Message-ID: <20140416180422.GA20907@redhat.com>
Date:	Wed, 16 Apr 2014 14:04:22 -0400
From:	Dave Jones <davej@...hat.com>
To:	Miklos Szeredi <miklos@...redi.hu>
Cc:	Al Viro <viro@...IV.linux.org.uk>, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] vfs: rw_copy_check_uvector() - free iov on error

On Tue, Apr 15, 2014 at 04:57:49PM +0200, Miklos Szeredi wrote:

 > Some callers (aio_run_iocb, vmsplice_to_user) forget to free the iov on
 > error.  This seems to be a recurring problem, with most callers being buggy
 > initially.

Your patch looks a lot more complete than the quick hack I did a few
days ago when Coverity first started nagging about this, but in testing
I've found that something really ugly starts showing up when you patch this.

The symptoms vary, but always are some kind of slab corruption.
Here's the last example:

=============================================================================
BUG kmalloc-256 (Not tainted): Invalid object pointer 0xffff8802407adc60
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Slab 0xffffea000901eb00 objects=28 used=22 fp=0xffff8802407ad6d0 flags=0x20000000004081
CPU: 1 PID: 1185 Comm: trinity-c1 Tainted: G    B         3.15.0-rc1+ #191
 ffff880243c073c0 00000000f952f249 ffff8800a1a2bc10 ffffffffbd74686d
 ffffea000901eb00 ffff8800a1a2bce8 ffffffffbd1b0cd4 ffffffff00000020
 ffff8800a1a2bcf8 ffff8800a1a2bca8 61766e4943c00a18 656a626f2064696c
Call Trace:
 [<ffffffffbd74686d>] dump_stack+0x4e/0x7a
 [<ffffffffbd1b0cd4>] slab_err+0xb4/0xe0
 [<ffffffffbd0bf3ae>] ? put_lock_stats.isra.23+0xe/0x30
 [<ffffffffbd1b0da6>] ? slab_pad_check.part.44+0xa6/0x170
 [<ffffffffbd744e7f>] free_debug_processing+0x88/0x22a
 [<ffffffffbd1c7041>] ? compat_do_readv_writev+0xe1/0x250
 [<ffffffffbd74506d>] __slab_free+0x4c/0x2c3
 [<ffffffffbd1c6679>] ? do_sync_readv_writev+0x59/0xa0
 [<ffffffffbd1b2614>] kfree+0x214/0x220
 [<ffffffffbd1c7041>] ? compat_do_readv_writev+0xe1/0x250
 [<ffffffffbd1c7041>] compat_do_readv_writev+0xe1/0x250
 [<ffffffffbd0bf716>] ? lock_release_holdtime.part.24+0xe6/0x160
 [<ffffffffbd0a3ccd>] ? get_parent_ip+0xd/0x50
 [<ffffffffbd75642b>] ? preempt_count_sub+0x6b/0xf0
 [<ffffffffbd751a01>] ? _raw_spin_unlock+0x31/0x50
 [<ffffffffbd349883>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffffbd1c730a>] compat_writev+0x3a/0x80
 [<ffffffffbd1c85d8>] compat_SyS_writev+0x58/0xd0
 [<ffffffffbd75c6a9>] ia32_do_call+0x13/0x13
FIX kmalloc-256: Object at 0xffff8802407adc60 not freed


I also had an incomplete trace that showed vmsplice causing a bug in mm/slub.c:3396
on an earlier run.

The crash happens very quickly (within a few seconds of running trinity) for me.

	Dave
