Re: KASAN: use-after-free Read in set_page_dirty_lock

To: Ben Hutchings <ben@decadent.org.uk>
Cc: Kaipeng Zeng <kaipeng94@gmail.com>, syzkaller@googlegroups.com, debian-kernel@lists.debian.org, ceph-devel <ceph-devel@vger.kernel.org>
Subject: Re: KASAN: use-after-free Read in set_page_dirty_lock
From: "Yan, Zheng" <ukernel@gmail.com>
Date: Fri, 16 Mar 2018 11:33:45 +0800
Message-id: <[🔎] CAAM7YAnrfC03p7iQ8X+ayDu-1j44PeN1PAbT=TXi63twdMR9QQ@mail.gmail.com>
In-reply-to: <[🔎] 1521131935.2495.114.camel@decadent.org.uk>
References: <[🔎] CAHk8ZdsLV=mMRWw-Cf5PDhFAmLO0oQGoY9b2szbbsgi2W+Ow1A@mail.gmail.com> <[🔎] 1521131935.2495.114.camel@decadent.org.uk>

Thanks for reporting this. the issue should be fixed patch "[PATCH]
ceph: only dirty ITER_IOVEC pages for direct read"

Regards
Yan, Zheng


On Fri, Mar 16, 2018 at 12:38 AM, Ben Hutchings <ben@decadent.org.uk> wrote:
> Cc: ceph-devel@vger.kernel.org
>
> On Thu, 2018-03-15 at 23:10 +0800, Kaipeng Zeng wrote:
>> KASAN: use-after-free Read in set_page_dirty_lock found by syzkaller.
>> Kernel: debian package linux-source-4.14, build with KASAN enable
>> P.S. "/root/tmp" is the mount point of cephfs
>> Log & repro:
>> Syzkaller hit 'KASAN: use-after-free Read in set_page_dirty_lock' bug.
>>
>> ==================================================================
>> BUG: KASAN: use-after-free in __read_once_size
>> include/linux/compiler.h:178 [inline]
>> BUG: KASAN: use-after-free in compound_head
>> include/linux/page-flags.h:147 [inline]
>> BUG: KASAN: use-after-free in trylock_page include/linux/pagemap.h:468 [inline]
>> BUG: KASAN: use-after-free in lock_page include/linux/pagemap.h:478 [inline]
>> BUG: KASAN: use-after-free in set_page_dirty_lock+0x9c/0xa0
>> mm/page-writeback.c:2606
>> Read of size 8 at addr ffff88007bb63ae0 by task syzkaller929525/563
>>
>> CPU: 2 PID: 563 Comm: syzkaller929525 Not tainted 4.14.17 #3
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:17 [inline]
>>  dump_stack+0x7b/0xa4 lib/dump_stack.c:53
>>  print_address_description+0x73/0x270 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351 [inline]
>>  kasan_report+0x254/0x370 mm/kasan/report.c:409
>>  __read_once_size include/linux/compiler.h:178 [inline]
>>  compound_head include/linux/page-flags.h:147 [inline]
>>  trylock_page include/linux/pagemap.h:468 [inline]
>>  lock_page include/linux/pagemap.h:478 [inline]
>>  set_page_dirty_lock+0x9c/0xa0 mm/page-writeback.c:2606
>>  ceph_put_page_vector+0x10b/0x180 [libceph]
>>  ceph_direct_read_write+0x1126/0x1da0 [ceph]
>>  ceph_read_iter+0xc10/0x1280 [ceph]
>>  call_read_iter include/linux/fs.h:1767 [inline]
>>  generic_file_splice_read+0x396/0x610 fs/splice.c:307
>>  do_splice_to+0x104/0x150 fs/splice.c:881
>>  do_splice fs/splice.c:1175 [inline]
>>  SYSC_splice fs/splice.c:1404 [inline]
>>  SyS_splice+0xf58/0x12d0 fs/splice.c:1384
>>  system_call_fast_compare_end+0x12/0x75
>> RIP: 0033:0x4337a9
>> RSP: 002b:00007ffea3f98f78 EFLAGS: 00000216
>>
>> Allocated by task 459:
>>  save_stack+0x33/0xa0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459 [inline]
>>  kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:551
>>  __do_kmalloc mm/slab.c:3726 [inline]
>>  __kmalloc+0x11a/0x620 mm/slab.c:3735
>>  kmalloc include/linux/slab.h:499 [inline]
>>  load_elf_phdrs+0x16d/0x1d0 fs/binfmt_elf.c:431
>>  load_elf_binary+0x930/0x4540 fs/binfmt_elf.c:824
>>  search_binary_handler+0x176/0x4b0 fs/exec.c:1640
>>  exec_binprm fs/exec.c:1682 [inline]
>>  do_execveat_common.isra.30+0xffa/0x1890 fs/exec.c:1804
>>  do_execve fs/exec.c:1849 [inline]
>>  SYSC_execve fs/exec.c:1930 [inline]
>>  SyS_execve+0x39/0x50 fs/exec.c:1925
>>  do_syscall_64+0x1e8/0x4e0 arch/x86/entry/common.c:299
>>  return_from_SYSCALL_64+0x0/0x65
>>
>> Freed by task 459:
>>  save_stack+0x33/0xa0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459 [inline]
>>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>  __cache_free mm/slab.c:3504 [inline]
>>  kfree+0x88/0x110 mm/slab.c:3821
>>  load_elf_binary+0x1952/0x4540 fs/binfmt_elf.c:1096
>>  search_binary_handler+0x176/0x4b0 fs/exec.c:1640
>>  exec_binprm fs/exec.c:1682 [inline]
>>  do_execveat_common.isra.30+0xffa/0x1890 fs/exec.c:1804
>>  do_execve fs/exec.c:1849 [inline]
>>  SYSC_execve fs/exec.c:1930 [inline]
>>  SyS_execve+0x39/0x50 fs/exec.c:1925
>>  do_syscall_64+0x1e8/0x4e0 arch/x86/entry/common.c:299
>>  return_from_SYSCALL_64+0x0/0x65
>>
>> The buggy address belongs to the object at ffff88007bb63ac0
>>  which belongs to the cache kmalloc-512 of size 512
>> The buggy address is located 32 bytes inside of
>>  512-byte region [ffff88007bb63ac0, ffff88007bb63cc0)
>> The buggy address belongs to the page:
>> page:ffffea0001eed8c0 count:1 mapcount:0 mapping:ffff88007bb630c0 index:0x0
>> flags: 0x4ffffc000000100(slab)
>> raw: 04ffffc000000100 ffff88007bb630c0 0000000000000000 0000000100000006
>> raw: ffffea0001eec0e0 ffffea0001d0c220 ffff88002d4002c0 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffff88007bb63980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>  ffff88007bb63a00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>> > ffff88007bb63a80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>>
>>                                                        ^
>>  ffff88007bb63b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff88007bb63b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> Syzkaller reproducer:
>> # {Threaded:false Collide:false Repeat:false Procs:1 Sandbox:
>> Fault:false FaultCall:-1 FaultNth:0 EnableTun:false UseTmpDir:false
>> HandleSegv:false WaitRepeat:false Debug:false Repro:false}
>> mmap(&(0x7f0000000000/0x447000)=nil, 0x447000, 0x3, 0x32,
>> 0xffffffffffffffff, 0x0)
>> pipe$ceph_fops(&(0x7f00001c2000)={0x0, <r0=>0x0})
>> r1 = open$ceph_fops(&(0x7f000007e000)='/root/tmp/test\x00', 0x44000, 0x121)
>> splice$ceph_fops_in(r1, &(0x7f000009c000-0x8)=0x36, r0, 0x0, 0x5, 0x1)
>>
>>
>> C reproducer:
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>
>> #define _GNU_SOURCE
>> #include <endian.h>
>> #include <stdint.h>
>> #include <string.h>
>> #include <sys/syscall.h>
>> #include <unistd.h>
>>
>> long r[2];
>> void loop()
>> {
>>   memset(r, -1, sizeof(r));
>>   syscall(__NR_mmap, 0x20000000, 0x447000, 3, 0x32, -1, 0);
>>   if (syscall(__NR_pipe, 0x201c2000) != -1)
>>     r[0] = *(uint32_t*)0x201c2004;
>>   memcpy((void*)0x2007e000, "/root/tmp/test", 15);
>>   r[1] = syscall(__NR_open, 0x2007e000, 0x44000, 0x121);
>>   *(uint64_t*)0x2009bff8 = 0x36;
>>   syscall(__NR_splice, r[1], 0x2009bff8, r[0], 0, 5, 1);
>> }
>>
>> int main()
>> {
>>   loop();
>>   return 0;
>> }
>>
>>
>> Reproducing stats:
>> Extracting prog: 5h8m47.118307857s
>> Minimizing prog: 35m20.785719207s
>> Simplifying prog options: 0s
>> Extracting C: 35.310144578s
>> Simplifying C: 4m6.310642807s
>>
> --
> Ben Hutchings
> Quantity is no substitute for quality, but it's the only one we've got.

Reply to:

References:
- KASAN: use-after-free Read in set_page_dirty_lock
  - From: Kaipeng Zeng <kaipeng94@gmail.com>
- Re: KASAN: use-after-free Read in set_page_dirty_lock
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Bug#886693: linux: please reinstate ia64 for the linux kernel package
Next by Date: [PATCH] ceph: only dirty ITER_IOVEC pages for direct read
Previous by thread: Re: KASAN: use-after-free Read in set_page_dirty_lock
Next by thread: Bug#886858:
Index(es):
- Date
- Thread