Date: Thu, 4 Feb 2016 13:48:08 -0800
From: Peter Hurley <peter@...leysoftware.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
    Jiri Slaby <jslaby@...e.com>,
    LKML <linux-kernel@...r.kernel.org>,
    syzkaller <syzkaller@...glegroups.com>,
    Kostya Serebryany <kcc@...gle.com>,
    Alexander Potapenko <glider@...gle.com>,
    Sasha Levin <sasha.levin@...cle.com>
Subject: Re: tty: tty_struct memory leak

On 02/04/2016 02:48 AM, Dmitry Vyukov wrote:
> On Thu, Feb 4, 2016 at 12:27 AM, Peter Hurley <peter@...leysoftware.com> wrote:
>> Hi Dmitry,
>>
>> On 02/03/2016 08:26 AM, Dmitry Vyukov wrote:
>>> On Wed, Feb 3, 2016 at 5:10 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>>>> Hello,
>>>>
>>>> The following program causes a tty_struct memory leak:
>>>>
>>>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>>> #include <pthread.h>
>>>> #include <stdint.h>
>>>> #include <string.h>
>>>> #include <sys/syscall.h>
>>>> #include <unistd.h>
>>>>
>>>> int main()
>>>> {
>>>>   alarm(1);
>>>>   syscall(SYS_open, "/dev/ircomm7", 0x12d401ul, 0, 0, 0);
>>>>   return 0;
>>>> }
>>
>> Going to need more information than this because the reproducer
>> above does not generate a tty_struct memory leak.
>>
>> Here's what I did:
>>
>> Enabled tty debugging and added patch below [1] to show kfree(tty), then:
>>
>> $ sudo modprobe ircomm
>> $ ./reproducer
>>
>> Here's what I got:
>>
>> [ 1436.864342] tty_ldisc_open: ircomm ircomm7: ffff8802aa3b3410: opened
>> [ 1436.864352] tty_open: ircomm ircomm7: opening (count=1)
>> [ 1437.863994] tty_open: ircomm ircomm7: open error -512, releasing
>> [ 1437.864051] tty_release: ircomm ircomm7: releasing (count=1)
>> [ 1437.864055] tty_wait_until_sent: ircomm ircomm7: wait until sent, timeout=7500
>> [ 1437.864110] tty_release: ircomm ircomm7: final close
>> [ 1437.864120] tty_ldisc_close: ircomm ircomm7: ffff8802aa3b3410: closed
>> [ 1437.864124] tty_ldisc_release: ircomm ircomm7: released
>> [ 1437.864130] tty_release: ircomm ircomm7: release
>> [ 1437.864148] release_one_tty: ircomm ircomm7: freeing structure
>>                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> Note that release_one_tty() ends in kfree(tty)
>
>
> There seems to be some race, please try this one:

Yes, I see the bug now, thanks.

> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <pthread.h>
> #include <stdint.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/wait.h>
>
> void work()
> {
>   alarm(1);
>   syscall(SYS_open, "/dev/ircomm7", 0x12d401ul, 0, 0, 0);
> }
>
> int main() {
>   int running = 0, status;
>
>   for (;;) {
>     while (running < 32) {
>       if (fork() == 0) {
>         work();
>         exit(0);
>       }
>       running++;
>     }
>     if (wait(&status) > 0)
>       running--;
>   }
> }
>
>
> If I sample /proc/slabinfo while it runs:
>
> # cat /proc/slabinfo | egrep "^kmalloc-2048"
>
> Number of allocated objects constantly grows.
>
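The /proc/slabinfo sampling quoted above, written as a repeatable trend check. This is an added example, not part of the original message or of the kernel tree. The snapshots are constructed values, and parse_slabinfo, growing_caches, sample_live and the 256-object threshold are assumptions of this example.

```python
"""Flag slab caches whose active object count only grows across samples."""
import time

# Constructed /proc/slabinfo snapshots (illustrative values, not real captures).
HEADER = ("slabinfo - version: 2.1\n"
          "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>\n")
ROW = "{} {} {} {} 16 8 : tunables 0 0 0 : slabdata 0 0 0\n"
SAMPLES = [HEADER + "".join(ROW.format(n, a, a + 16, s) for n, a, s in rows)
           for rows in (
    [("kmalloc-2048", 1200, 2048), ("kmalloc-1024", 900, 1024), ("dentry", 5000, 192)],
    [("kmalloc-2048", 1850, 2048), ("kmalloc-1024", 1400, 1024), ("dentry", 5040, 192)],
    [("kmalloc-2048", 2530, 2048), ("kmalloc-1024", 880, 1024), ("dentry", 5100, 192)],
)]

def parse_slabinfo(text):
    """Return {cache: (active_objs, num_objs, objsize)} from slabinfo 2.x text."""
    caches = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the version banner, the '#' column legend and malformed rows.
        if len(fields) < 4 or fields[0] in ("slabinfo", "#"):
            continue
        try:
            caches[fields[0]] = tuple(int(f) for f in fields[1:4])
        except ValueError:
            continue
    return caches

def growing_caches(snapshots, min_objs=256):
    """Return {cache: (first, last, bytes_gained)} for caches that never shrink
    between samples and gain at least min_objs active objects overall."""
    parsed = [parse_slabinfo(s) for s in snapshots]
    if len(parsed) < 2:
        return {}
    flagged = {}
    for name in set.intersection(*(set(p) for p in parsed)):
        counts = [p[name][0] for p in parsed]
        gained = counts[-1] - counts[0]
        if gained >= min_objs and all(b >= a for a, b in zip(counts, counts[1:])):
            flagged[name] = (counts[0], counts[-1], gained * parsed[-1][name][2])
    return flagged

def sample_live(count=5, interval=2.0, path="/proc/slabinfo"):
    """Read `count` snapshots from a live system (normally requires root)."""
    snaps = []
    for i in range(count):
        with open(path) as f:
            snaps.append(f.read())
        time.sleep(interval if i < count - 1 else 0)
    return snaps

if __name__ == "__main__":
    for name, (first, last, nbytes) in sorted(growing_caches(SAMPLES).items()):
        print(f"{name}: {first} -> {last} active objects (+{nbytes} bytes)")
```

A cache that only grows is a lead rather than proof of a leak: repeat the sampling after the workload stops to see whether the count falls back.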