Open Source and information security mailing list archives
Message-ID: <20170620034222.nykxdbagaqa3rqni@codemonkey.org.uk>
Date:   Mon, 19 Jun 2017 23:42:22 -0400
From:   Dave Jones <davej@...emonkey.org.uk>
To:     Hugh Dickins <hughd@...gle.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Oleg Nesterov <oleg@...hat.com>, Michal Hocko <mhocko@...e.com>
Subject: Re: Linux 4.12-rc6

On Mon, Jun 19, 2017 at 08:12:12PM -0700, Hugh Dickins wrote:
 
 > for Dave perhaps to try - but probably he's shut down now, so I'll
 > then grab a trinity, and see what luck I have with it.

Almost shut down, but not quite.  Coincidentally, Coverity just finished
the rc6 run, and barfed this up..  related?

*** CID 1412907:  Control flow issues  (DEADCODE)
/include/linux/mm.h: 2243 in vm_end_gap()
2237
2238     static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
2239     {
2240            unsigned long vm_end = vma->vm_end;
2241
2242            if (vma->vm_flags & VM_GROWSUP) {
>>>     CID 1412907:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "vm_end += stack_guard_gap;".
2243                    vm_end += stack_guard_gap;
2244                    if (vm_end < vma->vm_end)
2245                            vm_end = -PAGE_SIZE;
2246            }
2247            return vm_end;
2248     }

I hacked up this harness to try and narrow it down more..

#!/bin/bash

# check_tainted comes from trinity's scripts/taint.sh; it bails out of the
# loop once the kernel reports itself tainted.
. scripts/taint.sh

# One 64-bit child (-a64 -C1), only the mmap syscall (-c mmap), one syscall
# per run (-N1), with the testfile fd provider enabled.
while true
do
  ./trinity -a64 -C1 -c mmap -N1 --enable-fds=testfile
  check_tainted
done

Run that for a little while and eventually you'll get a single syscall trigger
that looks like this..


Trinity v1.7-255-gf21c0a62f708  Dave Jones <davej@...emonkey.org.uk>
shm:0x7f3e43c11000-0x7f3e5080dd00 (4 pages)
Enabled fd provider testfile
[main] Done parsing arguments.
[main] shm is at 0x7f3e43c11000
[main] Initial random seed: 3122467917
[main] 32-bit syscalls: all disabled..  64-bit syscalls: 1 enabled, 332 disabled.
freeing 0x5575fa29c9c0
[main] Using pid_max = 32768
Logging to 192.168.0.135
socket buffer size set to: 1000000. (res:Success)
Sending hello to logging server.
Waiting for reply from logging server.
Got reply from server. Logging enabled.
[main]  start: 0x7f3e43c0f000 size:4KB  name: anon(PROT_READ | PROT_WRITE)
[main]  start: 0x7f3e43c0e000 size:4KB  name: anon(PROT_READ)
[main]  start: 0x7f3e43c0d000 size:4KB  name: anon(PROT_WRITE)
[main]  start: 0x7f3e43b02000 size:1MB  name: anon(PROT_READ | PROT_WRITE)
[main]  start: 0x7f3e4199d000 size:1MB  name: anon(PROT_READ)
[main]  start: 0x7f3e4189d000 size:1MB  name: anon(PROT_WRITE)
[main]  start: 0x7f3e4169d000 size:2MB  name: anon(PROT_READ | PROT_WRITE)
[main]  start: 0x7f3e4149d000 size:2MB  name: anon(PROT_READ)
[main]  start: 0x7f3e4129d000 size:2MB  name: anon(PROT_WRITE)
[main]  start: 0x7f3e43c0c000 size:4KB  name: anon(PROT_READ | PROT_WRITE)
[main]  start: 0x7f3e43c0b000 size:4KB  name: anon(PROT_READ)
[main]  start: 0x7f3e43b01000 size:4KB  name: anon(PROT_WRITE)
[main] sysv_shm: id:9240858 size:4096 flags:7b0 ptr:(nil)
[main] sysv_shm: id:9273627 size:24576 flags:17b0 ptr:(nil)
[main] testfile fd:5 filename:trinity-testfile1 flags:4040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e43afe000 size:4KB  name: trinity-testfile1
[main] testfile fd:6 filename:trinity-testfile2 flags:40 fopened:0 fcntl_flags:0
[main]  start: 0x40ab6000 size:4KB  name: trinity-testfile2
[main] testfile fd:7 filename:trinity-testfile3 flags:2 fopened:1 fcntl_flags:40000
[main]  start: 0x7f3e43afd000 size:4KB  name: trinity-testfile3
[main] testfile fd:8 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:40800
[main]  start: 0x7f3e43afc000 size:4KB  name: trinity-testfile4
[main] testfile fd:9 filename:trinity-testfile1 flags:2 fopened:1 fcntl_flags:40000
[main]  start: 0x7f3e43afb000 size:4KB  name: trinity-testfile1
[main] testfile fd:10 filename:trinity-testfile2 flags:2 fopened:1 fcntl_flags:42c00
[main]  start: 0x7f3e43afa000 size:4KB  name: trinity-testfile2
[main] testfile fd:11 filename:trinity-testfile3 flags:40 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e43af9000 size:4KB  name: trinity-testfile3
[main] testfile fd:12 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:44800
[main]  start: 0x7f3e43af8000 size:4KB  name: trinity-testfile4
[main] testfile fd:13 filename:trinity-testfile1 flags:40 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e4129c000 size:4KB  name: trinity-testfile1
[main] testfile fd:14 filename:trinity-testfile2 flags:4040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e4129b000 size:4KB  name: trinity-testfile2
[main] testfile fd:15 filename:trinity-testfile3 flags:5040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e4129a000 size:4KB  name: trinity-testfile3
[main] testfile fd:16 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:6c00
[main]  start: 0x7f3e41299000 size:4KB  name: trinity-testfile4
[main] testfile fd:17 filename:trinity-testfile1 flags:2 fopened:1 fcntl_flags:0
[main]  start: 0x7f3e41298000 size:4KB  name: trinity-testfile1
[main] testfile fd:18 filename:trinity-testfile2 flags:101040 fopened:0 fcntl_flags:0
[main]  start: 0x41dc0000 size:4KB  name: trinity-testfile2
[main] testfile fd:19 filename:trinity-testfile3 flags:101040 fopened:0 fcntl_flags:0
G[main]  start: 0x7f3e41297000 size:4KB  name: trinity-testfile3
[main] testfile fd:20 filename:trinity-testfile4 flags:5040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e41296000 size:4KB  name: trinity-testfile4
[main] testfile fd:21 filename:trinity-testfile1 flags:5040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e41295000 size:4KB  name: trinity-testfile1
[main] testfile fd:22 filename:trinity-testfile2 flags:101040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e41294000 size:4KB  name: trinity-testfile2
[main] testfile fd:23 filename:trinity-testfile3 flags:2 fopened:1 fcntl_flags:4000
[main]  start: 0x7f3e41293000 size:4KB  name: trinity-testfile3
[main] testfile fd:24 filename:trinity-testfile4 flags:101040 fopened:0 fcntl_flags:0
[main]  start: 0x7f3e41292000 size:4KB  name: trinity-testfile4
[main] Enabled 1/14 fd providers. initialized:1.
[main] Error opening tracing_on : Permission denied
[child0:2875]  start: 0x7f3e43c0f000 size:4KB  name: anon(PROT_READ | PROT_WRITE)
[child0:2875]  start: 0x7f3e43c0e000 size:4KB  name: anon(PROT_READ)
[child0:2875]  start: 0x7f3e43c0d000 size:4KB  name: anon(PROT_WRITE)
[child0:2875]  start: 0x7f3e43b02000 size:1MB  name: anon(PROT_READ | PROT_WRITE)
[child0:2875]  start: 0x7f3e4199d000 size:1MB  name: anon(PROT_READ)
[child0:2875]  start: 0x7f3e4189d000 size:1MB  name: anon(PROT_WRITE)
[child0:2875]  start: 0x7f3e4169d000 size:2MB  name: anon(PROT_READ | PROT_WRITE)
[child0:2875]  start: 0x7f3e4149d000 size:2MB  name: anon(PROT_READ)
[child0:2875]  start: 0x7f3e4129d000 size:2MB  name: anon(PROT_WRITE)
[child0:2875]  start: 0x7f3e43c0c000 size:4KB  name: anon(PROT_READ | PROT_WRITE)
[child0:2875]  start: 0x7f3e43c0b000 size:4KB  name: anon(PROT_READ)
[child0:2875]  start: 0x7f3e43b01000 size:4KB  name: anon(PROT_WRITE)
[child0:2875] [0] mmap(addr=0, len=0x200000, prot=0x9[PROT_READ|PROT_SEM], flags=0x2, fd=22, off=4096) [main] trace_fd was -1
[main] kernel became tainted! (128/0) Last seed was 3122467917
trinity: Detected kernel tainting. Last seed was 3122467917


args from that case, in case it's interesting, were..
 RAX: 0000000000000000 RBX: 0000000000000004 RCX: ffff8805079e2ef8
 RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff880507ddc448
 RBP: ffffc9000026bd50 R08: ffffffffffffffff R09: 000000000000000b
 R10: ffffc9000026bd20 R11: 0000000000000000 R12: ffff880507ddc440
 R13: ffff880507ddc448 R14: 0000000000000004 R15: ffffc9000026bd88


Doing just that mmap by itself doesn't trigger it, so it must rely on the placement
of the earlier static mmaps trinity does on startup (see near top),

and that's where I've run out of steam for the night.

	Dave
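To show why Coverity reports line 2243 as unreachable, here is a userland model of vm_end_gap() with its two surrounding definitions; it is an added example, not code from the email or from the kernel tree. It assumes the x86 headers, where VM_GROWSUP expands to VM_NONE (0), and takes the 256-page default for stack_guard_gap and the VM_ARCH_1 bit value from 4.12-rc6; the macro is modelled as a runtime variable only so the same function can be run both ways, including the wrap-around clamp on the unreachable path.

```c
#include <stdio.h>

/* Constructed userland model of vm_end_gap() from 4.12-rc6 include/linux/mm.h;
 * the constants mirror the kernel headers, but none of this is kernel code. */
#define PAGE_SIZE   4096UL
#define VM_NONE     0x00000000UL
#define VM_ARCH_1   0x01000000UL   /* the bit parisc/ia64 use for VM_GROWSUP */

/* Models the per-arch VM_GROWSUP macro. On x86 (where this Coverity run was
 * done) it is VM_NONE, so "vm_flags & VM_GROWSUP" is constant-false and the
 * guard-gap block can never execute: that is the DEADCODE finding. A variable
 * here only so one function can be exercised both ways. */
static unsigned long vm_growsup = VM_NONE;

/* Default guard gap in 4.12-rc6: 256 pages. */
static unsigned long stack_guard_gap = 256UL * PAGE_SIZE;

struct vm_area_struct { unsigned long vm_start, vm_end, vm_flags; };

/* vm_end plus the guard gap for a grows-up stack, clamped to the last
 * page boundary instead of wrapping around the top of the address space. */
static unsigned long vm_end_gap(const struct vm_area_struct *vma)
{
    unsigned long vm_end = vma->vm_end;
    if (vma->vm_flags & vm_growsup) {
        vm_end += stack_guard_gap;
        if (vm_end < vma->vm_end)   /* addition wrapped past ULONG_MAX */
            vm_end = -PAGE_SIZE;    /* highest page-aligned address */
    }
    return vm_end;
}

/* One case with a given VM_GROWSUP value; returns the computed end gap. */
static unsigned long end_gap_with(unsigned long growsup, unsigned long vm_end,
                                  unsigned long vm_flags)
{
    struct vm_area_struct vma = { vm_end - PAGE_SIZE, vm_end, vm_flags };
    vm_growsup = growsup;
    return vm_end_gap(&vma);
}

int main(void)
{
    unsigned long end = 0x10010000UL;
    printf("x86 (VM_GROWSUP == 0): %#lx\n", end_gap_with(VM_NONE, end, VM_ARCH_1));
    printf("grows-up arch:         %#lx\n", end_gap_with(VM_ARCH_1, end, VM_ARCH_1));
    printf("wrapped, clamped:      %#lx\n",
           end_gap_with(VM_ARCH_1, -(2 * PAGE_SIZE), VM_ARCH_1));
    return 0;
}
```

With VM_GROWSUP equal to zero the function is just "return vma->vm_end", which is exactly what the analyzer saw; the wrap check only matters on architectures whose stacks grow upwards.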
