Issue 630264

Starred by 2 users

Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug


KASAN reports a use-after-free in snd_timer_resolution

Project Member Reported by glider@chromium.org, Jul 21 2016

Issue description

The bug has been reported by KASAN while fuzzing the 3.18 amd64-generic kernel with syzkaller. No repro so far.

==================================================================
BUG: KASAN: use-after-free in snd_timer_resolution+0x2e/0x8c at addr ffff880050428a40
Read of size 8 by task syz-executor/9568
CPU: 0 PID: 9568 Comm: syz-executor Tainted: G        W      3.18.0 #27
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff880050428b40 00000000bc809fdb ffff8800304cf928 ffffffff81b5aedc
 0000000000002560 ffffffffffff0006 ffff880051800500 ffffed000a085148
 ffff8800304cf9a8 ffffffff811c848e 0000000000000296 1ffff1000a085148
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b5aedc>] dump_stack+0x74/0xb3 lib/dump_stack.c:50
 [<     inline     >] object_err mm/kasan/report.c:139
 [<     inline     >] print_address_description mm/kasan/report.c:180
 [<     inline     >] kasan_report_error mm/kasan/report.c:277
 [<ffffffff811c848e>] kasan_report+0x30f/0x565 mm/kasan/report.c:300
 [<     inline     >] ? constant_test_bit arch/x86/include/asm/bitops.h:311
 [<     inline     >] ? test_ti_thread_flag include/linux/thread_info.h:91
 [<     inline     >] ? need_resched include/linux/sched.h:2940
 [<ffffffff81b5e6c5>] ? __schedule+0x645/0x847 kernel/sched/core.c:3082
 [<     inline     >] check_memory_region_inline mm/kasan/kasan.c:292
 [<ffffffff811c737f>] __asan_load8+0x64/0x66 mm/kasan/kasan.c:730
 [<ffffffff8194ea99>] snd_timer_resolution+0x2e/0x8c sound/core/timer.c:381
 [<ffffffff8194f270>] snd_timer_notify1+0x85/0x1e7 sound/core/timer.c:406
 [<ffffffff813bbe36>] ? ___preempt_schedule+0x35/0x67 arch/x86/lib/thunk_64.S:42
 [<ffffffff81950cc4>] snd_timer_start+0xdb/0xee sound/core/timer.c:483
 [<ffffffffa0052607>] ? snd_seq_timer_continue+0x6c/0xc0 [snd_seq]
 [<ffffffffa0052616>] snd_seq_timer_continue+0x7b/0xc0 [snd_seq]
 [<ffffffffa004ff54>] snd_seq_control_queue+0x146/0x283 [snd_seq]
 [<ffffffffa0053048>] ? snd_seq_port_use_ptr+0xa3/0x46f [snd_seq]
 [<ffffffffa00528e2>] ? snd_seq_info_timer_read+0x144/0x17a [snd_seq]
 [<ffffffffa0052911>] snd_seq_info_timer_read+0x173/0x17a [snd_seq]
 [<ffffffffa004c4d2>] snd_seq_client_use_ptr+0x13c6/0x1b38 [snd_seq]
 [<ffffffffa004c5c5>] snd_seq_client_use_ptr+0x14b9/0x1b38 [snd_seq]
 [<     inline     >] ? debug_spin_unlock kernel/locking/spinlock_debug.c:103
 [<ffffffff810bfebe>] ? do_raw_spin_unlock+0xbb/0xcd kernel/locking/spinlock_debug.c:158
 [<ffffffffa004b301>] ? snd_seq_client_use_ptr+0x1f5/0x1b38 [snd_seq]
 [<ffffffffa004b301>] ? snd_seq_client_use_ptr+0x1f5/0x1b38 [snd_seq]
 [<ffffffffa004cf26>] ? snd_seq_dispatch_event+0x50/0x21d [snd_seq]
 [<ffffffffa004d0af>] snd_seq_dispatch_event+0x1d9/0x21d [snd_seq]
 [<ffffffffa00510af>] ? snd_seq_prioq_cell_out+0xbf/0xe2 [snd_seq]
 [<ffffffffa00510c0>] ? snd_seq_prioq_cell_out+0xd0/0xe2 [snd_seq]
 [<ffffffffa004ef92>] snd_seq_check_queue+0x114/0x241 [snd_seq]
 [<ffffffffa004f2a3>] snd_seq_enqueue_event+0x1e4/0x202 [snd_seq]
 [<ffffffffa004c96f>] snd_seq_client_use_ptr+0x1863/0x1b38 [snd_seq]
 [<ffffffffa004cb81>] snd_seq_client_use_ptr+0x1a75/0x1b38 [snd_seq]
 [<ffffffff811cf1f3>] vfs_write+0x10d/0x190 fs/read_write.c:534
 [<ffffffffa004c9b1>] ? snd_seq_client_use_ptr+0x18a5/0x1b38 [snd_seq]
 [<     inline     >] SYSC_write fs/read_write.c:585
 [<ffffffff811cfbf2>] SyS_write+0x82/0xdd fs/read_write.c:577
 [<ffffffff81b62b5c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Object at ffff880050428a40, in cache kmalloc-256
Object freed, allocated with size 200 bytes
Allocation:
PID = 9569
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c7293>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [<     inline     >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7a0a>] kasan_kmalloc+0xae/0xc0 mm/kasan/kasan.c:586
 [<ffffffff811c5c4e>] kmem_cache_alloc_trace+0x93/0xc6 mm/slab.c:3409
 [<     inline     >] kmalloc include/linux/slab.h:437
 [<     inline     >] kzalloc include/linux/slab.h:595
 [<ffffffff8195165c>] snd_timer_instance_new+0x40/0x1ae sound/core/timer.c:105
 [<ffffffff81951bef>] snd_timer_open+0x425/0x6fa sound/core/timer.c:288
 [<ffffffffa005227a>] snd_seq_timer_open+0xf7/0x21d [snd_seq]
 [<ffffffffa004f764>] snd_seq_queue_use+0xe4/0x140 [snd_seq]
 [<ffffffffa004f9e1>] snd_seq_queue_alloc+0x221/0x27a [snd_seq]
 [<ffffffffa0049500>] snd_seq_delete_kernel_client+0x105d/0x25b4 [snd_seq]
 [<ffffffffa004a324>] snd_seq_delete_kernel_client+0x1e81/0x25b4 [snd_seq]
 [<ffffffffa004a3a0>] snd_seq_delete_kernel_client+0x1efd/0x25b4 [snd_seq]
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff811e8f80>] do_vfs_ioctl+0x6e5/0x71e fs/ioctl.c:598
 [<     inline     >] SYSC_ioctl fs/ioctl.c:613
 [<ffffffff811e902d>] SyS_ioctl+0x74/0xb3 fs/ioctl.c:604
 [<ffffffff81b62b5c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Deallocation:
PID = 9569
 [<ffffffff810159f0>] save_stack_trace+0x2c/0x48 arch/x86/kernel/stacktrace.c:64
 [<ffffffff811c7293>] save_stack+0x46/0xce mm/kasan/kasan.c:476
 [<     inline     >] set_track mm/kasan/kasan.c:488
 [<ffffffff811c7e6b>] kasan_slab_free+0x94/0xca mm/kasan/kasan.c:540
 [<     inline     >] __cache_free mm/slab.c:3344
 [<ffffffff811c5fcf>] kfree+0x4c/0x95 mm/slab.c:3576
 [<ffffffff819528be>] snd_timer_close+0x3b5/0x3e8 sound/core/timer.c:369
 [<ffffffffa005240b>] snd_seq_timer_close+0x6b/0x8c [snd_seq]
 [<ffffffffa004eab3>] snd_seq_info_pool+0x130/0x39f [snd_seq]
 [<ffffffffa004ed80>] snd_seq_queue_delete+0x48/0x54 [snd_seq]
 [<ffffffffa0049459>] snd_seq_delete_kernel_client+0xfb6/0x25b4 [snd_seq]
 [<ffffffffa004a324>] snd_seq_delete_kernel_client+0x1e81/0x25b4 [snd_seq]
 [<ffffffffa004a3a0>] snd_seq_delete_kernel_client+0x1efd/0x25b4 [snd_seq]
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff811e8f80>] do_vfs_ioctl+0x6e5/0x71e fs/ioctl.c:598
 [<     inline     >] SYSC_ioctl fs/ioctl.c:613
 [<ffffffff811e902d>] SyS_ioctl+0x74/0xb3 fs/ioctl.c:604
 [<ffffffff81b62b5c>] system_call_fastpath+0x1c/0x21 arch/x86/kernel/entry_64.S:436
Memory state around the buggy address:
 ffff880050428900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880050428980: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff880050428a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff880050428a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880050428b00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

Comment 1 by glider@chromium.org, Jul 21 2016

Labels: Stability-Memory-KernelAddressSanitizer Stability-Syzkaller Kernel-3.18 OS-Chrome
Components: OS>Kernel