From: Entropy Moe <3ntr0py1337@gmail.com>
Date: Mon, 16 Mar 2020 00:12:23 +0400
Subject: UAF kernel bug on page_alloc.c
To: linux-mm@kvack.org

Hello,

I want to report a bug on Linux kernel 5.6+

==================================================================
BUG: KASAN: wild-memory-access in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: wild-memory-access in page_ref_count include/linux/page_ref.h:67 [inline]
BUG: KASAN: wild-memory-access in put_page_testzero include/linux/mm.h:587 [inline]
BUG: KASAN: wild-memory-access in __free_pages+0x1b/0xa0 mm/page_alloc.c:4798
Read of size 4 at addr 0720072007200754 by task syz-executor.4/26529

CPU: 1 PID: 26529 Comm: syz-executor.4 Not tainted 5.6.0-rc3 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xc6/0x11e lib/dump_stack.c:118
 __kasan_report+0x18f/0x1c0 mm/kasan/report.c:510
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x15d/0x1b0 mm/kasan/generic.c:192
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 page_ref_count include/linux/page_ref.h:67 [inline]
 put_page_testzero include/linux/mm.h:587 [inline]
 __free_pages+0x1b/0xa0 mm/page_alloc.c:4798
 __vunmap+0x583/0x8d0 mm/vmalloc.c:2315
 __vfree+0x2e/0xb0 mm/vmalloc.c:2363
 vfree+0x41/0x70 mm/vmalloc.c:2393
 kcov_put+0x26/0x40 kernel/kcov.c:396
 kcov_close+0xc/0x10 kernel/kcov.c:495
 __fput+0x27e/0x770 fs/file_table.c:280
 task_work_run+0x129/0x1a0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa83/0x2b00 kernel/exit.c:801
 do_group_exit+0xff/0x310 kernel/exit.c:899
 get_signal+0x3c0/0x1f70 kernel/signal.c:2734
 do_signal+0x8f/0x14d0 arch/x86/kernel/signal.c:813
 exit_to_usermode_loop+0x13f/0x180 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:278 [inline]
 do_syscall_64+0x3eb/0x520 arch/x86/entry/common.c:304
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c679
Code: Bad RIP value.
RSP: 002b:00007f8df74a5cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000076bf08 RCX: 000000000045c679
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000076bf08
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000076bf0c
R13: 00007fff1295107f R14: 00007f8df74a69c0 R15: 000000000076bf0c
==================================================================