lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87pn3uisnm.fsf@x220.int.ebiederm.org>
Date:   Mon, 30 Nov 2020 12:52:29 -0600
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     syzbot <syzbot+71c4697e27c99fddcf17@...kaller.appspotmail.com>
Cc:     akpm@...ux-foundation.org, bernd.edlinger@...mail.de,
        chris@...isdown.name, dhowells@...hat.com, guro@...com,
        keescook@...omium.org, linux-kernel@...r.kernel.org,
        mhocko@...e.com, shakeelb@...gle.com,
        syzkaller-bugs@...glegroups.com, Jens Axboe <axboe@...nel.dk>,
        Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Subject: Re: memory leak in prepare_creds

syzbot <syzbot+71c4697e27c99fddcf17@...kaller.appspotmail.com> writes:

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    99c710c4 Merge tag 'platform-drivers-x86-v5.10-2' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12a77ddd500000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c7a27a77f20fbc95
> dashboard link: https://syzkaller.appspot.com/bug?extid=71c4697e27c99fddcf17
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d6161d500000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f15e65500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+71c4697e27c99fddcf17@...kaller.appspotmail.com

My guess is someones error cleanup somewhere did the wrong thing.

It looks like there was one forced failure in tomoyo and the rest were
in io_uring.  Adding the relevant maintainers perhaps one of them can
see the problem.

>
> BUG: memory leak
> unreferenced object 0xffff888101401300 (size 168):
>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000caa0de2b>] prepare_creds+0x25/0x390 kernel/cred.c:258
>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810b0a6f20 (size 32):
>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>   hex dump (first 32 bytes):
>     b0 6e 93 00 81 88 ff ff 00 00 00 00 00 00 00 00  .n..............
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<000000007d750ba1>] kmalloc include/linux/slab.h:557 [inline]
>     [<000000007d750ba1>] kzalloc include/linux/slab.h:664 [inline]
>     [<000000007d750ba1>] lsm_cred_alloc security/security.c:533 [inline]
>     [<000000007d750ba1>] security_prepare_creds+0xa5/0xd0 security/security.c:1632
>     [<00000000ba63fcc7>] prepare_creds+0x277/0x390 kernel/cred.c:285
>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff888101ea2200 (size 256):
>   comm "syz-executor355", pid 8470, jiffies 4294953658 (age 32.400s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     20 59 03 01 81 88 ff ff 80 87 a8 10 81 88 ff ff   Y..............
>   backtrace:
>     [<000000002e0a7c5f>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
>     [<000000002e0a7c5f>] __alloc_file+0x1f/0x130 fs/file_table.c:101
>     [<000000001a55b73a>] alloc_empty_file+0x69/0x120 fs/file_table.c:151
>     [<00000000fb22349e>] alloc_file+0x33/0x1b0 fs/file_table.c:193
>     [<000000006e1465bb>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:233
>     [<000000007118092a>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
>     [<000000007118092a>] anon_inode_getfile+0xaa/0x120 fs/anon_inodes.c:74
>     [<000000002ae99012>] io_uring_get_fd fs/io_uring.c:9198 [inline]
>     [<000000002ae99012>] io_uring_create fs/io_uring.c:9377 [inline]
>     [<000000002ae99012>] io_uring_setup+0x1125/0x1630 fs/io_uring.c:9411
>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ