lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 7 Aug 2020 10:16:26 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Marco Elver <elver@...gle.com>
Cc:     Alexander Potapenko <glider@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Pekka Enberg <penberg@...nel.org>,
        Christoph Lameter <cl@...ux.com>, kasan-dev@...glegroups.com,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: Odd-sized kmem_cache_alloc and slub_debug=Z

On Fri, Aug 07, 2020 at 06:06:27PM +0200, Marco Elver wrote:
> I found that the below debug-code using kmem_cache_alloc(), when using
> slub_debug=Z, results in the following crash:
> 
> 	general protection fault, probably for non-canonical address 0xcccccca41caea170: 0000 [#1] PREEMPT SMP PTI
> 	CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0+ #1
> 	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
> 	RIP: 0010:freelist_dereference mm/slub.c:272 [inline]
> 	RIP: 0010:get_freepointer mm/slub.c:278 [inline]

That really looks like more fun from my moving the freelist pointer... 

> 	R13: cccccca41caea160 R14: ffffe7c6a072ba80 R15: ffffa3a41c96d540

Except that it's all cccc at the start, which doesn't look like "data"
nor the hardened freelist obfuscation.

> 	FS:  0000000000000000(0000) GS:ffffa3a41fc00000(0000) knlGS:0000000000000000
> 	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> 	CR2: ffffa3a051c01000 CR3: 000000045140a001 CR4: 0000000000770ef0
> 	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> 	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 	PKRU: 00000000
> 	Call Trace:
> 	 ___slab_alloc+0x336/0x340 mm/slub.c:2690
> 	 __slab_alloc mm/slub.c:2714 [inline]
> 	 slab_alloc_node mm/slub.c:2788 [inline]
> 	 slab_alloc mm/slub.c:2832 [inline]
> 	 kmem_cache_alloc+0x135/0x200 mm/slub.c:2837
> 	 start_kernel+0x3d6/0x44e init/main.c:1049
> 	 secondary_startup_64+0xb6/0xc0 arch/x86/kernel/head_64.S:243
> 
> Any ideas what might be wrong?
> 
> This does not crash when redzones are not enabled.
> 
> Thanks,
> -- Marco
> 
> ------ >8 ------
> 
> diff --git a/init/main.c b/init/main.c
> index 15bd0efff3df..f4aa5bb3f2ec 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -1041,6 +1041,16 @@ asmlinkage __visible void __init start_kernel(void)
>  	sfi_init_late();
>  	kcsan_init();
>  
> +	/* DEBUG CODE */
> +	{
> +		struct kmem_cache *c = kmem_cache_create("test", 21, 1, 0, NULL);
> +		char *buf;
> +		BUG_ON(!c);
> +		buf = kmem_cache_alloc(c, GFP_KERNEL);
> +		kmem_cache_free(c, buf);
> +		kmem_cache_destroy(c);
> +	}
> +
>  	/* Do the rest non-__init'ed, we're now alive */
>  	arch_call_rest_init();
>  

Which kernel version? Can you send your CONFIG too?

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ