lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 29 Nov 2017 11:54:30 -0600
From:   Dennis Zhou <dennisszhou@...il.com>
To:     Fengguang Wu <fengguang.wu@...el.com>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        Kees Cook <keescook@...omium.org>
Cc:     linux-mm@...ck.org, Tejun Heo <tj@...nel.org>,
        Christoph Lameter <cl@...ux.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Josef Bacik <jbacik@...com>, linux-kernel@...r.kernel.org,
        lkp@...org, Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Mark Rutland <mark.rutland@....com>
Subject: Re: [pcpu] BUG: KASAN: use-after-scope in
 pcpu_setup_first_chunk+0x1e3b/0x29e2

Hi everyone,

I spent a bit of time learning more about this problem as Fengguang was
able to determine the root commit f7dd2507893cc3. I reproduced the bug
in userspace to make life a bit easier and below the assignment occurs
before the unpoison. This is fine if we're sequentially proceeding, but
as in the case in percpu, it's calling the function in a for loop
causing the assignment to happen after it has been poisoned in the prior
iteration.

<bb 3> [0.00%]:
  _1 = (long unsigned int) i_4;
  _2 = _1 * 16;
  _3 = p_8 + _2;
  list_14 = _3;
  __u = {};
  ASAN_MARK (UNPOISON, &__u, 8);
  __u.__val = list_14;

<bb 9> [0.00%]:
  _24 = __u.__val;
  ASAN_MARK (POISON, &__u, 8);
  list_14->prev = list_14;
  i_13 = i_4 + 1;

<bb 10> [0.00%]:
  # i_4 = PHI <i_9(2), i_13(9)>
  if (i_4 <= 9)
    goto <bb 3>; [0.00%]
  else
    goto <bb 11>; [0.00%]

I don't know how to go about fixing this though. The reproducing code is
below and was compiled with gcc-7 and the structleak_plugin.

I hope this helps.

Thanks,
Dennis

----
#include <stdint.h>
#include <stdlib.h>

#define barrier()

#define WRITE_ONCE(x, val) \
({							\
	union { typeof(x) __val; char __c[1]; } __u =	\
		{ .__val = (typeof(x)) (val) }; \
	__write_once_size(&(x), __u.__c, sizeof(x));	\
	__u.__val;					\
})

typedef         uint8_t		__u8;
typedef         uint16_t	__u16;
typedef         uint32_t	__u32;
typedef         uint64_t	__u64;

static inline __attribute__((always_inline)) void __write_once_size(volatile void *p, void *res, int size)
{
	switch (size) {
	case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
	case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
	case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
	case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
	default:
		barrier();
		__builtin_memcpy((void *)p, (const void *)res, size);
		barrier();
	}
}

struct list_head {
	struct list_head *next, *prev;
};

static inline __attribute__((always_inline)) void INIT_LIST_HEAD(struct list_head *list)
{
	WRITE_ONCE(list->next, list);
	list->prev = list;
}

int main(int argc, char *argv[])
{
	struct list_head *p = malloc(10 * sizeof(struct list_head));
	int i;

	for (i = 0; i < 10; i++) {
		INIT_LIST_HEAD(&p[i]);
	}

	free(p);

	return 0;
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ