| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Nov 2016 14:18:00 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: Josh Poimboeuf <jpoimboe@...hat.com>,
Vince Weaver <vincent.weaver@...ne.edu>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
"davej@...emonkey.org.uk" <davej@...emonkey.org.uk>,
Stephane Eranian <eranian@...il.com>
Subject: Re: perf: fuzzer KASAN unwind_get_return_address
On Wed, Nov 16, 2016 at 2:03 PM, Peter Zijlstra <peterz@...radead.org> wrote:
> On Tue, Nov 15, 2016 at 02:57:48PM -0600, Josh Poimboeuf wrote:
>> Would you mind posting a disassembly of unwind_get_return_address()?
>
> $ objdump -D ivb-dbg/vmlinux | awk '/<[^>]*>:/ { p=0; } /<unwind_get_return_address>:/ { p=1; } { if (p) print $0; }'
>
> ffffffff811afd10 <unwind_get_return_address>:
> ffffffff811afd10: e8 eb cc f4 01 callq ffffffff830fca00 <__fentry__>
> ffffffff811afd15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> ffffffff811afd1c: fc ff df
> ffffffff811afd1f: 48 89 fa mov %rdi,%rdx
> ffffffff811afd22: 53 push %rbx
> ffffffff811afd23: 48 89 fb mov %rdi,%rbx
> ffffffff811afd26: 48 c1 ea 03 shr $0x3,%rdx
> ffffffff811afd2a: 48 83 ec 18 sub $0x18,%rsp
> ffffffff811afd2e: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
> ffffffff811afd32: 48 89 f8 mov %rdi,%rax
> ffffffff811afd35: 83 e0 07 and $0x7,%eax
> ffffffff811afd38: 83 c0 03 add $0x3,%eax
> ffffffff811afd3b: 38 d0 cmp %dl,%al
> ffffffff811afd3d: 7c 04 jl ffffffff811afd43 <unwind_get_return_address+0x33>
> ffffffff811afd3f: 84 d2 test %dl,%dl
> ffffffff811afd41: 75 75 jne ffffffff811afdb8 <unwind_get_return_address+0xa8>
> ffffffff811afd43: 8b 03 mov (%rbx),%eax
> ffffffff811afd45: 85 c0 test %eax,%eax
> ffffffff811afd47: 75 08 jne ffffffff811afd51 <unwind_get_return_address+0x41>
> ffffffff811afd49: 48 83 c4 18 add $0x18,%rsp
> ffffffff811afd4d: 31 c0 xor %eax,%eax
> ffffffff811afd4f: 5b pop %rbx
> ffffffff811afd50: c3 retq
> ffffffff811afd51: 48 8d 7b 38 lea 0x38(%rbx),%rdi
> ffffffff811afd55: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> ffffffff811afd5c: fc ff df
> ffffffff811afd5f: 48 89 fa mov %rdi,%rdx
> ffffffff811afd62: 48 c1 ea 03 shr $0x3,%rdx
> ffffffff811afd66: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
> ffffffff811afd6a: 75 53 jne ffffffff811afdbf <unwind_get_return_address+0xaf>
> ffffffff811afd6c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> ffffffff811afd73: fc ff df
> ffffffff811afd76: 48 8b 4b 38 mov 0x38(%rbx),%rcx
> ffffffff811afd7a: 48 89 ca mov %rcx,%rdx
> ffffffff811afd7d: 48 c1 ea 03 shr $0x3,%rdx
> ffffffff811afd81: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
> ffffffff811afd85: 75 3f jne ffffffff811afdc6 <unwind_get_return_address+0xb6>
> ffffffff811afd87: 48 8d 7b 28 lea 0x28(%rbx),%rdi
> ffffffff811afd8b: 48 8b 11 mov (%rcx),%rdx
> ffffffff811afd8e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
> ffffffff811afd95: fc ff df
> ffffffff811afd98: 48 8d 73 30 lea 0x30(%rbx),%rsi
> ffffffff811afd9c: 49 89 f8 mov %rdi,%r8
> ffffffff811afd9f: 49 c1 e8 03 shr $0x3,%r8
> ffffffff811afda3: 41 80 3c 00 00 cmpb $0x0,(%r8,%rax,1)
> ffffffff811afda8: 75 2e jne ffffffff811afdd8 <unwind_get_return_address+0xc8>
> ffffffff811afdaa: 48 8b 7b 28 mov 0x28(%rbx),%rdi
> ffffffff811afdae: 48 83 c4 18 add $0x18,%rsp
> ffffffff811afdb2: 5b pop %rbx
> ffffffff811afdb3: e9 08 98 2a 00 jmpq ffffffff814595c0 <ftrace_graph_ret_addr>
> ffffffff811afdb8: e8 53 7d 42 00 callq ffffffff815d7b10 <__asan_report_load4_noabort>
> ffffffff811afdbd: eb 84 jmp ffffffff811afd43 <unwind_get_return_address+0x33>
> ffffffff811afdbf: e8 9c 7d 42 00 callq ffffffff815d7b60 <__asan_report_load8_noabort>
> ffffffff811afdc4: eb a6 jmp ffffffff811afd6c <unwind_get_return_address+0x5c>
> ffffffff811afdc6: 48 89 cf mov %rcx,%rdi
> ffffffff811afdc9: 48 89 0c 24 mov %rcx,(%rsp)
> ffffffff811afdcd: e8 8e 7d 42 00 callq ffffffff815d7b60 <__asan_report_load8_noabort>
> ffffffff811afdd2: 48 8b 0c 24 mov (%rsp),%rcx
> ffffffff811afdd6: eb af jmp ffffffff811afd87 <unwind_get_return_address+0x77>
> ffffffff811afdd8: 48 89 74 24 10 mov %rsi,0x10(%rsp)
> ffffffff811afddd: 48 89 54 24 08 mov %rdx,0x8(%rsp)
> ffffffff811afde2: 48 89 0c 24 mov %rcx,(%rsp)
> ffffffff811afde6: e8 75 7d 42 00 callq ffffffff815d7b60 <__asan_report_load8_noabort>
> ffffffff811afdeb: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
> ffffffff811afdf0: 48 8b 54 24 08 mov 0x8(%rsp),%rdx
> ffffffff811afdf5: 48 8b 0c 24 mov (%rsp),%rcx
> ffffffff811afdf9: eb af jmp ffffffff811afdaa <unwind_get_return_address+0x9a>
> ffffffff811afdfb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
>
>> Any idea how recreatable it is? (In particular I'd be interested in
>> seeing this dump with the latest unwinder improvements in the -tip tree,
>> which dump the pt_regs associated with an interrupt.)
>
> Fairly reproducable it seems, doesn't seem to include pt_regs dumps
> though :/
>
> tip/master as of this morning.
Can you print the stack that it gets after unwinding? If we will see
some garbage there, then it will confirm that it reads from redzones.
You can check taint before/after unwind and dump the stack iff kernel
become tainted during unwind.
> 3==================================================================
> 3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1ba/0x1f0 at addr ffff88042fc87be0
> 3Read of size 8 by task swapper/28/0
> 0page:ffffea0010bf21c0 count:1 mapcount:0 mapping: (null) index:0x0c
> 0flags: 0x2ffff8000000400(reserved)
> 1page dumped because: kasan: bad access detected
> dCPU: 28 PID: 0 Comm: swapper/28 Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #2
> dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
> dCall Trace:
> d <NMI>
> d ? dump_stack+0x5e/0x89
> d ? kasan_report_error+0x4a5/0x4d0
> d ? __asan_report_load8_noabort+0x45/0x50
> d ? __kernel_text_address+0x20/0xa0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? perf_callchain_kernel+0x33c/0x540
> d ? arch_perf_update_userpage+0x340/0x340
> d ? get_perf_callchain+0x24d/0x610
> d ? put_callchain_buffers+0x50/0x50
> d ? number+0x653/0x830
> d ? perf_callchain+0x126/0x190
> d ? perf_prepare_sample+0x720/0x1010
> d ? perf_event_output_forward+0x81/0xf0
> d ? perf_prepare_sample+0x1010/0x1010
> d ? pointer+0x880/0x880
> d ? perf_event_update_userpage+0x16/0x730
> d ? __perf_event_overflow+0x1a0/0x510
> d ? intel_pmu_handle_irq+0x34b/0xa90
> d ? intel_pmu_save_and_restart+0xd0/0xd0
> d ? acpi_os_read_memory+0x205/0x23c
> d ? format_decode+0xc5/0x7a0
> d ? vunmap_page_range+0x26a/0x400
> d ? ghes_copy_tofrom_phys+0x141/0x270
> d ? ghes_read_estatus+0x112/0x5a0
> d ? ghes_copy_tofrom_phys+0x270/0x270
> d ? early_printk+0xa4/0xd0
> d ? devkmsg_sysctl_set_loglvl+0x160/0x160
> d ? perf_event_nmi_handler+0x28/0x40
> d ? nmi_handle+0xa1/0x250
> d ? default_do_nmi+0x61/0x170
> d ? do_nmi+0x191/0x200
> d ? end_repeat_nmi+0x1a/0x1e
> d ? format_decode+0xc5/0x7a0
> d ? format_decode+0xc5/0x7a0
> d ? format_decode+0xc5/0x7a0
> d <EOE>
> d <IRQ>
> d ? vsnprintf+0xfc/0x15e0
> d ? pointer+0x880/0x880
> d ? x86_pmu_enable_all+0x1c0/0x1c0
> d ? vscnprintf+0x9/0x30
> d ? early_vprintk+0xb0/0x130
> d ? trace_raw_output_console+0x160/0x160
> d ? memcpy+0x34/0x50
> d ? x86_pmu_commit_txn+0x180/0x260
> d ? events_sysfs_show+0xb0/0xb0
> d ? save_stack+0x33/0xb0
> d ? hrtimer_init+0x120/0x120
> d ? timerqueue_del+0x62/0x140
> d ? perf_event_update_userpage+0x16/0x730
> d ? perf_event_update_userpage+0x16/0x730
> d ? x86_perf_event_set_period+0x239/0x450
> d ? perf_event_update_userpage+0x16/0x730
> d ? x86_pmu_enable+0x5f7/0xaa0
> d ? printk+0xb6/0xef
> d ? printk_emit+0xa0/0xa0
> d ? _raw_spin_unlock_irqrestore+0x42/0x70
> d ? ___ratelimit+0x1e4/0x3f0
> d ? irq_work_run_list+0xa1/0xf0
> d ? irq_work_run+0x14/0x40
> d ? smp_call_function_single_interrupt+0x60/0x80
> d ? call_function_single_interrupt+0x89/0x90
> d <EOI>
> d ? cpuidle_enter_state+0x113/0x780
> d ? cpuidle_enter_state+0x10e/0x780
> d ? cpu_load_update_nohz_stop+0x155/0x1b0
> d ? cpu_startup_entry+0x19a/0x2c0
> d ? start_cpu+0x5/0x14
> 3Memory state around the buggy address:
> 3 ffff88042fc87a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3 ffff88042fc87b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3>ffff88042fc87b80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
> 3 ^
> 3 ffff88042fc87c00: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
> 3 ffff88042fc87c80: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
> 3==================================================================
>
>
> 3==================================================================
> 3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x1ba/0x1f0 at addr ffff880424a97878
> 3Read of size 8 by task perf_fuzzer/3451
> 0page:ffffea001092a5c0 count:0 mapcount:0 mapping: (null) index:0x0c
> 0flags: 0x2ffff8000000000()
> 1page dumped because: kasan: bad access detected
> dCPU: 28 PID: 3451 Comm: perf_fuzzer Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #2
> dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
> dCall Trace:
> d ? dump_stack+0x5e/0x89
> d ? kasan_report_error+0x4a5/0x4d0
> d ? __asan_report_load8_noabort+0x45/0x50
> d ? __kernel_text_address+0x20/0xa0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? unwind_next_frame+0x1ba/0x1f0
> d ? perf_callchain_kernel+0x33c/0x540
> d ? arch_perf_update_userpage+0x340/0x340
> d ? get_perf_callchain+0x24d/0x610
> d ? put_callchain_buffers+0x50/0x50
> d ? ipv6_flowlabel_opt+0x1111/0x17d0
> d ? perf_log_itrace_start+0x3a0/0x3a0
> d ? cpumask_next_and+0x5a/0xa0
> d ? ktime_get_raw_fast_ns+0xd3/0x1e0
> d ? perf_callchain+0x126/0x190
> d ? perf_prepare_sample+0x720/0x1010
> d ? perf_event_output_forward+0x81/0xf0
> d ? perf_prepare_sample+0x1010/0x1010
> d ? perf_event_update_userpage+0x16/0x730
> d ? kasan_unpoison_shadow+0x31/0x40
> d ? get_page_from_freelist+0x52e/0x2310
> d ? perf_output_begin+0x3a1/0x9b0
> d ? cpu_clock_event_add+0x17/0x20
> d ? __perf_event_overflow+0x1a0/0x510
> d ? perf_swevent_overflow+0x156/0x1f0
> d ? perf_tp_event+0x3e8/0x5c0
> d ? perf_output_begin_backward+0x960/0x960
> d ? perf_tp_event_match.isra.85.part.86+0x140/0x140
> d ? __mark_inode_dirty+0x459/0xa50
> d ? legitimize_path.isra.28+0x6b/0x150
> d ? unlazy_walk+0x456/0x790
> d ? memset+0x1f/0x40
> d ? perf_trace_writeback_dirty_inode_template+0x3af/0x610
> d ? save_stack+0x33/0xb0
> d ? inode_congested+0x450/0x450
> d ? dput+0x1de/0x530
> d ? walk_component+0x2cc/0xdc0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? pick_link+0xbe0/0xbe0
> d ? inode_congested+0x450/0x450
> d ? __mark_inode_dirty+0x459/0xa50
> d ? proc_sys_setattr+0x84/0xb0
> d ? notify_change+0x4d6/0xc40
> d ? security_inode_need_killpriv+0x58/0x80
> d ? do_truncate+0xd7/0x160
> d ? file_open_root+0x1a0/0x1a0
> d ? path_openat+0x97f/0x3b30
> d ? vfs_rename+0x14a0/0x14a0
> d ? getname_flags+0xba/0x500
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? do_filp_open+0x175/0x230
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? may_open_dev+0xc0/0xc0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? save_stack+0x33/0xb0
> d ? do_sys_open+0x16d/0x310
> d ? SyS_write+0xab/0x160
> d ? filp_open+0x50/0x50
> d ? task_stopped_code+0xf0/0xf0
> d ? trace_hardirqs_on_thunk+0x1a/0x1c
> d ? entry_SYSCALL_64_fastpath+0x18/0xa8
> 3Memory state around the buggy address:
> 3 ffff880424a97700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3 ffff880424a97780: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 f3
> 3>ffff880424a97800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
> 3 ^
> 3 ffff880424a97880: f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f3
> 3 ffff880424a97900: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
> 3==================================================================
>
>
>
Powered by blists - more mailing lists