lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 15 May 2017 23:53:18 +0200
From:   "Luis R. Rodriguez" <mcgrof@...nel.org>
To:     Andy Lutomirski <luto@...capital.net>
Cc:     "Luis R. Rodriguez" <mcgrof@...nel.org>,
        Michal Hocko <mhocko@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Ingo Molnar <mingo@...nel.org>,
        Andy Lutomirski <luto@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Mateusz Guzik <mguzik@...hat.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: kmemleak splat on copy_process()

On Fri, Feb 17, 2017 at 11:32:34AM -0800, Andy Lutomirski wrote:
> On Fri, Feb 17, 2017 at 9:23 AM, Luis R. Rodriguez <mcgrof@...nel.org> wrote:
> > On Fri, Feb 17, 2017 at 9:07 AM, Andy Lutomirski <luto@...capital.net> wrote:
> >> But maybe
> >> there really is a race in which a kmemleak check right in the middle
> >> of duplicating the task struct really can't see the stack pointer.
> >
> > Funny, but it was actually using kmemleak how I can easily reproduce:
> >
> > To reproduce the kmemleak splat:
> >
> > echo clear >  /sys/kernel/debug/kmemleak
> > echo scan >  /sys/kernel/debug/kmemleak
> > cat /sys/kernel/debug/kmemleak
> 
> Worked fine for me.  Maybe your config is special?

I don't think my config is special at all, here it is its just
what I use for my qemu kvm guest image:

http://drvbp1.linux-foundation.org/~mcgrof/2017/05/15/configs/piggy-x86_64_qemu_fork_kmemleak.config

Another new kernel (next-20170515 based now on v4.12-rc1) and yet the same
kmemleeak can be triggered easily, although this time I need to hit "scan"
quite a bit more -- try using scan 6 times in a row or so.

echo clear >  /sys/kernel/debug/kmemleak
echo scan >  /sys/kernel/debug/kmemleak
echo scan >  /sys/kernel/debug/kmemleak
echo scan >  /sys/kernel/debug/kmemleak
echo scan >  /sys/kernel/debug/kmemleak
echo scan >  /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak

root@...gy:~# cat /sys/kernel/debug/kmemleak
unreferenced object 0xffffa07500d4c000 (size 16384):
  comm "bash", pid 1349, jiffies 4294895999 (age 263.204s)
  hex dump (first 32 bytes):
    9d 6e ac 57 00 00 00 00 00 00 00 00 00 00 00 00  .n.W............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffffa5464cca>] kmemleak_alloc+0x4a/0xa0
    [<ffffffffa4fdfe6c>] __vmalloc_node_range+0x20c/0x2b0
    [<ffffffffa4e7d1a2>] copy_process.part.37+0x5c2/0x1af0
    [<ffffffffa4e7e89f>] _do_fork+0xcf/0x390
    [<ffffffffa4e7ec09>] SyS_clone+0x19/0x20
    [<ffffffffa4e03b0b>] do_syscall_64+0x5b/0xc0
    [<ffffffffa547072b>] return_from_SYSCALL_64+0x0/0x6a
    [<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffffa07500c30000 (size 16384):
  comm "bash", pid 1394, jiffies 4294940106 (age 86.780s)
  hex dump (first 32 bytes):
    9d 6e ac 57 00 00 00 00 00 00 00 00 00 00 00 00  .n.W............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffffa5464cca>] kmemleak_alloc+0x4a/0xa0
    [<ffffffffa4fdfe6c>] __vmalloc_node_range+0x20c/0x2b0
    [<ffffffffa4e7d1a2>] copy_process.part.37+0x5c2/0x1af0
    [<ffffffffa4e7e89f>] _do_fork+0xcf/0x390
    [<ffffffffa4e7ec09>] SyS_clone+0x19/0x20
    [<ffffffffa4e03b0b>] do_syscall_64+0x5b/0xc0
    [<ffffffffa547072b>] return_from_SYSCALL_64+0x0/0x6a
    [<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffffa07500c98000 (size 16384):
  comm "bash", pid 1368, jiffies 4294956480 (age 21.284s)
  hex dump (first 32 bytes):
    9d 6e ac 57 00 00 00 00 00 00 00 00 fe 01 00 00  .n.W............
    c0 f4 9d 44 2f e8 ff ff 00 de ac 44 2f e8 ff ff  ...D/......D/...
  backtrace:  
    [<ffffffffa5464cca>] kmemleak_alloc+0x4a/0xa0
    [<ffffffffa4fdfe6c>] __vmalloc_node_range+0x20c/0x2b0
    [<ffffffffa4e7d1a2>] copy_process.part.37+0x5c2/0x1af0
    [<ffffffffa4e7e89f>] _do_fork+0xcf/0x390
    [<ffffffffa4e7ec09>] SyS_clone+0x19/0x20
    [<ffffffffa4e03b0b>] do_syscall_64+0x5b/0xc0
    [<ffffffffa547072b>] return_from_SYSCALL_64+0x0/0x6a
    [<ffffffffffffffff>] 0xffffffffffffffff

I confirm that stack is allocated and that a respective tsk->stack_vm_area gets
assigned. So neither of these BUG() triggers, for instance but yet the kmemleak
does:

diff --git a/kernel/fork.c b/kernel/fork.c
index 657373b2ddd2..9bd7ccd55b89 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -230,8 +230,12 @@ static unsigned long *alloc_thread_stack_node(struct task_struct *tsk, int node)
 	 * free_thread_stack() can be called in interrupt context,
 	 * so cache the vm_struct.
 	 */
-	if (stack)
+	if (stack) {
 		tsk->stack_vm_area = find_vm_area(stack);
+		if (!tsk->stack_vm_area)
+			BUG();
+	} else
+		BUG();
 	return stack;
 #else
 	struct page *page = alloc_pages_node(node, THREADINFO_GFP,



  Luis

Powered by blists - more mailing lists