lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CABXGCsMvRzY_JHH4cPtxQ3nsYrsEJFgD0Wh5Aimx+iGB8GnY3g@mail.gmail.com>
Date:   Thu, 21 Jan 2021 23:03:47 +0500
From:   Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
To:     Linux List Kernel Mailing <linux-kernel@...r.kernel.org>
Cc:     keescook@...omium.org, paulmck@...ux.vnet.ibm.com
Subject: BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0 (5.11-rc4)

Hi folks,
I am testing new kernels under high load and KASAN found some troubles:

BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0
Read of size 8 at addr ffff8881f2cda008 by task ThreadPoolForeg/110220

CPU: 22 PID: 110220 Comm: ThreadPoolForeg Tainted: G        W
--------- ---  5.11.0-0.rc4.20210120git45dfb8a5659a.131.fc34.x86_64 #1
Hardware name: System manufacturer System Product Name/ROG STRIX
X570-I GAMING, BIOS 3402 01/13/2021
Call Trace:
 dump_stack+0xae/0xe5
 print_address_description.constprop.0+0x18/0x160
 ? __list_add_valid+0x81/0xa0
 kasan_report.cold+0x7f/0x10e
 ? lock_contended+0xb10/0xbe0
 ? __list_add_valid+0x81/0xa0
 __list_add_valid+0x81/0xa0
 do_compact_page+0x8bf/0x2720
 ? z3fold_zpool_free+0x92d/0x1150
 ? lock_contended+0xbe0/0xbe0
 zswap_free_entry+0xfa/0x1b0
 zswap_frontswap_invalidate_page+0x14a/0x1a0
 __frontswap_invalidate_page+0x104/0x1c0
 swap_range_free+0x2ad/0x350
 swapcache_free_entries+0x1e1/0x300
 free_swap_slot+0x1d2/0x290
 ? enable_swap_slots_cache+0x90/0x90
 __swap_entry_free+0x109/0x130
 ? __swap_entry_free_locked+0x1a0/0x1a0
 free_swap_and_cache+0xb3/0x100
 ? get_swap_page_of_type+0x160/0x160
 unmap_page_range+0xf3c/0x23e0
 ? lock_downgrade+0x6b0/0x6b0
 ? lru_add_drain_cpu+0x182/0x670
 ? vm_normal_page_pmd+0x350/0x350
 zap_page_range+0x289/0x400
 ? unmap_vmas+0x250/0x250
 ? lock_downgrade+0x6b0/0x6b0
 ? lock_acquire+0x31d/0x7a0
 ? __init_rwsem+0x1a0/0x1a0
 ? find_vma_prev+0x21/0x1d0
 do_madvise.part.0+0x10b6/0x2060
 ? do_wp_page+0x311/0xca0
 ? madvise_cold+0x1c0/0x1c0
 ? do_user_addr_fault+0x432/0x9b0
 ? __x64_sys_madvise+0xd8/0x140
 __x64_sys_madvise+0xd8/0x140
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f662cf620cb
Code: c3 66 0f 1f 44 00 00 48 8b 15 a1 7d 0c 00 f7 d8 64 89 02 b8 ff
ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 1c 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 75 7d 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007f66038f4668 EFLAGS: 00000206 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f662cf620cb
RDX: 0000000000000004 RSI: 0000000000008000 RDI: 00003cb26d246000
RBP: 00007f66038f4690 R08: 0000000000000000 R09: aaaaaaaa00000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000008000
R13: 00000003cb26d246 R14: 00003cb26d24e000 R15: 00003cb26d246000

The buggy address belongs to the page:
page:00000000d921a94d refcount:0 mapcount:-128
mapping:0000000000000000 index:0x1 pfn:0x1f2cda
flags: 0x17ffffc0000000()
raw: 0017ffffc0000000 ffffea0007cb3a48 ffffea0007cb3588 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f2cd9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f2cd9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881f2cda000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff8881f2cda080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881f2cda100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
list_add corruption. next->prev should be prev (ffffe8fffd662670), but
was 0000000000672100. (next=ffff8881f2cda000).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:23!
invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 22 PID: 107597 Comm: kworker/u64:2 Tainted: G    B   W
--------- ---  5.11.0-0.rc4.20210120git45dfb8a5659a.131.fc34.x86_64 #1

$ /usr/src/kernels/`uname -r`/scripts/faddr2line
/lib/debug/lib/modules/`uname -r`/vmlinux __list_add_valid+0x81
__list_add_valid+0x81/0xa0:
__list_add_valid at lib/list_debug.c:23

$ git checkout 45dfb8a5659a
Previous HEAD position was 19c329f68089 Linux 5.11-rc4
HEAD is now at 45dfb8a5659a Merge tag 'task_work-2021-01-19' of
git://git.kernel.dk/linux-block

$ git blame lib/list_debug.c -L14,33
Blaming lines:  32% (20/62), done.
199a9afc3dbe9 (Dave Jones     2006-09-29 01:59:00 -0700 14) /*
d7c816733d501 (Kees Cook      2016-08-17 14:42:08 -0700 15)  * Check
that the data structures for the list manipulations are reasonably
d7c816733d501 (Kees Cook      2016-08-17 14:42:08 -0700 16)  * valid.
Failures here indicate memory corruption (and possibly an exploit
d7c816733d501 (Kees Cook      2016-08-17 14:42:08 -0700 17)  * attempt).
199a9afc3dbe9 (Dave Jones     2006-09-29 01:59:00 -0700 18)  */
199a9afc3dbe9 (Dave Jones     2006-09-29 01:59:00 -0700 19)
d7c816733d501 (Kees Cook      2016-08-17 14:42:08 -0700 20) bool
__list_add_valid(struct list_head *new, struct list_head *prev,
d7c816733d501 (Kees Cook      2016-08-17 14:42:08 -0700 21)
       struct list_head *next)
199a9afc3dbe9 (Dave Jones     2006-09-29 01:59:00 -0700 22) {
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 23)     if
(CHECK_DATA_CORRUPTION(next->prev != prev,
68c1f08203f2b (Matthew Wilcox 2018-04-10 16:33:06 -0700 24)
         "list_add corruption. next->prev should be prev (%px), but
was %px. (next=%px).\n",
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 25)
         prev, next->prev, next) ||
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 26)
CHECK_DATA_CORRUPTION(prev->next != next,
68c1f08203f2b (Matthew Wilcox 2018-04-10 16:33:06 -0700 27)
         "list_add corruption. prev->next should be next (%px), but
was %px. (prev=%px).\n",
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 28)
         next, prev->next, prev) ||
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 29)
CHECK_DATA_CORRUPTION(new == prev || new == next,
68c1f08203f2b (Matthew Wilcox 2018-04-10 16:33:06 -0700 30)
         "list_add double add: new=%px, prev=%px, next=%px.\n",
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 31)
         new, prev, next))
85caa95b9f19b (Kees Cook      2017-02-24 15:00:38 -0800 32)
 return false;
de54ebbe26bb3 (Kees Cook      2016-08-17 14:42:11 -0700 33)

Full kernel log here: https://pastebin.com/sycghWB5

I added to CC all who was involved in these lines of code.
I hope you help fix this issue.

-- 
Best Regards,
Mike Gavrilov.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ