Date:	Mon, 18 Mar 2013 22:06:25 -0400
From:	Sasha Levin <levinsasha928@...il.com>
To:	Ming Lei <tom.leiming@...il.com>
CC:	Hillf Danton <dhillf@...il.com>, Dave Jones <davej@...hat.com>,
	Greg Kroah-Hartman <greg@...ah.com>,
	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: use after free in sysfs_find_dirent

On 03/17/2013 12:23 PM, Ming Lei wrote:
> On Sun, Mar 17, 2013 at 10:24 PM, Sasha Levin <levinsasha928@...il.com> wrote:
>>
>> I still see it going on with the patch applied:
> 
> It looks like the previous patch still has the race problem, so could you just
> apply the attached patch and cancel all previous patches for the
> test? If the problem is still there, please post the log.
> 
> BTW, the attached patch is only for verifying whether the current problem
> is caused by the 'filp->private_data' race, and is not for merging.

[  232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: vx855(vx855)-bind, 0-25520352
[  232.824100] release_sysfs_dirent-285 sysfs_dirent use after free: vx855-bind
[  232.825297] Pid: 22751, comm: trinity-child99 Tainted: G        W    3.9.0-rc2-next-20130318-sasha-00041-g7b66226-dirty #304
[  232.827141] Call Trace:
[  232.827566]  [<ffffffff812fa0a3>] release_sysfs_dirent+0x53/0x120
[  232.828545]  [<ffffffff812fa26a>] sysfs_dir_pos+0x9a/0x140
[  232.829498]  [<ffffffff812fa41b>] sysfs_readdir+0x10b/0x230
[  232.830765]  [<ffffffff8128c900>] ? filldir+0x100/0x100
[  232.831644]  [<ffffffff8128c900>] ? filldir+0x100/0x100
[  232.832490]  [<ffffffff8128cb78>] vfs_readdir+0x78/0xc0
[  232.833327]  [<ffffffff8117ac7d>] ? trace_hardirqs_on+0xd/0x10
[  232.834313]  [<ffffffff8128cdf0>] SyS_getdents64+0x90/0x120
[  232.835242]  [<ffffffff83d94d98>] tracesys+0xe1/0xe6
[  233.906761] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[  233.907976] Dumping ftrace buffer:
[  233.908522]    (ftrace buffer empty)
[  233.909186] Modules linked in:
[  233.909741] CPU 2
[  233.910037] Pid: 17193, comm: trinity-child57 Tainted: G        W    3.9.0-rc2-next-20130318-sasha-00041-g7b66226-dirty #304
[  233.910037] RIP: 0010:[<ffffffff812fab70>]  [<ffffffff812fab70>] sysfs_find_dirent+0xa0/0x120
[  233.910037] RSP: 0018:ffff880099211bf8  EFLAGS: 00010202
[  233.910037] RAX: 000000009651d576 RBX: 0000000000000000 RCX: 0000000000000000
[  233.910037] RDX: 000000009651d576 RSI: 0000000000000000 RDI: 0000000001bd40e1
[  233.910037] RBP: ffff880099211c28 R08: 0000000000000000 R09: 0000000000000000
[  233.910037] R10: 2222222222222222 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b
[  233.910037] R13: 0000000001bd40e1 R14: ffff8800b12eb4f8 R15: ffff8800817bfc58
[  233.910037] FS:  00007f7dd41f8700(0000) GS:ffff8800bbc00000(0000) knlGS:0000000000000000
[  233.910037] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  233.910037] CR2: 0000000000000008 CR3: 000000009ceb4000 CR4: 00000000000406e0
[  233.910037] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  233.910037] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  233.910037] Process trinity-child57 (pid: 17193, threadinfo ffff880099210000, task ffff88009c1eb000)
[  233.910037] Stack:
[  233.910037]  fffffffffffffffe ffff8800817bfc20 ffff8800a5d79540 ffff8800b12ea3d0
[  233.910037]  fffffffffffffffe 0000000000000000 ffff880099211c58 ffffffff812fac59
[  233.910037]  ffff8800817bfc20 ffff8800a5d6f530 ffff8800a5d6f530 0000000000000000
[  233.910037] Call Trace:
[  233.910037]  [<ffffffff812fac59>] sysfs_lookup+0x69/0xf0
[  233.910037]  [<ffffffff81283abe>] lookup_real+0x2e/0x60
[  233.910037]  [<ffffffff81283ea3>] __lookup_hash+0x33/0x40
[  233.910037]  [<ffffffff83d02bcd>] lookup_slow+0x42/0xa8
[  233.910037]  [<ffffffff81285175>] ? getname_flags+0x55/0x1a0
[  233.910037]  [<ffffffff812864b2>] path_lookupat+0xf2/0x770
[  233.910037]  [<ffffffff83d0177c>] ? __slab_alloc.isra.34+0x2ed/0x31f
[  233.910037]  [<ffffffff8117ac38>] ? trace_hardirqs_on_caller+0x168/0x1a0
[  233.910037]  [<ffffffff81286b5f>] filename_lookup+0x2f/0xc0
[  233.910037]  [<ffffffff81285175>] ? getname_flags+0x55/0x1a0
[  233.910037]  [<ffffffff81286c9d>] do_path_lookup+0x2d/0x30
[  233.910037]  [<ffffffff81286f05>] kern_path+0x25/0x50
[  233.910037]  [<ffffffff812851a3>] ? getname_flags+0x83/0x1a0
[  233.910037]  [<ffffffff812b6387>] lookup_bdev+0x27/0x90
[  233.910037]  [<ffffffff812852cd>] ? getname+0xd/0x10
[  233.910037]  [<ffffffff812e2d53>] quotactl_block+0x33/0xf0
[  233.910037]  [<ffffffff812e3793>] SyS_quotactl+0xe3/0x150
[  233.910037]  [<ffffffff83d94d98>] tracesys+0xe1/0xe6
[  233.910037] Code: 8e 00 00 00 0f 1f 80 00 00 00 00 4c 89 fe 48 89 df 45 31 f6 e8 f2 ee ff ff 4d 85 e4 41 89 c5 74 71 66 2e 0f
1f 84 00 00 00 00 00 <41> 8b 44 24 28 4d 8d 74 24 b8 41 39 c5 74 11 44 89 ea 29 c2 89
[  233.910037] RIP  [<ffffffff812fab70>] sysfs_find_dirent+0xa0/0x120
[  233.910037]  RSP <ffff880099211bf8>
[  233.973905] ---[ end trace a80e42d248abaa1f ]---


Thanks,
Sasha
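As a triage aid for oopses like the one above, here is an added example (my own code, not from this thread or the kernel tree): a small C scanner that walks the register dump and flags any register filled with a SLUB poison byte, the way R12 above holds 0x6b6b6b6b6b6b6b6b (POISON_FREE, the pattern SLUB writes into freed objects when slab poisoning is on), which is what marks this crash as a use-after-free rather than a plain NULL dereference. The embedded dump is copied from the report; the poison byte values come from the kernel's include/linux/poison.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Register dump copied verbatim from the oops in the report above. */
static const char *oops_regs =
    "[  233.910037] RAX: 000000009651d576 RBX: 0000000000000000 RCX: 0000000000000000\n"
    "[  233.910037] RDX: 000000009651d576 RSI: 0000000000000000 RDI: 0000000001bd40e1\n"
    "[  233.910037] R10: 2222222222222222 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b\n"
    "[  233.910037] R13: 0000000001bd40e1 R14: ffff8800b12eb4f8 R15: ffff8800817bfc58\n";

/* Name the SLUB poison byte a register is filled with: 0x6b POISON_FREE (freed),
 * 0x5a POISON_INUSE (allocated, never written), 0xa5 POISON_END; else NULL. */
const char *poison_kind(uint64_t v)
{
    const uint64_t rep = 0x0101010101010101ULL; /* replicates one byte 8x */
    if (v == rep * 0x6b) return "POISON_FREE (use-after-free)";
    if (v == rep * 0x5a) return "POISON_INUSE (uninitialised)";
    if (v == rep * 0xa5) return "POISON_END (padding)";
    return NULL;
}

/* Walk "NAME: <16 hex digits>" pairs in a dump; return how many registers
 * hold a poison pattern and describe the first one in hit (if non-NULL). */
int scan_regs(const char *dump, char *hit, size_t hitsz)
{
    char buf[1024]; int n = 0;
    snprintf(buf, sizeof buf, "%s", dump);           /* strtok needs a copy */
    for (char *tok = strtok(buf, " \n"); tok; ) {
        char *next = strtok(NULL, " \n");
        size_t len = strlen(tok);
        if (len > 1 && tok[len - 1] == ':' && next && strlen(next) == 16) {
            const char *k = poison_kind(strtoull(next, NULL, 16));
            if (k && n++ == 0 && hit) {              /* record first hit only */
                tok[len - 1] = '\0';
                snprintf(hit, hitsz, "%s=%s", tok, k);
            }
        }
        tok = next;
    }
    return n;
}

int main(void)
{
    char hit[64];
    int n = scan_regs(oops_regs, hit, sizeof hit);
    printf("%d poisoned register(s), first: %s\n", n, n ? hit : "none");
    return 0;
}
```

On this dump it reports one hit, R12=POISON_FREE, matching the sysfs_dirent use-after-free the subject line names.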