"KASAN: slab-out-of-bounds Read in load_misc_binary" in Linux Kernel Version 4.9
From: cheung wall
Date: Sun Dec 01 2024 - 23:31:57 EST
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 4.9.
This issue was discovered using our custom vulnerability discovery
tool.
Affected File: fs/binfmt_misc.c
Function: load_misc_binary
Detailed call trace:
BUG: KASAN: slab-out-of-bounds in check_file fs/binfmt_misc.c:118 [inline] at addr ffff88006a77bb00
BUG: KASAN: slab-out-of-bounds in load_misc_binary+0xe16/0xf90 fs/binfmt_misc.c:145 at addr ffff88006a77bb00
Read of size 1 by task udevd/5098
CPU: 1 PID: 5098 Comm: udevd Not tainted 4.9.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
ffff880060147b20 ffffffff81a9fc59 ffff88006cc013c0 ffff88006a77ba00
ffff88006a77bb00 dffffc0000000000 ffff880060147b48 ffffffff814a67ac
ffff880060147bd8 ffff88006a77ba00 ffff88006cc013c0 ffff880060147bc8
Call Trace:
[<ffffffff81a9fc59>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81a9fc59>] dump_stack+0x83/0xba lib/dump_stack.c:51
[<ffffffff814a67ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:159
[<ffffffff814a6a40>] print_address_description mm/kasan/report.c:197 [inline]
[<ffffffff814a6a40>] kasan_report_error+0x1f0/0x4f0 mm/kasan/report.c:286
[<ffffffff814a6d7e>] kasan_report mm/kasan/report.c:306 [inline]
[<ffffffff814a6d7e>] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:324
[<ffffffff815bc916>] check_file fs/binfmt_misc.c:118 [inline]
[<ffffffff815bc916>] load_misc_binary+0xe16/0xf90 fs/binfmt_misc.c:145
[<ffffffff814ccf1d>] search_binary_handler+0x16d/0x480 fs/exec.c:1582
[<ffffffff814d161b>] exec_binprm fs/exec.c:1624 [inline]
[<ffffffff814d161b>] do_execveat_common.isra.41+0x124b/0x1b20 fs/exec.c:1744
[<ffffffff814d28f2>] do_execve fs/exec.c:1788 [inline]
[<ffffffff814d28f2>] SYSC_execve fs/exec.c:1869 [inline]
[<ffffffff814d28f2>] SyS_execve+0x42/0x50 fs/exec.c:1864
[<ffffffff81005fea>] do_syscall_64+0x18a/0x3b0 arch/x86/entry/common.c:280
[<ffffffff82f8f9eb>] entry_SYSCALL64_slow_path+0x25/0x25
Object at ffff88006a77ba00, in cache kmalloc-256 size: 256
Allocated:
PID = 5093
[ 55.023115] [<ffffffff810794e6>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 55.023748] [<ffffffff814a5b06>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[ 55.024324] [<ffffffff814a5d8d>] set_track mm/kasan/kasan.c:507 [inline]
[ 55.024324] [<ffffffff814a5d8d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
[ 55.024940] [<ffffffff814a1c7d>] kmem_cache_alloc_trace+0xcd/0x180 mm/slub.c:2735
[ 55.025623] [<ffffffff814d0676>] kmalloc include/linux/slab.h:490 [inline]
[ 55.025623] [<ffffffff814d0676>] kzalloc include/linux/slab.h:636 [inline]
[ 55.025623] [<ffffffff814d0676>] do_execveat_common.isra.41+0x2a6/0x1b20 fs/exec.c:1673
[ 55.026362] [<ffffffff814d28f2>] do_execve fs/exec.c:1788 [inline]
[ 55.026362] [<ffffffff814d28f2>] SYSC_execve fs/exec.c:1869 [inline]
[ 55.026362] [<ffffffff814d28f2>] SyS_execve+0x42/0x50 fs/exec.c:1864
[ 55.026964] [<ffffffff81005fea>] do_syscall_64+0x18a/0x3b0 arch/x86/entry/common.c:280
[ 55.027579] [<ffffffff82f8f9eb>] return_from_SYSCALL_64+0x0/0x6a
Freed:
PID = 5093
[ 55.028625] [<ffffffff810794e6>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 55.029239] [<ffffffff814a5b06>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[ 55.029823] [<ffffffff814a6373>] set_track mm/kasan/kasan.c:507 [inline]
[ 55.029823] [<ffffffff814a6373>] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
[ 55.030437] [<ffffffff814a2fb0>] slab_free_hook mm/slub.c:1352 [inline]
[ 55.030437] [<ffffffff814a2fb0>] slab_free_freelist_hook mm/slub.c:1374 [inline]
[ 55.030437] [<ffffffff814a2fb0>] slab_free mm/slub.c:2951 [inline]
[ 55.030437] [<ffffffff814a2fb0>] kfree+0x90/0x190 mm/slub.c:3871
[ 55.030995] [<ffffffff814cb92d>] free_bprm+0x19d/0x200 fs/exec.c:1355
[ 55.031589] [<ffffffff814d180c>] do_execveat_common.isra.41+0x143c/0x1b20 fs/exec.c:1753
[ 55.032311] [<ffffffff814d28f2>] do_execve fs/exec.c:1788 [inline]
[ 55.032311] [<ffffffff814d28f2>] SYSC_execve fs/exec.c:1869 [inline]
[ 55.032311] [<ffffffff814d28f2>] SyS_execve+0x42/0x50 fs/exec.c:1864
[ 55.032891] [<ffffffff81005fea>] do_syscall_64+0x18a/0x3b0 arch/x86/entry/common.c:280
[ 55.033512] [<ffffffff82f8f9eb>] return_from_SYSCALL_64+0x0/0x6a
Memory state around the buggy address:
ffff88006a77ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88006a77ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88006a77bb00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                   ^
ffff88006a77bb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88006a77bc00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
==================================================================
Root Cause:
The root cause appears to be improper memory handling when processing
file structures in the binfmt_misc module. Specifically, the system is
attempting to read beyond the allocated memory for the binary file
structure, leading to a slab-out-of-bounds error. This could be caused
by invalid pointer dereferencing, incorrect bounds checking, or memory
corruption.
We would appreciate it if the kernel maintainers could investigate
this issue further and suggest potential fixes.
Please let us know if you need any additional information or if
further steps are required to reproduce or analyze the issue.
Thank you for your time and attention.
Best regards
Wall
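The report above names incorrect bounds checking in binfmt_misc's magic matching as one possible cause. As an added illustration (not code from the report and not the kernel's own implementation), the C program below shows the shape of the check that keeps a registered magic/mask comparison inside the fixed-size header buffer: an entry's offset and size are validated with a subtraction that cannot wrap before any byte of the buffer is compared. The struct, the MAX_MAGIC cap, the helper names and the sample header bytes are all simplified stand-ins constructed for this example; only BINPRM_BUF_SIZE and the offset/size/magic/mask vocabulary come from the binfmt_misc mechanism the report discusses.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BINPRM_BUF_SIZE 128   /* bytes of the executable's header that get buffered */
#define MAX_MAGIC 64          /* cap on magic/mask length; assumed for this example */

/* Simplified stand-in for a registered binfmt_misc entry (not the kernel's struct). */
struct misc_entry {
    unsigned int offset;              /* where in the header the magic is expected */
    unsigned int size;                /* length of magic[] and mask[] */
    unsigned char magic[MAX_MAGIC];
    unsigned char mask[MAX_MAGIC];
    bool has_mask;
};

/* Registration-time check: the magic window [offset, offset+size) must lie
 * entirely inside the header buffer.  The comparison is written with a
 * subtraction so that a huge offset cannot wrap an "offset + size" addition. */
bool entry_fits_buffer(const struct misc_entry *e)
{
    if (e->size == 0 || e->size > MAX_MAGIC || e->size > BINPRM_BUF_SIZE)
        return false;
    return e->offset <= BINPRM_BUF_SIZE - e->size;
}

/* Compare the entry's magic (under its mask, if any) against a header buffer of
 * exactly BINPRM_BUF_SIZE bytes.  Entries that fail the bounds check never read
 * the buffer at all, so a malformed registration cannot become an out-of-bounds read. */
bool entry_matches(const struct misc_entry *e, const unsigned char *buf)
{
    if (!entry_fits_buffer(e))
        return false;
    const unsigned char *s = buf + e->offset;
    for (unsigned int j = 0; j < e->size; j++) {
        unsigned char diff = s[j] ^ e->magic[j];
        if (e->has_mask)
            diff &= e->mask[j];          /* masked-out bits never cause a mismatch */
        if (diff)
            return false;
    }
    return true;
}

/* Build an entry from constructed magic/mask bytes (helper for the demos). */
static struct misc_entry make_entry(unsigned int offset, const char *magic,
                                    const char *mask, unsigned int size)
{
    struct misc_entry e;
    memset(&e, 0, sizeof(e));
    e.offset = offset;
    e.size = size;
    if (size <= MAX_MAGIC) {
        memcpy(e.magic, magic, size);
        if (mask) {
            memcpy(e.mask, mask, size);
            e.has_mask = true;
        }
    }
    return e;
}

/* Constructed sample header: an ELF-style magic, a class byte of 2, then zeros. */
static void sample_header(unsigned char *buf)
{
    memset(buf, 0, BINPRM_BUF_SIZE);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2;
}

/* Exact (unmasked) magic at offset 0 matches the sample header. */
bool demo_exact_magic_matches(void)
{
    unsigned char buf[BINPRM_BUF_SIZE];
    sample_header(buf);
    struct misc_entry e = make_entry(0, "\x7f" "ELF", NULL, 4);
    return entry_matches(&e, buf);
}

/* Byte 4 of the header is 2, the entry asks for 1, but the mask zeroes that byte. */
bool demo_masked_magic_ignores_masked_byte(void)
{
    unsigned char buf[BINPRM_BUF_SIZE];
    sample_header(buf);
    struct misc_entry e = make_entry(0, "\x7f" "ELF\x01", "\xff\xff\xff\xff\x00", 5);
    return entry_matches(&e, buf);
}

/* A 4-byte window starting 2 bytes before the end would run past the buffer. */
bool demo_window_past_end_is_rejected(void)
{
    unsigned char buf[BINPRM_BUF_SIZE];
    sample_header(buf);
    struct misc_entry e = make_entry(BINPRM_BUF_SIZE - 2, "\0\0\0\0", NULL, 4);
    return !entry_fits_buffer(&e) && !entry_matches(&e, buf);
}

/* offset + size would wrap to a small number; the subtraction form still rejects it. */
bool demo_offset_wraparound_is_rejected(void)
{
    unsigned char buf[BINPRM_BUF_SIZE];
    sample_header(buf);
    struct misc_entry e = make_entry(0xfffffffdu, "\0\0\0\0", NULL, 4);
    return !entry_fits_buffer(&e) && !entry_matches(&e, buf);
}

int main(void)
{
    printf("exact match:        %d\n", demo_exact_magic_matches());
    printf("masked match:       %d\n", demo_masked_magic_ignores_masked_byte());
    printf("overrun rejected:   %d\n", demo_window_past_end_is_rejected());
    printf("wraparound rejected:%d\n", demo_offset_wraparound_is_rejected());
    return 0;
}
```

The point of the example is the ordering: the window check runs once, before the byte loop, and the loop trusts it. If the check were missing or written as an addition that can wrap, the loop's `s[j]` would read past the 128-byte header buffer, which is the kind of slab-out-of-bounds read the KASAN splat above reports.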