206073 – BUG: KASAN: use-after-free Read in do_update_region

Bug 206073 - BUG: KASAN: use-after-free Read in do_update_region

Summary: BUG: KASAN: use-after-free Read in do_update_region

Status:	NEW

Alias:	None

Product:	Drivers
Classification:	Unclassified
Component:	Console/Framebuffers (show other bugs)
Hardware:	x86-64 Linux

Importance:	P1 normal
Assignee:	James Simmons

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-01-04 11:05 UTC by donkeysnore
Modified:	2020-01-04 11:09 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	Linux 5.5.0-rc4+
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Linux config (128.63 KB, text/plain) 2020-01-04 11:08 UTC, donkeysnore	Details
C reproduce code (14.03 KB, text/plain) 2020-01-04 11:09 UTC, donkeysnore	Details
Add an attachment (proposed patch, testcase, etc.)

Description donkeysnore 2020-01-04 11:05:31 UTC

This bug is reproduced by syzkaller

==================================================================
BUG: KASAN: use-after-free in do_update_region+0x5ce/0x600
Read of size 2 at addr ffff888000100000 by task syz-executor.0/32237

CPU: 1 PID: 32237 Comm: syz-executor.0 Not tainted 5.5.0-rc4+ #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 dump_stack+0x94/0xce
 print_address_description.constprop.4+0x16/0x320
 __kasan_report+0x177/0x1db
 kasan_report+0xe/0x20
 do_update_region+0x5ce/0x600
 csi_J+0x2fa/0xa30
 do_con_trol+0x4025/0x58a0
 do_con_write.part.25+0x568/0x1c10
 con_write+0xa7/0xc0
 n_tty_write+0x907/0xdf0
 tty_write+0x3f4/0x910
 do_iter_write+0x3e7/0x560
 vfs_writev+0x164/0x2e0
 do_writev+0xff/0x290
 do_syscall_64+0x9c/0x390
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45a9e9
Code: bd b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b b1 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8872609c88 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000072bf00 RCX: 000000000045a9e9
RDX: 0000000000000001 RSI: 0000000020000740 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f887260a6d4
R13: 00000000004afce8 R14: 00000000006f9dd0 R15: 00000000ffffffff

The buggy address belongs to the page:
page:ffffea0000004000 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
raw: 0000000000000000 ffff88807ffdc300 ffff88807ffdc300 0000000000000000
raw: 0000000000000000 0000000000000008 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Comment 1 donkeysnore 2020-01-04 11:08:20 UTC

Created attachment 286613 [details]
Linux config

Comment 2 donkeysnore 2020-01-04 11:09:11 UTC

Created attachment 286617 [details]
C reproduce code

Note You need to log in before you can comment on or make changes to this bug.