Large values returned by bitmap_find_next_zero_area() can overflow
and become negative when stored in signed variable 'pageno' that
can lead to failure of condition 'pageno < dma_mem->nr_pages'.
Due to this, Use-after-free issue is observed in bitmap_set(),
When user requests to allocate large size buffer using ion calls.
BUG: KASAN: use-after-free in bitmap_set+0x9c/0xd4 at addr
ffffffe774946cc0
Read of size 8 by task syz-executor0/19717
page:
ffffffbe5dd25180 count:0 mapcount:-127 mapping:(null)
index:0xffffffe774947000 flags: 0x0()
page dumped because: kasan: bad access detected
page_owner info is not active (free page?)
CPU: 3 PID: 19717 Comm: syz-executor0 Tainted: G W 4.4.78+ #1
Call trace:
[<
ffffffa10c68b6fc>] dump_backtrace+0x0/0x2fc
[<
ffffffa10c68ba1c>] show_stack+0x24/0x30
[<
ffffffa10cc29a34>] dump_stack+0xdc/0x134
[<
ffffffa10c8b2c10>] kasan_report+0x380/0x508
[<
ffffffa10c8b1f38>] __asan_load8+0x24/0x80
[<
ffffffa10cc42218>] bitmap_set+0x9c/0xd4
[<
ffffffa10d15941c>] removed_alloc+0x188/0x5e4
[<
ffffffa10dba4f40>] ion_cma_allocate+0x164/0x3e0
[<
ffffffa10db9cef4>] __ion_alloc+0x368/0x1044
[<
ffffffa10db9e0c8>] ion_ioctl+0x25c/0x6ac
[<
ffffffa10c8e2f40>] do_vfs_ioctl+0x844/0x9a8
[<
ffffffa10c8e311c>] SyS_ioctl+0x78/0xbc
[<
ffffffa10c683730>] el0_svc_naked+0x24/0x28
Change-Id: Ibbaa451250bdfa9ce2a6e2cb9d2ee357ee0c8385
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
OSDN Git Service
