oss-sec mailing list archives
KASAN: use-after-free in con_scroll
From: ???? <zhaowenjia () stu xjtu edu cn>
Date: Wed, 3 Feb 2021 15:04:55 +0800 (GMT+08:00)
Dear Linux kernel developers,

I found a crash "KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641" when running syzkaller. It can be reproduced. I did not find a report about this problem. Hope it is useful.

Linux version: Linux v5.9-rc8 (549738f15)

The following is the crash report.

==================================================================
BUG: KASAN: use-after-free in scr_memmovew include/linux/vt_buffer.h:68 [inline]
BUG: KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
Read of size 693770 at addr ffff8880000b894c by task syz-executor.2/7755

CPU: 0 PID: 7755 Comm: syz-executor.2 Not tainted 5.1.0 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description+0x60/0x223 mm/kasan/report.c:187
 kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
 memmove+0x20/0x50 mm/kasan/common.c:123
 scr_memmovew include/linux/vt_buffer.h:68 [inline]
 con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
 csi_L drivers/tty/vt/vt.c:1967 [inline]
 do_con_trol+0x4ba4/0x5d80 drivers/tty/vt/vt.c:2366
 do_con_write.part.0+0xd3d/0x1ac0 drivers/tty/vt/vt.c:2790
 do_con_write drivers/tty/vt/vt.c:2558 [inline]
 con_write+0x33/0xc0 drivers/tty/vt/vt.c:3127
 process_output_block drivers/tty/n_tty.c:595 [inline]
 n_tty_write+0x391/0xe50 drivers/tty/n_tty.c:2333
 do_tty_write drivers/tty/tty_io.c:961 [inline]
 tty_write+0x3d4/0x6e0 drivers/tty/tty_io.c:1045
 do_loop_readv_writev fs/read_write.c:704 [inline]
 do_loop_readv_writev fs/read_write.c:688 [inline]
 do_iter_write fs/read_write.c:959 [inline]
 do_iter_write+0x3eb/0x560 fs/read_write.c:938
 vfs_writev+0x19a/0x2d0 fs/read_write.c:1002
 do_writev+0x106/0x2d0 fs/read_write.c:1037
 do_syscall_64+0x9a/0x2b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fae6e580c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000003b900 RCX: 000000000045de59
RDX: 0000000000000001 RSI: 0000000020001000 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fffd398ebcf R14: 00007fae6e5819c0 R15: 000000000118bf2c

The buggy address belongs to the page:
page:ffffea0000002e00 count:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1000(reserved)
raw: 0000000000001000 ffffea0000002e08 ffffea0000002e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
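The following triage script is an added example, not part of the report above and not a tool from the kernel tree or syzkaller. It parses the posted KASAN report (a trimmed excerpt is embedded as constructed sample input), picks out the first frame that is not KASAN/dump_stack machinery, identifies the syscall the task came in through from both the stack and ORIG_RAX, and checks that the poisoned shadow byte actually lies inside the [addr, addr+size) range KASAN printed. Assumptions not taken from the report: the x86-64 direct-map and vmemmap bases without KASLR, a 64-byte struct page, and the handful of x86-64 syscall numbers that are hard-coded.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the report posted above (frames trimmed, values unchanged).
SAMPLE = """\
BUG: KASAN: use-after-free in scr_memmovew include/linux/vt_buffer.h:68 [inline]
BUG: KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
Read of size 693770 at addr ffff8880000b894c by task syz-executor.2/7755
CPU: 0 PID: 7755 Comm: syz-executor.2 Not tainted 5.1.0 #4
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description+0x60/0x223 mm/kasan/report.c:187
 kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
 memmove+0x20/0x50 mm/kasan/common.c:123
 scr_memmovew include/linux/vt_buffer.h:68 [inline]
 con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
 csi_L drivers/tty/vt/vt.c:1967 [inline]
 do_con_trol+0x4ba4/0x5d80 drivers/tty/vt/vt.c:2366
 con_write+0x33/0xc0 drivers/tty/vt/vt.c:3127
 n_tty_write+0x391/0xe50 drivers/tty/n_tty.c:2333
 tty_write+0x3d4/0x6e0 drivers/tty/tty_io.c:1045
 vfs_writev+0x19a/0x2d0 fs/read_write.c:1002
 do_writev+0x106/0x2d0 fs/read_write.c:1037
 do_syscall_64+0x9a/0x2b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de59
RSP: 002b:00007fae6e580c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
The buggy address belongs to the page:
page:ffffea0000002e00 count:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1000(reserved)
Memory state around the buggy address:
 ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

FRAME_RE = re.compile(r"^\s*(?P<func>\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?$")
SHADOW_RE = re.compile(r"^\s*(?P<addr>[0-9a-f]{16}):\s*(?P<bytes>(?:[0-9a-f]{2}\s*){16})$")
INSTRUMENTATION = ("lib/dump_stack.c", "mm/kasan/")          # frames that are never the culprit
X86_64_SYSCALLS = {0: "read", 1: "write", 16: "ioctl", 20: "writev"}  # only the numbers needed here
# Assumption: x86-64 defaults without KASLR and a 64-byte struct page. Used only to cross-check
# the report against itself; none of these constants appear in the report.
DIRECT_MAP, VMEMMAP, STRUCT_PAGE = 0xffff888000000000, 0xffffea0000000000, 64

@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool

@dataclass
class Report:
    kind: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    kernel: str = ""
    orig_rax: Optional[int] = None
    page_ptr: Optional[int] = None
    page_flags: str = ""
    frames: List[Frame] = field(default_factory=list)
    shadow: List[Tuple[int, List[int]]] = field(default_factory=list)  # (line base, 16 shadow bytes)
    marked: Optional[int] = None                                        # base of the line under the caret

def parse_report(text: str) -> Report:
    r, lines, i = Report(), text.splitlines(), 0
    while i < len(lines):
        ln = lines[i]
        if m := re.match(r"BUG: KASAN: (\S+) in ", ln):
            r.kind = m[1]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln):
            r.access, r.size, r.addr, r.task, r.pid = m[1], int(m[2]), int(m[3], 16), m[4], int(m[5])
        elif m := re.search(r"Not tainted (\S+)", ln):
            r.kernel = m[1]
        elif m := re.search(r"ORIG_RAX: ([0-9a-f]+)", ln):
            r.orig_rax = int(m[1], 16)
        elif m := re.match(r"page:([0-9a-f]+)", ln):
            r.page_ptr = int(m[1], 16)
        elif m := re.match(r"flags: (\S+)", ln):
            r.page_flags = m[1]
        elif ln.startswith("Call Trace:"):  # consume the indented frame lines that follow
            while i + 1 < len(lines) and lines[i + 1].startswith(" ") and (m := FRAME_RE.match(lines[i + 1])):
                r.frames.append(Frame(m["func"], m["file"], int(m["line"]) if m["line"] else None, bool(m["inline"])))
                i += 1
        elif m := SHADOW_RE.match(ln):
            r.shadow.append((int(m["addr"], 16), [int(b, 16) for b in m["bytes"].split()]))
        elif ln.strip() == "^" and r.shadow:   # caret sits under the shadow byte KASAN complained about
            r.marked = r.shadow[-1][0]
        i += 1
    return r

def culprit(r: Report) -> Tuple[Frame, Frame]:
    """First non-instrumentation frame (may be inlined) and its nearest out-of-line caller."""
    frames = [f for f in r.frames if not (f.file and f.file.startswith(INSTRUMENTATION))]
    return frames[0], next(f for f in frames if not f.inline)

def syscall_entry(r: Report) -> Frame:
    """The frame directly below do_syscall_64, i.e. the syscall handler the task was in."""
    idx = next(i for i, f in enumerate(r.frames) if f.func.startswith("do_syscall_64"))
    return r.frames[idx - 1]

def syscall_name(r: Report) -> str:
    return X86_64_SYSCALLS.get(r.orig_rax, "unknown(%s)" % r.orig_rax)

def access_range(r: Report) -> Tuple[int, int]:
    return r.addr, r.addr + r.size              # [start, end) of the reported access

def first_poisoned_byte(r: Report) -> Optional[Tuple[int, int]]:
    """First poisoned shadow byte in the dump whose 8-byte granule lies inside the access range."""
    lo, hi = access_range(r)
    for base, vals in r.shadow:
        for k, v in enumerate(vals):
            if v != 0 and lo <= base + 8 * k < hi:
                return base + 8 * k, v
    return None

def shadow_meaning(v: int) -> str:
    if v == 0:
        return "accessible"
    if 1 <= v <= 7:
        return "first %d bytes accessible" % v
    return "freed page (KASAN_FREE_PAGE)" if v == 0xff else "other KASAN poison 0x%02x" % v

def phys_of(addr: int) -> int:
    return addr - DIRECT_MAP                    # direct-map virtual -> physical (assumed base)

def pfn_of_page(page_ptr: int) -> int:
    return (page_ptr - VMEMMAP) // STRUCT_PAGE  # struct page pointer -> page frame number

def page_matches_addr(r: Report) -> bool:
    """Does the 'belongs to the page' pointer really name the page holding the start address?"""
    return r.page_ptr is not None and pfn_of_page(r.page_ptr) == phys_of(r.addr) >> 12

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    first, outer = culprit(rep)
    lo, hi = access_range(rep)
    print("%s %s of %d bytes [%#x, %#x) by %s/%d on %s" % (rep.kind, rep.access, rep.size, lo, hi, rep.task, rep.pid, rep.kernel))
    print("culprit: %s (%s:%s) inlined into %s (%s:%s)" % (first.func, first.file, first.line, outer.func, outer.file, outer.line))
    print("entered via %s, ORIG_RAX says %s" % (syscall_entry(rep).func, syscall_name(rep)))
    bad = first_poisoned_byte(rep)
    print("first poisoned byte in range: %#x (%s); caret line: %#x" % (bad[0], shadow_meaning(bad[1]), rep.marked))
    print("page pfn %#x vs phys(addr)>>12 %#x, flags %s, consistent=%s" % (pfn_of_page(rep.page_ptr), phys_of(rep.addr) >> 12, rep.page_flags, page_matches_addr(rep)))
```

Run against the excerpt, the script reports a 693770-byte (roughly 677 KiB) read starting at ffff8880000b894c and ending at ffff888000161f56, with the first poisoned granule at ffff888000100000, the line the caret marks. Under the assumed no-KASLR layout the start address decodes to physical 0xb894c, which agrees with the struct page pointer (pfn 0xb8, the reserved page the report prints), so the three pieces of the report are consistent with each other, and the memmove in scr_memmovew called from con_scroll via csi_L runs far past the end of that reserved page.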
Current thread:
- KASAN: use-after-free in con_scroll ???? (Feb 02)
- Re: KASAN: use-after-free in con_scroll Greg KH (Feb 02)