Message-ID: <3e4b6f03-384d-411e-5243-9d3b0595d5cb@virtuozzo.com>
Date:   Wed, 25 Jan 2017 19:58:39 +0300
From:   Andrey Ryabinin <aryabinin@...tuozzo.com>
To:     Borislav Petkov <bp@...en8.de>,
        Thomas Gleixner <tglx@...utronix.de>
CC:     LKML <linux-kernel@...r.kernel.org>,
        "H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...nel.org>
Subject: x86/microcode: use-after-free after cpu offline/online

On 4.10-rc5 
   # echo 0 > /sys/devices/system/cpu/cpu1/online
   # echo 1 > /sys/devices/system/cpu/cpu1/online

triggers use-after-free (probably caused by 06b8534cb72 "x86/microcode: Rework microcode loading").

__load_ucode_intel() accesses initrd which is obviously gone at this point:

[   62.347662] ==================================================================
[   62.347670] BUG: KASAN: use-after-free in find_cpio_data+0x779/0x850 at addr ffff880036e75000
[   62.347672] Read of size 1 by task swapper/1/0
[   62.347675] page:ffffea0000db9d40 count:0 mapcount:0 mapping:          (null) index:0x1
[   62.347677] flags: 0x100000000000000()
[   62.347680] raw: 0100000000000000 0000000000000000 0000000000000001 00000000ffffffff
[   62.347682] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[   62.347682] page dumped because: kasan: bad access detected
[   62.347685] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.10.0-rc5-debug-00075-g2dbde22 #3
[   62.347686] Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 1.2.3 12/01/2016
[   62.347687] Call Trace:
[   62.347690]  dump_stack+0xb1/0x10c
[   62.347693]  ? _atomic_dec_and_lock+0xc4/0xc4
[   62.347696]  ? __dump_page+0x529/0x760
[   62.347699]  kasan_report_error+0x5ba/0x8b0
[   62.347702]  ? pointer+0xe70/0xe70
[   62.347704]  ? find_cpio_data+0x779/0x850
[   62.347706]  __asan_report_load1_noabort+0x59/0x80
[   62.347708]  ? find_cpio_data+0x779/0x850
[   62.347711]  find_cpio_data+0x779/0x850
[   62.347713]  ? vsprintf+0x20/0x20
[   62.347716]  ? dump_stack+0x10c/0x10c
[   62.347718]  ? get_ucode_user+0x50/0x50
[   62.347721]  ? print_usage_bug+0x6e0/0x6e0
[   62.347724]  find_microcode_in_initrd+0x25f/0x330
[   62.347726]  __load_ucode_intel+0xde/0x120
[   62.347728]  ? collect_cpu_info_early+0x360/0x360
[   62.347731]  ? debug_check_no_locks_freed+0x330/0x330
[   62.347733]  load_ucode_intel_ap+0x8b/0xc0
[   62.347735]  ? collect_cpu_info+0x4e0/0x4e0
[   62.347737]  ? trace_hardirqs_on+0xd/0x10
[   62.347740]  ? flat_send_IPI_mask_allbutself+0xf0/0xf0
[   62.347741]  load_ucode_ap+0x15d/0x180
[   62.347743]  ? get_builtin_firmware+0x160/0x160
[   62.347746]  ? flush_tlb_func+0x690/0x690
[   62.347749]  ? do_raw_spin_trylock+0x110/0x110
[   62.347752]  ? cpumask_weight+0x50/0x50
[   62.347754]  cpu_init+0x7b7/0x1580
[   62.347756]  ? trace_hardirqs_off+0xd/0x10
[   62.347758]  ? play_dead_common+0x30/0x40
[   62.347760]  ? native_play_dead+0x76/0x1c0
[   62.347762]  ? hlt_play_dead+0x40/0x40
[   62.347764]  ? syscall_init+0x140/0x140
[   62.347766]  ? arch_cpu_idle_dead+0x2d/0x40
[   62.347769]  ? do_idle+0x1da/0x2f0
[   62.347771]  start_secondary+0x14/0x370
[   62.347774]  start_cpu+0x14/0x14
[   62.347776] Memory state around the buggy address:
[   62.347778]  ffff880036e74f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.347780]  ffff880036e74f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.347782] >ffff880036e75000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.347783]                    ^
[   62.347785]  ffff880036e75080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.347786]  ffff880036e75100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   62.347787] ==================================================================
