syzbot
2017-11-24 07:36:00 UTC
Hello,
syzkaller hit the following crash on
97530111c84b3a64d91289d4592b50618bfc1f4e
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
------------[ cut here ]------------
==================================================================
BUG: KASAN: use-after-free in file_has_perm+0x451/0x5d0
security/selinux/hooks.c:1843
Read of size 4 at addr ffff8801ce9fbb60 by task syz-executor1/27609
CPU: 0 PID: 27609 Comm: syz-executor1 Not tainted 4.14.0-rc8-mm1+ #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
file_has_perm+0x451/0x5d0 security/selinux/hooks.c:1843
selinux_file_fcntl+0xe7/0x150 security/selinux/hooks.c:3693
security_file_fcntl+0x7d/0xb0 security/security.c:948
SYSC_fcntl fs/fcntl.c:461 [inline]
SyS_fcntl+0x8e/0x120 fs/fcntl.c:448
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452879
RSP: 002b:00007f7cc8dfabe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879
RDX: 0000000000042000 RSI: 0000000000000004 RDI: 0000000000000014
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007f7cc8dfb9c0 R15: 0000000000000000
Allocated by task 30292:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3548
kmem_cache_zalloc include/linux/slab.h:693 [inline]
file_alloc_security security/selinux/hooks.c:369 [inline]
selinux_file_alloc_security+0xae/0x190 security/selinux/hooks.c:3455
security_file_alloc+0x6d/0xa0 security/security.c:873
get_empty_filp+0x189/0x4f0 fs/file_table.c:129
path_openat+0xed/0x3530 fs/namei.c:3505
do_filp_open+0x25b/0x3b0 fs/namei.c:3563
do_sys_open+0x502/0x6d0 fs/open.c:1059
SYSC_open fs/open.c:1077 [inline]
SyS_open+0x2d/0x40 fs/open.c:1072
entry_SYSCALL_64_fastpath+0x1f/0x96
Freed by task 30292:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3492 [inline]
kmem_cache_free+0x77/0x280 mm/slab.c:3750
file_free_security security/selinux/hooks.c:384 [inline]
selinux_file_free_security+0x49/0x60 security/selinux/hooks.c:3460
security_file_free+0x48/0x80 security/security.c:878
__fput+0x340/0x7f0 fs/file_table.c:211
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
The buggy address belongs to the object at ffff8801ce9fbb60
which belongs to the cache selinux_file_security of size 16
The buggy address is located 0 bytes inside of
16-byte region [ffff8801ce9fbb60, ffff8801ce9fbb70)
The buggy address belongs to the page:
page:ffffea00073a7ec0 count:1 mapcount:0 mapping:ffff8801ce9fb000
index:0xffff8801ce9fbf84
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801ce9fb000 ffff8801ce9fbf84 000000010000005d
raw: ffff8801db214840 ffffea0007342860 ffff8801db213240 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801ce9fba00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
ffff8801ce9fba80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
ffff8801ce9fbb80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
ffff8801ce9fbc00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to ***@googlegroups.com.
Please credit me with: Reported-by: syzbot <***@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller hit the following crash on
97530111c84b3a64d91289d4592b50618bfc1f4e
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
------------[ cut here ]------------
==================================================================
BUG: KASAN: use-after-free in file_has_perm+0x451/0x5d0
security/selinux/hooks.c:1843
Read of size 4 at addr ffff8801ce9fbb60 by task syz-executor1/27609
CPU: 0 PID: 27609 Comm: syz-executor1 Not tainted 4.14.0-rc8-mm1+ #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
file_has_perm+0x451/0x5d0 security/selinux/hooks.c:1843
selinux_file_fcntl+0xe7/0x150 security/selinux/hooks.c:3693
security_file_fcntl+0x7d/0xb0 security/security.c:948
SYSC_fcntl fs/fcntl.c:461 [inline]
SyS_fcntl+0x8e/0x120 fs/fcntl.c:448
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452879
RSP: 002b:00007f7cc8dfabe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000048
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879
RDX: 0000000000042000 RSI: 0000000000000004 RDI: 0000000000000014
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007f7cc8dfb9c0 R15: 0000000000000000
Allocated by task 30292:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3548
kmem_cache_zalloc include/linux/slab.h:693 [inline]
file_alloc_security security/selinux/hooks.c:369 [inline]
selinux_file_alloc_security+0xae/0x190 security/selinux/hooks.c:3455
security_file_alloc+0x6d/0xa0 security/security.c:873
get_empty_filp+0x189/0x4f0 fs/file_table.c:129
path_openat+0xed/0x3530 fs/namei.c:3505
do_filp_open+0x25b/0x3b0 fs/namei.c:3563
do_sys_open+0x502/0x6d0 fs/open.c:1059
SYSC_open fs/open.c:1077 [inline]
SyS_open+0x2d/0x40 fs/open.c:1072
entry_SYSCALL_64_fastpath+0x1f/0x96
Freed by task 30292:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3492 [inline]
kmem_cache_free+0x77/0x280 mm/slab.c:3750
file_free_security security/selinux/hooks.c:384 [inline]
selinux_file_free_security+0x49/0x60 security/selinux/hooks.c:3460
security_file_free+0x48/0x80 security/security.c:878
__fput+0x340/0x7f0 fs/file_table.c:211
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
The buggy address belongs to the object at ffff8801ce9fbb60
which belongs to the cache selinux_file_security of size 16
The buggy address is located 0 bytes inside of
16-byte region [ffff8801ce9fbb60, ffff8801ce9fbb70)
The buggy address belongs to the page:
page:ffffea00073a7ec0 count:1 mapcount:0 mapping:ffff8801ce9fb000
index:0xffff8801ce9fbf84
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801ce9fb000 ffff8801ce9fbf84 000000010000005d
raw: ffff8801db214840 ffffea0007342860 ffff8801db213240 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801ce9fba00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
ffff8801ce9fba80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
ffff8801ce9fbb00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
^ffff8801ce9fbb80: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
ffff8801ce9fbc00: fb fb fc fc fb fb fc fc fb fb fc fc fb fb fc fc
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to ***@googlegroups.com.
Please credit me with: Reported-by: syzbot <***@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.