Message-ID: <573a638c.960f.17766b555b8.Coremail.zhaowenjia@stu.xjtu.edu.cn>
Date: Wed, 3 Feb 2021 15:04:55 +0800 (GMT+08:00)
From: ???? <zhaowenjia@....xjtu.edu.cn>
To: security@...nel.org, oss-security@...ts.openwall.com,
gregkh@...uxfoundation.org, jirislaby@...nel.org, nico@...xnic.net
Subject: KASAN: use-after-free in con_scroll
Dear Linux kernel developers,
I found a crash "KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641" when running syzkaller.
It can be reproduced. I did not find a report about this problem. Hope it is useful.
Linux version: Linux v5.9-rc8 (549738f15)
The following is the crash report.
==================================================================
BUG: KASAN: use-after-free in scr_memmovew include/linux/vt_buffer.h:68 [inline]
BUG: KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
Read of size 693770 at addr ffff8880000b894c by task syz-executor.2/7755
CPU: 0 PID: 7755 Comm: syz-executor.2 Not tainted 5.1.0 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x75/0xae lib/dump_stack.c:113
print_address_description+0x60/0x223 mm/kasan/report.c:187
kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
memmove+0x20/0x50 mm/kasan/common.c:123
scr_memmovew include/linux/vt_buffer.h:68 [inline]
con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
csi_L drivers/tty/vt/vt.c:1967 [inline]
do_con_trol+0x4ba4/0x5d80 drivers/tty/vt/vt.c:2366
do_con_write.part.0+0xd3d/0x1ac0 drivers/tty/vt/vt.c:2790
do_con_write drivers/tty/vt/vt.c:2558 [inline]
con_write+0x33/0xc0 drivers/tty/vt/vt.c:3127
process_output_block drivers/tty/n_tty.c:595 [inline]
n_tty_write+0x391/0xe50 drivers/tty/n_tty.c:2333
do_tty_write drivers/tty/tty_io.c:961 [inline]
tty_write+0x3d4/0x6e0 drivers/tty/tty_io.c:1045
do_loop_readv_writev fs/read_write.c:704 [inline]
do_loop_readv_writev fs/read_write.c:688 [inline]
do_iter_write fs/read_write.c:959 [inline]
do_iter_write+0x3eb/0x560 fs/read_write.c:938
vfs_writev+0x19a/0x2d0 fs/read_write.c:1002
do_writev+0x106/0x2d0 fs/read_write.c:1037
do_syscall_64+0x9a/0x2b0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fae6e580c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000003b900 RCX: 000000000045de59
RDX: 0000000000000001 RSI: 0000000020001000 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fffd398ebcf R14: 00007fae6e5819c0 R15: 000000000118bf2c
The buggy address belongs to the page:
page:ffffea0000002e00 count:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1000(reserved)
raw: 0000000000001000 ffffea0000002e08 ffffea0000002e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
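As an added example, not part of the reporter's message: a small Python parser that pulls the triage fields out of a KASAN report such as the one above (bug kind, access operation and size, faulting address, task) and keeps the call-trace frames that belong to the bug rather than to the sanitizer's reporting path, then builds a syzkaller-style one-line title for deduplication. The excerpt is copied from the report above; the set of paths treated as reporting noise and the title format are this example's own choices, not anything the report or syzkaller defines.

```python
import re

# Excerpt of the KASAN report above (copied from the report, trimmed to the
# lines the parser needs). The RIP line marks where the register dump starts.
VT_REPORT = """\
BUG: KASAN: use-after-free in scr_memmovew include/linux/vt_buffer.h:68 [inline]
BUG: KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
Read of size 693770 at addr ffff8880000b894c by task syz-executor.2/7755
Call Trace:
dump_stack+0x75/0xae lib/dump_stack.c:113
kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
memmove+0x20/0x50 mm/kasan/common.c:123
scr_memmovew include/linux/vt_buffer.h:68 [inline]
con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
csi_L drivers/tty/vt/vt.c:1967 [inline]
do_con_trol+0x4ba4/0x5d80 drivers/tty/vt/vt.c:2366
RIP: 0033:0x45de59
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(
    r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<path>\S+):\d+(?P<inline> \[inline\])?$")
# Source paths of the reporting machinery (assumption: these frames never identify the bug).
NOISE_PATHS = ("lib/dump_stack.c", "mm/kasan/")


def parse_kasan(text):
    """Extract the fields a triage tool keys on: bug kind, access, culprit frames."""
    rep, in_trace = {"frames": []}, False
    for line in map(str.strip, text.splitlines()):
        if m := BUG_RE.match(line):            # last BUG: line carries the non-inline symbol
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := ACCESS_RE.match(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16), task=m["task"])
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and line.startswith("RIP:"):
            break                               # register dump: end of the kernel trace
        elif in_trace and (m := FRAME_RE.match(line)) and not m["path"].startswith(NOISE_PATHS):
            rep["frames"].append((m["func"], m["path"], bool(m["inline"])))
    return rep


def title(rep):
    """syzkaller-style one-line title, the usual key for deduplicating crashes."""
    return f"KASAN: {rep['kind']} {rep['op']} in {rep['func']}"


if __name__ == "__main__":
    r = parse_kasan(VT_REPORT)
    print(title(r), r["size"], [f[0] for f in r["frames"]])
```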