Careena: use-after-free in wireless
Issue description

Chrome OS Version: 11075.0
Chrome OS Platform: Careena
Please specify Cr-* of the system to which this bug/feature applies (add the label below).

Steps To Reproduce:
(1) enable KASAN
(2) powerd_dbus_suspend
(3)

Expected Result:
no KASAN error

Actual Result:
[ 398.326567] ==================================================================
[ 398.333868] BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211]
[ 398.341386] Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89
[ 398.348279]
[ 398.349801] CPU: 1 PID: 89 Comm: kworker/1:3 Tainted: G W 4.14.70 #22
[ 398.357393] Hardware name: Google Grunt/Grunt, BIOS Google_Grunt.11075.0.2018_09_18_1300 09/17/2018
[ 398.366506] Workqueue: events reg_todo [cfg80211]
[ 398.371236] Call Trace:
[ 398.373718]  dump_stack+0xc1/0x10c
[ 398.377153]  ? _atomic_dec_and_lock+0x1ad/0x1ad
[ 398.381711]  ? _raw_spin_lock_irqsave+0xa0/0xd2
[ 398.386277]  print_address_description+0x86/0x26f
[ 398.391053]  ? reg_process_hint+0x839/0x8aa [cfg80211]
[ 398.396229]  kasan_report+0x241/0x29b
[ 398.399966]  reg_process_hint+0x839/0x8aa [cfg80211]
[ 398.405002]  reg_todo+0x204/0x5b9 [cfg80211]
[ 398.409313]  process_one_work+0x55f/0x8d0
[ 398.413360]  ? worker_detach_from_pool+0x1b5/0x1b5
[ 398.418173]  ? _raw_spin_unlock_irq+0x65/0xdd
[ 398.421554] usb 2-3.1: New USB device found, idVendor=0424, idProduct=ec00, bcdDevice= 2.00
[ 398.421559] usb 2-3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 398.438238]  ? _raw_spin_unlock_irqrestore+0xf3/0xf3
[ 398.443232]  worker_thread+0x5dd/0x841
[ 398.447018]  ? kthread_parkme+0x1d/0x1d
[ 398.450884]  kthread+0x270/0x285
[ 398.454147]  ? pr_cont_work+0xe3/0xe3
[ 398.457843]  ? rcu_read_unlock_sched_notrace+0xca/0xca
[ 398.463011]  ret_from_fork+0x22/0x40
[ 398.466606]
[ 398.468124] Allocated by task 2718:
[ 398.471638]  set_track+0x63/0xfa
[ 398.474903]  __kmalloc+0x119/0x1ac
[ 398.478367]  regulatory_hint_country_ie+0x38/0x329 [cfg80211]
[ 398.484166]  __cfg80211_connect_result+0x854/0xadd [cfg80211]
[ 398.489964]  cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211]
[ 398.491332] smsc95xx v1.0.6
[ 398.498315]  ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211]
[ 398.504586]  ieee80211_iface_work+0x411/0x696 [mac80211]
[ 398.509923]  process_one_work+0x55f/0x8d0
[ 398.513942]  worker_thread+0x5dd/0x841
[ 398.517696]  kthread+0x270/0x285
[ 398.520931]  ret_from_fork+0x22/0x40
[ 398.524510]
[ 398.526006] Freed by task 89:
[ 398.528979]  set_track+0x63/0xfa
[ 398.532213]  kasan_slab_free+0x6a/0x87
[ 398.535967]  kfree+0xdc/0x470
[ 398.538962]  reg_process_hint+0x31e/0x8aa [cfg80211]
[ 398.543949]  reg_todo+0x204/0x5b9 [cfg80211]
[ 398.548224]  process_one_work+0x55f/0x8d0
[ 398.552239]  worker_thread+0x5dd/0x841
[ 398.555991]  kthread+0x270/0x285
[ 398.559223]  ret_from_fork+0x22/0x40
[ 398.562799]
[ 398.564293] The buggy address belongs to the object at ffff8800c430d420
[ 398.564293]  which belongs to the cache kmalloc-64 of size 64
[ 398.576643] The buggy address is located 20 bytes inside of
[ 398.576643]  64-byte region [ffff8800c430d420, ffff8800c430d460)
[ 398.588210] The buggy address belongs to the page:
[ 398.593007] page:ffffea000310c340 count:1 mapcount:0 mapping: (null) index:0x0
[ 398.601016] flags: 0x4000000000000100(slab)
[ 398.605206] raw: 4000000000000100 0000000000000000 0000000000000000 00000001002a002a
[ 398.612955] raw: ffffea0004076000 0000000300000003 ffff88010a0018c0 0000000000000000
[ 398.620701] page dumped because: kasan: bad access detected
[ 398.626278]
[ 398.627771] Memory state around the buggy address:
[ 398.632569]  ffff8800c430d300: 00 00 00 00 00 fc fc fc fc fc fc fc 00 00 00 00
[ 398.639794]  ffff8800c430d380: 00 fc fc fc fc fc fc fc 00 00 00 00 00 fc fc fc
[ 398.647020] >ffff8800c430d400: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 398.654246]                                        ^
[ 398.659041]  ffff8800c430d480: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
[ 398.666266]  ffff8800c430d500: 00 fc fc fc fc fc fc fc 00 00 00 00 00 fc fc fc
[ 398.673490] ==================================================================

How frequently does this problem reproduce? (Always, sometimes, hard to reproduce?)
~20 suspend/resume runs

What is the impact to the user, and is there a workaround? If so, what is it?

Please provide any additional information below. Attach a screen shot or log if possible. For graphics-related bugs, please copy/paste the contents of the about:gpu page at the end of this report.
Sep 21

Sep 21

Sep 21

Sep 21

Sep 28
crrev.com/c/1250145 posted for review.
Oct 4
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f7f5708161ab9ec64de9932cb9c82a481e5ac093

commit f7f5708161ab9ec64de9932cb9c82a481e5ac093
Author: Yu Zhao <yuzhao@google.com>
Date: Thu Oct 04 21:27:26 2018

FROMGIT: cfg80211: fix use-after-free in reg_process_hint()

reg_process_hint_country_ie() can free regulatory_request and return
REG_REQ_ALREADY_SET. We shouldn't use regulatory_request after it's
called. KASAN error was observed when this happens.

BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211]
Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89
<snipped>
Workqueue: events reg_todo [cfg80211]
Call Trace:
 dump_stack+0xc1/0x10c
 ? _atomic_dec_and_lock+0x1ad/0x1ad
 ? _raw_spin_lock_irqsave+0xa0/0xd2
 print_address_description+0x86/0x26f
 ? reg_process_hint+0x839/0x8aa [cfg80211]
 kasan_report+0x241/0x29b
 reg_process_hint+0x839/0x8aa [cfg80211]
 reg_todo+0x204/0x5b9 [cfg80211]
 process_one_work+0x55f/0x8d0
 ? worker_detach_from_pool+0x1b5/0x1b5
 ? _raw_spin_unlock_irq+0x65/0xdd
 ? _raw_spin_unlock_irqrestore+0xf3/0xf3
 worker_thread+0x5dd/0x841
 ? kthread_parkme+0x1d/0x1d
 kthread+0x270/0x285
 ? pr_cont_work+0xe3/0xe3
 ? rcu_read_unlock_sched_notrace+0xca/0xca
 ret_from_fork+0x22/0x40

Allocated by task 2718:
 set_track+0x63/0xfa
 __kmalloc+0x119/0x1ac
 regulatory_hint_country_ie+0x38/0x329 [cfg80211]
 __cfg80211_connect_result+0x854/0xadd [cfg80211]
 cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211]
smsc95xx v1.0.6
 ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211]
 ieee80211_iface_work+0x411/0x696 [mac80211]
 process_one_work+0x55f/0x8d0
 worker_thread+0x5dd/0x841
 kthread+0x270/0x285
 ret_from_fork+0x22/0x40

Freed by task 89:
 set_track+0x63/0xfa
 kasan_slab_free+0x6a/0x87
 kfree+0xdc/0x470
 reg_process_hint+0x31e/0x8aa [cfg80211]
 reg_todo+0x204/0x5b9 [cfg80211]
 process_one_work+0x55f/0x8d0
 worker_thread+0x5dd/0x841
 kthread+0x270/0x285
 ret_from_fork+0x22/0x40
<snipped>

Signed-off-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 1db58529454742f67ebd96e3588315e880b72837
 git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git master)

BUG=chromium:887788
TEST=Suspend and resume 200x using KASAN kernel.

Change-Id: I42580bda9b73edd7ec066d47791e55e4e70c7e6d
Reviewed-on: https://chromium-review.googlesource.com/c/1250145
Reviewed-by: Yu Zhao <yuzhao@chromium.org>
Commit-Queue: Yu Zhao <yuzhao@chromium.org>
Tested-by: Yu Zhao <yuzhao@chromium.org>
Trybot-Ready: Yu Zhao <yuzhao@chromium.org>

[modify] https://crrev.com/f7f5708161ab9ec64de9932cb9c82a481e5ac093/net/wireless/reg.c
Oct 4
Oct 5
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/f53fd94c531e2a447fc25801482d1285ccfeb997

commit f53fd94c531e2a447fc25801482d1285ccfeb997
Author: Yu Zhao <yuzhao@google.com>
Date: Fri Oct 05 17:17:55 2018

FROMGIT: cfg80211: fix use-after-free in reg_process_hint()

reg_process_hint_country_ie() can free regulatory_request and return
REG_REQ_ALREADY_SET. We shouldn't use regulatory_request after it's
called. KASAN error was observed when this happens.

BUG: KASAN: use-after-free in reg_process_hint+0x839/0x8aa [cfg80211]
Read of size 4 at addr ffff8800c430d434 by task kworker/1:3/89
<snipped>
Workqueue: events reg_todo [cfg80211]
Call Trace:
 dump_stack+0xc1/0x10c
 ? _atomic_dec_and_lock+0x1ad/0x1ad
 ? _raw_spin_lock_irqsave+0xa0/0xd2
 print_address_description+0x86/0x26f
 ? reg_process_hint+0x839/0x8aa [cfg80211]
 kasan_report+0x241/0x29b
 reg_process_hint+0x839/0x8aa [cfg80211]
 reg_todo+0x204/0x5b9 [cfg80211]
 process_one_work+0x55f/0x8d0
 ? worker_detach_from_pool+0x1b5/0x1b5
 ? _raw_spin_unlock_irq+0x65/0xdd
 ? _raw_spin_unlock_irqrestore+0xf3/0xf3
 worker_thread+0x5dd/0x841
 ? kthread_parkme+0x1d/0x1d
 kthread+0x270/0x285
 ? pr_cont_work+0xe3/0xe3
 ? rcu_read_unlock_sched_notrace+0xca/0xca
 ret_from_fork+0x22/0x40

Allocated by task 2718:
 set_track+0x63/0xfa
 __kmalloc+0x119/0x1ac
 regulatory_hint_country_ie+0x38/0x329 [cfg80211]
 __cfg80211_connect_result+0x854/0xadd [cfg80211]
 cfg80211_rx_assoc_resp+0x3bc/0x4f0 [cfg80211]
smsc95xx v1.0.6
 ieee80211_sta_rx_queued_mgmt+0x1803/0x7ed5 [mac80211]
 ieee80211_iface_work+0x411/0x696 [mac80211]
 process_one_work+0x55f/0x8d0
 worker_thread+0x5dd/0x841
 kthread+0x270/0x285
 ret_from_fork+0x22/0x40

Freed by task 89:
 set_track+0x63/0xfa
 kasan_slab_free+0x6a/0x87
 kfree+0xdc/0x470
 reg_process_hint+0x31e/0x8aa [cfg80211]
 reg_todo+0x204/0x5b9 [cfg80211]
 process_one_work+0x55f/0x8d0
 worker_thread+0x5dd/0x841
 kthread+0x270/0x285
 ret_from_fork+0x22/0x40
<snipped>

Signed-off-by: Yu Zhao <yuzhao@google.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 1db58529454742f67ebd96e3588315e880b72837
 git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git master)

BUG=chromium:887788
TEST=Suspend and resume 200x using KASAN kernel.

Change-Id: Iee235cbc0ef0f692f8a0293b184487a5f8151a4b
Reviewed-on: https://chromium-review.googlesource.com/c/1263156
Tested-by: Yu Zhao <yuzhao@chromium.org>
Commit-Queue: Yu Zhao <yuzhao@chromium.org>
Trybot-Ready: Yu Zhao <yuzhao@chromium.org>
Reviewed-by: Justin TerAvest <teravest@chromium.org>

[modify] https://crrev.com/f53fd94c531e2a447fc25801482d1285ccfeb997/net/wireless/reg.c
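The two commit messages above describe the same bug shape: a callee (reg_process_hint_country_ie()) that may free the request it was handed and signals that only through its return value, and a caller (reg_process_hint()) that dereferences the request afterwards. The C program below is an added illustration of that pattern and of the KASAN-style detection that caught it; it is not code from the kernel or from the linked commits. Every name in it (reg_request, process_country_ie, process_hint_buggy, process_hint_fixed, req_initiator) is a hypothetical stand-in, and the "free" is a poison flag that keeps the object around, the way KASAN's quarantine does, so the bad read is reported instead of silently returning stale memory. The fixed caller applies the remedy the commit message states in general terms: take what you need from the request while it is known to be live, then never touch it again once a callee that may free it has run.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the cfg80211 regulatory-hint flow; not kernel code. */
enum reg_treatment { REG_REQ_OK, REG_REQ_IGNORE, REG_REQ_ALREADY_SET };

struct reg_request {
    int initiator;   /* the field the caller still wants after the callee returns */
    int live;        /* 1 while allocated, 0 once "freed" (see req_free) */
};

static struct reg_request *last_request;   /* request that became the current one */
static int uaf_reports;                    /* how many poisoned reads were caught */

static struct reg_request *req_alloc(int initiator)
{
    struct reg_request *r = calloc(1, sizeof *r);
    if (!r)
        abort();
    r->initiator = initiator;
    r->live = 1;
    return r;
}

/* Poison instead of really freeing: like KASAN's quarantine, the object stays
 * mapped so a later access is detected rather than reading garbage. Objects
 * are deliberately leaked in this toy. */
static void req_free(struct reg_request *r)
{
    r->live = 0;
}

/* Every field read goes through this check, standing in for the shadow-memory
 * lookup KASAN inserts before each load. Returns -1 on a use-after-free. */
static int req_initiator(const struct reg_request *r)
{
    if (!r->live) {
        uaf_reports++;
        fprintf(stderr, "BUG: use-after-free reading reg_request->initiator\n");
        return -1;
    }
    return r->initiator;
}

int uaf_report_count(void)
{
    return uaf_reports;
}

/* Stand-in for reg_process_hint_country_ie(): when the hint duplicates what
 * is already set, the callee frees the request itself and says ALREADY_SET;
 * otherwise the request becomes the current one and stays alive. */
static enum reg_treatment process_country_ie(struct reg_request *r, int already_set)
{
    if (already_set) {
        req_free(r);
        return REG_REQ_ALREADY_SET;
    }
    last_request = r;
    return REG_REQ_OK;
}

/* Buggy caller: dereferences r after a call that may have freed it.
 * Returns the initiator it read, or -1 when the poison check fires. */
int process_hint_buggy(struct reg_request *r, int already_set)
{
    enum reg_treatment t = process_country_ie(r, already_set);
    /* On REG_REQ_ALREADY_SET the callee already freed r, so this read is
     * exactly the "Read of size 4 ... inside of 64-byte region" KASAN flagged. */
    (void)t;
    return req_initiator(r);
}

/* Fixed caller: copy what is needed while r is known to be live, then never
 * touch r again after handing it to a callee that may free it. */
int process_hint_fixed(struct reg_request *r, int already_set)
{
    int initiator = req_initiator(r);
    enum reg_treatment t = process_country_ie(r, already_set);
    (void)t;             /* r may be gone now; only the saved copy is used */
    return initiator;
}

int main(void)
{
    /* Constructed inputs: initiator 3, and a duplicate hint (already_set = 1). */
    printf("buggy caller on duplicate hint: %d\n", process_hint_buggy(req_alloc(3), 1));
    printf("fixed caller on duplicate hint: %d\n", process_hint_fixed(req_alloc(3), 1));
    printf("poisoned reads caught: %d\n", uaf_report_count());
    return 0;
}
```

The useful habit this shows is about ownership at call boundaries: when a function can consume or free its argument depending on its return value, the caller must treat the pointer as dead from the moment of the call on every path, not just the one it expects. KASAN only catches the path that actually executes, which is why the report above needed ~20 suspend/resume cycles to appear.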