Original report of the bug: https://syzkaller.appspot.com/bug?id=0e3c97f1c4112e102c9988afd5eff079350eab7f
Our system SyzScope detected 1 UAF write primitive
BUG: KASAN: slab-out-of-bounds in instrument_atomic_write include/linux/instrumented.h:86 [inline]
BUG: KASAN: slab-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
BUG: KASAN: slab-out-of-bounds in v4l2_fh_init+0xa3/0x160 drivers/media/v4l2-core/v4l2-fh.c:34
Write of size 8 at addr ffff88804fae8988 by task v4l_id/10776
CPU: 0 PID: 10776 Comm: v4l_id Tainted: G B 5.11.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x111/0x171 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5f/0x302 mm/kasan/report.c:230
__kasan_report mm/kasan/report.c:396 [inline]
kasan_report.cold+0x78/0xd1 mm/kasan/report.c:413
check_memory_region_inline mm/kasan/generic.c:179 [inline]
check_memory_region+0x148/0x190 mm/kasan/generic.c:185
__kasan_check_write+0x14/0x20 mm/kasan/shadow.c:36
instrument_atomic_write include/linux/instrumented.h:86 [inline]
set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline]
v4l2_fh_init+0xa3/0x160 drivers/media/v4l2-core/v4l2-fh.c:34
v4l2_fh_open+0x69/0x90 drivers/media/v4l2-core/v4l2-fh.c:63
em28xx_v4l2_open+0xe1/0x3f0 drivers/media/usb/em28xx/em28xx-video.c:2163
v4l2_open+0x1b5/0x270 drivers/media/v4l2-core/v4l2-dev.c:423
chrdev_open+0x1fc/0x4c0 fs/char_dev.c:414
do_dentry_open+0x306/0x930 fs/open.c:817
vfs_open+0x59/0x60 fs/open.c:931
do_open fs/namei.c:3254 [inline]
path_openat+0x1477/0x1980 fs/namei.c:3371
do_filp_open+0x135/0x290 fs/namei.c:3398
do_sys_openat2+0x165/0x360 fs/open.c:1172
do_sys_open fs/open.c:1188 [inline]
__do_sys_open fs/open.c:1196 [inline]
__se_sys_open fs/open.c:1192 [inline]
__x64_sys_open+0xff/0x190 fs/open.c:1192
do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f52e7bb6840
Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00
00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24
RSP: 002b:00007ffccf4ae068 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffccf4ae1d8 RCX: 00007f52e7bb6840
RDX: 00007f52e7ba2ea0 RSI: 0000000000000000 RDI: 00007ffccf4aef1e
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000056260e8648d0
R13: 00007ffccf4ae1d0 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 4899:
kasan_save_stack+0x23/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:401 [inline]
____kasan_kmalloc.constprop.0+0x88/0xb0 mm/kasan/common.c:429
__kasan_slab_alloc+0xe/0x10 mm/kasan/common.c:437
kasan_slab_alloc include/linux/kasan.h:209 [inline]
slab_post_alloc_hook mm/slab.h:512 [inline]
slab_alloc_node mm/slub.c:2892 [inline]
slab_alloc mm/slub.c:2900 [inline]
kmem_cache_alloc+0x1c4/0x450 mm/slub.c:2905
kmem_cache_zalloc include/linux/slab.h:672 [inline]
__alloc_file+0x27/0x1c0 fs/file_table.c:101
alloc_empty_file+0x6e/0x140 fs/file_table.c:150
path_openat+0xcd/0x1980 fs/namei.c:3357
do_filp_open+0x135/0x290 fs/namei.c:3398
do_sys_openat2+0x165/0x360 fs/open.c:1172
do_sys_open fs/open.c:1188 [inline]
__do_sys_open fs/open.c:1196 [inline]
__se_sys_open fs/open.c:1192 [inline]
__x64_sys_open+0xff/0x190 fs/open.c:1192
do_syscall_64+0x32/0x80 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 19:
kasan_save_stack+0x23/0x50 mm/kasan/common.c:38
kasan_set_track+0x20/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x24/0x40 mm/kasan/generic.c:356
____kasan_slab_free+0xe5/0x120 mm/kasan/common.c:362
__kasan_slab_free+0xe/0x10 mm/kasan/common.c:369
kasan_slab_free include/linux/kasan.h:192 [inline]
slab_free_hook mm/slub.c:1547 [inline]
slab_free_freelist_hook+0x65/0x160 mm/slub.c:1580
slab_free mm/slub.c:3143 [inline]
kmem_cache_free+0x82/0x350 mm/slub.c:3159
file_free_rcu+0x82/0xc0 fs/file_table.c:50
rcu_do_batch kernel/rcu/tree.c:2489 [inline]
rcu_core+0x4b8/0x990 kernel/rcu/tree.c:2723
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2736
__do_softirq+0x1f0/0x721 kernel/softirq.c:343
Last potentially related work creation:
kasan_save_stack+0x23/0x50 mm/kasan/common.c:38
kasan_record_aux_stack+0xce/0x100 mm/kasan/generic.c:344
__call_rcu kernel/rcu/tree.c:2965 [inline]
call_rcu+0x94/0x410 kernel/rcu/tree.c:3038
file_free fs/file_table.c:58 [inline]
__fput+0x2f2/0x5b0 fs/file_table.c:298
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0xaf/0x110 kernel/task_work.c:140
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
exit_to_user_mode_prepare+0x24e/0x260 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x1e/0x50 kernel/entry/common.c:294
do_syscall_64+0x3f/0x80 arch/x86/entry/common.c:56
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88804fae8780
which belongs to the cache filp of size 464
The buggy address is located 56 bytes to the right of
464-byte region [ffff88804fae8780, ffff88804fae8950)
The buggy address belongs to the page:
page:00000000833e1253 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4fae8
head:00000000833e1253 order:1 compound_mapcount:0
flags: 0x4fff00000010200(slab|head)
raw: 04fff00000010200 dead000000000100 dead000000000122 ffff888040005640
raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected