[alsa-devel] sound: use-after-free in snd_timer_stop

Dmitry Vyukov dvyukov at google.com
Tue Jan 12 11:22:09 CET 2016


Hello,

I've hit the following use-after-free while running syzkaller fuzzer.
It is followed by a splat of other reports and finally kernel death.
I wasn't able to reproduce it with a standalone C program (there is
probably some global state involved). But it reproduces by replaying
fuzzer logs in a loop (you will need Go toolchain):

$ go get github.com/google/syzkaller
$ cd $GOPATH/src/github.com/google/syzkaller
$ make executor execprog
$ scp bin/syz-executor bin/syz-execprog your@machine
$ scp snd_timer_stop your@machine # the attached file
on test machine:
$ ./syz-execprog -executor ./syz-executor -cover=0 -repeat=0 -procs=16 snd_timer_stop


==================================================================
BUG: KASAN: use-after-free in _snd_timer_stop+0x394/0x450 at addr
ffff8800356d0b70
Read of size 4 by task syz-executor/6313
=============================================================================
BUG kmalloc-256 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=20 cpu=1 pid=6312
[<      none      >] ___slab_alloc+0x486/0x4e0 mm/slub.c:2468
[<      none      >] __slab_alloc+0x66/0xc0 mm/slub.c:2497
[<     inline     >] slab_alloc_node mm/slub.c:2560
[<     inline     >] slab_alloc mm/slub.c:2602
[<      none      >] kmem_cache_alloc_trace+0x284/0x310 mm/slub.c:2619
[<     inline     >] kmalloc include/linux/slab.h:458
[<     inline     >] kzalloc include/linux/slab.h:602
[<      none      >] snd_timer_instance_new+0x52/0x3a0 sound/core/timer.c:105
[<      none      >] snd_timer_open+0x4ff/0xc50 sound/core/timer.c:286
[<      none      >] snd_seq_timer_open+0x223/0x540
sound/core/seq/seq_timer.c:279
[<      none      >] snd_seq_queue_use+0x147/0x230
sound/core/seq/seq_queue.c:526
[<      none      >] snd_seq_queue_alloc+0x36a/0x4d0
sound/core/seq/seq_queue.c:197
[<      none      >] snd_seq_ioctl_create_queue+0xdb/0x2b0
sound/core/seq/seq_clientmgr.c:1536
[<      none      >] snd_seq_do_ioctl+0x19a/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<      none      >] snd_seq_ioctl+0x5d/0x80 sound/core/seq/seq_clientmgr.c:2224
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<      none      >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
[<     inline     >] SYSC_ioctl fs/ioctl.c:622
[<      none      >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Freed in snd_timer_close+0x351/0x5e0 age=10 cpu=3 pid=6345
[<      none      >] __slab_free+0x1fc/0x320 mm/slub.c:2678
[<     inline     >] slab_free mm/slub.c:2833
[<      none      >] kfree+0x2a8/0x2d0 mm/slub.c:3662
[<      none      >] snd_timer_close+0x351/0x5e0 sound/core/timer.c:364
[<      none      >] snd_seq_timer_close+0x9e/0x100
sound/core/seq/seq_timer.c:312
[<      none      >] snd_seq_queue_timer_close+0x28/0x50
sound/core/seq/seq_queue.c:473
[<      none      >] snd_seq_ioctl_set_queue_timer+0x159/0x300
sound/core/seq/seq_clientmgr.c:1809
[<      none      >] snd_seq_do_ioctl+0x19a/0x1c0
sound/core/seq/seq_clientmgr.c:2209
[<      none      >] snd_seq_ioctl+0x5d/0x80 sound/core/seq/seq_clientmgr.c:2224
[<     inline     >] vfs_ioctl fs/ioctl.c:43
[<      none      >] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
[<     inline     >] SYSC_ioctl fs/ioctl.c:622
[<      none      >] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185

INFO: Slab 0xffffea0000d5b400 objects=22 used=8 fp=0xffff8800356d0b60
flags=0x1fffc0000004080
INFO: Object 0xffff8800356d0b60 @offset=2912 fp=0xffff8800356d27d0
CPU: 0 PID: 6313 Comm: syz-executor Tainted: G    B           4.4.0+ #222
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff880036757748 ffffffff82904add ffff88003e807000
 ffff8800356d0b60 ffff8800356d0000 ffff880036757778 ffffffff8172af94
 ffff88003e807000 ffffea0000d5b400 ffff8800356d0b60 ffff8800356d0b60

Call Trace:
 [<ffffffff817344ae>] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:294
 [<ffffffff84aefda4>] _snd_timer_stop+0x394/0x450 sound/core/timer.c:488
 [<ffffffff84aefe84>] snd_timer_stop+0x24/0x140 sound/core/timer.c:535
 [<ffffffff84b6947e>] snd_seq_timer_close+0x7e/0x100
sound/core/seq/seq_timer.c:311
 [<ffffffff84b6235b>] queue_delete+0x3b/0x90 sound/core/seq/seq_queue.c:146
 [<ffffffff84b63f86>] snd_seq_queue_client_leave+0x36/0x130
sound/core/seq/seq_queue.c:593
 [<ffffffff84b558a8>] seq_free_client1+0x58/0x290
sound/core/seq/seq_clientmgr.c:273
 [<ffffffff84b55b45>] seq_free_client+0x65/0x160
sound/core/seq/seq_clientmgr.c:299
 [<ffffffff84b5882d>] snd_seq_release+0x4d/0xb0
sound/core/seq/seq_clientmgr.c:380
 [<ffffffff8177b453>] __fput+0x233/0x780 fs/file_table.c:208
 [<ffffffff8177ba25>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8139a8fb>] task_work_run+0x16b/0x200 kernel/task_work.c:115
 [<     inline     >] exit_task_work include/linux/task_work.h:21
 [<ffffffff81347b4b>] do_exit+0x8bb/0x2b20 kernel/exit.c:750
 [<ffffffff81349f28>] do_group_exit+0x108/0x320 kernel/exit.c:880
 [<ffffffff8136d124>] get_signal+0x5e4/0x1500 kernel/signal.c:2307
 [<ffffffff81192d83>] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
 [<ffffffff81006685>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
 [<ffffffff8100851a>] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
 [<ffffffff85e74a62>] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281
==================================================================

On commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc (Jan 10).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snd_timer_stop
Type: application/octet-stream
Size: 1150282 bytes
Desc: not available
URL: <http://mailman.alsa-project.org/pipermail/alsa-devel/attachments/20160112/ea06968f/attachment-0001.obj>
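A small triage helper for reports like the one above, added here and not part of Dmitry's post: it parses the KASAN header fields (bug kind, faulting function, allocation and free sites, object address) and flags that the allocating, freeing and faulting PIDs all differ, which is the signature of a lifetime race between tasks rather than a plain logic error. The sample input is constructed from the report lines quoted in the mail.

```python
import re

# Constructed sample: KASAN header lines from the post, wrapped as the mailer sent them.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in _snd_timer_stop+0x394/0x450 at addr
ffff8800356d0b70
Read of size 4 by task syz-executor/6313
BUG kmalloc-256 (Not tainted): kasan: bad access detected
INFO: Allocated in snd_timer_instance_new+0x52/0x3a0 age=20 cpu=1 pid=6312
INFO: Freed in snd_timer_close+0x351/0x5e0 age=10 cpu=3 pid=6345
INFO: Object 0xffff8800356d0b60 @offset=2912 fp=0xffff8800356d27d0
"""

SYM = r"(?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"  # symbol+offset/size
EVENT = r" age=(?P<age>\d+) cpu=(?P<cpu>\d+) pid=(?P<pid>\d+)"
PATTERNS = {
    "bug": re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in " + SYM + r" at addr\s+(?P<addr>[0-9a-f]+)"),
    "access": re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)"),
    "cache": re.compile(r"^BUG (?P<cache>kmalloc-\d+)", re.M),
    "alloc": re.compile(r"INFO: Allocated in " + SYM + EVENT),
    "free": re.compile(r"INFO: Freed in " + SYM + EVENT),
    "object": re.compile(r"INFO: Object 0x(?P<obj>[0-9a-f]+) @offset=(?P<off>\d+)"),
}

def parse_kasan(report):
    # Pull the triage-relevant fields out of a SLUB-style KASAN report.
    fields = {}
    for name, rx in PATTERNS.items():
        m = rx.search(report)  # \s+ in the bug pattern tolerates the wrapped address line
        if m is None:
            raise ValueError(f"KASAN report is missing its {name!r} line")
        fields[name] = m.groupdict()
    return fields

def triage(report):
    # Summarise: what was touched, where in the object, and by which tasks.
    f = parse_kasan(report)
    addr = int(f["bug"]["addr"], 16)
    obj = int(f["object"]["obj"], 16)
    pids = {f["access"]["pid"], f["alloc"]["pid"], f["free"]["pid"]}
    return {
        "kind": f["bug"]["kind"],
        "access": f"{f['access']['op']} {f['access']['size']} bytes in {f['bug']['func']}",
        "cache": f["cache"]["cache"],
        "offset_in_object": addr - obj,
        "lifetime": f"{f['alloc']['func']} -> {f['free']['func']}",
        # Distinct PIDs on one object within a few jiffies (the age fields) point at a race.
        "cross_task": len(pids) > 1,
    }
```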