From: Entropy Moe <3ntr0py1337@gmail.com>
To: linux-mm@kvack.org
Subject: UAF kernel bug on page_alloc.c
Date: Mon, 16 Mar 2020 00:12:23 +0400
Message-ID: <CALzBtjKCfMXxuThfYTqzFKDU=TNepfBH-eeWdqkg7hUJp2zWKw@mail.gmail.com>
Hello,
I want to report a bug in Linux kernel 5.6+.
==================================================================
BUG: KASAN: wild-memory-access in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: wild-memory-access in page_ref_count
include/linux/page_ref.h:67 [inline]
BUG: KASAN: wild-memory-access in put_page_testzero
include/linux/mm.h:587 [inline]
BUG: KASAN: wild-memory-access in __free_pages+0x1b/0xa0 mm/page_alloc.c:4798
Read of size 4 at addr 0720072007200754 by task syz-executor.4/26529
CPU: 1 PID: 26529 Comm: syz-executor.4 Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xc6/0x11e lib/dump_stack.c:118
__kasan_report+0x18f/0x1c0 mm/kasan/report.c:510
kasan_report+0xe/0x20 mm/kasan/common.c:641
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
put_page_testzero include/linux/mm.h:587 [inline]
__free_pages+0x1b/0xa0 mm/page_alloc.c:4798
__vunmap+0x583/0x8d0 mm/vmalloc.c:2315
__vfree+0x2e/0xb0 mm/vmalloc.c:2363
vfree+0x41/0x70 mm/vmalloc.c:2393
kcov_put+0x26/0x40 kernel/kcov.c:396
kcov_close+0xc/0x10 kernel/kcov.c:495
__fput+0x27e/0x770 fs/file_table.c:280
task_work_run+0x129/0x1a0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0xa83/0x2b00 kernel/exit.c:801
do_group_exit+0xff/0x310 kernel/exit.c:899
get_signal+0x3c0/0x1f70 kernel/signal.c:2734
do_signal+0x8f/0x14d0 arch/x86/kernel/signal.c:813
exit_to_usermode_loop+0x13f/0x180 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
do_syscall_64+0x3eb/0x520 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c679
Code: Bad RIP value.
RSP: 002b:00007f8df74a5cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000076bf08 RCX: 000000000045c679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000076bf08
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000076bf0c
R13: 00007fff1295107f R14: 00007f8df74a69c0 R15: 000000000076bf0c
==================================================================