lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <573895B0.3050906@gmail.com>
Date:	Sun, 15 May 2016 23:28:48 +0800
From:	Baozeng Ding <sploving1@...il.com>
To:	cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
	iamjoonsoo.kim@....com, akpm@...ux-foundation.org
Cc:	linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: BUG: mm/slub NULL-ptr deref in get_freepointer

Hi all,
I've got the following report of a NULL-ptr deref in get_freepointer
(mm/slub.c) while running syzkaller.
Unfortunately, no reproducer. The kernel version is 4.6.0-rc2+.

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 14637 Comm: syz-executor Tainted: G    B 4.6.0-rc2+ #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
task: ffff880067c71780 ti: ffff880067450000 task.ti: ffff880067450000
RIP: 0010:[<ffffffff81711b59>]  [<ffffffff81711b59>] 
deactivate_slab+0x99/0x710
RSP: 0018:ffff880067457b40  EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffffea0000dab800 RCX: 0000000180180018
RDX: 0000000000000000 RSI: ffffea0000dab800 RDI: 0000000000010400
RBP: ffff880067457bf8 R08: 0000000000008018 R09: 0000000000008000
R10: 0000000000000000 R11: 0000000000000000 R12: 05fffc000004004c
R13: ffffea0001843640 R14: ffff88003e800c40 R15: ffff88003e806f00
FS:  00007ff2eec2e700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020008ff8 CR3: 00000000378cf000 CR4: 00000000000006f0
Stack:
  ffff880067457b90 ffffffff8177f632 ffff880067c71780 ffffffff8177f632
  ffffffff8177f632 0000000f67457b80 ffffffff811cf3e6 ffff880036ae7d88
  ffff880067457bc0 ffffffff8170ef8f 0000001000000008 ffff880036ae7d90
Call Trace:
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<     inline     >] ? kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<     inline     >] ? kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<     inline     >] ? kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<ffffffff811cf3e6>] ? save_stack_trace+0x26/0x50 
arch/x86/kernel/stacktrace.c:67
  [<ffffffff8170ef8f>] ? set_track+0x6f/0x120 mm/slub.c:541
  [<ffffffff8170fd24>] ? init_object+0x64/0xa0 mm/slub.c:704
  [<ffffffff81710cde>] ? alloc_debug_processing+0x6e/0x1b0 mm/slub.c:1085
  [<ffffffff81712b27>] ___slab_alloc+0x167/0x500 mm/slub.c:2449
  [<ffffffff81403220>] ? lockdep_init_map+0xf0/0x13e0 
kernel/locking/lockdep.c:3120
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<     inline     >] ? kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<ffffffff81403220>] ? lockdep_init_map+0xf0/0x13e0 
kernel/locking/lockdep.c:3120
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<     inline     >] ? kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<ffffffff81712f0c>] __slab_alloc+0x4c/0x90 mm/slub.c:2475
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<     inline     >] ? kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<     inline     >] slab_alloc_node mm/slub.c:2538
  [<     inline     >] slab_alloc mm/slub.c:2580
  [<ffffffff81713e77>] __kmalloc+0x297/0x360 mm/slub.c:3561
  [<     inline     >] kmalloc include/linux/slab.h:483
  [<     inline     >] kzalloc include/linux/slab.h:622
  [<ffffffff8177f632>] alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<     inline     >] get_pipe_inode fs/pipe.c:683
  [<ffffffff817807d4>] create_pipe_files+0xd4/0x8f0 fs/pipe.c:716
  [<ffffffff813fe03a>] ? up_write+0x1a/0x60 kernel/locking/rwsem.c:91
  [<ffffffff81780700>] ? fifo_open+0x9f0/0x9f0 fs/pipe.c:884
  [<ffffffff81670d60>] ? vma_is_stack_for_task+0xa0/0xa0 mm/util.c:235
  [<ffffffff81781029>] __do_pipe_flags+0x39/0x210 fs/pipe.c:774
  [<     inline     >] SYSC_pipe2 fs/pipe.c:822
  [<ffffffff817813cc>] SyS_pipe2+0x8c/0x170 fs/pipe.c:816
  [<ffffffff81781340>] ? do_pipe_flags+0x140/0x140 fs/pipe.c:807
  [<ffffffff816ba430>] ? find_mergeable_anon_vma+0xd0/0xd0 mm/mmap.c:1090
  [<ffffffff814011ad>] ? trace_hardirqs_off+0xd/0x10 
kernel/locking/lockdep.c:2772
  [<ffffffff8100301b>] ? trace_hardirqs_on_thunk+0x1b/0x1d 
arch/x86/entry/thunk_64.S:42
  [<ffffffff85c8ab80>] entry_SYSCALL_64_fastpath+0x23/0xc1 
arch/x86/entry/entry_64.S:207
Code: 89 54 05 00 4d 89 e8 49 8b 7f 08 48 89 de 48 89 4c 24 68 66 83 6c 
24 68 01 4c 8b 4c 24 68 e8 7f fe ff ff 84 c0 74 cc 49 63 47 20 <49> 8b 
0c 04 48 85 c9 74 0c 4d 89 e5 48 8b 53 10 49 89 cc eb bb
RIP  [<     inline     >] get_freepointer mm/slub.c:245
RIP  [<ffffffff81711b59>] deactivate_slab+0x99/0x710 mm/slub.c:1893
  RSP <ffff880067457b40>
---[ end trace b34379b339f95a27 ]---

Best Regards,
Baozeng Ding
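When a fuzzer produces a report like the one above without a reproducer, the first triage step is usually mechanical: pull the fault type, the faulting function (including the inlined frame KASAN names on the trailing `RIP` lines), and the reliable part of the call trace (frames without the `?` marker), so that duplicate reports can be grouped by signature. The parser below is an added example, not code from the report or from the kernel or syzkaller; it runs on a constructed, trimmed copy of the dump above and assumes the x86-64 oops layout of that kernel generation (`[<addr>] sym+off/size file:line`, with `[<     inline     >]` for inlined frames).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the report above, not the full dump.
SAMPLE_OOPS = """\
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 14637 Comm: syz-executor Tainted: G    B 4.6.0-rc2+ #16
RIP: 0010:[<ffffffff81711b59>]  [<ffffffff81711b59>] deactivate_slab+0x99/0x710
Call Trace:
  [<     inline     >] ? kmalloc include/linux/slab.h:483
  [<ffffffff8177f632>] ? alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<ffffffff81712b27>] ___slab_alloc+0x167/0x500 mm/slub.c:2449
  [<ffffffff81712f0c>] __slab_alloc+0x4c/0x90 mm/slub.c:2475
  [<     inline     >] slab_alloc_node mm/slub.c:2538
  [<ffffffff81713e77>] __kmalloc+0x297/0x360 mm/slub.c:3561
  [<ffffffff8177f632>] alloc_pipe_info+0x292/0x3a0 fs/pipe.c:622
  [<ffffffff817813cc>] SyS_pipe2+0x8c/0x170 fs/pipe.c:816
  [<ffffffff85c8ab80>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
RIP  [<     inline     >] get_freepointer mm/slub.c:245
RIP  [<ffffffff81711b59>] deactivate_slab+0x99/0x710 mm/slub.c:1893
---[ end trace b34379b339f95a27 ]---
"""

# One stack frame: "[<addr>] ? sym+0xoff/0xsize file:line" or "[<     inline     >] sym file:line".
# A leading "RIP  " marks the frames that describe the faulting instruction itself.
FRAME_RE = re.compile(
    r"^\s*(?P<rip>RIP\s+)?\[<(?P<addr>[0-9a-f]+|\s*inline\s*)>\]\s*"
    r"(?P<unreliable>\?\s+)?(?P<sym>[^\s+]+)"
    r"(?:\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?"
    r"(?:\s+(?P<src>\S+:\d+))?\s*$"
)
FAULT_RE = re.compile(r"^(?P<fault>general protection fault|BUG: [^:]+)")
CPU_RE = re.compile(r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) .*?(?P<version>\S+) #\d+\s*$")


@dataclass
class Frame:
    symbol: str
    inline: bool                  # True for "[<     inline     >]" frames
    unreliable: bool              # True when the unwinder printed a "?" before the symbol
    offset: Optional[int] = None  # symbol+offset, None for inline frames
    source: Optional[str] = None  # "file:line" when the kernel was built with debug info


@dataclass
class OopsReport:
    fault: Optional[str] = None
    kasan_hint: Optional[str] = None
    cpu: Optional[int] = None
    pid: Optional[int] = None
    comm: Optional[str] = None
    version: Optional[str] = None
    fault_frames: List[Frame] = field(default_factory=list)  # trailing "RIP  [<...>]" lines
    trace: List[Frame] = field(default_factory=list)         # everything under "Call Trace:"


def _frame(m: "re.Match") -> Frame:
    inline = "inline" in m.group("addr")
    off = m.group("off")
    return Frame(
        symbol=m.group("sym"),
        inline=inline,
        unreliable=m.group("unreliable") is not None,
        offset=int(off, 16) if off else None,
        source=m.group("src"),
    )


def parse_oops(text: str) -> OopsReport:
    """Parse one kernel oops/GPF dump into a structured report."""
    rep = OopsReport()
    in_trace = False
    for line in text.splitlines():
        if line.startswith("---[ end trace"):
            break
        if rep.fault is None:
            m = FAULT_RE.match(line)
            if m:
                rep.fault = m.group("fault")
                continue
        if line.startswith("kasan: GPF could be caused by"):
            rep.kasan_hint = line.split(": ", 1)[1]
            continue
        m = CPU_RE.match(line)
        if m:
            rep.cpu, rep.pid = int(m.group("cpu")), int(m.group("pid"))
            rep.comm, rep.version = m.group("comm"), m.group("version")
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue
        if m.group("rip"):
            rep.fault_frames.append(_frame(m))
        elif in_trace:
            rep.trace.append(_frame(m))
    return rep


def reliable_trace(rep: OopsReport) -> List[str]:
    """Symbols of the frames the unwinder trusted (no '?' marker), outermost last."""
    return [f.symbol for f in rep.trace if not f.unreliable]


def crash_signature(rep: OopsReport, depth: int = 3) -> str:
    """Stable key for grouping duplicate reports: fault type, faulting function(s), top reliable callers."""
    where = " / ".join(f.symbol for f in rep.fault_frames) or "?"
    chain = " <- ".join(reliable_trace(rep)[:depth])
    return f"{rep.fault} in {where} via {chain}"


if __name__ == "__main__":
    report = parse_oops(SAMPLE_OOPS)
    print(crash_signature(report))
    print("kernel:", report.version, "task:", report.comm, "pid:", report.pid)
    for f in report.fault_frames:
        print("fault at", f.symbol, f.source)
```

The `fault_frames` list keeps both trailing `RIP` lines in order, so the inlined `get_freepointer` (the real site of the dereference) comes before its non-inlined container `deactivate_slab`; grouping on that pair plus the first few reliable callers is what keeps reports from different syscalls that reach the same slab path separate from genuinely identical ones.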
