffde1874480 RCX: 00007ff463e8edcd
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
> RBP: 0000000000000003 R08: 0000000000000026 R09: 00007ffde1874480
> R10: 0000000000000026 R11: 0000000000000202 R12: 0000000000000000
> R13: 00007ff463eeba70 R14: 0000000000000002 R15: 00007ffde18744c0
> </TASK>
>
> Allocated by task 24391:
> kasan_save_stack+0x22/0x40
> kasan_set_track+0x25/0x30
> __kasan_kmalloc+0x7c/0x90
> hci_conn_add+0xa5/0x1570
> hci_connect_sco+0x3e4/0xf50
> sco_sock_connect+0x2c0/0x9c0
> __sys_connect_file+0x153/0x1a0
> __sys_connect+0x165/0x1a0
> __x64_sys_connect+0x72/0xb0
> do_syscall_64+0x39/0x80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Freed by task 5990:
> kasan_save_stack+0x22/0x40
> kasan_set_track+0x25/0x30
> kasan_save_free_info+0x2b/0x40
> ____kasan_slab_free+0x120/0x180
> __kmem_cache_free+0xcf/0x280
> device_release+0xa3/0x240
> kobject_put+0x175/0x270
> put_device+0x1f/0x30
> hci_conn_del+0x2df/0x860
> hci_conn_unlink+0x25b/0x3e0
> hci_conn_unlink+0x2ef/0x3e0
> hci_conn_hash_flush+0x18d/0x230
> hci_dev_close_sync+0x5c2/0x1060
> hci_unregister_dev+0x1ce/0x4a0
> vhci_release+0x80/0xf0
> __fput+0x27c/0xa90
> task_work_run+0x168/0x260
> do_exit+0xbd9/0x2b20
> do_group_exit+0xd4/0x2a0
> __x64_sys_exit_group+0x3e/0x50
> do_syscall_64+0x39/0x80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Last potentially related work creation:
> kasan_save_stack+0x22/0x40
> __kasan_record_aux_stack+0x60/0x70
> insert_work+0x48/0x360
> __queue_work+0x5bc/0xfe0
> __queue_delayed_work+0x1c8/0x270
> queue_delayed_work_on+0x162/0x1c0
> sco_chan_del+0x1db/0x430
> __sco_sock_close+0x11f/0x640
> sco_sock_release+0x9f/0x2d0
> __sock_release+0xcd/0x290
> sock_close+0x1c/0x20
> __fput+0x27c/0xa90
> task_work_run+0x168/0x260
> get_signal+0x1cb/0x2460
> arch_do_signal_or_restart+0x79/0x5a0
> exit_to_user_mode_prepare+0x128/0x1e0
> syscall_exit_to_user_mode+0x1a/0x40
> do_syscall_64+0x46/0x80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> The buggy address belongs to the object at ffff8880780da000
> which belongs to the cache kmalloc-4k of size 4096
> The buggy address is located 0 bytes inside of
> freed 4096-byte region [ffff8880780da000, ffff8880780db000)
>
> The buggy address belongs to the physical page:
> page:00000000fca63b13 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x780da
> head:00000000fca63b13 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfffe0000010200(slab|head|node=0|zone=1|lastcpupid=0x3fff)
> page_type: 0x1()
> raw: 00fffe0000010200 ffff888100040900 ffffea000438c110 ffffea0001323210
> raw: 0000000000000000 ffff8880780da000 0000000100000001 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8880780d9f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff8880780d9f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> >ffff8880780da000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff8880780da080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880780da100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
> general protection fault, probably for non-canonical address 0xe0b5dc4c800002ec: 0000 [#1] PREEMPT SMP KASAN
> KASAN: maybe wild-memory-access in range [0x05af026400001760-0x05af026400001767]
> CPU: 3 PID: 5990 Comm: syz-executor.7 Tainted: G B 6.3.0-next-20230426 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:__list_del_entry_valid+0x91/0x1b0
> Code: de 48 39 c2 0f 84 80 00 00 00 48 b8 22 01 00 00 00 00 ad de 48 39 c1 74 7f 48 b8 00 00 00 00 00 fc ff df 48 89 cf 48 c1 ef 03 <80> 3c 07 00 0f 85 e7 00 00 00 4c 8b 01 49 39 f0 75 6d 48 8d 7a 08
> RSP: 0018:ffffc9000d81fae0 EFLAGS: 00010213
> RAX: dffffc0000000000 RBX: ffff8880780da000 RCX: 05af026400001766
> RDX: ffff888046d06800 RSI: ffff8880780da000 RDI: 00b5e04c800002ec
> RBP: ffff8880780da260 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: ffffffff88e0008b R12: ffff8880780da008
> R13: ffff8880780da260 R14: dffffc0000000000 R15: ffff88805f51c000
> FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055d74eb5c6a0 CR3: 000000010e5b2000 CR4: 0000000000350ee0
> Call Trace:
> <TASK>
> hci_conn_cleanup+0x15d/0x7e0
> hci_conn_del+0x2df/0x860
> hci_conn_hash_flush+0x195/0x230
> hci_dev_close_sync+0x5c2/0x1060
> hci_unregister_dev+0x1ce/0x4a0
> vhci_release+0x80/0xf0
> __fput+0x27c/0xa90
> task_work_run+0x168/0x260
> do_exit+0xbd9/0x2b20
> do_group_exit+0xd4/0x2a0
> __x64_sys_exit_group+0x3e/0x50
> do_syscall_64+0x39/0x80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7ff463e8edcd
> Code: Unable to access opcode bytes at 0x7ff463e8eda3.
> RSP: 002b:00007ffde1873c18 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 00007ffde1874480 RCX: 00007ff463e8edcd
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
> RBP: 0000000000000003 R08: 0000000000000026 R09: 00007ffde1874480
> R10: 0000000000000026 R11: 0000000000000202 R12: 0000000000000000
> R13: 00007ff463eeba70 R14: 0000000000000002 R15: 00007ffde18744c0
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:__list_del_entry_valid+0x91/0x1b0
> Code: de 48 39 c2 0f 84 80 00 00 00 48 b8 22 01 00 00 00 00 ad de 48 39 c1 74 7f 48 b8 00 00 00 00 00 fc ff df 48 89 cf 48 c1 ef 03 <80> 3c 07 00 0f 85 e7 00 00 00 4c 8b 01 49 39 f0 75 6d 48 8d 7a 08
> RSP: 0018:ffffc9000d81fae0 EFLAGS: 00010213
> RAX: dffffc0000000000 RBX: ffff8880780da000 RCX: 05af026400001766
> RDX: ffff888046d06800 RSI: ffff8880780da000 RDI: 00b5e04c800002ec
> RBP: ffff8880780da260 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: ffffffff88e0008b R12: ffff8880780da008
> R13: ffff8880780da260 R14: dffffc0000000000 R15: ffff88805f51c000
> FS: 0000000000000000(0000) GS:ffff88811a180000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055d74eb5c6a0 CR3: 000000010e5b2000 CR4: 0000000000350ee0
> ----------------
> Code disassembly (best guess), 1 bytes skipped:
> 0: 48 39 c2 cmp %rax,%rdx
> 3: 0f 84 80 00 00 00 je 0x89
> 9: 48 b8 22 01 00 00 00 movabs $0xdead000000000122,%rax
> 10: 00 ad de
> 13: 48 39 c1 cmp %rax,%rcx
> 16: 74 7f je 0x97
> 18: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> 1f: fc ff df
> 22: 48 89 cf mov %rcx,%rdi
> 25: 48 c1 ef 03 shr $0x3,%rdi
> * 29: 80 3c 07 00 cmpb $0x0,(%rdi,%rax,1) <-- trapping instruction
> 2d: 0f 85 e7 00 00 00 jne 0x11a
> 33: 4c 8b 01 mov (%rcx),%r8
> 36: 49 39 f0 cmp %rsi,%r8
> 39: 75 6d jne 0xa8
> 3b: 48 8d 7a 08 lea 0x8(%rdx),%rdi

Are you guys checking if these bugs have not been fixed already, for
example this one I suspect has been fixed by:

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=a2ac591cb4d83e1f2d4b4adb3c14b2c79764650a

--
Luiz Augusto von Dentz

Next message: Dmitry Osipenko: "Re: [PATCH v16 09/20] drm/shmem-helper: Remove obsoleted is_iomem test"
Previous message: Haitao Shan: "[PATCH v3] KVM: x86: Fix lapic timer interrupt lost after loading a snapshot."
In reply to: Sanan Hasanov: "KASAN: slab-use-after-free Read in hci_conn_hash_flush"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]