lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAeHK+y25S6GYMrGUEQJJ5AU1LZ7T-jWrwoDsLXdxuk_E+q5BQ@mail.gmail.com>
Date:   Wed, 3 Apr 2019 13:23:44 +0200
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Qian Cai <cai@....pw>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Christoph Lameter <cl@...ux.com>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        kasan-dev <kasan-dev@...glegroups.com>,
        Linux Memory Management List <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] slab: store tagged freelist for off-slab slabmgmt

On Wed, Apr 3, 2019 at 4:29 AM Qian Cai <cai@....pw> wrote:
>
> The commit 51dedad06b5f ("kasan, slab: make freelist stored without
> tags") calls kasan_reset_tag() for off-slab slab management object
> leading to freelist being stored non-tagged. However, cache_grow_begin()
> -> alloc_slabmgmt() -> kmem_cache_alloc_node() which assigns a tag for
> the address and stores in the shadow address. As the result, it causes
> endless errors below during boot due to drain_freelist() ->
> slab_destroy() -> kasan_slab_free() which compares already untagged
> freelist against the stored tag in the shadow address. Since off-slab
> slab management object freelist is such a special case, so just store it
> tagged. Non-off-slab management object freelist is still stored untagged
> which has not been assigned a tag and should not cause any other
> troubles with this inconsistency.

Hi Qian,

Could you share the config (or other steps) you used to reproduce this?

Thanks!

>
> BUG: KASAN: double-free or invalid-free in slab_destroy+0x84/0x88
> Pointer tag: [ff], memory tag: [99]
>
> CPU: 0 PID: 1376 Comm: kworker/0:4 Tainted: G        W
> 5.1.0-rc3+ #8
> Hardware name: HPE Apollo 70             /C01_APACHE_MB         , BIOS
> L50_5.13_1.0.6 07/10/2018
> Workqueue: cgroup_destroy css_killed_work_fn
> Call trace:
>  dump_backtrace+0x0/0x450
>  show_stack+0x20/0x2c
>  dump_stack+0xe0/0x16c
>  print_address_description+0x74/0x2a4
>  kasan_report_invalid_free+0x80/0xc0
>  __kasan_slab_free+0x204/0x208
>  kasan_slab_free+0xc/0x18
>  kmem_cache_free+0xe4/0x254
>  slab_destroy+0x84/0x88
>  drain_freelist+0xd0/0x104
>  __kmem_cache_shrink+0x1ac/0x224
>  __kmemcg_cache_deactivate+0x1c/0x28
>  memcg_deactivate_kmem_caches+0xa0/0xe8
>  memcg_offline_kmem+0x8c/0x3d4
>  mem_cgroup_css_offline+0x24c/0x290
>  css_killed_work_fn+0x154/0x618
>  process_one_work+0x9cc/0x183c
>  worker_thread+0x9b0/0xe38
>  kthread+0x374/0x390
>  ret_from_fork+0x10/0x18
>
> Allocated by task 1625:
>  __kasan_kmalloc+0x168/0x240
>  kasan_slab_alloc+0x18/0x20
>  kmem_cache_alloc_node+0x1f8/0x3a0
>  cache_grow_begin+0x4fc/0xa24
>  cache_alloc_refill+0x2f8/0x3e8
>  kmem_cache_alloc+0x1bc/0x3bc
>  sock_alloc_inode+0x58/0x334
>  alloc_inode+0xb8/0x164
>  new_inode_pseudo+0x20/0xec
>  sock_alloc+0x74/0x284
>  __sock_create+0xb0/0x58c
>  sock_create+0x98/0xb8
>  __sys_socket+0x60/0x138
>  __arm64_sys_socket+0xa4/0x110
>  el0_svc_handler+0x2c0/0x47c
>  el0_svc+0x8/0xc
>
> Freed by task 1625:
>  __kasan_slab_free+0x114/0x208
>  kasan_slab_free+0xc/0x18
>  kfree+0x1a8/0x1e0
>  single_release+0x7c/0x9c
>  close_pdeo+0x13c/0x43c
>  proc_reg_release+0xec/0x108
>  __fput+0x2f8/0x784
>  ____fput+0x1c/0x28
>  task_work_run+0xc0/0x1b0
>  do_notify_resume+0xb44/0x1278
>  work_pending+0x8/0x10
>
> The buggy address belongs to the object at ffff809681b89e00
>  which belongs to the cache kmalloc-128 of size 128
> The buggy address is located 0 bytes inside of
>  128-byte region [ffff809681b89e00, ffff809681b89e80)
> The buggy address belongs to the page:
> page:ffff7fe025a06e00 count:1 mapcount:0 mapping:01ff80082000fb00
> index:0xffff809681b8fe04
> flags: 0x17ffffffc000200(slab)
> raw: 017ffffffc000200 ffff7fe025a06d08 ffff7fe022ef7b88 01ff80082000fb00
> raw: ffff809681b8fe04 ffff809681b80000 00000001000000e0 0000000000000000
> page dumped because: kasan: bad access detected
> page allocated via order 0, migratetype Unmovable, gfp_mask
> 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE)
>  prep_new_page+0x4e0/0x5e0
>  get_page_from_freelist+0x4ce8/0x50d4
>  __alloc_pages_nodemask+0x738/0x38b8
>  cache_grow_begin+0xd8/0xa24
>  ____cache_alloc_node+0x14c/0x268
>  __kmalloc+0x1c8/0x3fc
>  ftrace_free_mem+0x408/0x1284
>  ftrace_free_init_mem+0x20/0x28
>  kernel_init+0x24/0x548
>  ret_from_fork+0x10/0x18
>
> Memory state around the buggy address:
>  ffff809681b89c00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>  ffff809681b89d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
> >ffff809681b89e00: 99 99 99 99 99 99 99 99 fe fe fe fe fe fe fe fe
>                    ^
>  ffff809681b89f00: 43 43 43 43 43 fe fe fe fe fe fe fe fe fe fe fe
>  ffff809681b8a000: 6d fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>
> Fixes: 51dedad06b5f ("kasan, slab: make freelist stored without tags")
> Signed-off-by: Qian Cai <cai@....pw>
> ---
>  mm/slab.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/mm/slab.c b/mm/slab.c
> index 329bfe67f2ca..46a6e084222b 100644
> --- a/mm/slab.c
> +++ b/mm/slab.c
> @@ -2374,7 +2374,6 @@ static void *alloc_slabmgmt(struct kmem_cache *cachep,
>                 /* Slab management obj is off-slab. */
>                 freelist = kmem_cache_alloc_node(cachep->freelist_cache,
>                                               local_flags, nodeid);
> -               freelist = kasan_reset_tag(freelist);
>                 if (!freelist)
>                         return NULL;
>         } else {
> --
> 2.17.2 (Apple Git-113)
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ