@dvyukov
Created November 26, 2015 13:39
==================================================================
BUG: KASAN: use-after-free in tty_ioctl+0x1f06/0x2140 at addr ffff880061aa0968
Read of size 8 by task a.out/6241
=============================================================================
ser_gigaset: Serial Driver for Gigaset 307x using Siemens M101
gigaset: maximum number of devices exceeded
BUG kmalloc-16 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in tty_ldisc_get.part.3+0x66/0x140 age=6 cpu=3 pid=6230
[< inline >] slab_alloc_node mm/slub.c:2530
object = __slab_alloc(s, gfpflags, node, addr, c);
[< inline >] slab_alloc mm/slub.c:2572
return slab_alloc_node(s, gfpflags, NUMA_NO_NODE, addr);
[< none >] __slab_alloc+0x235/0x570 mm/slub.c:2577
void *ret = slab_alloc(s, gfpflags, _RET_IP_);
[< inline >] slab_alloc_node mm/slub.c:2530
object = __slab_alloc(s, gfpflags, node, addr, c);
[< inline >] slab_alloc mm/slub.c:2572
return slab_alloc_node(s, gfpflags, NUMA_NO_NODE, addr);
[< none >] kmem_cache_alloc_trace+0x1cf/0x220 mm/slub.c:2589
void *ret = slab_alloc(s, gfpflags, _RET_IP_);
[< none >] tty_ldisc_get.part.3+0x66/0x140 drivers/tty/tty_ldisc.c:172
if (ld == NULL) {
[< none >] tty_set_ldisc+0x83d/0xa70 drivers/tty/tty_ldisc.c:574
if (tty->ldisc->ops->num != old_ldisc->ops->num && tty->ops->set_ldisc) {
[< none >] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2865
return put_user(excl, (int __user *)p);
[< inline >] spin_unlock include/linux/spinlock.h:347
raw_spin_unlock(&lock->rlock);
[< inline >] ioctl_fionbio fs/ioctl.c:492
spin_unlock(&filp->f_lock);
[< none >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
error = ioctl_fionbio(filp, argp);
[< none >] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
{
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
call *sys_call_table(, %rax, 8)
INFO: Freed in tty_set_ldisc+0x4c2/0xa70 age=12 cpu=3 pid=6230
[< none >] __slab_free+0x1ec/0x350 mm/slub.c:2695
"__slab_free"));
[< inline >] slab_free mm/slub.c:2803
__slab_free(s, page, head, tail_obj, cnt, addr);
[< none >] kfree+0x199/0x1b0 mm/slub.c:3632
slab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);
[< inline >] tty_ldisc_restore drivers/tty/tty_ldisc.c:493
tty_set_termios_ldisc(tty, old->ops->num);
[< none >] tty_set_ldisc+0x4c2/0xa70 drivers/tty/tty_ldisc.c:571
tty_ldisc_restore(tty, old_ldisc);
[< none >] tty_ioctl+0xb2a/0x2140 drivers/tty/tty_io.c:2865
return put_user(excl, (int __user *)p);
[< inline >] spin_unlock include/linux/spinlock.h:347
raw_spin_unlock(&lock->rlock);
[< inline >] ioctl_fionbio fs/ioctl.c:492
spin_unlock(&filp->f_lock);
[< none >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
error = ioctl_fionbio(filp, argp);
[< none >] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
{
[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
call *sys_call_table(, %rax, 8)
INFO: Slab 0xffffea000186a800 objects=23 used=19 fp=0xffff880061aa12d0 flags=0x5fffc0000004080
INFO: Object 0xffff880061aa0968 @offset=2408 fp=0xffff880061aa0810
Bytes b4 ffff880061aa0958: 86 a1 fc ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
Object ffff880061aa0968: 40 c7 53 86 ff ff ff ff 88 d3 55 62 00 88 ff ff @.S.......Ub....
Redzone ffff880061aa0978: cc cc cc cc cc cc cc cc ........
Padding ffff880061aa0ab8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
CPU: 2 PID: 6241 Comm: a.out Tainted: G B 4.4.0-rc1+ #117
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88006db0fab8 ffffffff827450f6 ffff88003e807980
ffff880061aa0968 ffff880061aa0000 ffff88006db0fae8 ffffffff81629404
ffff88003e807980 ffffea000186a800 ffff880061aa0968 000000000000001b
Call Trace:
[<ffffffff827450f6>] dump_stack+0x68/0x92 lib/earlycpio.c:69
{
[<ffffffff81629404>] print_trailer+0xf4/0x150 mm/slub.c:652
dump_stack();
[<ffffffff8162f40f>] object_err+0x2f/0x40 mm/slub.c:659
print_trailer(s, page, object);
[< inline >] print_address_description mm/kasan/report.c:138
object_err(cache, page, object,
[<ffffffff81631bd0>] kasan_report_error+0x210/0x520 mm/kasan/report.c:236
print_address_description(info);
[< inline >] kasan_report mm/kasan/report.c:259
kasan_report_error(&info);
[<ffffffff81631fde>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:280
DEFINE_ASAN_REPORT_LOAD(8);
[< inline >] tty_check_change drivers/tty/tty_io.c:399
if (current->signal->tty != tty)
[<ffffffff82a7b0a6>] tty_ioctl+0x1f06/0x2140 drivers/tty/tty_io.c:2831
retval = tty_check_change(tty);
[< inline >] spin_unlock include/linux/spinlock.h:347
raw_spin_unlock(&lock->rlock);
[< inline >] ioctl_fionbio fs/ioctl.c:492
spin_unlock(&filp->f_lock);
[<ffffffff816aea91>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:572
error = ioctl_fionbio(filp, argp);
[<ffffffff816af2df>] SyS_ioctl+0x8f/0xc0 fs/readdir.c:25
{
[<ffffffff85415cf6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
call *sys_call_table(, %rax, 8)
Memory state around the buggy address:
ffff880061aa0800: fc fc fb fb fc fc fc fc fc fc fc fc fc fc fc fc
ffff880061aa0880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880061aa0900: fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00 fc
^
ffff880061aa0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880061aa0a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================