
【kernel fuzz】【syzkaller】20.03 LTS kernel fuzz use-after-free Bug

Backlog
Bug
Opened this issue 2021-01-20 15:55

The kernel fuzz run hit a 'KASAN: use-after-free Read in tasklet_action_common' bug. The detailed log follows:

Syzkaller hit 'KASAN: use-after-free Read in tasklet_action_common' bug.

==================================================================
BUG: KASAN: use-after-free in tasklet_action_common.isra.0+0x88/0x1a8
Read of size 8 at addr ffffd649cd1ac6d0 by task ksoftirqd/0/9

CPU: 0 PID: 9 Comm: ksoftirqd/0 Kdump: loaded Not tainted 4.19.90 #1
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
dump_backtrace+0x0/0x2b8
show_stack+0x28/0x38
dump_stack+0xd4/0x12c
print_address_description+0x6c/0x264
kasan_report+0x198/0x330
__asan_load8+0x84/0xa8
tasklet_action_common.isra.0+0x88/0x1a8
tasklet_action+0x2c/0x38
__do_softirq+0x190/0x4b4
irq_exit+0x170/0x1a0
__handle_domain_irq+0xa0/0x110
gic_handle_irq+0x140/0x1e4
el1_irq+0xb8/0x140
__schedule+0x7c/0xab8
schedule+0x44/0xc8
smpboot_thread_fn+0x240/0x310
kthread+0x18c/0x1d8
ret_from_fork+0x10/0x18

Allocated by task 2855:
kasan_kmalloc.part.0+0x50/0x118
kasan_kmalloc+0xb0/0xc8
kmem_cache_alloc_trace+0x100/0x208
bcm_tx_setup+0x328/0x988 [can_bcm]
bcm_sendmsg+0x240/0x810 [can_bcm]
sock_sendmsg+0x80/0xb0
___sys_sendmsg+0x490/0x4e8
__sys_sendmsg+0xe4/0x170
__arm64_sys_sendmsg+0x54/0x68
el0_svc_common+0xb4/0x1d0
el0_svc_handler+0x50/0xa0
el0_svc+0x8/0x1b0

Freed by task 2855:
__kasan_slab_free+0x11c/0x230
kasan_slab_free+0x10/0x18
kfree+0x78/0x1d0
bcm_remove_op+0x168/0x178 [can_bcm]
bcm_release+0x9c/0x340 [can_bcm]
__sock_release+0x80/0x158
sock_close+0x28/0x38
__fput+0x13c/0x318
____fput+0x24/0x30
task_work_run+0x118/0x1b8
do_notify_resume+0x1a8/0x3d8
work_pending+0x8/0x10

The buggy address belongs to the object at ffffd649cd1ac600
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 208 bytes inside of
1024-byte region [ffffd649cd1ac600, ffffd649cd1aca00)
The buggy address belongs to the page:
page:ffff7ff592734680 count:1 mapcount:0 mapping:ffffd649c001f600 index:0x0
flags: 0x7ffff0000000100(slab)
raw: 07ffff0000000100 dead000000000100 dead000000000200 ffffd649c001f600
raw: 0000000000000000 0000000080380038 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffffd649cd1ac580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffffd649cd1ac600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffffd649cd1ac680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
ffffd649cd1ac700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffffd649cd1ac780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 0 PID: 9 at lib/refcount.c:156 refcount_inc_checked+0x64/0x70
Modules linked in: can_bcm can ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel geneve ip6_udp_tunnel udp_tunnel macsec macvtap tap ipvlan macvlan 8021q garp mrp veth nlmon dummy team bonding vcan ip6_gre ip6_tunnel tunnel6 gre ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_nat nf_nat_ipv6 ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat_ipv4 nf_nat iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rfkill ip_set nfnetlink ip6table_filter ip6_tables iptable_filter vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce sha256_arm64 sha1_ce sch_fq_codel ip_tables ext4 mbcache jbd2 virtio_gpu virtio_net net_failover
failover virtio_blk virtio_pci virtio_mmio dm_mirror dm_region_hash dm_log dm_mod virtio_rng virtio_ring virtio
CPU: 0 PID: 9 Comm: ksoftirqd/0 Kdump: loaded Tainted: G B 4.19.90 #1
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40400005 (nZcv daif +PAN -UAO)
pc : refcount_inc_checked+0x64/0x70
lr : refcount_inc_checked+0x64/0x70
sp : ffffd649f5b93bf0
x29: ffffd649f5b93bf0 x28: ffffd649dc9c0c80
x27: 0000000000000000 x26: ffffd649cd1ac768
x25: ffffd649cd1ac7f8 x24: ffffd649cd1ac750
x23: 0000000000000000 x22: ffffd649cd1acf00
x21: ffffd649c29f3800 x20: ffffd649c4edc080
x19: ffff2000387ce706 x18: 0000000000000000
x17: 0000000000000000 x16: ffff2000364f91d0
x15: 0000000000000000 x14: 1ffffac93eb72672
x13: 0000000041b58ab3 x12: 1ffffac93eb726cc
x11: ffff1ac93eb726cc x10: dfff200000000000
x9 : ffff1ac93eb726cd x8 : 0000e536c148d93d
x7 : 000000000000000a x6 : ffffd649f5b93667
x5 : 0000000000000001 x4 : 0000000000000000
x3 : 1ffffac93eb6eff9 x2 : ffff1ac93eb72746
x1 : cb355596ec367800 x0 : 0000000000000000
Call trace:
refcount_inc_checked+0x64/0x70
bcm_can_tx+0x1bc/0x290 [can_bcm]
bcm_tx_timeout_tsklet+0x124/0x188 [can_bcm]
tasklet_action_common.isra.0+0x100/0x1a8
tasklet_action+0x2c/0x38
__do_softirq+0x190/0x4b4
irq_exit+0x170/0x1a0
__handle_domain_irq+0xa0/0x110
gic_handle_irq+0x140/0x1e4
el1_irq+0xb8/0x140
__schedule+0x7c/0xab8
schedule+0x44/0xc8
smpboot_thread_fn+0x240/0x310
kthread+0x18c/0x1d8
ret_from_fork+0x10/0x18
---[ end trace c35f39ac438a9074 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 9 at lib/refcount.c:190 refcount_sub_and_test_checked+0xe4/0xf0
Modules linked in: can_bcm can ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel geneve ip6_udp_tunnel udp_tunnel macsec macvtap tap ipvlan macvlan 8021q garp mrp veth nlmon dummy team bonding vcan ip6_gre ip6_tunnel tunnel6 gre ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_nat nf_nat_ipv6 ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat_ipv4 nf_nat iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rfkill ip_set nfnetlink ip6table_filter ip6_tables iptable_filter vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce sha256_arm64 sha1_ce sch_fq_codel ip_tables ext4 mbcache jbd2 virtio_gpu virtio_net net_failover
failover virtio_blk virtio_pci virtio_mmio dm_mirror dm_region_hash dm_log dm_mod virtio_rng virtio_ring virtio
CPU: 0 PID: 9 Comm: ksoftirqd/0 Kdump: loaded Tainted: G B W 4.19.90 #1
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40400005 (nZcv daif +PAN -UAO)
pc : refcount_sub_and_test_checked+0xe4/0xf0
lr : refcount_sub_and_test_checked+0xe4/0xf0
sp : ffffd649f5b93890
x29: ffffd649f5b93890 x28: 0000000000000000
x27: 0000000000000000 x26: 0000000000000010
x25: ffff2000382f57f0 x24: 0000000000000000
x23: 0000000000000005 x22: 00000000ffffffff
x21: 0000000000000001 x20: ffff2000387ce706
x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: ffff2000364f91d0
x15: 0000000000000000 x14: 1ffffac93eb72606
x13: 0000000041b58ab3 x12: 1ffffac93eb72660
x11: ffff1ac93eb72660 x10: dfff200000000000
x9 : ffff1ac93eb72661 x8 : 0000e536c148d9a9
x7 : 000000000000000a x6 : ffffd649f5b93307
x5 : 0000000000000001 x4 : 0000000000000000
x3 : 1ffffac93eb6eff9 x2 : ffff1ac93eb726da
x1 : cb355596ec367800 x0 : 0000000000000000
Call trace:
refcount_sub_and_test_checked+0xe4/0xf0
refcount_dec_and_test_checked+0x20/0x30
sock_efree+0x30/0x68
skb_release_head_state+0xc4/0x1b0
skb_release_all+0x24/0x50
consume_skb+0x5c/0x148
vcan_tx+0x2c4/0x300 [vcan]
dev_hard_start_xmit+0xf4/0x368
__dev_queue_xmit+0xeec/0x10a0
dev_queue_xmit+0x28/0x38
can_send+0x170/0x358 [can]
bcm_can_tx+0x1ec/0x290 [can_bcm]
bcm_tx_timeout_tsklet+0x124/0x188 [can_bcm]
tasklet_action_common.isra.0+0x100/0x1a8
tasklet_action+0x2c/0x38
__do_softirq+0x190/0x4b4
irq_exit+0x170/0x1a0
__handle_domain_irq+0xa0/0x110
gic_handle_irq+0x140/0x1e4
el1_irq+0xb8/0x140
__schedule+0x7c/0xab8
schedule+0x44/0xc8
smpboot_thread_fn+0x240/0x310
kthread+0x18c/0x1d8
ret_from_fork+0x10/0x18
---[ end trace c35f39ac438a9075 ]---
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000128
Mem abort info:
ESR = 0x96000005
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000005
CM = 0, WnR = 0
user pgtable: 64k pages, 48-bit VAs, pgdp = 00000000f33a1070
[0000000000000128] pgd=0000000000000000, pud=0000000000000000
Internal error: Oops: 96000005 [#1] SMP
Modules linked in: can_bcm can ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel geneve ip6_udp_tunnel udp_tunnel macsec macvtap tap ipvlan macvlan 8021q garp mrp veth nlmon dummy team bonding vcan ip6_gre ip6_tunnel tunnel6 gre ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge stp llc ebtables ip6table_nat nf_nat_ipv6 ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat_ipv4 nf_nat iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rfkill ip_set nfnetlink ip6table_filter ip6_tables iptable_filter vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce sha256_arm64 sha1_ce sch_fq_codel ip_tables ext4 mbcache jbd2 virtio_gpu virtio_net net_failover
failover virtio_blk virtio_pci virtio_mmio dm_mirror dm_region_hash dm_log dm_mod virtio_rng virtio_ring virtio
Process ksoftirqd/0 (pid: 9, stack limit = 0x00000000b43f6b29)
CPU: 0 PID: 9 Comm: ksoftirqd/0 Kdump: loaded Tainted: G B W 4.19.90 #1
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40c00005 (nZcv daif +PAN +UAO)
pc : dev_get_by_index+0x2c/0xe0
lr : dev_get_by_index+0x2c/0xe0
sp : ffffd649c11e7b10
x29: ffffd649c11e7b10 x28: ffff2000382f3000
x27: 0000000000000000 x26: ffffd64984f59ee8
x25: ffffd64984f59f78 x24: ffffd64984f59ed0
x23: 0000000000000010 x22: ffffd64984f59ec4
x21: ffffd64984f59000 x20: 0000000000000006
x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: ffff2000370a9400
x15: 0000000000000000 x14: ffff2000365b18e4
x13: ffff20003726bd74 x12: 1ffffac93bdbb642
x11: ffff1ac93bdbb642 x10: dfff200000000000
x9 : ffff1ac93bdbb643 x8 : 0000000041b58ab3
x7 : 000000000000000c x6 : 0000000041b58ab3
x5 : dfff200000000000 x4 : ffff1ac93823cf7c
x3 : ffff2000370a942c x2 : ffff200038abc000
x1 : cb355596ec367800 x0 : 0000000000000000
Call trace:
dev_get_by_index+0x2c/0xe0
bcm_can_tx+0xa0/0x290 [can_bcm]
bcm_tx_timeout_tsklet+0x124/0x188 [can_bcm]
tasklet_action_common.isra.0+0x100/0x1a8
tasklet_action+0x2c/0x38
__do_softirq+0x190/0x4b4
run_ksoftirqd+0x50/0x68
smpboot_thread_fn+0x1bc/0x310
kthread+0x18c/0x1d8
ret_from_fork+0x10/0x18
Code: d503201f 97d60d1e 9104a260 97dda5ae (f9409673)
SMP: stopping secondary CPUs
Starting crashdump kernel...
Bye!

Comments (1)

heruxiao created defect
heruxiao set related repository to openEuler/kernel

Hey KeyboardXia, Welcome to openEuler Community.
All of the projects in openEuler Community are maintained by @openeuler-ci-bot.
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/openeuler/community/blob/master/en/sig-infrastructure/command.md to find the details.

heruxiao set assignee to XieXiuQi
