lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 15 Feb 2022 10:59:12 +0100
From:   Michal Hocko <mhocko@...e.com>
To:     Yang Shi <shy828301@...il.com>,
        Suren Baghdasaryan <surenb@...gle.com>
Cc:     syzbot <syzbot+2ccf63a4bd07cf39cab0@...kaller.appspotmail.com>,
        Andrew Morton <akpm@...ux-foundation.org>, brauner@...nel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux MM <linux-mm@...ck.org>, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in __oom_reap_task_mm

[Add Suren - and keeping the full message for reference. My comment in
inlined]

On Mon 14-02-22 11:07:05, Yang Shi wrote:
> On Mon, Feb 14, 2022 at 2:44 AM syzbot
> <syzbot+2ccf63a4bd07cf39cab0@...kaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    e6251ab4551f Merge tag 'nfs-for-5.17-2' of git://git.linux..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1229b2f8700000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=266de9da75c71a45
> > dashboard link: https://syzkaller.appspot.com/bug?extid=2ccf63a4bd07cf39cab0
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > userspace arch: i386
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+2ccf63a4bd07cf39cab0@...kaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KASAN: use-after-free in can_madv_lru_vma mm/internal.h:76 [inline]
> > BUG: KASAN: use-after-free in __oom_reap_task_mm+0x3a4/0x400 mm/oom_kill.c:529
> > Read of size 8 at addr ffff88807b868ba8 by task syz-executor.2/12778
> >
> > CPU: 0 PID: 12778 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00029-ge6251ab4551f #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> >  print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
> >  __kasan_report mm/kasan/report.c:442 [inline]
> >  kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
> >  can_madv_lru_vma mm/internal.h:76 [inline]
> >  __oom_reap_task_mm+0x3a4/0x400 mm/oom_kill.c:529
> >  __do_sys_process_mrelease+0x3f2/0x450 mm/oom_kill.c:1196
> >  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
> >  __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
> >  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> >  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> > RIP: 0023:0xf6e70549
> > Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
> > RSP: 002b:00000000f586a5cc EFLAGS: 00000296 ORIG_RAX: 00000000000001c0
> > RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> >  </TASK>
> >
> > Allocated by task 12778:
> >  kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
> >  kasan_set_track mm/kasan/common.c:45 [inline]
> >  set_alloc_info mm/kasan/common.c:436 [inline]
> >  __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469
> >  kasan_slab_alloc include/linux/kasan.h:260 [inline]
> >  slab_post_alloc_hook mm/slab.h:732 [inline]
> >  slab_alloc_node mm/slub.c:3230 [inline]
> >  slab_alloc mm/slub.c:3238 [inline]
> >  kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3243
> >  vm_area_dup+0x88/0x2b0 kernel/fork.c:357
> >  dup_mmap kernel/fork.c:554 [inline]
> >  dup_mm+0x5fa/0x13e0 kernel/fork.c:1451
> >  copy_mm kernel/fork.c:1503 [inline]
> >  copy_process+0x71f8/0x7300 kernel/fork.c:2164
> >  kernel_clone+0xe7/0xab0 kernel/fork.c:2555
> >  __do_compat_sys_ia32_clone+0xac/0xe0 arch/x86/kernel/sys_ia32.c:254
> >  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
> >  __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
> >  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> >  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> >
> > Freed by task 12780:
> >  kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
> >  kasan_set_track+0x21/0x30 mm/kasan/common.c:45
> >  kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
> >  ____kasan_slab_free mm/kasan/common.c:366 [inline]
> >  ____kasan_slab_free+0x130/0x160 mm/kasan/common.c:328
> >  kasan_slab_free include/linux/kasan.h:236 [inline]
> >  slab_free_hook mm/slub.c:1728 [inline]
> >  slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754
> >  slab_free mm/slub.c:3509 [inline]
> >  kmem_cache_free+0xd8/0x340 mm/slub.c:3526
> >  remove_vma+0x135/0x170 mm/mmap.c:189
> >  exit_mmap+0x29a/0x670 mm/mmap.c:3186
> >  __mmput+0x122/0x4b0 kernel/fork.c:1114
> >  mmput+0x56/0x60 kernel/fork.c:1135
> >  exit_mm kernel/exit.c:507 [inline]
> >  do_exit+0xa3c/0x2a30 kernel/exit.c:793
> >  do_group_exit+0xd2/0x2f0 kernel/exit.c:935
> >  get_signal+0x4b0/0x28c0 kernel/signal.c:2862
> >  arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
> >  handle_signal_work kernel/entry/common.c:148 [inline]
> >  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
> >  exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
> >  __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
> >  syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
> >  __do_fast_syscall_32+0x72/0xf0 arch/x86/entry/common.c:181
> >  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> >  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> 
> It seems process_mrelease() may be racy with exiting. mmgrab() just
> pin mm struct, but doesn't guarantee the associated address space
> still exists. mmget or mmget_not_zero() may be needed at first glance.

This is what process_mrelease used to do before ba535c1caf3e
("mm/oom_kill: allow process_mrelease to run under mmap_lock
protection"). It shouldn't be really necessary because of the
synchronization that happens on the exit_mmap level. There were some
patches in that area and I am not sure whether something is still
hanging in the Andrew's queue. Suren will surely know better.

> The below untested patch (compiled) may be able to fix it.
> 
> diff --git a/mm/oom_kill.c b/mm/oom_kill.c
> index 832fb330376e..c389995bcc71 100644
> --- a/mm/oom_kill.c
> +++ b/mm/oom_kill.c
> @@ -1185,9 +1185,11 @@ SYSCALL_DEFINE2(process_mrelease, int, pidfd,
> unsigned int, flags)
>         if (!reap)
>                 goto drop_mm;
> 
> +       if (!mmget_not_zero(mm))
> +               goto drop_mm;
>         if (mmap_read_lock_killable(mm)) {
>                 ret = -EINTR;
> -               goto drop_mm;
> +               goto put_mm;
>         }
>         /*
>          * Check MMF_OOM_SKIP again under mmap_read_lock protection to ensure
> @@ -1197,6 +1199,8 @@ SYSCALL_DEFINE2(process_mrelease, int, pidfd,
> unsigned int, flags)
>                 ret = -EAGAIN;
>         mmap_read_unlock(mm);
> 
> +put_mm:
> +       mmput(mm);
>  drop_mm:
>         mmdrop(mm);
>  put_task:
> 
> >
> > The buggy address belongs to the object at ffff88807b868b58
> >  which belongs to the cache vm_area_struct of size 200
> > The buggy address is located 80 bytes inside of
> >  200-byte region [ffff88807b868b58, ffff88807b868c20)
> > The buggy address belongs to the page:
> > page:ffffea0001ee1a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b868
> > memcg:ffff88804fe94a01
> > flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
> > raw: 00fff00000000200 dead000000000100 dead000000000122 ffff888140006a00
> > raw: 0000000000000000 00000000000f000f 00000001ffffffff ffff88804fe94a01
> > page dumped because: kasan: bad access detected
> > page_owner tracks the page as allocated
> > page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3175, ts 344170603641, free_ts 344164018467
> >  prep_new_page mm/page_alloc.c:2434 [inline]
> >  get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
> >  __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
> >  alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271
> >  alloc_slab_page mm/slub.c:1799 [inline]
> >  allocate_slab mm/slub.c:1944 [inline]
> >  new_slab+0x28a/0x3b0 mm/slub.c:2004
> >  ___slab_alloc+0x87c/0xe90 mm/slub.c:3018
> >  __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105
> >  slab_alloc_node mm/slub.c:3196 [inline]
> >  slab_alloc mm/slub.c:3238 [inline]
> >  kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3243
> >  vm_area_dup+0x88/0x2b0 kernel/fork.c:357
> >  dup_mmap kernel/fork.c:554 [inline]
> >  dup_mm+0x5fa/0x13e0 kernel/fork.c:1451
> >  copy_mm kernel/fork.c:1503 [inline]
> >  copy_process+0x71f8/0x7300 kernel/fork.c:2164
> >  kernel_clone+0xe7/0xab0 kernel/fork.c:2555
> >  __do_sys_clone+0xc8/0x110 kernel/fork.c:2672
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> > page last free stack trace:
> >  reset_page_owner include/linux/page_owner.h:24 [inline]
> >  free_pages_prepare mm/page_alloc.c:1352 [inline]
> >  free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
> >  free_unref_page_prepare mm/page_alloc.c:3325 [inline]
> >  free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3441
> >  release_pages+0x317/0x1220 mm/swap.c:980
> >  tlb_batch_pages_flush mm/mmu_gather.c:50 [inline]
> >  tlb_flush_mmu_free mm/mmu_gather.c:243 [inline]
> >  tlb_flush_mmu mm/mmu_gather.c:250 [inline]
> >  tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:341
> >  exit_mmap+0x21b/0x670 mm/mmap.c:3180
> >  __mmput+0x122/0x4b0 kernel/fork.c:1114
> >  mmput+0x56/0x60 kernel/fork.c:1135
> >  exit_mm kernel/exit.c:507 [inline]
> >  do_exit+0xa3c/0x2a30 kernel/exit.c:793
> >  do_group_exit+0xd2/0x2f0 kernel/exit.c:935
> >  get_signal+0x4b0/0x28c0 kernel/signal.c:2862
> >  arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
> >  handle_signal_work kernel/entry/common.c:148 [inline]
> >  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
> >  exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
> >  __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
> >  syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
> >  __do_fast_syscall_32+0x72/0xf0 arch/x86/entry/common.c:181
> >  do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
> >  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
> >
> > Memory state around the buggy address:
> >  ffff88807b868a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >  ffff88807b868b00: fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb
> > >ffff88807b868b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >                                   ^
> >  ffff88807b868c00: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb
> >  ffff88807b868c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> > ----------------
> > Code disassembly (best guess):
> >    0:   03 74 c0 01             add    0x1(%rax,%rax,8),%esi
> >    4:   10 05 03 74 b8 01       adc    %al,0x1b87403(%rip)        # 0x1b8740d
> >    a:   10 06                   adc    %al,(%rsi)
> >    c:   03 74 b4 01             add    0x1(%rsp,%rsi,4),%esi
> >   10:   10 07                   adc    %al,(%rdi)
> >   12:   03 74 b0 01             add    0x1(%rax,%rsi,4),%esi
> >   16:   10 08                   adc    %cl,(%rax)
> >   18:   03 74 d8 01             add    0x1(%rax,%rbx,8),%esi
> >   1c:   00 00                   add    %al,(%rax)
> >   1e:   00 00                   add    %al,(%rax)
> >   20:   00 51 52                add    %dl,0x52(%rcx)
> >   23:   55                      push   %rbp
> >   24:   89 e5                   mov    %esp,%ebp
> >   26:   0f 34                   sysenter
> >   28:   cd 80                   int    $0x80
> > * 2a:   5d                      pop    %rbp <-- trapping instruction
> >   2b:   5a                      pop    %rdx
> >   2c:   59                      pop    %rcx
> >   2d:   c3                      retq
> >   2e:   90                      nop
> >   2f:   90                      nop
> >   30:   90                      nop
> >   31:   90                      nop
> >   32:   8d b4 26 00 00 00 00    lea    0x0(%rsi,%riz,1),%esi
> >   39:   8d b4 26 00 00 00 00    lea    0x0(%rsi,%riz,1),%esi
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@...glegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ