Message-ID: <20210217160726.GD4503@xsang-OptiPlex-9020>
Date: Thu, 18 Feb 2021 00:07:26 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>,
kernel test robot <oliver.sang@...el.com>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
io-uring@...r.kernel.org,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Christian Brauner <christian.brauner@...ntu.com>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
Kees Cook <keescook@...omium.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>
Subject: f009495a8d: BUG:KASAN:use-after-free_in_user_shm_unlock
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: f009495a8def89a71b9e0b9025a39379d6f9097d ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210215-204524
in testcase: trinity
version: trinity-x86_64-4d2343bd-1_20210105
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused the following changes (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+---------------------------------------------+------------+------------+
|                                             | ebc4144c8c | f009495a8d |
+---------------------------------------------+------------+------------+
| boot_successes                              | 12         | 3          |
| boot_failures                               | 0          | 9          |
| BUG:KASAN:use-after-free_in_user_shm_unlock | 0          | 9          |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 379.451460] BUG: KASAN: use-after-free in user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839)
[ 379.452995] Read of size 8 at addr ffff888117ff7e90 by task trinity-c2/3961
[ 379.454626]
[ 379.455018] CPU: 0 PID: 3961 Comm: trinity-c2 Tainted: G E 5.11.0-rc7-00017-gf009495a8def #1
[ 379.457212] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 379.459153] Call Trace:
[ 379.459777] print_address_description+0x18/0x26f
[ 379.461168] ? user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839)
[ 379.462171] kasan_report (kbuild/src/consumer/mm/kasan/report.c:397 kbuild/src/consumer/mm/kasan/report.c:413)
[ 379.463132] ? user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839)
[ 379.464053] user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839)
[ 379.464986] shmem_lock (kbuild/src/consumer/mm/shmem.c:2247)
[ 379.465741] shmctl_do_lock (kbuild/src/consumer/ipc/shm.c:1124)
[ 379.466611] ksys_shmctl+0x19b/0x1e2
[ 379.467620] ? __x32_compat_sys_shmctl (kbuild/src/consumer/ipc/shm.c:1141)
[ 379.468612] ? lock_acquire (kbuild/src/consumer/kernel/locking/lockdep.c:437 kbuild/src/consumer/kernel/locking/lockdep.c:5444)
[ 379.469427] ? find_held_lock (kbuild/src/consumer/kernel/locking/lockdep.c:4956)
[ 379.470301] ? __context_tracking_exit (kbuild/src/consumer/kernel/context_tracking.c:161)
[ 379.471508] ? lock_downgrade (kbuild/src/consumer/kernel/locking/lockdep.c:5450)
[ 379.472561] ? kvm_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90)
[ 379.473521] ? account_steal_time (kbuild/src/consumer/kernel/sched/cputime.c:212)
[ 379.474581] ? account_other_time (kbuild/src/consumer/kernel/sched/cputime.c:245 kbuild/src/consumer/kernel/sched/cputime.c:262)
[ 379.475544] ? mark_held_locks (kbuild/src/consumer/kernel/locking/lockdep.c:4000 (discriminator 1))
[ 379.476491] ? lockdep_hardirqs_on_prepare (kbuild/src/consumer/kernel/locking/lockdep.c:437 kbuild/src/consumer/kernel/locking/lockdep.c:4099)
[ 379.477743] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 379.478611] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 379.479768] RIP: 0033:0x7f79708ebf59
[ 379.480640] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d 07 6f 0c 00 mov 0xc6f07(%rip),%rcx # 0xc6f41
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d 07 6f 0c 00 mov 0xc6f07(%rip),%rcx # 0xc6f17
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 379.484875] RSP: 002b:00007ffd0b8ac428 EFLAGS: 00000246 ORIG_RAX: 000000000000001f
[ 379.486602] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007f79708ebf59
[ 379.488077] RDX: 0000000000000004 RSI: 000000000000000c RDI: 0000000000000000
[ 379.489493] RBP: 000000000000001f R08: 0000a7fc6cf3f14d R09: 0000000008000000
[ 379.491020] R10: ffffffffffffff71 R11: 0000000000000246 R12: 0000000000000002
[ 379.492661] R13: 00007f796f2bb058 R14: 00007f79707d46c0 R15: 00007f796f2bb000
[ 379.494454]
[ 379.494871] Allocated by task 0:
[ 379.495620] (stack is not available)
[ 379.496488]
[ 379.496893] Freed by task 10:
[ 379.497655] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:38)
[ 379.498658] kasan_set_track (kbuild/src/consumer/mm/kasan/common.c:46)
[ 379.499609] kasan_set_free_info (kbuild/src/consumer/mm/kasan/generic.c:358)
[ 379.500681] ____kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:364)
[ 379.501725] slab_free_freelist_hook (kbuild/src/consumer/mm/slub.c:1580)
[ 379.502861] kmem_cache_free (kbuild/src/consumer/mm/slub.c:3143 kbuild/src/consumer/mm/slub.c:3159)
[ 379.503731] rcu_process_callbacks (kbuild/src/consumer/include/linux/rcupdate.h:264 kbuild/src/consumer/kernel/rcu/tiny.c:99 kbuild/src/consumer/kernel/rcu/tiny.c:130)
[ 379.504755] __do_softirq (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:27 kbuild/src/consumer/include/linux/jump_label.h:254 kbuild/src/consumer/include/linux/jump_label.h:264 kbuild/src/consumer/include/trace/events/irq.h:142 kbuild/src/consumer/kernel/softirq.c:344)
[ 379.505618]
[ 379.505979] The buggy address belongs to the object at ffff888117ff7e00
[ 379.505979] which belongs to the cache cred_jar of size 176
[ 379.508744] The buggy address is located 144 bytes inside of
[ 379.508744] 176-byte region [ffff888117ff7e00, ffff888117ff7eb0)
[ 379.511290] The buggy address belongs to the page:
[ 379.512399] page:0000000097ece402 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117ff7
[ 379.514652] flags: 0x8000000000000200(slab)
[ 379.515652] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100372a00
[ 379.517377] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 379.519257] page dumped because: kasan: bad access detected
[ 379.520478]
[ 379.520835] Memory state around the buggy address:
[ 379.521953] ffff888117ff7d80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 379.523570] ffff888117ff7e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.525357] >ffff888117ff7e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 379.527029] ^
[ 379.527887] ffff888117ff7f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 379.529581] ffff888117ff7f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 379.531334] ==================================================================
[ 379.533107] Disabling lock debugging due to kernel taint
[ 379.755941] [main] kernel became tainted! (8224/8192) Last seed was 782038633
[ 379.756009]
[ 379.773617] trinity: Detected kernel tainting. Last seed was 782038633
[ 379.773690]
[ 379.789324] [main] exit_reason=7, but 3 children still running.
[ 379.789394]
[ 381.812865] [main] Bailing main loop because kernel became tainted..
[ 381.812932]
[ 382.091273] [main] Ran 93208 syscalls. Successes: 23634 Failures: 67538
[ 382.091348]
[ 405.279282] /lkp/lkp/src/tests/trinity: 45: kill: No such process
[ 405.279354]
[ 405.298590]
[ 405.298646]
[ 405.656613] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/lkp/jobs/scheduled/vm-snb-124/trinity-300s-debian-10.4-x86_64-20200603.cgz-f009495a8def89a71b9e0b9025a39379d6f9097d-20210217-33540-1tuu5rt-2.yaml&job_state=post_run -O /dev/null
[ 405.656700]
[ 407.339684] kill 377 vmstat --timestamp -n 10
[ 407.339744]
[ 407.453173] kill 375 dmesg --follow --decode
[ 407.453237]
[ 407.547712] wait for background processes: 379 meminfo
[ 407.547783]
[ 415.539948] sysrq: Emergency Sync
[ 415.540999] Emergency Sync complete
[ 415.544090] sysrq: Resetting
Kboot worker: lkp-worker31
Elapsed time: 420
kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-124.cgz
-m 8192
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0,hostfwd=tcp::32032-:22
-boot order=nc
-no-reboot
-watchdog i6300esb
-watchdog-action debug
-rtc base=localtime
-serial stdio
-display none
-monitor null
)
append=(
ip=::::vm-snb-124::dhcp
root=/dev/ram0
To reproduce:
# build kernel
cd linux
cp config-5.11.0-rc7-00017-gf009495a8def .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Oliver Sang
View attachment "config-5.11.0-rc7-00017-gf009495a8def" of type "text/plain" (151174 bytes)
View attachment "job-script" of type "text/plain" (4334 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (35376 bytes)
View attachment "trinity" of type "text/plain" (145955 bytes)