lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANnVG6=s1C7LSDGD1-Ato-sfaKi1LQvW3GM5wfAiUqWXibEohw@mail.gmail.com>
Date:   Wed, 12 Feb 2020 10:38:33 +0100
From:   Michael Stapelberg <michael+lkml@...pelberg.ch>
To:     Miklos Szeredi <miklos@...redi.hu>
Cc:     fuse-devel <fuse-devel@...ts.sourceforge.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kyle Sanderson <kyle.leet@...il.com>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: Still a pretty bad time on 5.4.6 with fuse_request_end.

Unfortunately not: when I change the code like so:

    bool async;
    uint32_t opcode_early = req->args->opcode;

    if (test_and_set_bit(FR_FINISHED, &req->flags))
        goto put_request;

    async = req->args->end;

…gdb only reports:

(gdb) bt
#0  0x000000a700000001 in ?? ()
#1  0xffffffff8137fc99 in fuse_copy_finish (cs=0x20000ffffffff) at
fs/fuse/dev.c:681
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

But maybe that’s a hint in and of itself?

On Wed, Feb 12, 2020 at 9:34 AM Miklos Szeredi <miklos@...redi.hu> wrote:
>
> On Wed, Feb 12, 2020 at 8:58 AM Michael Stapelberg
> <michael+lkml@...pelberg.ch> wrote:
>
> > (gdb) p *req->args
> > $5 = {
> >   nodeid = 18446683600620026424,
> >   opcode = 2167928246,
> >   in_numargs = 65535,
> >   out_numargs = 65535,
> >   force = false,
> >   noreply = false,
> >   nocreds = false,
> >   in_pages = false,
> >   out_pages = false,
> >   out_argvar = true,
> >   page_zeroing = true,
> >   page_replace = false,
> >   in_args = {{
> >       size = 978828800,
> >       value = 0x2fafce0
> >     }, {
> >       size = 978992728,
> >       value = 0xffffffff8138efaa <fuse_alloc_forget+26>
> >     }, {
> >       size = 50002688,
> >       value = 0xffffffff8138635f <fuse_lookup_name+255>
> >     }},
> >   out_args = {{
> >       size = 570,
> >       value = 0xffffc90002fafb10
> >     }, {
> >       size = 6876,
> >       value = 0x3000000001adc
> >     }},
> >   end = 0x1000100000001
> > }
>
> Okay, that looks like rubbish, the request was possibly freed and overwritten.
>
> > Independently, as a separate test, I have also modified the source like this:
> >
> > bool async;
> > bool async_early = req->args->end;
> >
> > if (test_and_set_bit(FR_FINISHED, &req->flags))
> > goto put_request;
> >
> > async = req->args->end;
> >
> > …and printed the value of async and async_early. async is true,
> > async_early is false.
>
> Can you save and print out the value of req->opcode before the
> test_and_set_bit()?
>
> Thanks,
> Miklos

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ