Date:   Thu, 30 Nov 2017 11:36:06 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Thomas Meyer <thomas@...3r.de>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        linux-kernel@...r.kernel.org, lkp@...org
Subject: BUG: KASAN: use-after-free in cmp_ex_search+0x29/0x71

Hello,

FYI this happens in mainline kernel 4.15.0-rc1.
It looks like a new regression and is hard to bisect.

It occurs in 1 out of 19 boots.

Starting udev
/etc/rcS.d/S03udev: line 72: can't create /proc/sys/kernel/hotplug: nonexistent directory
[   23.684970] gfs2: path_lookup on rootfs returned error -2
Kernel tests: Boot OK!
[   40.847825] ==================================================================
[   40.848720] BUG: KASAN: use-after-free in cmp_ex_search+0x29/0x71:
						ex_to_insn at lib/extable.c:23
						 (inlined by) cmp_ex_search at lib/extable.c:104
[   40.849362] Read of size 8 at addr ffff8800155d8578 by task trinity-main/504
[   40.850085]
[   40.850317] CPU: 0 PID: 504 Comm: trinity-main Not tainted 4.15.0-rc1 #204
[   40.851013] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   40.851880] Call Trace:
[   40.852190]
[   40.852424] Allocated by task 504:
[   40.852845]  kasan_kmalloc+0x62/0xee
[   40.853315]  kasan_kmalloc+0x7f/0x8b:
						kasan_kmalloc at mm/kasan/kasan.c:552
[   40.853735]  kmem_cache_alloc_trace+0x289/0x29b:
						kmem_cache_alloc_trace at mm/slub.c:2754
[   40.854234]  perf_event_alloc+0x20e/0x1cb7:
						perf_event_alloc at kernel/events/core.c:9368
[   40.854714]  SyS_perf_event_open+0xa89/0x200a
[   40.855201]  entry_SYSCALL_64_fastpath+0x1a/0x7d:
						entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:210
[   40.855705]
[   40.855931] Freed by task 504:
[   40.856296]  kasan_slab_free+0xc8/0x171:
						filter_irq_stacks at mm/kasan/kasan.c:427
						 (inlined by) save_stack at mm/kasan/kasan.c:448
						 (inlined by) set_track at mm/kasan/kasan.c:459
						 (inlined by) kasan_slab_free at mm/kasan/kasan.c:524
[   40.856736]  kfree+0x1ef/0x333:
						slab_free at mm/slub.c:2973
						 (inlined by) kfree at mm/slub.c:3899
[   40.857098]  perf_event_alloc+0x1c73/0x1cb7:
						perf_event_alloc at kernel/events/core.c:9532
[   40.857567]  SyS_perf_event_open+0xa89/0x200a
[   40.858048]  entry_SYSCALL_64_fastpath+0x1a/0x7d:
						entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:210
[   40.858549]
[   40.858777] The buggy address belongs to the object at ffff8800155d8008
[   40.858777]  which belongs to the cache kmalloc-2048 of size 2048

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang
