Skip to content

[syzbot] KASAN: use-after-free Write in h4_recv_buf #3

New issue
New issue
Open
Open
[syzbot] KASAN: use-after-free Write in h4_recv_buf#3
@tedd-an

Description

@tedd-an
tedd-an
opened on Apr 12, 2021

Hello,

syzbot found the following issue on:

HEAD commit: 280d542 Merge tag 'drm-fixes-2021-03-05' of git://anongit..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14f818a2d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2d28ee81eb70698
dashboard link: https://syzkaller.appspot.com/bug?extid=1e678fbc60167d46f2a5
compiler: Debian clang version 11.0.1-2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1e678fbc60167d46f2a5@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in skb_put_data include/linux/skbuff.h:2293 [inline]
BUG: KASAN: use-after-free in h4_recv_buf+0x3d5/0xd00 drivers/bluetooth/hci_h4.c:200
Write of size 1 at addr ffff88806243d00c by task syz-executor.0/10259

CPU: 0 PID: 10259 Comm: syz-executor.0 Not tainted 5.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x176/0x24e lib/dump_stack.c:120
print_address_description+0x5f/0x3a0 mm/kasan/report.c:232
__kasan_report mm/kasan/report.c:399 [inline]
kasan_report+0x15e/0x210 mm/kasan/report.c:416
check_region_inline mm/kasan/generic.c:135 [inline]
kasan_check_range+0x2b5/0x2f0 mm/kasan/generic.c:186
memcpy+0x3c/0x60 mm/kasan/shadow.c:66
skb_put_data include/linux/skbuff.h:2293 [inline]
h4_recv_buf+0x3d5/0xd00 drivers/bluetooth/hci_h4.c:200
h4_recv+0xf4/0x1b0 drivers/bluetooth/hci_h4.c:115
hci_uart_tty_receive+0x157/0x490 drivers/bluetooth/hci_ldisc.c:613
tiocsti drivers/tty/tty_io.c:2317 [inline]
tty_ioctl+0xc64/0x15f0 drivers/tty/tty_io.c:2718
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:739
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x465f69
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb4a52aa188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465f69
RDX: 0000000020000000 RSI: 0000000000005412 RDI: 0000000000000003
RBP: 00000000004bfa67 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffc4fc6b23f R14: 00007fb4a52aa300 R15: 0000000000022000

Allocated by task 0:
(stack is not available)

Freed by task 9934:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:357
____kasan_slab_free+0x100/0x140 mm/kasan/common.c:360
kasan_slab_free include/linux/kasan.h:199 [inline]
slab_free_hook mm/slub.c:1562 [inline]
slab_free_freelist_hook+0x171/0x270 mm/slub.c:1600
slab_free mm/slub.c:3161 [inline]
kfree+0xcf/0x2d0 mm/slub.c:4213
skb_release_all net/core/skbuff.c:725 [inline]
__kfree_skb+0x56/0x1d0 net/core/skbuff.c:739
h4_recv_buf+0xcdb/0xd00 include/net/bluetooth/bluetooth.h:390
h4_recv+0xf4/0x1b0 drivers/bluetooth/hci_h4.c:115
hci_uart_tty_receive+0x157/0x490 drivers/bluetooth/hci_ldisc.c:613
tty_ldisc_receive_buf+0x12b/0x170 drivers/tty/tty_buffer.c:465
tty_port_default_receive_buf+0x6a/0x90 drivers/tty/tty_port.c:38
receive_buf drivers/tty/tty_buffer.c:481 [inline]
flush_to_ldisc+0x2f2/0x510 drivers/tty/tty_buffer.c:533
process_one_work+0x789/0xfd0 kernel/workqueue.c:2275
worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
kthread+0x39a/0x3c0 kernel/kthread.c:292
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff88806243d000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 12 bytes inside of
2048-byte region [ffff88806243d000, ffff88806243d800)
The buggy address belongs to the page:
page:000000004c9987b8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62438
head:000000004c9987b8 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88806243cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806243cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806243d000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
ffff88806243d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88806243d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions