Message-ID: <xm26fvforggn.fsf@sword-of-the-dawn.mtv.corp.google.com>
Date:	Thu, 18 Sep 2014 10:22:48 -0700
From:	bsegall@...gle.com
To:	Sasha Levin <sasha.levin@...cle.com>
Cc:	Ingo Molnar <mingo@...nel.org>,
	Peter Zijlstra <peterz@...radead.org>,
	Dave Jones <davej@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: sched: NULL ptr deref in update_blocked_averages

Sasha Levin <sasha.levin@...cle.com> writes:

> Hi all,
>
> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel, I've stumbled on the following spew:
>
> [  688.177091] BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0
> [  688.184049] IP: update_blocked_averages (kernel/sched/fair.c:5512 (discriminator 17) kernel/sched/fair.c:5557 (discriminator 17))
> [  688.186981] PGD 66fe03067 PUD 66f550067 PMD 0
> [  688.186981] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> [  688.186981] Dumping ftrace buffer:
> [  688.186981]    (ftrace buffer empty)
> [  688.186981] Modules linked in:
> [  688.186981] CPU: 2 PID: 14377 Comm: trinity-c269 Tainted: G        W      3.17.0-rc5-next-20140917-sasha-00041-gd01267b #1198
> [  688.186981] task: ffff88068c02b000 ti: ffff8806478ec000 task.ti: ffff8806478ec000
> [  688.186981] RIP: update_blocked_averages (kernel/sched/fair.c:5512 (discriminator 17) kernel/sched/fair.c:5557 (discriminator 17))
...
> [  688.186981] Code: 30 09 00 00 4d 8d a5 40 ff ff ff 4d 39 ef 0f 84 95 02 00 00 0f 1f 84 00 00 00 00 00 49 8b 84 24 d0 00 00 00 48 63 93 f8 09 00 00 <48> 8b 88 e0 00 00 00 4c 8b 2c d1 66 66 66 66 90 48 8b 80 d8 00
> All code
> ========
>    0:	30 09                	xor    %cl,(%rcx)
>    2:	00 00                	add    %al,(%rax)
>    4:	4d 8d a5 40 ff ff ff 	lea    -0xc0(%r13),%r12
>    b:	4d 39 ef             	cmp    %r13,%r15
>    e:	0f 84 95 02 00 00    	je     0x2a9
>   14:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
>   1b:	00
>   1c:	49 8b 84 24 d0 00 00 	mov    0xd0(%r12),%rax
>   23:	00
>   24:	48 63 93 f8 09 00 00 	movslq 0x9f8(%rbx),%rdx
>   2b:*	48 8b 88 e0 00 00 00 	mov    0xe0(%rax),%rcx		<-- trapping instruction
>   32:	4c 8b 2c d1          	mov    (%rcx,%rdx,8),%r13
>   36:	66 66 66 66 90       	data32 data32 data32 xchg %ax,%ax

I believe this is the tg->cfs_rq dereference failing in
__update_blocked_averages_cpu, i.e. tg == NULL, which means that some
cfs_rq->tg is NULL, but tg is set on cgroup creation and never cleared.
I don't see a plausible use-after-free, but I don't know the cgroup rules.