anon_vma_chain - slab padding/red zone overwritten

posted & found by zer0day

tl;dr

Found by syzkaller in Linux kernel v4.16.0-rc7.

Call Trace (Dump)

Here is the syzkaller report (SLUB debug output: padding and redzone checks for the anon_vma_chain and kmalloc-64 caches).

INFO: Slab ADDR objects=18 used=18 fp=0x (null) flags=ADDR

BUG anon_vma_chain (Not tainted): Padding overwritten. 0x000000006fe6e975-0x00000000d2999cdc
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Slab 0x00000000b505159c objects=18 used=18 fp=0x          (null) flags=0x500000000008101
CPU: 1 PID: 12071 Comm: ip Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 slab_err+0xab/0xcf mm/slub.c:724
 slab_pad_check.part.45.cold.81+0x23/0x75 mm/slub.c:864
Padding 000000006fe6e975: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000004938624c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000003a30b2bc: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000abc764f9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000e374b01e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000ddff5969: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000008d39c33b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000005f158a09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000007427554b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000002e5ffe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000002180c90a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000004e6decb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000007a43f35b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000751350b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000c53b393e: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000740423c9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000028288523: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000a7a07601: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000033ab7532: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000eb1cbbd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000fadd1252: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000a40a3d13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000752136f1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000d39d6b17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000a577fdeb: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000009f2fb35a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
FIX anon_vma_chain: Restoring 0x000000006fe6e975-0x00000000d2999cdc=0x5a

=============================================================================
BUG anon_vma_chain (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x00000000d2aea25c-0x00000000b7560b65. First byte 0x0 instead of 0xcc
INFO: Slab 0x00000000b505159c objects=18 used=18 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x000000009f2cb95c @offset=5624 fp=0x          (null)

Redzone 00000000d2aea25c: 00 00 00 00 00 00 00 00                          ........
Object 000000009f2cb95c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000008c540521: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000024e5d905: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000087d66cf6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000040aaa316: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 000000006172e99c: 00 00 00 00 00 00 00 00                          ........
Padding 00000000624f770f: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 12071 Comm: ip Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX anon_vma_chain: Restoring 0x00000000d2aea25c-0x00000000b7560b65=0xcc

FIX anon_vma_chain: Object at 0x000000009f2cb95c not freed
=============================================================================
BUG anon_vma_chain (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x00000000ee235c64-0x000000003480ff57. First byte 0x0 instead of 0xcc
INFO: Slab 0x00000000b505159c objects=18 used=18 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x00000000660a475d @offset=8 fp=0x          (null)

Redzone 00000000ee235c64: 00 00 00 00 00 00 00 00                          ........
Object 00000000660a475d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000e6e68d84: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000a7674d61: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000e5085e46: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000003b1a98f7: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 00000000dde82ea3: 00 00 00 00 00 00 00 00                          ........
Padding 00000000c33cf2e2: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 12082 Comm: sh Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX anon_vma_chain: Restoring 0x00000000ee235c64-0x000000003480ff57=0xcc

FIX anon_vma_chain: Object at 0x00000000660a475d not freed
=============================================================================
BUG anon_vma_chain (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x000000005f350485-0x0000000076389ac8. First byte 0x0 instead of 0xcc
INFO: Slab 0x00000000b505159c objects=18 used=18 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x0000000015376e75 @offset=5192 fp=0x          (null)

Redzone 000000005f350485: 00 00 00 00 00 00 00 00                          ........
Object 0000000015376e75: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000f0e35b16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000030f1a66b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000007ac4d59f: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000008924595b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 00000000d93f0449: 00 00 00 00 00 00 00 00                          ........
Padding 0000000052bc5876: 00 00 00 00 00 00 00 00                          ........
CPU: 0 PID: 12097 Comm: modprobe Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX anon_vma_chain: Restoring 0x000000005f350485-0x0000000076389ac8=0xcc

FIX anon_vma_chain: Object at 0x0000000015376e75 not freed
=============================================================================
BUG anon_vma_chain (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x0000000090d05828-0x00000000640c301f. First byte 0x0 instead of 0xcc
INFO: Slab 0x00000000b505159c objects=18 used=18 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x00000000c3a2e01a @offset=2168 fp=0x          (null)

Redzone 0000000090d05828: 00 00 00 00 00 00 00 00                          ........
Object 00000000c3a2e01a: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000d974dda9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000d6a18047: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000c5c1e97d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000024798423: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 000000009b3bd61d: 00 00 00 00 00 00 00 00                          ........
Padding 000000001712f520: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 12113 Comm: modprobe Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX anon_vma_chain: Restoring 0x0000000090d05828-0x00000000640c301f=0xcc

FIX anon_vma_chain: Object at 0x00000000c3a2e01a not freed
=============================================================================
BUG kmalloc-64 (Tainted: G    B           ): Padding overwritten. 0x00000000e2e92ca3-0x00000000de7fbde8
-----------------------------------------------------------------------------

INFO: Slab 0x0000000010fbf3d8 objects=19 used=19 fp=0x          (null) flags=0x500000000008101
CPU: 1 PID: 12160 Comm: modprobe Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 slab_err+0xab/0xcf mm/slub.c:724
 slab_pad_check.part.45.cold.81+0x23/0x75 mm/slub.c:864
Padding 00000000e2e92ca3: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000003b73d901: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000e1534de7: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000009cad5477: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000003b32512b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000066d813c6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000d0266b36: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000000bb47526: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000e0046aa9: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000020f9edd: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000fa9d2db1: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000001f39e3a5: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000003da23d9d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000006882d379: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 0000000013778799: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000000b973d86: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 000000000e58426f: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Padding 00000000f2649fb2: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
FIX kmalloc-64: Restoring 0x00000000e2e92ca3-0x00000000de7fbde8=0x5a

=============================================================================
BUG kmalloc-64 (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x0000000084bd3121-0x00000000edba746e. First byte 0x0 instead of 0xcc
INFO: Slab 0x0000000010fbf3d8 objects=19 used=19 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x000000003d33a159 @offset=6248 fp=0x          (null)

Redzone 0000000084bd3121: 00 00 00 00 00 00 00 00                          ........
Object 000000003d33a159: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000003dbc71c6: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000aef4ebae: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000d8014f8b: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 0000000005f86c21: 00 00 00 00 00 00 00 00                          ........
Padding 0000000035d8a4ed: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 12160 Comm: modprobe Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX kmalloc-64: Restoring 0x0000000084bd3121-0x00000000edba746e=0xcc

FIX kmalloc-64: Object at 0x000000003d33a159 not freed
=============================================================================
BUG kmalloc-64 (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x00000000f8dca494-0x0000000099d1331e. First byte 0x0 instead of 0xcc
INFO: Slab 0x0000000010fbf3d8 objects=19 used=19 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x0000000053a1a9e8 @offset=840 fp=0x          (null)

Redzone 00000000f8dca494: 00 00 00 00 00 00 00 00                          ........
Object 0000000053a1a9e8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 0000000007841875: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000000e92da29: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000004ae2b4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 00000000d40f7f3a: 00 00 00 00 00 00 00 00                          ........
Padding 000000003da1fdd4: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 12023 Comm: syz-executor0 Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX kmalloc-64: Restoring 0x00000000f8dca494-0x0000000099d1331e=0xcc

FIX kmalloc-64: Object at 0x0000000053a1a9e8 not freed
=============================================================================
BUG kmalloc-64 (Tainted: G    B           ): Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0x00000000d7a78f15-0x0000000055e37950. First byte 0x0 instead of 0xcc
INFO: Slab 0x0000000010fbf3d8 objects=19 used=19 fp=0x          (null) flags=0x500000000008101
INFO: Object 0x000000006aa17a7d @offset=6664 fp=0x          (null)

Redzone 00000000d7a78f15: 00 00 00 00 00 00 00 00                          ........
Object 000000006aa17a7d: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000005951e69c: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 00000000151f58dd: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object 000000007b7e4602: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Redzone 00000000ed905c40: 00 00 00 00 00 00 00 00                          ........
Padding 000000003045bfb1: 00 00 00 00 00 00 00 00                          ........
CPU: 1 PID: 12023 Comm: syz-executor0 Tainted: G    B            4.16.0-rc6+ #21
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x10a/0x1dd lib/dump_stack.c:53
 check_bytes_and_report.cold.80+0x40/0x6f mm/slub.c:770
FIX kmalloc-64: Restoring 0x00000000d7a78f15-0x0000000055e37950=0xcc

FIX kmalloc-64: Object at 0x000000006aa17a7d not freed
=============================================================================
BUG task_struct (Tainted: G    B           ): Padding overwritten. 0x00000000f74e5132-0x0000000051a28b29

End