Bug 205705 - Linux Kernel 5.3.10 - perf_trace_lock_acquire use-after-free
Summary: Linux Kernel 5.3.10 - perf_trace_lock_acquire use-after-free
Status: NEW
Alias: None
Product: Process Management
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: process_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-29 17:03 UTC by Tristan Madani
Modified: 2020-02-06 07:48 UTC (History)
3 users (show)

See Also:
Kernel Version: 5.3.10
Tree: Mainline
Regression: No


Attachments

Description Tristan Madani 2019-11-29 17:03:45 UTC
LINUX KERNEL 5.3.10 - perf_trace_lock_acquire use-after-free

0x01 - Introduction
===

# Product: Linux Kernel 
# Version: 5.3.10 (and probably other versions)
# Bug: UAF (Read)
# Tested on: GNU/Linux Debian 9 x86_64


0x02 - Crash report
===

BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x443/0x630 include/trace/events/lock.h:13
Read of size 8 at addr ffff88802245cc18 by task syz-executor.1/10285

CPU: 1 PID: 10285 Comm: syz-executor.1 Not tainted 5.3.10 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:											// <--- call trace that reach it
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 print_address_description+0x67/0x360 mm/kasan/report.c:351
 __kasan_report.cold.7+0x1a/0x3b mm/kasan/report.c:482
 kasan_report+0xe/0x12 mm/kasan/common.c:618
 perf_trace_lock_acquire+0x443/0x630 include/trace/events/lock.h:13
 trace_lock_acquire include/trace/events/lock.h:13 [inline]
 lock_acquire+0x234/0x330 kernel/locking/lockdep.c:4411
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x30/0x40 kernel/locking/spinlock.c:159
 __wake_up_common_lock+0xa8/0x120 kernel/sched/wait.c:122
 __locks_wake_up_blocks+0x18e/0x240 fs/locks.c:741
 locks_delete_block+0x7f/0x240 fs/locks.c:772
 flock_lock_inode_wait fs/locks.c:2081 [inline]
 locks_lock_inode_wait+0x14c/0x3b0 fs/locks.c:2100
 locks_lock_file_wait include/linux/fs.h:1310 [inline]
 __do_sys_flock fs/locks.c:2163 [inline]
 __se_sys_flock fs/locks.c:2126 [inline]
 __x64_sys_flock+0x2fb/0x350 fs/locks.c:2126
 do_syscall_64+0xbc/0x560 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x465b89
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5adacefc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000049
RAX: ffffffffffffffda RBX: 000000000051bfa8 RCX: 0000000000465b89
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000005
RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a6427
R13: 00000000004e4650 R14: 00000000004a6f99 R15: 00007f5adacf06bc

Allocated by task 10290:								// <--- where is it allocated
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc mm/kasan/common.c:493 [inline]
 __kasan_kmalloc.constprop.7+0xc1/0xd0 mm/kasan/common.c:466
 slab_post_alloc_hook mm/slab.h:520 [inline]
 slab_alloc_node mm/slub.c:2770 [inline]
 slab_alloc mm/slub.c:2778 [inline]
 kmem_cache_alloc+0xd9/0x2f0 mm/slub.c:2783
 kmem_cache_zalloc include/linux/slab.h:738 [inline]
 locks_alloc_lock+0x18/0x1c0 fs/locks.c:345
 flock_make_lock+0x245/0x2b0 fs/locks.c:486
 __do_sys_flock fs/locks.c:2145 [inline]
 __se_sys_flock fs/locks.c:2126 [inline]
 __x64_sys_flock+0x122/0x350 fs/locks.c:2126
 do_syscall_64+0xbc/0x560 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 10290:								// <--- where it has been freed
 save_stack+0x19/0x80 mm/kasan/common.c:69
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x12e/0x180 mm/kasan/common.c:455
 slab_free_hook mm/slub.c:1423 [inline]
 slab_free_freelist_hook+0x56/0x160 mm/slub.c:1474
 slab_free mm/slub.c:3016 [inline]
 kmem_cache_free+0xa0/0x330 mm/slub.c:3032
 locks_free_lock fs/locks.c:382 [inline]
 __do_sys_flock fs/locks.c:2166 [inline]
 __se_sys_flock fs/locks.c:2126 [inline]
 __x64_sys_flock+0x290/0x350 fs/locks.c:2126
 do_syscall_64+0xbc/0x560 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88802245cb88
 which belongs to the cache file_lock_cache of size 264			// <--- the object's cache
The buggy address is located 144 bytes inside of
 264-byte region [ffff88802245cb88, ffff88802245cc90)
The buggy address belongs to the page:
page:ffffea0000891700 refcount:1 mapcount:0 mapping:ffff88802e50ca00 index:0x0
flags: 0x100000000000200(slab)
raw: 0100000000000200 ffffea00008e4ec0 0000000300000003 ffff88802e50ca00
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802245cb00: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff88802245cb80: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802245cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88802245cc80: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
 ffff88802245cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Comment 1 Tony Jones 2020-02-05 20:38:33 UTC
Do you have any of the reproducer info per https://github.com/google/syzkaller/blob/master/docs/reproducing_crashes.md

Note You need to log in before you can comment on or make changes to this bug.