Date:	Thu, 22 Jan 2015 17:21:48 +0100
From:	Stephane Eranian <eranian@...glemail.com>
To:	Peter Zijlstra <peterz@...radead.org>
Cc:	Vince Weaver <vincent.weaver@...ne.edu>,
	LKML <linux-kernel@...r.kernel.org>,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	Ingo Molnar <mingo@...nel.org>,
	Paul Mackerras <paulus@...ba.org>, cl@...ux.com
Subject: Re: perf: easily crash kernel with rapl event close

On Thu, Jan 22, 2015 at 1:39 PM, Stephane Eranian
<eranian@...glemail.com> wrote:
> On Thu, Jan 22, 2015 at 2:17 AM, Peter Zijlstra <peterz@...radead.org> wrote:
>> On Wed, Jan 21, 2015 at 09:13:11PM -0800, Stephane Eranian wrote:
>>> Vince,
>>>
>>> On Wed, Jan 21, 2015 at 10:55 AM, Vince Weaver <vincent.weaver@...ne.edu> wrote:
>>> > Hello
>>> >
>>> > on my haswell system, running 3.19-rc5, and with
>>> >         echo "0" > /proc/sys/kernel/perf_event_paranoid
>>> >
>>> > I can easily crash my system with the attached test program that simply
>>> > opens a RAPL event and then closes it.
>>> >
>>> > This bug was found by the perf_fuzzer.
>>> >
>>> > It looks like somehow rapl_pmu gets freed to NULL but the
>>> > call in rapl_scale()
>>> >         __this_cpu_read(rapl_pmu->hw_unit)
>>> > still happens.
>>> >
>>> I don't see how this can happen.
>>>
>>> I get some crashes but not with your program on my laptop.
>>> But I cannot catch the serial console from my laptop.
>>> Will try with another machine tomorrow.
>>
>> I saw it today as well on an ivb-ep. I disabled rapl for now since I'm
>> chasing other things.
>
> I will fix that today.

Ok, problem identified. One liner.
Bug introduced by:

commit 89cbc76768c2fa4ed95545bf961f3a14ddfeed21
Author: Christoph Lameter <cl@...ux.com>
Date:   Sun Aug 17 12:30:40 2014 -0500

    x86: Replace __get_cpu_var uses


Fix looks like this:

diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
index 6e434f8..c4bb8b8 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
@@ -142,7 +142,7 @@ static inline u64 rapl_scale(u64 v)
         * or use ldexp(count, -32).
         * Watts = Joules/Time delta
         */
-       return v << (32 - __this_cpu_read(rapl_pmu->hw_unit));
+       return v << (32 - __this_cpu_read(rapl_pmu)->hw_unit);
 }
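
Review bot: In rapl_scale(), the new expression `__this_cpu_read(rapl_pmu)->hw_unit` dereferences the per-CPU pointer with no check, while the report earlier in this thread describes rapl_pmu looking NULL at this very call. Either guard the pointer before the dereference or add a comment saying why it cannot be NULL by the time rapl_scale() runs. When this is posted formally, the changelog should name commit 89cbc76768c2 as the origin of the bug with a Fixes: line and credit the reporter, and the `diff --git` header, which is wrapped across two lines here, needs to be on a single line for the patch to apply.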


Will post the patch shortly.
Thanks Vince for reporting this issue.