copyout - use-after-free read (KASAN)

Found and posted by zer0day

tl;dr

Found by syzkaller in the Linux kernel, v4.16.0-rc7. I am not certain this is a genuine bug; it may only have shown up because of unusual kernel configuration options.

Call Trace (Dump)

Here is the KASAN report. In short: the buffer was allocated on the send path (packet_sendmsg → sock_alloc_send_pskb) and freed on the transmit path (sit_tunnel_xmit → kfree_skb → skb_free_head) by task 6378, while task 6348 was still reading it on the receive path (packet_recvmsg → skb_copy_datagram_iter → copyout), so the read hits freed skb head memory.

[   46.055481] BUG: KASAN: use-after-free in copyout+0x78/0xb0
[   46.056136] Read of size 10 at addr ffff88007acdefc8 by task syz-executor5/6348
[   46.056979] 
[   46.057163] CPU: 1 PID: 6348 Comm: syz-executor5 Not tainted 4.16.0-rc7+ #27
[   46.057999] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[   46.059080] Call Trace:
[   46.059411]  dump_stack+0x10a/0x1dd
[   46.059853]  ? _atomic_dec_and_lock+0x163/0x163
[   46.060422]  ? show_regs_print_info+0x12/0x12
[   46.060969]  print_address_description+0x60/0x224
[   46.061562]  kasan_report+0x196/0x2a0
[   46.062021]  ? copyout+0x78/0xb0
[   46.062452]  ? copyout+0x78/0xb0
[   46.062874]  ? _copy_to_iter+0x242/0x1220
[   46.063399]  ? futex_wake+0x528/0x630
[   46.063867]  ? check_stack_object+0x76/0x90
[   46.064402]  ? iov_iter_zero+0x1150/0x1150
[   46.064904]  ? __check_object_size+0x89/0x540
[   46.065452]  ? usercopy_warn+0xf0/0xf0
[   46.065912]  ? __skb_recv_datagram+0x1bf/0x270
[   46.066481]  ? rcu_pm_notify+0xc0/0xc0
[   46.066979]  ? skb_copy_datagram_iter+0x193/0x9c0
[   46.067591]  ? skb_recv_datagram+0xca/0x120
[   46.067951]  ? skb_kill_datagram+0x100/0x100
[   46.068356]  ? __might_fault+0x177/0x1b0
[   46.068715]  ? _copy_from_user+0x94/0x100
[   46.069059]  ? rw_copy_check_uvector+0x227/0x2f0
[   46.069522]  ? packet_recvmsg+0x252/0x14e0
[   46.069880]  ? packet_rcv_spkt+0x570/0x570
[   46.070243]  ? __might_fault+0x177/0x1b0
[   46.070679]  ? copy_msghdr_from_user+0x354/0x4f0
[   46.071181]  ? security_socket_recvmsg+0x8b/0xc0
[   46.071708]  ? packet_rcv_spkt+0x570/0x570
[   46.072153]  ? sock_recvmsg+0xc2/0x110
[   46.072573]  ? __sock_recv_wifi_status+0x1e0/0x1e0
[   46.073039]  ? ___sys_recvmsg+0x26c/0x5e0
[   46.073384]  ? SYSC_recvfrom+0x560/0x560
[   46.073751]  ? fput+0xa/0x130
[   46.074006]  ? SYSC_sendto+0x3ff/0x560
[   46.074331]  ? SYSC_connect+0x420/0x420
[   46.074691]  ? fget_raw+0x20/0x20
[   46.075055]  ? selinux_netlbl_socket_setsockopt+0xf1/0x430
[   46.075624]  ? __sys_recvmsg+0xc9/0x200
[   46.075955]  ? SyS_sendmmsg+0x50/0x50
[   46.076280]  ? SyS_futex+0x261/0x31e
[   46.076600]  ? SyS_futex+0x26a/0x31e
[   46.076927]  ? security_file_ioctl+0x76/0xb0
[   46.077299]  ? SyS_recvmsg+0x27/0x40
[   46.077618]  ? __sys_recvmsg+0x200/0x200
[   46.077957]  ? do_syscall_64+0x23e/0x7a0
[   46.078296]  ? _raw_spin_unlock_irq+0x24/0x40
[   46.078679]  ? finish_task_switch+0x1c2/0x740
[   46.079054]  ? syscall_return_slowpath+0x470/0x470
[   46.079469]  ? syscall_return_slowpath+0x2df/0x470
[   46.080003]  ? prepare_exit_to_usermode+0x330/0x330
[   46.080482]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   46.081024]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.081488]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   46.081947] 
[   46.082180] Allocated by task 6378:
[   46.082484]  kasan_kmalloc+0xbf/0xe0
[   46.082803]  __kmalloc_node_track_caller+0x11c/0x3b0
[   46.083287]  __kmalloc_reserve.isra.41+0x37/0xc0
[   46.083717]  __alloc_skb+0x119/0x6c0
[   46.084018]  alloc_skb_with_frags+0x102/0x640
[   46.084388]  sock_alloc_send_pskb+0x71a/0x920
[   46.084761]  packet_sendmsg+0x228e/0x59a0
[   46.085170]  sock_sendmsg+0xc0/0x100
[   46.085563]  SYSC_sendto+0x33c/0x560
[   46.085898]  do_syscall_64+0x23e/0x7a0
[   46.086216] 
[   46.086353] Freed by task 6378:
[   46.086702]  __kasan_slab_free+0x12c/0x170
[   46.087092]  kfree+0xf3/0x310
[   46.087352]  skb_free_head+0x83/0xa0
[   46.087685]  skb_release_data+0x553/0x720
[   46.087994]  skb_release_all+0x46/0x60
[   46.088284]  kfree_skb+0x150/0x490
[   46.088548]  sit_tunnel_xmit+0x15d/0x2e30
[   46.088984]  dev_hard_start_xmit+0x224/0xa30
[   46.089494]  __dev_queue_xmit+0xe1d/0x2660
[   46.089973] 
[   46.090160] The buggy address belongs to the object at ffff88007acdef48
[   46.090160]  which belongs to the cache kmalloc-512 of size 512
[   46.091284] The buggy address is located 128 bytes inside of
[   46.091284]  512-byte region [ffff88007acdef48, ffff88007acdf148)
[   46.092320] The buggy address belongs to the page:
[   46.092728] page:ffffea0001eb3700 count:1 mapcount:0 mapping:0000000000000000 index:0xffff88007acdd0e8 compound_mapcount: 0
[   46.093651] flags: 0x500000000008100(slab|head)
[   46.094049] raw: 0500000000008100 0000000000000000 ffff88007acdd0e8 0000000100120009
[   46.094689] raw: ffffea0001eb2120 ffff88007f8014c0 ffff88002dc0ce00 0000000000000000
[   46.095387] page dumped because: kasan: bad access detected
[   46.095914] 
[   46.096058] Memory state around the buggy address:
[   46.096461]  ffff88007acdee80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.097068]  ffff88007acdef00: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[   46.097663] >ffff88007acdef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.098274]                                               ^
[   46.098746]  ffff88007acdf000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.099374]  ffff88007acdf080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   46.100056] ==================================================================

[   46.103377] Call Trace:
[   46.103632]  dump_stack+0x10a/0x1dd
[   46.103936]  ? _atomic_dec_and_lock+0x163/0x163
[   46.104325]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   46.104717]  panic+0x1b3/0x3a4
[   46.104991]  ? add_taint.cold.3+0x16/0x16
[   46.105351]  ? add_taint+0x15/0x40
[   46.105644]  ? add_taint+0x15/0x40
[   46.105938]  kasan_end_report+0x43/0x49
[   46.106358]  kasan_report.cold.5+0xb7/0xe3
[   46.106779]  copyout+0x78/0xb0
[   46.107104]  ? copyout+0x78/0xb0
[   46.107434]  ? _copy_to_iter+0x242/0x1220
...
[   46.107911]  ? futex_wake+0x528/0x630
[   46.108557]  ? check_stack_object+0x76/0x90
...
[   46.108945]  ? iov_iter_zero+0x1150/0x1150
[   46.109645]  ? __check_object_size+0x89/0x540
[   46.110092]  ? usercopy_warn+0xf0/0xf0
[   46.110549]  ? __skb_recv_datagram+0x1bf/0x270
[   46.111112]  ? rcu_pm_notify+0xc0/0xc0
[   46.111584]  ? skb_copy_datagram_iter+0x193/0x9c0
[   46.112141]  ? skb_recv_datagram+0xca/0x120
[   46.112535]  ? skb_kill_datagram+0x100/0x100
[   46.112985]  ? __might_fault+0x177/0x1b0
[   46.113499]  ? _copy_from_user+0x94/0x100
[   46.113994]  ? rw_copy_check_uvector+0x227/0x2f0
[   46.114456]  ? packet_recvmsg+0x252/0x14e0
[   46.114850]  ? packet_rcv_spkt+0x570/0x570
[   46.115314]  ? __might_fault+0x177/0x1b0
[   46.115836]  ? copy_msghdr_from_user+0x354/0x4f0
[   46.116432]  ? security_socket_recvmsg+0x8b/0xc0
[   46.116992]  ? packet_rcv_spkt+0x570/0x570
[   46.117491]  ? sock_recvmsg+0xc2/0x110
[   46.117927]  ? __sock_recv_wifi_status+0x1e0/0x1e0
[   46.118468]  ? ___sys_recvmsg+0x26c/0x5e0
[   46.118882]  ? SYSC_recvfrom+0x560/0x560
[   46.119444]  ? fput+0xa/0x130
[   46.119782]  ? SYSC_sendto+0x3ff/0x560
[   46.120224]  ? SYSC_connect+0x420/0x420
[   46.120611]  ? fget_raw+0x20/0x20
[   46.120946]  ? selinux_netlbl_socket_setsockopt+0xf1/0x430
[   46.121505]  ? __sys_recvmsg+0xc9/0x200
[   46.121892]  ? SyS_sendmmsg+0x50/0x50
[   46.122282]  ? SyS_futex+0x261/0x31e
[   46.122654]  ? SyS_futex+0x26a/0x31e
[   46.123063]  ? security_file_ioctl+0x76/0xb0
[   46.123589]  ? SyS_recvmsg+0x27/0x40
[   46.124007]  ? __sys_recvmsg+0x200/0x200
[   46.124419]  ? do_syscall_64+0x23e/0x7a0
[   46.124815]  ? _raw_spin_unlock_irq+0x24/0x40
[   46.125286]  ? finish_task_switch+0x1c2/0x740
[   46.125719]  ? syscall_return_slowpath+0x470/0x470
[   46.126212]  ? syscall_return_slowpath+0x2df/0x470
[   46.126741]  ? prepare_exit_to_usermode+0x330/0x330
[   46.127282]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   46.127953]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   46.128478]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   46.129062] Dumping ftrace buffer:
[   46.129406]    (ftrace buffer empty)
[   46.129773] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   46.130866] Rebooting in 86400 seconds..

End