Message-ID: <CACT4Y+bgt2K0eNjxfY2VxgZ52-enQoEOUs5sNgH7_aRwHp+sjw@mail.gmail.com>
Date:   Wed, 16 Nov 2016 14:18:00 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Peter Zijlstra <peterz@...radead.org>
Cc:     Josh Poimboeuf <jpoimboe@...hat.com>,
        Vince Weaver <vincent.weaver@...ne.edu>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...hat.com>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        "davej@...emonkey.org.uk" <davej@...emonkey.org.uk>,
        Stephane Eranian <eranian@...il.com>
Subject: Re: perf: fuzzer KASAN unwind_get_return_address

On Wed, Nov 16, 2016 at 2:03 PM, Peter Zijlstra <peterz@...radead.org> wrote:
> On Tue, Nov 15, 2016 at 02:57:48PM -0600, Josh Poimboeuf wrote:
>> Would you mind posting a disassembly of unwind_get_return_address()?
>
> $ objdump -D ivb-dbg/vmlinux | awk '/<[^>]*>:/ { p=0; } /<unwind_get_return_address>:/ { p=1; } { if (p) print $0; }'
>
> ffffffff811afd10 <unwind_get_return_address>:
> ffffffff811afd10:       e8 eb cc f4 01          callq  ffffffff830fca00 <__fentry__>
> ffffffff811afd15:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> ffffffff811afd1c:       fc ff df
> ffffffff811afd1f:       48 89 fa                mov    %rdi,%rdx
> ffffffff811afd22:       53                      push   %rbx
> ffffffff811afd23:       48 89 fb                mov    %rdi,%rbx
> ffffffff811afd26:       48 c1 ea 03             shr    $0x3,%rdx
> ffffffff811afd2a:       48 83 ec 18             sub    $0x18,%rsp
> ffffffff811afd2e:       0f b6 14 02             movzbl (%rdx,%rax,1),%edx
> ffffffff811afd32:       48 89 f8                mov    %rdi,%rax
> ffffffff811afd35:       83 e0 07                and    $0x7,%eax
> ffffffff811afd38:       83 c0 03                add    $0x3,%eax
> ffffffff811afd3b:       38 d0                   cmp    %dl,%al
> ffffffff811afd3d:       7c 04                   jl     ffffffff811afd43 <unwind_get_return_address+0x33>
> ffffffff811afd3f:       84 d2                   test   %dl,%dl
> ffffffff811afd41:       75 75                   jne    ffffffff811afdb8 <unwind_get_return_address+0xa8>
> ffffffff811afd43:       8b 03                   mov    (%rbx),%eax
> ffffffff811afd45:       85 c0                   test   %eax,%eax
> ffffffff811afd47:       75 08                   jne    ffffffff811afd51 <unwind_get_return_address+0x41>
> ffffffff811afd49:       48 83 c4 18             add    $0x18,%rsp
> ffffffff811afd4d:       31 c0                   xor    %eax,%eax
> ffffffff811afd4f:       5b                      pop    %rbx
> ffffffff811afd50:       c3                      retq
> ffffffff811afd51:       48 8d 7b 38             lea    0x38(%rbx),%rdi
> ffffffff811afd55:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> ffffffff811afd5c:       fc ff df
> ffffffff811afd5f:       48 89 fa                mov    %rdi,%rdx
> ffffffff811afd62:       48 c1 ea 03             shr    $0x3,%rdx
> ffffffff811afd66:       80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
> ffffffff811afd6a:       75 53                   jne    ffffffff811afdbf <unwind_get_return_address+0xaf>
> ffffffff811afd6c:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> ffffffff811afd73:       fc ff df
> ffffffff811afd76:       48 8b 4b 38             mov    0x38(%rbx),%rcx
> ffffffff811afd7a:       48 89 ca                mov    %rcx,%rdx
> ffffffff811afd7d:       48 c1 ea 03             shr    $0x3,%rdx
> ffffffff811afd81:       80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
> ffffffff811afd85:       75 3f                   jne    ffffffff811afdc6 <unwind_get_return_address+0xb6>
> ffffffff811afd87:       48 8d 7b 28             lea    0x28(%rbx),%rdi
> ffffffff811afd8b:       48 8b 11                mov    (%rcx),%rdx
> ffffffff811afd8e:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> ffffffff811afd95:       fc ff df
> ffffffff811afd98:       48 8d 73 30             lea    0x30(%rbx),%rsi
> ffffffff811afd9c:       49 89 f8                mov    %rdi,%r8
> ffffffff811afd9f:       49 c1 e8 03             shr    $0x3,%r8
> ffffffff811afda3:       41 80 3c 00 00          cmpb   $0x0,(%r8,%rax,1)
> ffffffff811afda8:       75 2e                   jne    ffffffff811afdd8 <unwind_get_return_address+0xc8>
> ffffffff811afdaa:       48 8b 7b 28             mov    0x28(%rbx),%rdi
> ffffffff811afdae:       48 83 c4 18             add    $0x18,%rsp
> ffffffff811afdb2:       5b                      pop    %rbx
> ffffffff811afdb3:       e9 08 98 2a 00          jmpq   ffffffff814595c0 <ftrace_graph_ret_addr>
> ffffffff811afdb8:       e8 53 7d 42 00          callq  ffffffff815d7b10 <__asan_report_load4_noabort>
> ffffffff811afdbd:       eb 84                   jmp    ffffffff811afd43 <unwind_get_return_address+0x33>
> ffffffff811afdbf:       e8 9c 7d 42 00          callq  ffffffff815d7b60 <__asan_report_load8_noabort>
> ffffffff811afdc4:       eb a6                   jmp    ffffffff811afd6c <unwind_get_return_address+0x5c>
> ffffffff811afdc6:       48 89 cf                mov    %rcx,%rdi
> ffffffff811afdc9:       48 89 0c 24             mov    %rcx,(%rsp)
> ffffffff811afdcd:       e8 8e 7d 42 00          callq  ffffffff815d7b60 <__asan_report_load8_noabort>
> ffffffff811afdd2:       48 8b 0c 24             mov    (%rsp),%rcx
> ffffffff811afdd6:       eb af                   jmp    ffffffff811afd87 <unwind_get_return_address+0x77>
> ffffffff811afdd8:       48 89 74 24 10          mov    %rsi,0x10(%rsp)
> ffffffff811afddd:       48 89 54 24 08          mov    %rdx,0x8(%rsp)
> ffffffff811afde2:       48 89 0c 24             mov    %rcx,(%rsp)
> ffffffff811afde6:       e8 75 7d 42 00          callq  ffffffff815d7b60 <__asan_report_load8_noabort>
> ffffffff811afdeb:       48 8b 74 24 10          mov    0x10(%rsp),%rsi
> ffffffff811afdf0:       48 8b 54 24 08          mov    0x8(%rsp),%rdx
> ffffffff811afdf5:       48 8b 0c 24             mov    (%rsp),%rcx
> ffffffff811afdf9:       eb af                   jmp    ffffffff811afdaa <unwind_get_return_address+0x9a>
> ffffffff811afdfb:       0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
>
>> Any idea how recreatable it is?  (In particular I'd be interested in
>> seeing this dump with the latest unwinder improvements in the -tip tree,
>> which dump the pt_regs associated with an interrupt.)
>
> Fairly reproducible it seems, but the dumps don't seem to include
> pt_regs though :/
>
> tip/master as of this morning.

Can you print the stack that it gets after unwinding? If we see
garbage there, that will confirm that it reads from redzones.
You can check taint before/after the unwind and dump the stack iff the
kernel became tainted during the unwind.


> 3==================================================================
> 3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1ba/0x1f0 at addr ffff88042fc87be0
> 3Read of size 8 by task swapper/28/0
> 0page:ffffea0010bf21c0 count:1 mapcount:0 mapping:          (null) index:0x0c
> 0flags: 0x2ffff8000000400(reserved)
> 1page dumped because: kasan: bad access detected
> dCPU: 28 PID: 0 Comm: swapper/28 Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #2
> dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
> dCall Trace:
> d <NMI>
> d ? dump_stack+0x5e/0x89
> d ? kasan_report_error+0x4a5/0x4d0
> d ? __asan_report_load8_noabort+0x45/0x50
> d ? __kernel_text_address+0x20/0xa0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? perf_callchain_kernel+0x33c/0x540
> d ? arch_perf_update_userpage+0x340/0x340
> d ? get_perf_callchain+0x24d/0x610
> d ? put_callchain_buffers+0x50/0x50
> d ? number+0x653/0x830
> d ? perf_callchain+0x126/0x190
> d ? perf_prepare_sample+0x720/0x1010
> d ? perf_event_output_forward+0x81/0xf0
> d ? perf_prepare_sample+0x1010/0x1010
> d ? pointer+0x880/0x880
> d ? perf_event_update_userpage+0x16/0x730
> d ? __perf_event_overflow+0x1a0/0x510
> d ? intel_pmu_handle_irq+0x34b/0xa90
> d ? intel_pmu_save_and_restart+0xd0/0xd0
> d ? acpi_os_read_memory+0x205/0x23c
> d ? format_decode+0xc5/0x7a0
> d ? vunmap_page_range+0x26a/0x400
> d ? ghes_copy_tofrom_phys+0x141/0x270
> d ? ghes_read_estatus+0x112/0x5a0
> d ? ghes_copy_tofrom_phys+0x270/0x270
> d ? early_printk+0xa4/0xd0
> d ? devkmsg_sysctl_set_loglvl+0x160/0x160
> d ? perf_event_nmi_handler+0x28/0x40
> d ? nmi_handle+0xa1/0x250
> d ? default_do_nmi+0x61/0x170
> d ? do_nmi+0x191/0x200
> d ? end_repeat_nmi+0x1a/0x1e
> d ? format_decode+0xc5/0x7a0
> d ? format_decode+0xc5/0x7a0
> d ? format_decode+0xc5/0x7a0
> d <EOE>
> d <IRQ>
> d ? vsnprintf+0xfc/0x15e0
> d ? pointer+0x880/0x880
> d ? x86_pmu_enable_all+0x1c0/0x1c0
> d ? vscnprintf+0x9/0x30
> d ? early_vprintk+0xb0/0x130
> d ? trace_raw_output_console+0x160/0x160
> d ? memcpy+0x34/0x50
> d ? x86_pmu_commit_txn+0x180/0x260
> d ? events_sysfs_show+0xb0/0xb0
> d ? save_stack+0x33/0xb0
> d ? hrtimer_init+0x120/0x120
> d ? timerqueue_del+0x62/0x140
> d ? perf_event_update_userpage+0x16/0x730
> d ? perf_event_update_userpage+0x16/0x730
> d ? x86_perf_event_set_period+0x239/0x450
> d ? perf_event_update_userpage+0x16/0x730
> d ? x86_pmu_enable+0x5f7/0xaa0
> d ? printk+0xb6/0xef
> d ? printk_emit+0xa0/0xa0
> d ? _raw_spin_unlock_irqrestore+0x42/0x70
> d ? ___ratelimit+0x1e4/0x3f0
> d ? irq_work_run_list+0xa1/0xf0
> d ? irq_work_run+0x14/0x40
> d ? smp_call_function_single_interrupt+0x60/0x80
> d ? call_function_single_interrupt+0x89/0x90
> d <EOI>
> d ? cpuidle_enter_state+0x113/0x780
> d ? cpuidle_enter_state+0x10e/0x780
> d ? cpu_load_update_nohz_stop+0x155/0x1b0
> d ? cpu_startup_entry+0x19a/0x2c0
> d ? start_cpu+0x5/0x14
> 3Memory state around the buggy address:
> 3 ffff88042fc87a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3 ffff88042fc87b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3>ffff88042fc87b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
> 3                                                       ^
> 3 ffff88042fc87c00: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
> 3 ffff88042fc87c80: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
> 3==================================================================
>
>
> 3==================================================================
> 3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1ba/0x1f0 at addr ffff880424a97878
> 3Read of size 8 by task perf_fuzzer/3451
> 0page:ffffea001092a5c0 count:0 mapcount:0 mapping:          (null) index:0x0c
> 0flags: 0x2ffff8000000000()
> 1page dumped because: kasan: bad access detected
> dCPU: 28 PID: 3451 Comm: perf_fuzzer Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #2
> dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
> dCall Trace:
> d ? dump_stack+0x5e/0x89
> d ? kasan_report_error+0x4a5/0x4d0
> d ? __asan_report_load8_noabort+0x45/0x50
> d ? __kernel_text_address+0x20/0xa0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? perf_callchain_kernel+0x33c/0x540
> d ? arch_perf_update_userpage+0x340/0x340
> d ? get_perf_callchain+0x24d/0x610
> d ? put_callchain_buffers+0x50/0x50
> d ? ipv6_flowlabel_opt+0x1111/0x17d0
> d ? perf_log_itrace_start+0x3a0/0x3a0
> d ? cpumask_next_and+0x5a/0xa0
> d ? ktime_get_raw_fast_ns+0xd3/0x1e0
> d ? perf_callchain+0x126/0x190
> d ? perf_prepare_sample+0x720/0x1010
> d ? perf_event_output_forward+0x81/0xf0
> d ? perf_prepare_sample+0x1010/0x1010
> d ? perf_event_update_userpage+0x16/0x730
> d ? kasan_unpoison_shadow+0x31/0x40
> d ? get_page_from_freelist+0x52e/0x2310
> d ? perf_output_begin+0x3a1/0x9b0
> d ? cpu_clock_event_add+0x17/0x20
> d ? __perf_event_overflow+0x1a0/0x510
> d ? perf_swevent_overflow+0x156/0x1f0
> d ? perf_tp_event+0x3e8/0x5c0
> d ? perf_output_begin_backward+0x960/0x960
> d ? perf_tp_event_match.isra.85.part.86+0x140/0x140
> d ? __mark_inode_dirty+0x459/0xa50
> d ? legitimize_path.isra.28+0x6b/0x150
> d ? unlazy_walk+0x456/0x790
> d ? memset+0x1f/0x40
> d ? perf_trace_writeback_dirty_inode_template+0x3af/0x610
> d ? save_stack+0x33/0xb0
> d ? inode_congested+0x450/0x450
> d ? dput+0x1de/0x530
> d ? walk_component+0x2cc/0xdc0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? pick_link+0xbe0/0xbe0
> d ? inode_congested+0x450/0x450
> d ? __mark_inode_dirty+0x459/0xa50
> d ? proc_sys_setattr+0x84/0xb0
> d ? notify_change+0x4d6/0xc40
> d ? security_inode_need_killpriv+0x58/0x80
> d ? do_truncate+0xd7/0x160
> d ? file_open_root+0x1a0/0x1a0
> d ? path_openat+0x97f/0x3b30
> d ? vfs_rename+0x14a0/0x14a0
> d ? getname_flags+0xba/0x500
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? do_filp_open+0x175/0x230
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? may_open_dev+0xc0/0xc0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? do_sys_open+0x16d/0x310
> d ? SyS_write+0xab/0x160
> d ? filp_open+0x50/0x50
> d ? task_stopped_code+0xf0/0xf0
> d ? trace_hardirqs_on_thunk+0x1a/0x1c
> d ? entry_SYSCALL_64_fastpath+0x18/0xa8
> 3Memory state around the buggy address:
> 3 ffff880424a97700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3 ffff880424a97780: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
> 3>ffff880424a97800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
> 3                                                                ^
> 3 ffff880424a97880: f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f3
> 3 ffff880424a97900: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3==================================================================
>
>
>
