Message-ID: <CACT4Y+aS2grw2xA4omKv+5s4OPXCYzxSG-fZ=Gt-w9LQ91Cc9Q@mail.gmail.com>
Date:   Fri, 18 Nov 2016 11:09:54 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     joern@...fs.org, Prasad Joshi <prasadjoshi.linux@...il.com>,
        logfs@...fs.org, LKML <linux-kernel@...r.kernel.org>,
        Al Viro <viro@...iv.linux.org.uk>,
        "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: logfs: GPF in logfs_alloc_inode

Hello,

The following program triggers a GPF in logfs_alloc_inode:
https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt


general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 2 PID: 6602 Comm: a.out Not tainted 4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003604c400 task.stack: ffff880035380000
RIP: 0010:[<ffffffff82514115>]  [<     inline     >] i_uid_write
./include/linux/fs.h:1469
RIP: 0010:[<ffffffff82514115>]  [<ffffffff82514115>]
logfs_init_inode.isra.5+0x155/0x480 fs/logfs/inode.c:212
RSP: 0018:ffff880035387838  EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8800640af9e0 RCX: 0000000000000000
RDX: 000000000000011b RSI: ffffffff8995e940 RDI: 00000000000008d8
RBP: ffff8800353878c0 R08: 00000000000004d0 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff8800640afe00
R13: 1ffff10006a70f07 R14: 0000000000000000 R15: ffff88006b563700
FS:  0000000001b3b940(0000) GS:ffff88006d000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8526a449de CR3: 0000000034106000 CR4: 00000000000006e0
Stack:
 0000000041b58ab3 ffffffff894c4c0b ffffffff82513fc0 000000000000aa81
 ffffffff819efe35 ffff88006a63a7ff 1ffff1000d4c7500 ffffe8ffffc18490
 00000001819effad 0000000000000003 ffff88000000000c 0000000000000282
Call Trace:
 [<ffffffff82514475>] logfs_alloc_inode+0x35/0x40 fs/logfs/inode.c:234
 [<ffffffff81ade226>] alloc_inode+0x66/0x180 fs/inode.c:207
 [<ffffffff81ae57de>] new_inode_pseudo+0x6e/0x190 fs/inode.c:889
 [<ffffffff81ae5921>] new_inode+0x21/0x50 fs/inode.c:918
 [<ffffffff82514986>] logfs_new_meta_inode+0x26/0x120 fs/logfs/inode.c:267
 [<ffffffff82533f97>] logfs_init_mapping+0x47/0x160 fs/logfs/segment.c:912
 [<     inline     >] logfs_read_sb fs/logfs/super.c:446
 [<     inline     >] logfs_get_sb_device fs/logfs/super.c:546
 [<ffffffff825375f0>] logfs_mount+0x690/0x1e50 fs/logfs/super.c:600
 [<ffffffff81a7d62c>] mount_fs+0x9c/0x2e0 fs/super.c:1177
 [<ffffffff81af4e9c>] vfs_kern_mount.part.22+0x6c/0x2f0 fs/namespace.c:954
 [<     inline     >] vfs_kern_mount fs/namespace.c:2433
 [<     inline     >] do_new_mount fs/namespace.c:2436
 [<ffffffff81afe3dd>] do_mount+0x41d/0x2db0 fs/namespace.c:2758
 [<     inline     >] SYSC_mount fs/namespace.c:2974
 [<ffffffff81b016d0>] SyS_mount+0xb0/0x120 fs/namespace.c:2951
 [<ffffffff88147985>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 13 03 00 00 4c 8b 73 28 48 b8
00 00 00 00 00 fc ff df 49 8d be d8 08 00 00 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 e3 02 00 00 48 8d 7b 04 48 b8 00 00 00 00 00
RIP  [<     inline     >] i_uid_write ./include/linux/fs.h:1469
RIP  [<ffffffff82514115>] logfs_init_inode.isra.5+0x155/0x480
fs/logfs/inode.c:212
 RSP <ffff880035387838>
---[ end trace a44003de9322a2bc ]---
LogFS: Start mount 1
==================================================================
BUG: KASAN: use-after-free in
__rwsem_down_write_failed_common+0xde7/0xf90 at addr ffff88003604c430
Read of size 4 by task a.out/6605
CPU: 1 PID: 6605 Comm: a.out Tainted: G    B D         4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003cf6f130 ffffffff834c2a59 ffffffff00000001 1ffff100079eddb9
 ffffed00079eddb1 0000000041b58ab3 ffffffff895758d0 ffffffff834c276b
 ffffffff894f179e ffffffff815774c0 ffff88003cf6eff0 dffffc0000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff834c2a59>] dump_stack+0x2ee/0x3f5 lib/dump_stack.c:51
 [<ffffffff819f09f1>] kasan_object_err+0x21/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<     inline     >] kasan_report_error mm/kasan/report.c:286
 [<ffffffff819f0cdb>] kasan_report+0x1eb/0x4c0 mm/kasan/report.c:306
 [<ffffffff819f1009>] __asan_report_load4_noabort+0x19/0x20
mm/kasan/report.c:331
 [<     inline     >] rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:339
 [<ffffffff8157a567>] __rwsem_down_write_failed_common+0xde7/0xf90
kernel/locking/rwsem-xadd.c:470
 [<ffffffff881426f3>] rwsem_down_write_failed+0x13/0x20
kernel/locking/rwsem-xadd.c:555
 [<ffffffff83504657>] call_rwsem_down_write_failed+0x17/0x30
arch/x86/lib/rwsem.S:105
 [<     inline     >] __down_write ./arch/x86/include/asm/rwsem.h:125
 [<ffffffff88140a4c>] down_write+0xac/0x120 kernel/locking/rwsem.c:54
 [<ffffffff81a79bc8>] grab_super+0xa8/0x290 fs/super.c:364
 [<ffffffff81a7ab58>] sget_userns+0x1f8/0xd40 fs/super.c:491
 [<ffffffff81a7b764>] sget+0xc4/0x100 fs/super.c:548
 [<     inline     >] logfs_get_sb_device fs/logfs/super.c:522
 [<ffffffff825372ee>] logfs_mount+0x38e/0x1e50 fs/logfs/super.c:600
 [<ffffffff81a7d62c>] mount_fs+0x9c/0x2e0 fs/super.c:1177
 [<ffffffff81af4e9c>] vfs_kern_mount.part.22+0x6c/0x2f0 fs/namespace.c:954
 [<     inline     >] vfs_kern_mount fs/namespace.c:2433
 [<     inline     >] do_new_mount fs/namespace.c:2436
 [<ffffffff81afe3dd>] do_mount+0x41d/0x2db0 fs/namespace.c:2758
 [<     inline     >] SYSC_mount fs/namespace.c:2974
 [<ffffffff81b016d0>] SyS_mount+0xb0/0x120 fs/namespace.c:2951
 [<ffffffff88147985>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209
Object at ffff88003604c400, in cache task_struct size: 5632
Allocated:
PID = 6598
 [  204.878017] [<ffffffff8127101b>] save_stack_trace+0x1b/0x20
 [  204.878017] [<ffffffff819efce3>] save_stack+0x43/0xd0
 [  204.878017] [<ffffffff819effad>] kasan_kmalloc+0xad/0xe0
 [  204.878017] [<ffffffff819f0582>] kasan_slab_alloc+0x12/0x20
 [  204.878017] [<ffffffff819e9b48>] kmem_cache_alloc_node+0x138/0x740
 [  204.878017] [<ffffffff813f63a5>] copy_process.part.38+0x1995/0x4920
 [  204.878017] [<ffffffff813f9825>] _do_fork+0x205/0x1070
 [  204.878017] [<ffffffff813fa76c>] SyS_clone+0x3c/0x50
 [  204.878017] [<ffffffff81009a24>] do_syscall_64+0x2f4/0x940
 [  204.878017] [<ffffffff88147a4d>] return_from_SYSCALL_64+0x0/0x7a
Freed:
PID = 0
 [  204.878017] [<ffffffff8127101b>] save_stack_trace+0x1b/0x20
 [  204.878017] [<ffffffff819efce3>] save_stack+0x43/0xd0
 [  204.878017] [<ffffffff819f0602>] kasan_slab_free+0x72/0xc0
 [  204.878017] [<ffffffff819ed5ab>] kmem_cache_free+0x7b/0x2f0
 [  204.878017] [<ffffffff813f3504>] free_task+0x114/0x190
 [  204.878017] [<ffffffff813f37d8>] __put_task_struct+0x258/0x610
 [  204.878017] [<ffffffff8140a024>] delayed_put_task_struct+0xe4/0x4b0
 [  204.878017] [<ffffffff815cbced>] rcu_do_batch.isra.70+0x9ed/0xe20
 [  204.878017] [<ffffffff815cc5ac>] rcu_process_callbacks+0x48c/0xd70
 [  204.878017] [<ffffffff8814b0fb>] __do_softirq+0x32b/0xca8
Memory state around the buggy address:
 ffff88003604c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003604c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88003604c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88003604c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88003604c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


On commit a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (4.9-rc5).
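Added by the editor, not part of Dmitry's report: a small C triage helper for the two dumps above. The first oops is an inline KASAN shadow check that faulted. The Code bytes around the RIP marker are 48 89 fa 48 c1 ea 03 80 3c 02 00 (mov rdx,rdi; shr rdx,3; cmp byte ptr [rdx+rax],0), so RAX holds the x86-64 shadow offset 0xdffffc0000000000 and RDX the checked address shifted right by 3. A few bytes earlier, 4c 8b 73 28 / 49 8d be d8 08 00 00 load a pointer from [rbx+0x28] into R14 (0 in the register dump) and form RDI = R14 + 0x8d8. The shadow of such a low address is non-canonical, which is why this is a general protection fault with a meaningless CR2 rather than a page fault. The helper recovers the dereferenced address from RAX/RDX, checks canonicality, and decodes the shadow byte under the caret in the second report's "Memory state" row (0xfb is KASAN's freed-slab-object poison, matching the use-after-free on the task_struct). Register values and the shadow row are copied from the report; the shadow layout constants are the stock x86-64 KASAN values (assumed CONFIG_KASAN_SHADOW_OFFSET and scale shift), and reading [rbx+0x28] as inode->i_sb inside i_uid_write is an interpretation of that function's 4.9 body, not something the report states.

```c
/* Added example, not from the report: decode a KASAN inline-check #GP and a
 * "Memory state" shadow row. Constants assume the stock x86-64 KASAN layout
 * (CONFIG_KASAN_SHADOW_OFFSET=0xdffffc0000000000, scale shift 3). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3     /* one shadow byte per 8 bytes of memory */
#define KASAN_KMALLOC_REDZONE    0xfc  /* poison values as in mm/kasan/kasan.h */
#define KASAN_KMALLOC_FREE       0xfb

uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* x86-64: bits 63..47 must all match, otherwise the load raises #GP, not #PF. */
bool x86_64_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

struct gpf_decode {
    bool     valid;            /* RAX really held the shadow offset */
    uint64_t shadow_addr;      /* byte the inline check touched: rdx + rax */
    uint64_t mem_addr;         /* address the instrumented load was about to read */
    bool     shadow_canonical; /* false explains why this was a #GP, not a #PF */
    bool     null_page;        /* mem_addr below 4 KiB: NULL pointer plus field offset */
};

/* For the sequence mov rdx,rdi; shr rdx,3; cmp byte ptr [rdx+rax],0. */
struct gpf_decode decode_kasan_gpf(uint64_t rax, uint64_t rdx)
{
    struct gpf_decode d = {0};

    d.valid = (rax == KASAN_SHADOW_OFFSET);
    if (!d.valid)
        return d;
    d.shadow_addr = rax + rdx;
    d.mem_addr = kasan_shadow_to_mem(d.shadow_addr); /* == rdx << 3 */
    d.shadow_canonical = x86_64_canonical(d.shadow_addr);
    d.null_page = d.mem_addr < 4096;
    return d;
}

/* Parse one "Memory state" row ("[>]<addr>: b0 b1 ... b15") and return the
 * shadow byte covering addr, or -1 if the row is malformed or does not cover
 * addr (16 shadow bytes span 128 bytes of memory). */
int kasan_shadow_byte_from_row(const char *row, uint64_t addr)
{
    unsigned int bytes[16];
    char *end;
    uint64_t base;

    while (*row == ' ' || *row == '>')
        row++;
    base = strtoull(row, &end, 16);
    if (end == row || *end != ':')
        return -1;
    end++;
    for (int i = 0; i < 16; i++) {
        char *next;
        unsigned long v = strtoul(end, &next, 16);
        if (next == end || v > 0xff)
            return -1;
        bytes[i] = (unsigned int)v;
        end = next;
    }
    if (addr < base || addr - base >= (16u << KASAN_SHADOW_SCALE_SHIFT))
        return -1;
    return (int)bytes[(addr - base) >> KASAN_SHADOW_SCALE_SHIFT];
}

const char *kasan_shadow_state(int byte)
{
    if (byte < 0)
        return "unknown";
    if (byte == 0)
        return "addressable";
    if (byte < 8)
        return "partially addressable";
    if (byte == KASAN_KMALLOC_FREE)
        return "freed slab object (use-after-free)";
    if (byte == KASAN_KMALLOC_REDZONE)
        return "kmalloc redzone (out-of-bounds)";
    return "other poison";
}

int main(void)
{
    /* Register values from the first dump: RAX=dffffc0000000000, RDX=000000000000011b. */
    struct gpf_decode d = decode_kasan_gpf(0xdffffc0000000000ULL, 0x11bULL);
    printf("shadow %#llx (%s) -> mem %#llx%s\n",
           (unsigned long long)d.shadow_addr,
           d.shadow_canonical ? "canonical" : "non-canonical, hence #GP",
           (unsigned long long)d.mem_addr,
           d.null_page ? " = NULL + field offset" : "");

    /* Marked row from the second dump; ffff88003604c430 is the reported address. */
    const char *row = ">ffff88003604c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb";
    int sb = kasan_shadow_byte_from_row(row, 0xffff88003604c430ULL);
    printf("shadow byte %#x: %s\n", sb, kasan_shadow_state(sb));
    return 0;
}
```

For the first dump this yields mem 0x8d8 on the NULL page, i.e. a field read through a NULL pointer loaded from [rbx+0x28]; for the second it yields 0xfb, a freed slab object, which is what KASAN reports as the use-after-free in the rwsem owner spin.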
