[Bug report] KASAN: use-after-free Read in fb_videomode_to_var

yang lan lanyang0908 at gmail.com
Wed May 31 05:51:03 UTC 2023


Hi,

We use our modified Syzkaller to fuzz the Linux kernel and found the
following issue.

Head Commit: 4c893ff55907c61456bcb917781c0dd687a1e123
Git Tree: stable

Kernel config: https://pastebin.com/raw/BiggLxRg

Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: lanyang0908 at gmail.com

I guess that it is possibly caused by a race condition?
First, fb_videomode_to_var+0x2fc corresponds to the field "xres" in
struct fb_videomode. Although the system checks whether the mode object is
NULL before converting fb_videomode to fb_var_screeninfo, could this object
be freed by other threads at that moment?

What do you think?

Related source code:

static int fbcon_resize(struct vc_data *vc, unsigned int width,
                        unsigned int height, unsigned int user)
{
        ...
        /* mode points at an entry of info->modelist */
        mode = fb_find_best_mode(&var, &info->modelist);
        if (mode == NULL)
                return -EINVAL;
        display_to_var(&var, p);
        fb_videomode_to_var(&var, mode);
        ...
}

void fb_videomode_to_var(struct fb_var_screeninfo *var,
                         const struct fb_videomode *mode)
{
        /* KASAN reports the use-after-free read here (fb_videomode_to_var+0x2fc) */
        var->xres = mode->xres;
        ...
}

Crash log:
==================================================================
BUG: KASAN: use-after-free in fb_videomode_to_var+0x2fc/0x5d0
Read of size 4 at addr ffff8880495c661c by task syz-executor.4/16705

CPU: 1 PID: 16705 Comm: syz-executor.4 Not tainted 5.10.180+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0x172/0x21e
 ? stack_trace_save+0x107/0x1e0
 ? show_regs_print_info+0x12/0x12
 ? printk+0xc0/0x103
 print_address_description+0x66/0x640
 ? log_buf_vmcoreinfo_setup+0x45d/0x45d
 ? _raw_spin_lock_irqsave+0xbf/0x100
 ? stack_trace_save+0x107/0x1e0
 ? stack_trace_snprint+0xe0/0xe0
 kasan_report+0x141/0x1f0
 ? fb_videomode_to_var+0x2fc/0x5d0
 ? fb_videomode_to_var+0x2fc/0x5d0
 ? fbcon_resize+0x627/0x17f0
 ? fbcon_copy_font+0x130/0x130
 ? __kmalloc+0x224/0x300
 ? kzalloc+0x1d/0x40
 ? fbcon_copy_font+0x130/0x130
 ? vc_do_resize+0x7b7/0x18f0
 ? vc_resize+0x50/0x50
 ? _raw_spin_unlock_irqrestore+0x2e/0x60
 ? lockdep_hardirqs_on+0x90/0x140
 ? vt_ioctl+0x32f1/0x3ff0
 ? mark_lock+0x1ac/0x1dc0
 ? __vt_event_wait+0x230/0x230
 ? __bfs+0x660/0x660
 ? __bfs+0x660/0x660
 ? trace_lock_acquire+0x1a0/0x1a0
 ? rcu_read_lock_sched_held+0x87/0x110
 ? __bpf_trace_rcu_utilization+0x10/0x10
 ? __lock_acquire+0x1264/0x2b10
 ? __lock_acquire+0x1264/0x2b10
 ? trace_lock_acquire+0x1a0/0x1a0
 ? tty_ioctl+0xf2a/0x1700
 ? tty_do_resize+0x180/0x180
 ? rcu_lock_release+0x9/0x20
 ? __lock_acquire+0x2b10/0x2b10
 ? __fget_files+0x37c/0x3b0
 ? __fdget+0x18f/0x210
 ? tty_do_resize+0x180/0x180
 ? __x64_sys_ioctl+0x119/0x190
 ? do_syscall_64+0x74/0xc0
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 7679:
 __kasan_kmalloc+0x102/0x140
 __kmalloc_node+0x262/0x380
 kvmalloc_node+0x81/0x110
 alloc_fdtable+0x151/0x260
 dup_fd+0x880/0xd00
 copy_process+0x1b66/0x5e80

The buggy address belongs to the object at ffff8880495c6600
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 28 bytes inside of
 96-byte region [ffff8880495c6600, ffff8880495c6660)
The buggy address belongs to the page:
page:0000000005617347 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880495c6c80 pfn:0x495c6
flags: 0x4fff00000000200(slab)
raw: 04fff00000000200 ffffea0000629680 0000000200000002 ffff88800ec41780
raw: ffff8880495c6c80 000000008020001c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY)
 prep_new_page+0x16/0xa0
 get_page_from_freelist+0xa3d/0xcb0
 __alloc_pages_nodemask+0x225/0x580
 allocate_slab+0xb4/0x520
 ___slab_alloc+0x1df/0x330
 kmem_cache_alloc_trace+0x288/0x2c0
 __hw_addr_sync+0x3c0/0xb30
 dev_mc_sync+0xdb/0x1a0
 vlan_dev_set_rx_mode+0x47/0x70
 __dev_mc_add+0x3ed/0x510
 igmp6_group_added+0x1a0/0x880
 __ipv6_dev_mc_inc+0x8c1/0xb60
 addrconf_dad_work+0x3f2/0x2040
 process_one_work+0x83b/0x10a0
 worker_thread+0xa94/0x1440
 kthread+0x3af/0x3d0
page last free stack trace:
 free_pcp_prepare+0x1dc/0x410
 free_unref_page+0x6a/0x220
 tlb_remove_table_rcu+0x78/0xf0
 rcu_core+0x81a/0x1190
 __do_softirq+0x376/0x72b
 asm_call_irq_on_stack+0xf/0x20

Memory state around the buggy address:
 ffff8880495c6500: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff8880495c6580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8880495c6600: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                            ^
 ffff8880495c6680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8880495c6700: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 16705 Comm: syz-executor.4 Tainted: G    B             5.10.180+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 dump_stack+0x172/0x21e
 ? log_buf_vmcoreinfo_setup+0x45d/0x45d
 ? show_regs_print_info+0x12/0x12
 ? __irq_exit_rcu+0xc5/0x260
 ? irq_exit_rcu+0x20/0x20
 panic+0x2b6/0x7d0
 ? schedule_preempt_disabled+0x20/0x20
 ? trace_hardirqs_on+0x32/0x80
 ? nmi_panic+0x80/0x80
 ? preempt_schedule_thunk+0x16/0x18
 ? trace_hardirqs_on+0x32/0x80
 kasan_report+0x1e5/0x1f0
 ? fb_videomode_to_var+0x2fc/0x5d0
 ? fb_videomode_to_var+0x2fc/0x5d0
 ? fbcon_resize+0x627/0x17f0
 ? fbcon_copy_font+0x130/0x130
 ? __kmalloc+0x224/0x300
 ? kzalloc+0x1d/0x40
 ? fbcon_copy_font+0x130/0x130
 ? vc_do_resize+0x7b7/0x18f0
 ? vc_resize+0x50/0x50
 ? _raw_spin_unlock_irqrestore+0x2e/0x60
 ? lockdep_hardirqs_on+0x90/0x140
 ? vt_ioctl+0x32f1/0x3ff0
 ? mark_lock+0x1ac/0x1dc0
 ? __vt_event_wait+0x230/0x230
 ? __bfs+0x660/0x660
 ? __bfs+0x660/0x660
 ? trace_lock_acquire+0x1a0/0x1a0
 ? rcu_read_lock_sched_held+0x87/0x110
 ? __bpf_trace_rcu_utilization+0x10/0x10
 ? __lock_acquire+0x1264/0x2b10
 ? __lock_acquire+0x1264/0x2b10
 ? trace_lock_acquire+0x1a0/0x1a0
 ? tty_ioctl+0xf2a/0x1700
 ? tty_do_resize+0x180/0x180
 ? rcu_lock_release+0x9/0x20
 ? __lock_acquire+0x2b10/0x2b10
 ? __fget_files+0x37c/0x3b0
 ? __fdget+0x18f/0x210
 ? tty_do_resize+0x180/0x180
 ? __x64_sys_ioctl+0x119/0x190
 ? do_syscall_64+0x74/0xc0
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9

Kernel Offset: disabled
Rebooting in 86400 seconds..


Best regards,

Yang
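To make the suspected interleaving concrete, here is an added single-threaded C model (not kernel code and not part of the report above): a cut-down modelist, a free that poisons the entry with KASAN's 0xfb byte instead of releasing it, the lookup-then-dereference pattern the report suspects with a callback standing in for the racing thread, and a variant that copies the mode while the lock is held. The lock is a toy flag, all structure and function names are stand-ins for the kernel ones, and the copy-under-lock variant is one defensive pattern, not the kernel's actual fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down stand-ins for the kernel structures named in the report. */
struct fb_videomode { uint32_t xres, yres; struct fb_videomode *next; };
struct fb_var_screeninfo { uint32_t xres, yres; };

static struct fb_videomode *modelist;           /* info->modelist stand-in */
static int modelist_locked;                     /* toy lock; the demo is single-threaded */
static void lock_modelist(void)   { if (modelist_locked++) abort(); }
static void unlock_modelist(void) { if (--modelist_locked) abort(); }

/* KASAN poisons freed slab memory with 0xfb (the "fb fb fb" shadow bytes in the
 * report); free_mode() unlinks the entry and fills it with that byte instead of
 * handing it back, so a later read shows up as 0xfbfbfbfb. */
static void free_mode(struct fb_videomode *m) {
    struct fb_videomode **pp = &modelist;
    while (*pp && *pp != m) pp = &(*pp)->next;
    if (*pp) *pp = m->next;
    memset(m, 0xfb, sizeof *m);
}

/* The pattern the report suspects: the pointer found under the lock is used
 * after the lock is dropped, so another thread (played here by `racer`) can
 * free the entry in the window before fb_videomode_to_var(). */
static uint32_t fbcon_resize_unsafe(void (*racer)(void)) {
    struct fb_var_screeninfo var = {0, 0};
    lock_modelist();
    struct fb_videomode *mode = modelist;       /* fb_find_best_mode() stand-in */
    unlock_modelist();
    if (!mode) return 0;                        /* the NULL check in the report */
    racer();                                    /* the concurrent free lands here */
    var.xres = mode->xres;                      /* fb_videomode_to_var(): reads freed memory */
    return var.xres;
}

/* Hardened form: copy the mode by value while the lock is held, so no pointer
 * into the list outlives the critical section. */
static uint32_t fbcon_resize_safe(void (*racer)(void)) {
    struct fb_videomode copy;
    lock_modelist();
    if (!modelist) { unlock_modelist(); return 0; }
    copy = *modelist;
    unlock_modelist();
    racer();                                    /* frees the list entry, not our copy */
    return copy.xres;
}

/* Constructed fixture: one 1024x768 mode and a "racing thread" that frees it. */
static struct fb_videomode mode0;
static void setup_modelist(void) { mode0.xres = 1024; mode0.yres = 768; mode0.next = NULL; modelist = &mode0; }
static void racer_free_mode0(void) { lock_modelist(); free_mode(&mode0); unlock_modelist(); }
```

With the fixture above, the unsafe variant returns 0xfbfbfbfb (the poison pattern) while the copy-under-lock variant returns 1024.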