| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Jun 2017 23:42:22 -0400
From: Dave Jones <davej@...emonkey.org.uk>
To: Hugh Dickins <hughd@...gle.com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Oleg Nesterov <oleg@...hat.com>, Michal Hocko <mhocko@...e.com>
Subject: Re: Linux 4.12-rc6
On Mon, Jun 19, 2017 at 08:12:12PM -0700, Hugh Dickins wrote:
> for Dave perhaps to try - but probably he's shut down now, so I'll
> then grab a trinity, and see what luck I have with it.
Almost shutdown, but not quite. Coincidentally, coverity just finished
the rc6 run, and barfed this up.. related ?
*** CID 1412907: Control flow issues (DEADCODE)
/include/linux/mm.h: 2243 in vm_end_gap()
2237
2238 static inline unsigned long vm_end_gap(struct vm_area_struct *vma)
2239 {
2240 unsigned long vm_end = vma->vm_end;
2241
2242 if (vma->vm_flags & VM_GROWSUP) {
>>> CID 1412907: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "vm_end += stack_guard_gap;".
2243 vm_end += stack_guard_gap;
2244 if (vm_end < vma->vm_end)
2245 vm_end = -PAGE_SIZE;
2246 }
2247 return vm_end;
2248 }
I hacked up this harness to try and narrow it down more..
#!/bin/bash
. scripts/taint.sh
while [ 1 ];
do
./trinity -a64 -C1 -c mmap -N1 --enable-fds=testfile
check_tainted
done
Run that for a little while and eventually you'll get a single syscall trigger
that looks like this..
Trinity v1.7-255-gf21c0a62f708 Dave Jones <davej@...emonkey.org.uk>
shm:0x7f3e43c11000-0x7f3e5080dd00 (4 pages)
Enabled fd provider testfile
[main] Done parsing arguments.
[main] shm is at 0x7f3e43c11000
[main] Initial random seed: 3122467917
[main] 32-bit syscalls: all disabled.. 64-bit syscalls: 1 enabled, 332 disabled.
freeing 0x5575fa29c9c0
[main] Using pid_max = 32768
Logging to 192.168.0.135
socket buffer size set to: 1000000. (res:Success)
Sending hello to logging server.
Waiting for reply from logging server.
Got reply from server. Logging enabled.
[main] start: 0x7f3e43c0f000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e43c0e000 size:4KB name: anon(PROT_READ)
[main] start: 0x7f3e43c0d000 size:4KB name: anon(PROT_WRITE)
[main] start: 0x7f3e43b02000 size:1MB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e4199d000 size:1MB name: anon(PROT_READ)
[main] start: 0x7f3e4189d000 size:1MB name: anon(PROT_WRITE)
[main] start: 0x7f3e4169d000 size:2MB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e4149d000 size:2MB name: anon(PROT_READ)
[main] start: 0x7f3e4129d000 size:2MB name: anon(PROT_WRITE)
[main] start: 0x7f3e43c0c000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[main] start: 0x7f3e43c0b000 size:4KB name: anon(PROT_READ)
[main] start: 0x7f3e43b01000 size:4KB name: anon(PROT_WRITE)
[main] sysv_shm: id:9240858 size:4096 flags:7b0 ptr:(nil)
[main] sysv_shm: id:9273627 size:24576 flags:17b0 ptr:(nil)
[main] testfile fd:5 filename:trinity-testfile1 flags:4040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e43afe000 size:4KB name: trinity-testfile1
[main] testfile fd:6 filename:trinity-testfile2 flags:40 fopened:0 fcntl_flags:0
[main] start: 0x40ab6000 size:4KB name: trinity-testfile2
[main] testfile fd:7 filename:trinity-testfile3 flags:2 fopened:1 fcntl_flags:40000
[main] start: 0x7f3e43afd000 size:4KB name: trinity-testfile3
[main] testfile fd:8 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:40800
[main] start: 0x7f3e43afc000 size:4KB name: trinity-testfile4
[main] testfile fd:9 filename:trinity-testfile1 flags:2 fopened:1 fcntl_flags:40000
[main] start: 0x7f3e43afb000 size:4KB name: trinity-testfile1
[main] testfile fd:10 filename:trinity-testfile2 flags:2 fopened:1 fcntl_flags:42c00
[main] start: 0x7f3e43afa000 size:4KB name: trinity-testfile2
[main] testfile fd:11 filename:trinity-testfile3 flags:40 fopened:0 fcntl_flags:0
[main] start: 0x7f3e43af9000 size:4KB name: trinity-testfile3
[main] testfile fd:12 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:44800
[main] start: 0x7f3e43af8000 size:4KB name: trinity-testfile4
[main] testfile fd:13 filename:trinity-testfile1 flags:40 fopened:0 fcntl_flags:0
[main] start: 0x7f3e4129c000 size:4KB name: trinity-testfile1
[main] testfile fd:14 filename:trinity-testfile2 flags:4040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e4129b000 size:4KB name: trinity-testfile2
[main] testfile fd:15 filename:trinity-testfile3 flags:5040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e4129a000 size:4KB name: trinity-testfile3
[main] testfile fd:16 filename:trinity-testfile4 flags:2 fopened:1 fcntl_flags:6c00
[main] start: 0x7f3e41299000 size:4KB name: trinity-testfile4
[main] testfile fd:17 filename:trinity-testfile1 flags:2 fopened:1 fcntl_flags:0
[main] start: 0x7f3e41298000 size:4KB name: trinity-testfile1
[main] testfile fd:18 filename:trinity-testfile2 flags:101040 fopened:0 fcntl_flags:0
[main] start: 0x41dc0000 size:4KB name: trinity-testfile2
[main] testfile fd:19 filename:trinity-testfile3 flags:101040 fopened:0 fcntl_flags:0
G[main] start: 0x7f3e41297000 size:4KB name: trinity-testfile3
[main] testfile fd:20 filename:trinity-testfile4 flags:5040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41296000 size:4KB name: trinity-testfile4
[main] testfile fd:21 filename:trinity-testfile1 flags:5040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41295000 size:4KB name: trinity-testfile1
[main] testfile fd:22 filename:trinity-testfile2 flags:101040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41294000 size:4KB name: trinity-testfile2
[main] testfile fd:23 filename:trinity-testfile3 flags:2 fopened:1 fcntl_flags:4000
[main] start: 0x7f3e41293000 size:4KB name: trinity-testfile3
[main] testfile fd:24 filename:trinity-testfile4 flags:101040 fopened:0 fcntl_flags:0
[main] start: 0x7f3e41292000 size:4KB name: trinity-testfile4
[main] Enabled 1/14 fd providers. initialized:1.
[main] Error opening tracing_on : Permission denied
[child0:2875] start: 0x7f3e43c0f000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e43c0e000 size:4KB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e43c0d000 size:4KB name: anon(PROT_WRITE)
[child0:2875] start: 0x7f3e43b02000 size:1MB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e4199d000 size:1MB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e4189d000 size:1MB name: anon(PROT_WRITE)
[child0:2875] start: 0x7f3e4169d000 size:2MB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e4149d000 size:2MB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e4129d000 size:2MB name: anon(PROT_WRITE)
[child0:2875] start: 0x7f3e43c0c000 size:4KB name: anon(PROT_READ | PROT_WRITE)
[child0:2875] start: 0x7f3e43c0b000 size:4KB name: anon(PROT_READ)
[child0:2875] start: 0x7f3e43b01000 size:4KB name: anon(PROT_WRITE)
[child0:2875] [0] mmap(addr=0, len=0x200000, prot=0x9[PROT_READ|PROT_SEM], flags=0x2, fd=22, off=4096) [main] trace_fd was -1
[main] kernel became tainted! (128/0) Last seed was 3122467917
trinity: Detected kernel tainting. Last seed was 3122467917
args from that case in case it's interesting was..
RAX: 0000000000000000 RBX: 0000000000000004 RCX: ffff8805079e2ef8
RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff880507ddc448
RBP: ffffc9000026bd50 R08: ffffffffffffffff R09: 000000000000000b
R10: ffffc9000026bd20 R11: 0000000000000000 R12: ffff880507ddc440
R13: ffff880507ddc448 R14: 0000000000000004 R15: ffffc9000026bd88
Doing just that mmap by itself doesn't trigger it, so it must rely on the placement
of the earlier static mmaps trinity does on startup (see near top)
and that's where I've run out of steam for the night.
Dave
Powered by blists - more mailing lists