lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200807160627.GA1420741@elver.google.com>
Date:   Fri, 7 Aug 2020 18:06:27 +0200
From:   Marco Elver <elver@...gle.com>
To:     elver@...gle.com
Cc:     Alexander Potapenko <glider@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Pekka Enberg <penberg@...nel.org>,
        Christoph Lameter <cl@...ux.com>,
        Kees Cook <keescook@...omium.org>, kasan-dev@...glegroups.com,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Odd-sized kmem_cache_alloc and slub_debug=Z

Hi,

I found that the below debug-code using kmem_cache_alloc(), when using
slub_debug=Z, results in the following crash:

	general protection fault, probably for non-canonical address 0xcccccca41caea170: 0000 [#1] PREEMPT SMP PTI
	CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0+ #1
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
	RIP: 0010:freelist_dereference mm/slub.c:272 [inline]
	RIP: 0010:get_freepointer mm/slub.c:278 [inline]
	RIP: 0010:deactivate_slab+0x54/0x460 mm/slub.c:2111
	Code: 8b bc c7 e0 00 00 00 48 85 d2 0f 84 00 01 00 00 49 89 d5 31 c0 48 89 44 24 08 66 66 2e 0f 1f 84 00 00 00 00 00 90 44 8b 43 20 <4b> 8b 44 05 00 48 85 c0 0f 84 1e 01 00 00 4c 89 ed 49 89 c5 8b 43
	RSP: 0000:ffffffffa7e03e18 EFLAGS: 00010046
	RAX: 0000000000000000 RBX: ffffa3a41c972340 RCX: 0000000000000000
	RDX: cccccca41caea160 RSI: ffffe7c6a072ba80 RDI: ffffa3a41c972340
	RBP: ffffa3a41caea008 R08: 0000000000000010 R09: ffffa3a41caea01d
	R10: ffffffffa7f8dc50 R11: ffffffffa68f44c0 R12: ffffa3a41c972340
	R13: cccccca41caea160 R14: ffffe7c6a072ba80 R15: ffffa3a41c96d540
	FS:  0000000000000000(0000) GS:ffffa3a41fc00000(0000) knlGS:0000000000000000
	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: ffffa3a051c01000 CR3: 000000045140a001 CR4: 0000000000770ef0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 00000000
	Call Trace:
	 ___slab_alloc+0x336/0x340 mm/slub.c:2690
	 __slab_alloc mm/slub.c:2714 [inline]
	 slab_alloc_node mm/slub.c:2788 [inline]
	 slab_alloc mm/slub.c:2832 [inline]
	 kmem_cache_alloc+0x135/0x200 mm/slub.c:2837
	 start_kernel+0x3d6/0x44e init/main.c:1049
	 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:243

Any ideas what might be wrong?

This does not crash when redzones are not enabled.

Thanks,
-- Marco

------ >8 ------

diff --git a/init/main.c b/init/main.c
index 15bd0efff3df..f4aa5bb3f2ec 100644
--- a/init/main.c
+++ b/init/main.c
@@ -1041,6 +1041,16 @@ asmlinkage __visible void __init start_kernel(void)
 	sfi_init_late();
 	kcsan_init();
 
+	/* DEBUG CODE */
+	{
+		struct kmem_cache *c = kmem_cache_create("test", 21, 1, 0, NULL);
+		char *buf;
+		BUG_ON(!c);
+		buf = kmem_cache_alloc(c, GFP_KERNEL);
+		kmem_cache_free(c, buf);
+		kmem_cache_destroy(c);
+	}
+
 	/* Do the rest non-__init'ed, we're now alive */
 	arch_call_rest_init();
 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ