KASAN: use-after-free Read in do_update_region

Fixing
Bug
Opened this issue 2020-05-09 15:10

Bug report:

BUG: KASAN: use-after-free in do_update_region+0x5ba/0x640
Read of size 2 at addr ffff888000100000 by task syz-executor.7/14761

CPU: 0 PID: 14761 Comm: syz-executor.7 Not tainted 4.19.90 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x111/0x19e
print_address_description+0x60/0x223
kasan_report.cold+0xae/0x2d8
do_update_region+0x5ba/0x640
csi_J+0x5fb/0xb20
do_con_trol+0x1d16/0x61b0
do_con_write.part.0+0xf59/0x1dc0
con_write+0x41/0xe0
n_tty_write+0x3fd/0x1070
tty_write+0x458/0x7a0
__vfs_write+0xf9/0x690
vfs_write+0x203/0x560
ksys_write+0x12b/0x2a0
do_syscall_64+0xc3/0x520
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c479
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f2bafb6bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2bafb6c6d4 RCX: 000000000045c479
RDX: 0000000000001878 RSI: 0000000020000840 RDI: 0000000000000003
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000cd9 R14: 00000000004cebd5 R15: 000000000076bf2c

The buggy address belongs to the page:
page:ffffea0000004000 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
flags: 0x0()
raw: 0000000000000000 ffff88807ffdc300 ffff88807ffdc300 0000000000000000
raw: 0000000000000000 0000000000000008 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Reproducer program:

{Threaded:false Collide:false Repeat:false RepeatTimes:0 Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}

r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDSETMODE(r0, 0x4b3a, 0x1)
r1 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$VT_RESIZE(r1, 0x5609, &(0x7f0000000000)={0x4d, 0x1000, 0xf1})
r2 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDSETMODE(r2, 0x4b3a, 0x0)
r3 = syz_open_dev$tty1(0xc, 0x4, 0x1)
write$binfmt_elf32(r3, &(0x7f0000000840)={{0x7f, 0x45, 0x4c, 0x46, 0x5, 0x6, 0x5, 0x9, 0xfffffffffffffffa, 0x3, 0x3, 0x117, 0x45, 0x38, 0x1df, 0x5, 0x4, 0x20, 0x2, 0x1ff, 0x55, 0xfffb}, [{0x4, 0x4, 0x4, 0x1, 0x1, 0x3, 0x7, 0xfff}, {0x3, 0x5, 0x3, 0x1, 0x3f, 0x200, 0x4, 0x7}], "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", [[], [], [], [], [], [], [], []]}, 0x1878)

Comments (2)

ccoder created defect
ccoder set related repository to openEuler/kernel
Hey @ccoder , Welcome to openEuler Community.
All of the projects in openEuler Community are maintained by @openeuler-ci-bot .
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to find the details.

yanzh_h set assignee to XieXiuQi
yanzh_h changed assignee from XieXiuQi to wangxiongfeng
yanzh_h assigned collaborator XieXiuQi
YangYingliang changed issue state from To do to Fixing
