Message-ID: <20220207014955.GA33412@xsang-OptiPlex-9020>
Date: Mon, 7 Feb 2022 09:49:55 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S. Miller" <davem@...emloft.net>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
lkp@...el.com
Subject: [ip6mr] f2f2325ec7: BUG:KASAN:use-after-free_in_ip6mr_sk_done
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: f2f2325ec79970807012dfc9e716cdbb02d9b574 ("ip6mr: ip6mr_sk_done() can exit early in common cases")
url: https://github.com/0day-ci/linux/commits/Biju-Das/dt-bindings-net-renesas-etheravb-Document-RZ-V2L-SoC/20220207-042554
in testcase: trinity
version: trinity-x86_64-608712d8-1_20220128
with the following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 43.727566][ T7] BUG: KASAN: use-after-free in ip6mr_sk_done (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 net/ipv6/ip6mr.c:1578)
[ 43.728665][ T7] Read of size 4 at addr ffff88810eb94888 by task kworker/u4:0/7
[ 43.729851][ T7]
[ 43.730219][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.17.0-rc2-00638-gf2f2325ec799 #1
[ 43.731561][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 43.732945][ T7] Workqueue: netns cleanup_net
[ 43.733744][ T7] Call Trace:
[ 43.734297][ T7] <TASK>
[ 43.734792][ T7] dump_stack_lvl (lib/dump_stack.c:107)
[ 43.735543][ T7] print_address_description+0x21/0x180
[ 43.736636][ T7] ? ip6mr_sk_done (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 net/ipv6/ip6mr.c:1578)
[ 43.737405][ T7] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[ 43.738113][ T7] ? ip6mr_sk_done (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 net/ipv6/ip6mr.c:1578)
[ 43.738764][ T7] kasan_check_range (mm/kasan/generic.c:190)
[ 43.739475][ T7] ip6mr_sk_done (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 net/ipv6/ip6mr.c:1578)
[ 43.740207][ T7] rawv6_close (net/ipv6/raw.c:1202)
[ 43.743739][ T7] inet_release (net/ipv4/af_inet.c:429)
[ 43.747360][ T7] __sock_release (net/socket.c:651)
[ 43.749878][ T7] igmp6_net_exit (net/ipv6/mcast.c:3174)
[ 43.752005][ T7] ops_exit_list+0x98/0x180
[ 43.754973][ T7] cleanup_net (net/core/net_namespace.c:599 (discriminator 3))
[ 43.757738][ T7] ? peernet2id_alloc (net/core/net_namespace.c:553)
[ 43.760247][ T7] ? __schedule (kernel/sched/core.c:6174)
[ 43.762857][ T7] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
[ 43.765808][ T7] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2455)
[ 43.768529][ T7] ? process_one_work (kernel/workqueue.c:2397)
[ 43.771855][ T7] kthread (kernel/kthread.c:377)
[ 43.775300][ T7] ? kthread_complete_and_exit (kernel/kthread.c:332)
[ 43.778982][ T7] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 43.782691][ T7] </TASK>
[ 43.786069][ T7]
[ 43.789270][ T7] Allocated by task 1:
[ 43.792813][ T7] kasan_save_stack (mm/kasan/common.c:39)
[ 43.796486][ T7] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524)
[ 43.799875][ T7] fib_create_info (include/linux/slab.h:586 include/linux/slab.h:715 net/ipv4/fib_semantics.c:1442)
[ 43.803543][ T7] fib_table_insert (net/ipv4/fib_trie.c:1224)
[ 43.807195][ T7] fib_magic+0x297/0x440
[ 43.810869][ T7] fib_add_ifaddr (net/ipv4/fib_frontend.c:1129)
[ 43.814464][ T7] fib_netdev_event (net/ipv4/fib_frontend.c:1465 (discriminator 3))
[ 43.818098][ T7] raw_notifier_call_chain (kernel/notifier.c:89 kernel/notifier.c:392)
[ 43.821558][ T7] __dev_notify_flags (net/core/dev.c:1931 net/core/dev.c:1945 net/core/dev.c:8177)
[ 43.824595][ T7] dev_change_flags (net/core/dev.c:8217)
[ 43.827778][ T7] ip_auto_config (net/ipv4/ipconfig.c:224 net/ipv4/ipconfig.c:1502)
[ 43.831118][ T7] do_one_initcall (init/main.c:1300)
[ 43.834106][ T7] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613)
[ 43.837190][ T7] kernel_init (init/main.c:1504)
[ 43.839802][ T7] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 43.842527][ T7]
[ 43.844785][ T7] Freed by task 7:
[ 43.845862][ T660] VFS: Warning: trinity-c3 using old stat() call. Recompile your binary.
[ 43.847180][ T7] kasan_save_stack (mm/kasan/common.c:39)
[ 43.847193][ T7] kasan_set_track (mm/kasan/common.c:45)
[ 43.847198][ T7] kasan_set_free_info (mm/kasan/generic.c:372)
[ 43.858233][ T7] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 43.861032][ T7] kfree (mm/slub.c:1754 mm/slub.c:3509 mm/slub.c:4562)
[ 43.863634][ T7] ops_exit_list+0x98/0x180
[ 43.866428][ T7] cleanup_net (net/core/net_namespace.c:599 (discriminator 3))
[ 43.868846][ T7] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
[ 43.871491][ T7] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2455)
[ 43.874217][ T7] kthread (kernel/kthread.c:377)
[ 43.876775][ T7] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 43.879429][ T7]
[ 43.881813][ T7] Last potentially related work creation:
[ 43.884669][ T7] kasan_save_stack (mm/kasan/common.c:39)
[ 43.887467][ T7] __kasan_record_aux_stack (mm/kasan/generic.c:348)
[ 43.890366][ T7] call_rcu (kernel/rcu/tree.c:3027 kernel/rcu/tree.c:3106)
[ 43.893057][ T7] fib_create_info (net/ipv4/fib_semantics.c:1574)
[ 43.895888][ T7] fib_table_insert (net/ipv4/fib_trie.c:1224)
[ 43.898686][ T7] fib_magic+0x297/0x440
[ 43.901503][ T7] fib_add_ifaddr (net/ipv4/fib_frontend.c:1129)
[ 43.904283][ T7] fib_netdev_event (net/ipv4/fib_frontend.c:1465 (discriminator 3))
[ 43.906925][ T7] raw_notifier_call_chain (kernel/notifier.c:89 kernel/notifier.c:392)
[ 43.909660][ T7] __dev_notify_flags (net/core/dev.c:1931 net/core/dev.c:1945 net/core/dev.c:8177)
[ 43.912346][ T7] dev_change_flags (net/core/dev.c:8217)
[ 43.915108][ T7] ip_auto_config (net/ipv4/ipconfig.c:224 net/ipv4/ipconfig.c:1502)
[ 43.917827][ T7] do_one_initcall (init/main.c:1300)
[ 43.920549][ T7] kernel_init_freeable (init/main.c:1372 init/main.c:1389 init/main.c:1408 init/main.c:1613)
[ 43.923383][ T7] kernel_init (init/main.c:1504)
[ 43.926096][ T7] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 43.928757][ T7]
[ 43.931153][ T7] The buggy address belongs to the object at ffff88810eb94800
[ 43.931153][ T7] which belongs to the cache kmalloc-256 of size 256
[ 43.937453][ T7] The buggy address is located 136 bytes inside of
[ 43.937453][ T7] 256-byte region [ffff88810eb94800, ffff88810eb94900)
[ 43.943729][ T7] The buggy address belongs to the page:
[ 43.946822][ T7] page:00000000392d4f15 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10eb94
[ 43.950810][ T7] head:00000000392d4f15 order:1 compound_mapcount:0
[ 43.954208][ T7] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 43.957836][ T7] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100041b40
[ 43.961613][ T7] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 43.965353][ T7] page dumped because: kasan: bad access detected
[ 43.968765][ T7] page_owner tracks the page as allocated
[ 43.971860][ T7] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 24086391223, free_ts 24079533892
[ 43.979986][ T7] prep_new_page (include/linux/page_owner.h:31 mm/page_alloc.c:2427 mm/page_alloc.c:2434)
[ 43.983297][ T7] get_page_from_freelist (mm/page_alloc.c:4171)
[ 43.986879][ T7] __alloc_pages (mm/page_alloc.c:5390)
[ 43.990280][ T7] alloc_page_interleave (arch/x86/include/asm/jump_label.h:27 mm/mempolicy.c:2118)
[ 43.993759][ T7] allocate_slab (mm/slub.c:1799 mm/slub.c:1944)
[ 43.997239][ T7] ___slab_alloc (mm/slub.c:3018)
[ 44.000639][ T7] __slab_alloc+0x1c/0x40
[ 44.004090][ T7] __kmalloc (mm/slub.c:3196 mm/slub.c:3238 mm/slub.c:4420)
To reproduce:
# build kernel
cd linux
cp config-5.17.0-rc2-00638-gf2f2325ec799 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure
Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org
Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.17.0-rc2-00638-gf2f2325ec799" of type "text/plain" (178953 bytes)
View attachment "job-script" of type "text/plain" (4466 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (17784 bytes)
View attachment "trinity" of type "text/plain" (2081 bytes)