lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 4 Feb 2016 13:48:08 -0800
From:	Peter Hurley <peter@...leysoftware.com>
To:	Dmitry Vyukov <dvyukov@...gle.com>
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jiri Slaby <jslaby@...e.com>,
	LKML <linux-kernel@...r.kernel.org>,
	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>
Subject: Re: tty: tty_struct memory leak

On 02/04/2016 02:48 AM, Dmitry Vyukov wrote:
> On Thu, Feb 4, 2016 at 12:27 AM, Peter Hurley <peter@...leysoftware.com> wrote:
>> Hi Dmitry,
>>
>> On 02/03/2016 08:26 AM, Dmitry Vyukov wrote:
>>> On Wed, Feb 3, 2016 at 5:10 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>>>> Hello,
>>>>
>>>> The following program causes tty_struct memory leak:
>>>>
>>>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>>> #include <pthread.h>
>>>> #include <stdint.h>
>>>> #include <string.h>
>>>> #include <sys/syscall.h>
>>>> #include <unistd.h>
>>>>
>>>> int main()
>>>> {
>>>>   alarm(1);
>>>>   syscall(SYS_open, "/dev/ircomm7", 0x12d401ul, 0, 0, 0);
>>>>   return 0;
>>>> }
>>
>> Going to need more information than this because the reproducer
>> above does not generate a tty_struct memory leak.
>>
>> Here's what I did:
>>
>> Enabled tty debugging and added patch below [1] to show kfree(tty), then:
>>
>> $ sudo modprobe ircomm
>> $ ./reproducer
>>
>> Here's what I got:
>>
>> [ 1436.864342] tty_ldisc_open: ircomm ircomm7: ffff8802aa3b3410: opened
>> [ 1436.864352] tty_open: ircomm ircomm7: opening (count=1)
>> [ 1437.863994] tty_open: ircomm ircomm7: open error -512, releasing
>> [ 1437.864051] tty_release: ircomm ircomm7: releasing (count=1)
>> [ 1437.864055] tty_wait_until_sent: ircomm ircomm7: wait until sent, timeout=7500
>> [ 1437.864110] tty_release: ircomm ircomm7: final close
>> [ 1437.864120] tty_ldisc_close: ircomm ircomm7: ffff8802aa3b3410: closed
>> [ 1437.864124] tty_ldisc_release: ircomm ircomm7: released
>> [ 1437.864130] tty_release: ircomm ircomm7: release
>> [ 1437.864148] release_one_tty: ircomm ircomm7: freeing structure
>>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> Note that release_one_tty() ends in kfree(tty)
> 
> 
> There seems to be some race, please try this one:

Yes, I see the bug now, thanks.


> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <pthread.h>
> #include <stdint.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> 
> void work()
> {
>   alarm(1);
>   syscall(SYS_open, "/dev/ircomm7", 0x12d401ul, 0, 0, 0);
> }
> 
> int main() {
>   int running, status;
> 
>   for (;;) {
>     while (running < 32) {
>       if (fork() == 0) {
>         work();
>         exit(0);
>       }
>       running++;
>     }
>     if (wait(&status) > 0)
>       running--;
>   }
> }
> 
> 
> If I sample /proc/slabinfo while it runs:
> 
> # cat /proc/slabinfo | egrep "^kmalloc-2048"
> 
> Number of allocated objects constantly grow.
> 

Powered by blists - more mailing lists