Re: Type Confusion in Linux Kernel

[Kyle Zeng <zengyhkyle () gmail com>]

Hi John,

A crash report is attached to this email. I hope this helps evaluate
the security implication of the bug.
Best,
Kyle Zeng


==================================================================
BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x9d8/0x1fc0
Read of size 1 at addr ffff88806bfd40aa by task sd-resolve/250

CPU: 2 PID: 250 Comm: sd-resolve Not tainted 5.4.188 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack+0x19d/0x1e7
 print_address_description+0xd7/0xca0
 __kasan_report+0x1e0/0x270
 kasan_report+0x30/0x60
 cbq_enqueue+0x9d8/0x1fc0
 __dev_queue_xmit+0x2238/0x49f0
 ip_finish_output2+0x1529/0x2430
 ip_output+0x358/0x3f0
 ip_send_skb+0xec/0x220
 udp_send_skb+0xd4f/0x1710
 udp_sendmsg+0x3889/0x4ee0
 ____sys_sendmsg+0x1083/0x1240
 __sys_sendmmsg+0x88d/0xe90
 __x64_sys_sendmmsg+0xa1/0xb0
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f188612135f
Code: 89 f5 55 53 89 cd 41 89 d4 89 fb 48 83 ec 18 e8 b7 b1 00 00 44
89 e2 41 89 c0 48 63 fb 4c 63 d5 4c 89 ee b8 33 01 00 00 0f 05 <48> 3d
00 f0 ff ff 77 1b 44 89 c7 89 44 24 0c e8 ed b1 00 00 8b 44
RSP: 002b:00007f1883b5fc10 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f188612135f
RDX: 0000000000000002 RSI: 00007f1883b5fdb0 RDI: 000000000000000d
RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000004000 R11: 0000000000000293 R12: 0000000000000002
R13: 00007f1883b5fdb0 R14: 0000000008ce68e8 R15: 00007f1883b67db8

Allocated by task 1285:
 __kasan_kmalloc+0x1d9/0xdf0
 tc_new_tfilter+0x1f2e/0x41f0
 rtnetlink_rcv_msg+0x777/0x12d0
 netlink_rcv_skb+0x39b/0x870
 netlink_unicast+0xb45/0xf90
 netlink_sendmsg+0x1477/0x1830
 ____sys_sendmsg+0x1206/0x1240
 __sys_sendmsg+0x48d/0x570
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 106:
 __kasan_slab_free+0x293/0xe30
 kfree+0x33e/0x1010
 process_one_work+0xea3/0x17b0
 worker_thread+0xecc/0x1a00
 kthread+0x33b/0x3a0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff88806bfd4000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 42 bytes to the right of
 128-byte region [ffff88806bfd4000, ffff88806bfd4080)
The buggy address belongs to the page:
page:ffffea0001aff500 refcount:1 mapcount:0 mapping:ffff88806bc03200 index:0x0
flags: 0x100000000000200(slab)
raw: 0100000000000200 ffffea0001a50b40 0000000400000004 ffff88806bc03200
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806bfd3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806bfd4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
> ffff88806bfd4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff88806bfd4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806bfd4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================