[Linux kernel bug] KASAN: slab-use-after-free Read in pressure_write
From: Sam Sun
Date: Fri May 17 2024 - 03:14:47 EST
Dear developers and maintainers,
We encountered a slab-use-after-free bug while using our modified
syzkaller. It was tested against the latest upstream kernel (6.9).
Kernel crash log is listed below.
==================================================================
BUG: KASAN: slab-use-after-free in pressure_write+0x21e/0x500
kernel/cgroup/cgroup.c:3789
Read of size 8 at addr ffff888014beec08 by task syz-executor.2/9495
CPU: 0 PID: 9495 Comm: syz-executor.2 Not tainted 6.9.0-05151-g1b294a1f3561 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
print_address_description+0x7b/0x360 mm/kasan/report.c:377
print_report+0xfd/0x1e0 mm/kasan/report.c:488
kasan_report+0xce/0x100 mm/kasan/report.c:601
pressure_write+0x21e/0x500 kernel/cgroup/cgroup.c:3789
cgroup_file_write+0x2cc/0x690 kernel/cgroup/cgroup.c:4092
kernfs_fop_write_iter+0x3ab/0x500 fs/kernfs/file.c:334
call_write_iter include/linux/fs.h:2120 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa46/0xcb0 fs/read_write.c:590
ksys_write+0x17b/0x2a0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7fb7d3044caf
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 fd ff ff 48 8b 54
24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 2d 44 89 c7 48 89 44 24 08 e8 cc fd ff ff 48
RSP: 002b:00007fb7d3d65f60 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007fb7d3044caf
RDX: 0000000000000003 RSI: 00007fb7d3d667c0 RDI: 0000000000000008
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000200004c0 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffeac4a58bf R14: 00007ffeac4a5a60 R15: 00007fb7d3d66d80
</TASK>
Allocated by task 9495:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387
kasan_kmalloc include/linux/kasan.h:211 [inline]
kmalloc_trace+0x1d9/0x370 mm/slub.c:4070
kmalloc include/linux/slab.h:628 [inline]
kzalloc include/linux/slab.h:749 [inline]
cgroup_file_open+0x8e/0x2a0 kernel/cgroup/cgroup.c:4038
kernfs_fop_open+0xa4b/0xd00 fs/kernfs/file.c:706
do_dentry_open+0x8e7/0x1560 fs/open.c:955
do_open fs/namei.c:3650 [inline]
path_openat+0x285b/0x3200 fs/namei.c:3807
do_filp_open+0x268/0x4f0 fs/namei.c:3834
do_sys_openat2+0x12f/0x1c0 fs/open.c:1406
do_sys_open fs/open.c:1421 [inline]
__do_sys_openat fs/open.c:1437 [inline]
__se_sys_openat fs/open.c:1432 [inline]
__x64_sys_openat+0x247/0x290 fs/open.c:1432
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
Freed by task 9496:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x30/0x70 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4353 [inline]
kfree+0x137/0x310 mm/slub.c:4463
kernfs_release_file+0x12b/0x2d0 fs/kernfs/file.c:746
kernfs_drain_open_files+0x2a0/0x480 fs/kernfs/file.c:815
kernfs_drain+0x4f8/0x6b0 fs/kernfs/dir.c:514
kernfs_show+0x267/0x370 fs/kernfs/dir.c:1441
cgroup_file_show kernel/cgroup/cgroup.c:4503 [inline]
cgroup_pressure_write+0x458/0x770 kernel/cgroup/cgroup.c:3881
cgroup_file_write+0x2cc/0x690 kernel/cgroup/cgroup.c:4092
kernfs_fop_write_iter+0x3ab/0x500 fs/kernfs/file.c:334
call_write_iter include/linux/fs.h:2120 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xa46/0xcb0 fs/read_write.c:590
ksys_write+0x17b/0x2a0 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
The buggy address belongs to the object at ffff888014beec00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
freed 192-byte region [ffff888014beec00, ffff888014beecc0)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14bee
anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000800 ffff8880134413c0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask
0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 8145,
tgid 8145 (syz-executor.3), ts 154392465805, free_ts 77458148506
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1e6/0x210 mm/page_alloc.c:1534
prep_new_page mm/page_alloc.c:1541 [inline]
get_page_from_freelist+0x7d2/0x850 mm/page_alloc.c:3317
__alloc_pages+0x25e/0x580 mm/page_alloc.c:4575
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page+0x6b/0x1a0 mm/slub.c:2190
allocate_slab+0x5d/0x200 mm/slub.c:2353
new_slab mm/slub.c:2406 [inline]
___slab_alloc+0xa95/0xf20 mm/slub.c:3592
__slab_alloc mm/slub.c:3682 [inline]
__slab_alloc_node mm/slub.c:3735 [inline]
slab_alloc_node mm/slub.c:3908 [inline]
__do_kmalloc_node mm/slub.c:4038 [inline]
__kmalloc_node_track_caller+0x2d8/0x4f0 mm/slub.c:4059
kmemdup+0x2a/0x70 mm/util.c:131
_Z7kmemdupPKvU25pass_dynamic_object_size0mj
include/linux/fortify-string.h:743 [inline]
neigh_parms_alloc+0x7d/0x4d0 net/core/neighbour.c:1718
ipv6_add_dev+0x321/0x1290 net/ipv6/addrconf.c:399
addrconf_notify+0x6a0/0x1010 net/ipv6/addrconf.c:3652
notifier_call_chain+0x13b/0x1f0 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
register_netdevice+0x15fd/0x1a90 net/core/dev.c:10407
bond_newlink+0x43/0x90 drivers/net/bonding/bond_netlink.c:577
rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
__rtnl_newlink net/core/rtnetlink.c:3730 [inline]
rtnl_newlink+0x1581/0x20c0 net/core/rtnetlink.c:3743
rtnetlink_rcv_msg+0x893/0x10e0 net/core/rtnetlink.c:6595
page last free pid 8084 tgid 8084 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
free_unref_page_prepare+0x72f/0x7c0 mm/page_alloc.c:2347
free_unref_page+0x37/0x3f0 mm/page_alloc.c:2487
__folio_put_small mm/swap.c:119 [inline]
__folio_put+0x20b/0x360 mm/swap.c:142
pipe_buf_release include/linux/pipe_fs_i.h:219 [inline]
pipe_update_tail fs/pipe.c:224 [inline]
pipe_read+0x714/0x1400 fs/pipe.c:344
call_read_iter include/linux/fs.h:2114 [inline]
new_sync_read fs/read_write.c:395 [inline]
vfs_read+0x96c/0xbb0 fs/read_write.c:476
ksys_read+0x17b/0x2a0 fs/read_write.c:619
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x67/0x6f
Memory state around the buggy address:
ffff888014beeb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888014beeb80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888014beec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888014beec80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888014beed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Currently, no C repro available. Only reproducer in syzlang is
available. However, since we modified syzkaller, the reproducer cannot
be executed directly by original syzkaller.
We analyzed the root cause of this problem. It happens when
concurrently accessing
"/sys/fs/cgroup/sys-fs-fuse-connections.mount/irq.pressure" and
"/sys/fs/cgroup/sys-fs-fuse-connections.mount/cgroup.pressure". If we
echo 0 to cgroup.pressure, kernel will invoke cgroup_pressure_write(),
and call kernfs_show(). It will set kn->flags to KERNFS_HIDDEN and
call kernfs_drain(), in which it frees kernfs_open_file *of. On the
other side, when accessing irq.pressure, kernel calls
pressure_write(), which will access of->priv. So that it triggers a
use-after-free.
If you have any questions, please contact us.
Reported by Yue Sun <samsun1006219@xxxxxxxxx>
Reported by xingwei lee <xrivendell7@xxxxxxxxx>
Best Regards,
Yue