Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Feb 2021 15:04:55 +0800 (GMT+08:00)
From: ???? <zhaowenjia@....xjtu.edu.cn>
To: security@...nel.org, oss-security@...ts.openwall.com, 
	gregkh@...uxfoundation.org, jirislaby@...nel.org, nico@...xnic.net
Subject: KASAN: use-after-free in con_scroll​

Dear Linux kernel developers,

I found a crash "KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641"  when running the syzkaller,  

It is can be reproduced. I did not find a report about this problem. Hope it is useful.




Linux version: Linux v5.9-rc8 (549738f15)


The following is the crash report.

==================================================================

BUG: KASAN: use-after-free in scr_memmovew include/linux/vt_buffer.h:68 [inline]
BUG: KASAN: use-after-free in con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
Read of size 693770 at addr ffff8880000b894c by task syz-executor.2/7755

CPU: 0 PID: 7755 Comm: syz-executor.2 Not tainted 5.1.0 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x75/0xae lib/dump_stack.c:113
 print_address_description+0x60/0x223 mm/kasan/report.c:187
 kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
 memmove+0x20/0x50 mm/kasan/common.c:123
 scr_memmovew include/linux/vt_buffer.h:68 [inline]
 con_scroll+0x45c/0x620 drivers/tty/vt/vt.c:641
 csi_L drivers/tty/vt/vt.c:1967 [inline]
 do_con_trol+0x4ba4/0x5d80 drivers/tty/vt/vt.c:2366
 do_con_write.part.0+0xd3d/0x1ac0 drivers/tty/vt/vt.c:2790
 do_con_write drivers/tty/vt/vt.c:2558 [inline]
 con_write+0x33/0xc0 drivers/tty/vt/vt.c:3127
 process_output_block drivers/tty/n_tty.c:595 [inline]
 n_tty_write+0x391/0xe50 drivers/tty/n_tty.c:2333
 do_tty_write drivers/tty/tty_io.c:961 [inline]
 tty_write+0x3d4/0x6e0 drivers/tty/tty_io.c:1045
 do_loop_readv_writev fs/read_write.c:704 [inline]
 do_loop_readv_writev fs/read_write.c:688 [inline]
 do_iter_write fs/read_write.c:959 [inline]
 do_iter_write+0x3eb/0x560 fs/read_write.c:938
 vfs_writev+0x19a/0x2d0 fs/read_write.c:1002
 do_writev+0x106/0x2d0 fs/read_write.c:1037
 do_syscall_64+0x9a/0x2b0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de59
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fae6e580c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000003b900 RCX: 000000000045de59
RDX: 0000000000000001 RSI: 0000000020001000 RDI: 0000000000000003
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007fffd398ebcf R14: 00007fae6e5819c0 R15: 000000000118bf2c

The buggy address belongs to the page:
page:ffffea0000002e00 count:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1000(reserved)
raw: 0000000000001000 ffffea0000002e08 ffffea0000002e08 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880000fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880000fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888000100000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff888000100080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888000100100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.