KASAN: use-after-free Read in corrupted (4)
55 views
Skip to first unread message
syzbot
Aug 11, 2020, 3:47:21 PM8/11/20
Hello,
syzbot found the following issue on:
HEAD commit: d6efb3ac Merge tag 'tty-5.9-rc1' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172b6976900000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff87594cecb7e666
dashboard link: https://syzkaller.appspot.com/bug?extid=48135e34de22e3a82c99
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1373613a900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41d0/0x5640 kernel/locking/lockdep.c:4296
Read of size 8 at addr ffff8880936320a0 by task syz-executor.0/6858
CPU: 1 PID: 6858 Comm: syz-executor.0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
dump_sta
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following issue on:
HEAD commit: d6efb3ac Merge tag 'tty-5.9-rc1' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172b6976900000
kernel config: https://syzkaller.appspot.com/x/.config?x=ff87594cecb7e666
dashboard link: https://syzkaller.appspot.com/bug?extid=48135e34de22e3a82c99
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1373613a900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41d0/0x5640 kernel/locking/lockdep.c:4296
Read of size 8 at addr ffff8880936320a0 by task syz-executor.0/6858
CPU: 1 PID: 6858 Comm: syz-executor.0 Not tainted 5.8.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
dump_sta
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
May 23, 2022, 2:01:22 AM5/23/22
syzbot has found a reproducer for the following issue on:
HEAD commit: eaea45fc0e7b Merge tag 'perf-tools-fixes-for-v5.18-2022-05..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1315c161f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=902c5209311d387c
dashboard link: https://syzkaller.appspot.com/bug?extid=48135e34de22e3a82c99
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a076d6f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f76a3df00000
The issue was bisected to:
commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
Author: Linus Torvalds <[email protected]>
Date: Sun Feb 19 22:34:00 2017 +0000
Linux 4.10
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=128bb53a900000
final oops: https://syzkaller.appspot.com/x/report.txt?x=118bb53a900000
console output: https://syzkaller.appspot.com/x/log.txt?x=168bb53a900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
Fixes: c470abd4fde4 ("Linux 4.10")
traps: syz-executor229[3615] general protection fault ip:7feb96eb56a1 sp:20000fd0 error:0 in syz-executor2295634012[7feb96e75000+84000]
HEAD commit: eaea45fc0e7b Merge tag 'perf-tools-fixes-for-v5.18-2022-05..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1315c161f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=902c5209311d387c
dashboard link: https://syzkaller.appspot.com/bug?extid=48135e34de22e3a82c99
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a076d6f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12f76a3df00000
The issue was bisected to:
commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
Author: Linus Torvalds <[email protected]>
Date: Sun Feb 19 22:34:00 2017 +0000
Linux 4.10
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=128bb53a900000
final oops: https://syzkaller.appspot.com/x/report.txt?x=118bb53a900000
console output: https://syzkaller.appspot.com/x/log.txt?x=168bb53a900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
traps: syz-executor229[3615] general protection fault ip:7feb96eb56a1 sp:20000fd0 error:0 in syz-executor2295634012[7feb96e75000+84000]
Hillf Danton
May 23, 2022, 3:09:39 AM5/23/22
to syzbot, [email protected], [email protected]
On Sun, 22 May 2022 16:01:21 -0700
The console output attached is too scarce to debug the uaf, so ask syzbot to
produce one.
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
produce one.
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
syzbot
May 23, 2022, 3:27:08 AM5/23/22
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 4b0986a3 Linux 5.18
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=facb2be252153c68
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-and-tested-by: [email protected]
Tested on:
commit: 4b0986a3 Linux 5.18
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=facb2be252153c68
dashboard link: https://syzkaller.appspot.com/bug?extid=48135e34de22e3a82c99
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: no patches were applied.
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
Note: testing is done by a robot and is best-effort only.
Linus Torvalds
May 23, 2022, 6:56:38 AM5/23/22
to syzbot, [email protected], David Miller, [email protected], Johan Hedberg, linux-bluetooth, Linux Kbuild mailing list, Linux Kernel Mailing List, Marcel Holtmann, Ingo Molnar, Michal Marek, Netdev, Peter Zijlstra, syzkaller-bugs, Will Deacon
On Sun, May 22, 2022 at 4:01 PM syzbot
<[email protected]> wrote:
>
> The issue was bisected to:
>
> commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
> Author: Linus Torvalds <[email protected]>
> Date: Sun Feb 19 22:34:00 2017 +0000
>
> Linux 4.10
Heh. That looks very unlikely, so the bisection seems to sadly have
<[email protected]> wrote:
>
> The issue was bisected to:
>
> commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
> Author: Linus Torvalds <[email protected]>
> Date: Sun Feb 19 22:34:00 2017 +0000
>
> Linux 4.10
failed at some point.
At least one of the KASAN reports (that "final oops") does look very
much like the bug fixed by commit 1bff51ea59a9 ("Bluetooth: fix
use-after-free error in lock_sock_nested()"), so this may already be
fixed, but who knows...
But that "update Makefile to 4.10" is not the cause...
Linus
Aleksandr Nogikh
Jun 1, 2022, 4:51:28 PM6/1/22
to Linus Torvalds, syzbot, [email protected], David Miller, [email protected], Johan Hedberg, linux-bluetooth, Linux Kbuild mailing list, Linux Kernel Mailing List, Marcel Holtmann, Ingo Molnar, Michal Marek, Netdev, Peter Zijlstra, syzkaller-bugs, Will Deacon, Dmitry Vyukov, Aleksandr Nogikh
Hi Linus,
Thank you for looking at the syzbot's email!
The bisection info was indeed included in this case by mistake. We have fixed this, now the bot should not mention bisections that point to release commits and thefefore won't be pinging you as the commit author.
Best Regards,
Aleksandr
Thank you for looking at the syzbot's email!
The bisection info was indeed included in this case by mistake. We have fixed this, now the bot should not mention bisections that point to release commits and thefefore won't be pinging you as the commit author.
Best Regards,
Aleksandr
Reply all
Reply to author
Forward
0 new messages