lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1556657902.6132.13.camel@lca.pw>
Date:   Tue, 30 Apr 2019 16:58:22 -0400
From:   Qian Cai <cai@....pw>
To:     bigeasy@...utronix.de
Cc:     dave.hansen@...el.com, bp@...e.de, tglx@...utronix.de,
        x86@...nel.org, "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        luto@...capital.net, hpa@...or.com, mingo@...nel.org
Subject: copy_fpstate_to_sigframe()  use-after-free

The commit eeec00d73be2 ("x86/fpu: Fault-in user stack if
copy_fpstate_to_sigframe() fails") causes use-after-free when running the LTP
signal06 test case. Reverted this commit fixed the issue.

[ 6150.581746] LTP: starting signal06
[ 6151.099635]
==================================================================
[ 6151.137893] BUG: KASAN: use-after-free in follow_page_mask+0x32/0x3e0
[ 6151.169683] Read of size 8 at addr ffff8884ac424048 by task signal06/45144
[ 6151.201832] 
[ 6151.208652] CPU: 45 PID: 45144 Comm: signal06 Kdump: loaded Not tainted
5.1.0-rc7-next-20190430+ #8
[ 6151.251025] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS
U19 12/27/2015
[ 6151.289642] Call Trace:
[ 6151.300966]  dump_stack+0x62/0x9a
[ 6151.316552]  print_address_description.cold.2+0x9/0x28b
[ 6151.340859]  __kasan_report.cold.3+0x7a/0xb5
[ 6151.360819]  ? follow_page_mask+0x32/0x3e0
[ 6151.380970]  kasan_report+0xc/0x10
[ 6151.396922]  __asan_load8+0x71/0xa0
[ 6151.413474]  follow_page_mask+0x32/0x3e0
[ 6151.431870]  __get_user_pages+0x3cc/0x7c0
[ 6151.450644]  ? follow_page_mask+0x3e0/0x3e0
[ 6151.470058]  ? lock_downgrade+0x300/0x300
[ 6151.488677]  ? __bad_area_nosemaphore+0x66/0x230
[ 6151.510560]  ? do_raw_spin_unlock+0xa8/0x140
[ 6151.530468]  __gup_longterm_locked+0x32c/0xa90
[ 6151.551432]  ? do_page_fault+0x4c/0x260
[ 6151.569327]  ? get_user_pages_unlocked+0x2b0/0x2b0
[ 6151.591874]  get_user_pages+0x60/0x70
[ 6151.609098]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6151.631612]  ? __fpu__restore_sig+0x7a0/0x7a0
[ 6151.652869]  do_signal+0x40c/0x9d0
[ 6151.669822]  ? do_send_specific+0x87/0xe0
[ 6151.690250]  ? setup_sigcontext+0x280/0x280
[ 6151.710151]  ? check_kill_permission+0x8e/0x1c0
[ 6151.731618]  ? do_send_specific+0xa6/0xe0
[ 6151.750539]  ? do_tkill+0x125/0x160
[ 6151.766493]  ? signal_fault+0x160/0x160
[ 6151.783820]  exit_to_usermode_loop+0x9d/0xc0
[ 6151.803040]  do_syscall_64+0x470/0x5d8
[ 6151.819575]  ? syscall_return_slowpath+0xf0/0xf0
[ 6151.840392]  ? __do_page_fault+0x44d/0x5b0
[ 6151.858886]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6151.882493] RIP: 0033:0x40377e
[ 6151.896645] Code: b4 00 00 00 0f 85 ae 00 00 00 89 c7 31 db ba c8 00 00 00 be
01 00 00 00 eb 0c 66 90 75 1d 81 fb 30 75 00 00 74 65 89 d0 0f 05 <f2> 0f 10 05
7a b8 21 00 83 c3 01 66 0f 2e c1 7b e1 31 c0 41 89 d8
[ 6151.984032] RSP: 002b:00007fff1fa13190 EFLAGS: 00000287 ORIG_RAX:
00000000000000c8
[ 6152.018779] RAX: 0000000000000000 RBX: 0000000000001e12 RCX: 000000000040377e
[ 6152.052252] RDX: 00000000000000c8 RSI: 0000000000000001 RDI: 000000000000b058
[ 6152.085621] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f8104e48700
[ 6152.119275] R10: fffffffffffff7a8 R11: 0000000000000287 R12: 00007f81056466c0
[ 6152.155037] R13: 00007fff1fa13360 R14: 0000000000000000 R15: 0000000000000000
[ 6152.190814] 
[ 6152.197777] Allocated by task 45145:
[ 6152.214655]  __kasan_kmalloc.part.0+0x44/0xc0
[ 6152.235078]  __kasan_kmalloc.constprop.1+0xac/0xc0
[ 6152.257665]  kasan_slab_alloc+0x11/0x20
[ 6152.275711]  kmem_cache_alloc+0x131/0x360
[ 6152.294272]  vm_area_dup+0x20/0x80
[ 6152.310227]  __split_vma+0x68/0x270
[ 6152.326595]  split_vma+0x51/0x70
[ 6152.341817]  mprotect_fixup+0x469/0x540
[ 6152.359402]  do_mprotect_pkey+0x2a8/0x480
[ 6152.378313]  __x64_sys_mprotect+0x48/0x60
[ 6152.397014]  do_syscall_64+0xc8/0x5d8
[ 6152.414015]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6152.437731] 
[ 6152.444797] Freed by task 45145:
[ 6152.459202]  __kasan_slab_free+0x134/0x200
[ 6152.477692]  kasan_slab_free+0xe/0x10
[ 6152.494044]  kmem_cache_free+0xa0/0x300
[ 6152.512009]  vm_area_free+0x18/0x20
[ 6152.528295]  __vma_adjust+0x2f8/0xca0
[ 6152.545417]  vma_merge+0x619/0x6d0
[ 6152.561416]  mprotect_fixup+0x2bf/0x540
[ 6152.579336]  do_mprotect_pkey+0x2a8/0x480
[ 6152.597772]  __x64_sys_mprotect+0x48/0x60
[ 6152.616119]  do_syscall_64+0xc8/0x5d8
[ 6152.633298]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6152.657665] 
[ 6152.665119] The buggy address belongs to the object at ffff8884ac424008
[ 6152.665119]  which belongs to the cache vm_area_struct(96:user.slice) of size
200
[ 6152.734268] The buggy address is located 64 bytes inside of
[ 6152.734268]  200-byte region [ffff8884ac424008, ffff8884ac4240d0)
[ 6152.788643] The buggy address belongs to the page:
[ 6152.810991] page:ffffea0012b10900 count:1 mapcount:0 mapping:ffff88829c7383c0
index:0x0
[ 6152.848361] flags: 0x15fffe000000200(slab)
[ 6152.867558] raw: 015fffe000000200 ffffea00171b6c08 ffff8885928109a0
ffff88829c7383c0
[ 6152.903840] raw: 0000000000000000 0000000000070007 00000001ffffffff
ffff8884da644008
[ 6152.940077] page dumped because: kasan: bad access detected
[ 6152.966181] page->mem_cgroup:ffff8884da644008
[ 6152.986737] page allocated via order 0, migratetype Unmovable, gfp_mask
0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
[ 6153.036670]  prep_new_page+0x29d/0x2c0
[ 6153.054207]  get_page_from_freelist+0x95b/0x2050
[ 6153.076165]  __alloc_pages_nodemask+0x2ff/0x1b50
[ 6153.097886]  alloc_pages_current+0x9c/0x110
[ 6153.117199]  allocate_slab+0x3a7/0x850
[ 6153.134763]  new_slab+0x46/0x70
[ 6153.149507]  ___slab_alloc+0x5d3/0x9c0
[ 6153.167080]  __slab_alloc+0x12/0x20
[ 6153.184301]  kmem_cache_alloc+0x30a/0x360
[ 6153.203847]  vm_area_dup+0x20/0x80
[ 6153.221785]  __split_vma+0x68/0x270
[ 6153.238130]  split_vma+0x51/0x70
[ 6153.253442]  mprotect_fixup+0x4be/0x540
[ 6153.271351]  do_mprotect_pkey+0x2a8/0x480
[ 6153.290282]  __x64_sys_mprotect+0x48/0x60
[ 6153.308993]  do_syscall_64+0xc8/0x5d8
[ 6153.326146] 
[ 6153.333065] Memory state around the buggy address:
[ 6153.355172]  ffff8884ac423f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 6153.388572]  ffff8884ac423f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 6153.422389] >ffff8884ac424000: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 6153.456232]                                               ^
[ 6153.482324]  ffff8884ac424080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
fc
[ 6153.516323]  ffff8884ac424100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 6153.549993]
==================================================================
[ 6153.583892] Disabling lock debugging due to kernel taint
[ 6190.482570] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 6190.519596] CPU: 0 PID: 45144 Comm: signal06 Kdump: loaded Tainted:
G    B             5.1.0-rc7-next-20190430+ #8
[ 6190.568280] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS
U19 12/27/2015
[ 6190.605290] RIP: 0010:hugetlb_fault+0x46/0x920
[ 6190.625151] Code: 41 54 53 48 83 ec 48 48 89 7d c8 4c 89 ef 89 4d c4 48 89 55
a0 e8 aa 36 02 00 49 8b 9e a0 00 00 00 48 8d 7b 20 e8 9a 36 02 00 <48> 8b 5b 20
48 8d 7b 28 e8 8d 36 02 00 48 8b 5b 28 48 8d bb 40 06
[ 6190.711533] RSP: 0018:ffff8887c7bcf820 EFLAGS: 00010282
[ 6190.734963] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: ffffffff8c33a376
[ 6190.767109] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6b8b
[ 6190.799329] RBP: ffff8887c7bcf890 R08: fffffbfff1b05102 R09: fffffbfff1b05101
[ 6190.831304] R10: fffffbfff1b05101 R11: ffffffff8d82880b R12: 0000000000000001
[ 6190.863311] R13: ffff8884ac4240a8 R14: ffff8884ac424008 R15: 0000000000629c80
[ 6190.895367] FS:  00007f8105646740(0000) GS:ffff888453400000(0000)
knlGS:0000000000000000
[ 6190.931839] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6190.957598] CR2: 00007ff1a60018c0 CR3: 0000000834bd8002 CR4: 00000000001606b0
[ 6190.989654] Call Trace:
[ 6191.000738]  ? kasan_check_read+0x11/0x20
[ 6191.019852]  handle_mm_fault+0x313/0x360
[ 6191.040562]  __get_user_pages+0x448/0x7c0
[ 6191.059723]  ? follow_page_mask+0x3e0/0x3e0
[ 6191.078545]  ? lock_downgrade+0x300/0x300
[ 6191.096551]  ? __bad_area_nosemaphore+0x66/0x230
[ 6191.117323]  ? do_raw_spin_unlock+0xa8/0x140
[ 6191.136813]  __gup_longterm_locked+0x32c/0xa90
[ 6191.156738]  ? do_page_fault+0x4c/0x260
[ 6191.174016]  ? get_user_pages_unlocked+0x2b0/0x2b0
[ 6191.195529]  get_user_pages+0x60/0x70
[ 6191.212026]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6191.233252]  ? __fpu__restore_sig+0x7a0/0x7a0
[ 6191.252704]  do_signal+0x40c/0x9d0
[ 6191.267912]  ? do_send_specific+0x87/0xe0
[ 6191.285864]  ? setup_sigcontext+0x280/0x280
[ 6191.304675]  ? check_kill_permission+0x8e/0x1c0
[ 6191.325007]  ? do_send_specific+0xa6/0xe0
[ 6191.343005]  ? do_tkill+0x125/0x160
[ 6191.358809]  ? signal_fault+0x160/0x160
[ 6191.376088]  exit_to_usermode_loop+0x9d/0xc0
[ 6191.395176]  do_syscall_64+0x470/0x5d8
[ 6191.412299]  ? syscall_return_slowpath+0xf0/0xf0
[ 6191.433590]  ? __do_page_fault+0x44d/0x5b0
[ 6191.452211]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6191.474981] RIP: 0033:0x40377e
[ 6191.488761] Code: b4 00 00 00 0f 85 ae 00 00 00 89 c7 31 db ba c8 00 00 00 be
01 00 00 00 eb 0c 66 90 75 1d 81 fb 30 75 00 00 74 65 89 d0 0f 05 <f2> 0f 10 05
7a b8 21 00 83 c3 01 66 0f 2e c1 7b e1 31 c0 41 89 d8
[ 6191.578915] RSP: 002b:00007fff1fa13190 EFLAGS: 00000287 ORIG_RAX:
00000000000000c8
[ 6191.613071] RAX: 0000000000000000 RBX: 0000000000001e12 RCX: 000000000040377e
[ 6191.645339] RDX: 00000000000000c8 RSI: 0000000000000001 RDI: 000000000000b058
[ 6191.677764] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f8104e48700
[ 6191.709916] R10: fffffffffffff7a8 R11: 0000000000000287 R12: 00007f81056466c0
[ 6191.741996] R13: 00007fff1fa13360 R14: 0000000000000000 R15: 0000000000000000
[ 6191.774072] Modules linked in: brd vfat fat ext4 crc16 mbcache jbd2 overlay
loop kvm_intel kvm dax_pmem irqbypass dax_pmem_core ip_tables x_tables xfs
sd_mod igb i2c_algo_bit hpsa i2c_core scsi_transport_sas dm_mirror
dm_region_hash dm_log dm_mod

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ