lists.openwall.net
Date:	Mon, 22 Dec 2014 18:19:12 +0800
From:	Rui Xiang <rui.xiang@...wei.com>
To:	Rusty Russell <rusty@...tcorp.com.au>,
	<linux-kernel@...r.kernel.org>
CC:	Zefan Li <lizefan@...wei.com>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: [BUG] A bug report between init_module and kallsyms_lookup_name

Hi List, 

We encountered a crash in kallsyms_lookup_name in our product; the kernel version is Linux 3.4.
It seems to be a kernel bug.

In this scenario, some modules were being loaded on CPU A, while kallsyms_lookup_name was
executed on CPU B to look up a symbol name for each module.

The reason seems to be the following:
after the module was added to the modules list on CPU A, module_kallsyms_lookup_name
on CPU B would find the mod. The addresses of mod->strtab and mod->symtab would be saved in registers.
After the module init, mod->symtab, mod->strtab and mod->num_symtab are updated to the core_*** versions, and
the init memory is freed. That means the memory area of the old mod->strtab and mod->symtab
is also freed. But in mod_find_symname, the addresses saved in the registers are still the old ones.

        CPU A                                   CPU B
                                                module_kallsyms_lookup_name
    load_module                                     -->mod_find_symname
        -->list_add_rcu(modules)
        ...                                             *save mod->symtab/strtab into register
    do_one_initcall
        ...                                     strcmp(name, mod->strtab+mod->symtab[i].st_name)    *OK
    mod->num_symtab = mod->core_num_syms;
    mod->symtab = mod->core_symtab;
    mod->strtab = mod->core_strtab;
        ...
    module_free(module_init)
                                                strcmp(name, mod->strtab+mod->symtab[i].st_name)    *old addr, crash

The same applies to two other functions in the kernel: using kallsyms_on_each_symbol or module_get_kallsym would
also cause a crash while a module is loading.

It seems to be an old bug in the kernel, and it also exists in mainline. Right?
Any advice is welcome.

Thanks,
Rui
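The interleaving in the diagram, and the shape of the fix that mainline later adopted for it (bundling symtab, num_symtab and strtab behind a single RCU-protected mod->kallsyms pointer that readers dereference once, with the old tables freed only after a grace period), as an added user-space model. This is not kernel code and not from the report: the symbol tables, the preemption point at loop index 1, and the poison-instead-of-free stand-in for module_free() are all constructed for the demo, and the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the race in the report above; not kernel code. */
struct sym { unsigned st_name; unsigned long st_value; };   /* the two Elf_Sym fields the walk uses */

/* Constructed tables. The init-time copy carries every symbol; the core copy keeps only
 * what survives module init, so "exported_fn" sits at st_name 19 in one and 1 in the other. */
static const char INIT_STR[] = "\0mod_init\0mod_exit\0exported_fn";
static const struct sym INIT_SYM[] = { {1, 0x1000}, {10, 0x1100}, {19, 0x3000} };
static const char CORE_STR[] = "\0exported_fn";
static const struct sym CORE_SYM[] = { {1, 0x3000} };

#define POISON_FREE 0x6b   /* byte the kernel's slab poisoning writes over freed objects */

static void *dup_mem(const void *src, size_t n) { void *p = malloc(n); memcpy(p, src, n); return p; }

/* Stand-in for module_free(mod, mod->module_init). The tables are overwritten with poison
 * instead of passed to free(), so a stale walk reads junk deterministically instead of
 * invoking undefined behaviour; st_name is zeroed so the junk read stays inside strtab. */
static void simulate_free(struct sym *symtab, unsigned n, char *strtab, size_t strtab_len)
{
    memset(strtab, POISON_FREE, strtab_len - 1);        /* keep the final NUL */
    for (unsigned i = 0; i < n; i++) symtab[i].st_name = 0;
}

/* ---- 1. The layout in the report: three fields updated one by one ---------------- */
struct mod_buggy {
    struct sym *symtab; unsigned num_symtab; char *strtab;   /* what lookups read */
    struct sym *init_symtab; char *init_strtab;               /* memory freed after init */
    struct sym *core_symtab; char *core_strtab;
};

/* CPU A finishing init: repoint the three fields, then free the init memory. */
static void buggy_finish_init(struct mod_buggy *m)
{
    m->num_symtab = 1;
    m->symtab = m->core_symtab;
    m->strtab = m->core_strtab;
    simulate_free(m->init_symtab, 3, m->init_strtab, sizeof INIT_STR);
}

/* CPU B, mod_find_symname: pointers are loaded once (the "register" in the report) and the
 * loop keeps using them. preempt != 0 lets CPU A complete init in the middle of the walk. */
static unsigned long buggy_find(struct mod_buggy *m, const char *name, int preempt)
{
    struct sym *symtab = m->symtab;
    char *strtab = m->strtab;
    unsigned n = m->num_symtab;
    for (unsigned i = 0; i < n; i++) {
        if (preempt && i == 1) buggy_finish_init(m);
        if (strcmp(name, strtab + symtab[i].st_name) == 0) return symtab[i].st_value;
    }
    return 0;
}

/* ---- 2. The fix pattern: one pointer to a consistent triple, freed after a grace period -- */
struct mod_kallsyms { struct sym *symtab; unsigned num_symtab; char *strtab; };
struct mod_safe {
    struct mod_kallsyms *kallsyms;          /* RCU-protected in the kernel; a plain pointer here */
    struct mod_kallsyms init_ks, core_ks;
    struct mod_kallsyms *retired;           /* old triple waiting for readers to finish */
};

static void safe_finish_init(struct mod_safe *m)
{
    m->retired = m->kallsyms;     /* one pointer store: a reader sees the old or the new triple, never a mix */
    m->kallsyms = &m->core_ks;
    /* init tables are NOT freed here; that waits for safe_reclaim() (synchronize_rcu in the kernel) */
}

static void safe_reclaim(struct mod_safe *m)   /* only the init triple is ever retired in this demo */
{
    if (!m->retired) return;
    simulate_free(m->retired->symtab, m->retired->num_symtab, m->retired->strtab, sizeof INIT_STR);
    m->retired = NULL;
}

static unsigned long safe_find(struct mod_safe *m, const char *name, int preempt)
{
    struct mod_kallsyms *ks = m->kallsyms;   /* rcu_dereference_sched(mod->kallsyms) in the kernel */
    for (unsigned i = 0; i < ks->num_symtab; i++) {
        if (preempt && i == 1) safe_finish_init(m);
        if (strcmp(name, ks->strtab + ks->symtab[i].st_name) == 0) return ks->symtab[i].st_value;
    }
    return 0;
}

/* Look up "exported_fn" (really at 0x3000) against each layout, with or without the race. */
unsigned long demo_buggy(int preempt)
{
    struct mod_buggy m;
    m.init_symtab = dup_mem(INIT_SYM, sizeof INIT_SYM); m.init_strtab = dup_mem(INIT_STR, sizeof INIT_STR);
    m.core_symtab = dup_mem(CORE_SYM, sizeof CORE_SYM); m.core_strtab = dup_mem(CORE_STR, sizeof CORE_STR);
    m.symtab = m.init_symtab; m.num_symtab = 3; m.strtab = m.init_strtab;
    unsigned long v = buggy_find(&m, "exported_fn", preempt);
    free(m.init_symtab); free(m.init_strtab); free(m.core_symtab); free(m.core_strtab);
    return v;
}

unsigned long demo_safe(int preempt)
{
    struct mod_safe m;
    m.init_ks = (struct mod_kallsyms){ dup_mem(INIT_SYM, sizeof INIT_SYM), 3, dup_mem(INIT_STR, sizeof INIT_STR) };
    m.core_ks = (struct mod_kallsyms){ dup_mem(CORE_SYM, sizeof CORE_SYM), 1, dup_mem(CORE_STR, sizeof CORE_STR) };
    m.kallsyms = &m.init_ks; m.retired = NULL;
    unsigned long v = safe_find(&m, "exported_fn", preempt);
    safe_reclaim(&m);                         /* the reader has left its critical section */
    free(m.init_ks.symtab); free(m.init_ks.strtab); free(m.core_ks.symtab); free(m.core_ks.strtab);
    return v;
}

int main(void)
{
    printf("buggy: no race %#lx, raced %#lx\n", demo_buggy(0), demo_buggy(1));
    printf("fixed: no race %#lx, raced %#lx\n", demo_safe(0), demo_safe(1));
    return 0;
}
```

With the race, the buggy walk keeps comparing against the poisoned init strtab and misses a symbol that is present in the core tables; in the real kernel the freed pages are what produce the crash the report describes. The fixed walk keeps using the retired triple it snapshotted, which stays valid because nothing frees it until the reader is done.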
