lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 28 Feb 2022 23:34:26 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     "Liam R. Howlett" <Liam.Howlett@...cle.com>
Cc:     "Liam R. Howlett" <Liam.Howlett@...cle.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        lkp@...ts.01.org, lkp@...el.com
Subject: [mm]  82e080f318: BUG:KASAN:use-after-free_in_move_vma



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 82e080f31808330f67ded631246798ec3ea37cff ("mm: Remove the vma linked list")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: blktests
version: blktests-x86_64-bd6b882-1_20220226
with following parameters:

	disk: 1HDD
	test: block-group-09
	ucode: 0xec



on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 29.418341][ T743] BUG: KASAN: use-after-free in move_vma (mm/mremap.c:714) 
[   29.424842][  T743] Read of size 8 at addr ffff888805c9e2a8 by task python3.7/743
[   29.432285][  T743]
[   29.434458][  T743] CPU: 3 PID: 743 Comm: python3.7 Not tainted 5.17.0-rc4-00070-g82e080f31808 #1
[   29.443284][  T743] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[   29.451329][  T743] Call Trace:
[   29.454452][  T743]  <TASK>
[ 29.457230][ T743] dump_stack_lvl (lib/dump_stack.c:107) 
[ 29.461564][ T743] print_address_description+0x21/0x180 
[ 29.467971][ T743] ? move_vma (mm/mremap.c:714) 
[ 29.472132][ T743] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459) 
[ 29.476812][ T743] ? move_vma (mm/mremap.c:714) 
[ 29.480972][ T743] move_vma (mm/mremap.c:714) 
[ 29.484962][ T743] ? move_page_tables (mm/mremap.c:571) 
[ 29.489985][ T743] ? security_mmap_addr (security/security.c:1594 (discriminator 13)) 
[   29.492284][  T301] LKP: stdout: 284: Kernel tests: Boot OK!
[ 29.494838][ T743] __do_sys_mremap (mm/mremap.c:1063) 
[ 29.494842][ T743] ? move_vma (mm/mremap.c:893) 
[   29.500476][  T301]
[ 29.505145][ T743] ? cap_capget (security/commoncap.c:1443) 
[ 29.505148][ T743] ? handle_mm_fault (mm/memory.c:4818) 
[ 29.505150][ T743] ? up_read (arch/x86/include/asm/atomic64_64.h:160 include/linux/atomic/atomic-long.h:71 include/linux/atomic/atomic-instrumented.h:1318 kernel/locking/rwsem.c:1293 kernel/locking/rwsem.c:1557) 
[ 29.524470][ T743] ? do_user_addr_fault (arch/x86/mm/fault.c:1422) 
[ 29.529494][ T743] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 29.533740][ T743] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   29.539454][  T743] RIP: 0033:0x7fd0b9a9201a
[ 29.543699][ T743] Code: 73 01 c3 48 8b 0d 76 0e 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 19 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 46 0e 0c 00 f7 d8 64 89 01 48
All code
========
   0:	73 01                	jae    0x3
   2:	c3                   	retq   
   3:	48 8b 0d 76 0e 0c 00 	mov    0xc0e76(%rip),%rcx        # 0xc0e80
   a:	f7 d8                	neg    %eax
   c:	64 89 01             	mov    %eax,%fs:(%rcx)
   f:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
  13:	c3                   	retq   
  14:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  1b:	00 00 00 
  1e:	66 90                	xchg   %ax,%ax
  20:	49 89 ca             	mov    %rcx,%r10
  23:	b8 19 00 00 00       	mov    $0x19,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d 46 0e 0c 00 	mov    0xc0e46(%rip),%rcx        # 0xc0e80
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d 46 0e 0c 00 	mov    0xc0e46(%rip),%rcx        # 0xc0e56
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   29.563052][  T743] RSP: 002b:00007ffd9c276ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
[   29.571272][  T743] RAX: ffffffffffffffda RBX: 00000000000a1000 RCX: 00007fd0b9a9201a
[   29.579055][  T743] RDX: 00000000000a1000 RSI: 0000000000051000 RDI: 00007fd0b93eb000
[   29.586838][  T743] RBP: 0000000000051000 R08: 0000000000000000 R09: 00007fd0b93eb000
[   29.594633][  T743] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[   29.602431][  T743] R13: 00007fd0b95802d8 R14: 00000000000a0010 R15: 0000000000051000
[   29.610214][  T743]  </TASK>
[   29.613076][  T743]
[   29.615247][  T743] Allocated by task 743:
[ 29.619318][ T743] kasan_save_stack (mm/kasan/common.c:39) 
[ 29.623824][ T743] __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) 
[ 29.628502][ T743] kmem_cache_alloc (mm/slab.h:733 mm/slub.c:3230 mm/slub.c:3238 mm/slub.c:3243) 
[ 29.633180][ T743] vm_area_dup (kernel/fork.c:358) 
[ 29.637348][ T743] __split_vma (mm/mmap.c:2255) 
[ 29.641511][ T743] do_mas_align_munmap (mm/mmap.c:2390) 
[ 29.646456][ T743] do_mas_munmap (mm/mmap.c:2508) 
[ 29.650881][ T743] __vm_munmap (mm/mmap.c:2764) 
[ 29.655133][ T743] __x64_sys_munmap (mm/mmap.c:2786) 
[ 29.659660][ T743] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 29.663919][ T743] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   29.669633][  T743]
[   29.671805][  T743] Freed by task 743:
[ 29.675531][ T743] kasan_save_stack (mm/kasan/common.c:39) 
[ 29.680034][ T743] kasan_set_track (mm/kasan/common.c:45) 
[ 29.684456][ T743] kasan_set_free_info (mm/kasan/generic.c:372) 
[ 29.689218][ T743] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374) 
[ 29.693898][ T743] kmem_cache_free (mm/slub.c:1754 mm/slub.c:3509 mm/slub.c:3526) 
[ 29.698402][ T743] do_mas_align_munmap (mm/mmap.c:2205 mm/mmap.c:2463) 
[ 29.703341][ T743] do_mas_munmap (mm/mmap.c:2508) 
[ 29.707759][ T743] do_munmap (mm/mmap.c:2519) 
[ 29.711747][ T743] move_vma (mm/mremap.c:698) 
[ 29.715734][ T743] __do_sys_mremap (mm/mremap.c:1063) 
[ 29.720410][ T743] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 29.724661][ T743] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   29.730386][  T743]
[   29.732559][  T743] The buggy address belongs to the object at ffff888805c9e288
[   29.732559][  T743]  which belongs to the cache vm_area_struct of size 152
[   29.746661][  T743] The buggy address is located 32 bytes inside of
[   29.746661][  T743]  152-byte region [ffff888805c9e288, ffff888805c9e320)
[   29.759656][  T743] The buggy address belongs to the page:
[   29.765109][  T743] page:0000000051b8737b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x805c9e
[   29.775143][  T743] memcg:ffff8887f5a57401
[   29.779214][  T743] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[   29.786830][  T743] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff88810021edc0
[   29.795223][  T743] raw: 0000000000000000 0000000080120012 00000001ffffffff ffff8887f5a57401
[   29.803632][  T743] page dumped because: kasan: bad access detected
[   29.809864][  T743]
[   29.812037][  T743] Memory state around the buggy address:
[   29.817491][  T743]  ffff888805c9e180: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[   29.825364][  T743]  ffff888805c9e200: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   29.833238][  T743] >ffff888805c9e280: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.841107][  T743]                                   ^
[   29.846300][  T743]  ffff888805c9e300: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb
[   29.854169][  T743]  ffff888805c9e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   29.862040][  T743] ==================================================================
[   29.869911][  T743] Disabling lock debugging due to kernel taint
[   29.875935][  T743] general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] SMP KASAN PTI
[   29.887123][  T743] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
[   29.895356][  T743] CPU: 3 PID: 743 Comm: python3.7 Tainted: G    B             5.17.0-rc4-00070-g82e080f31808 #1
[   29.905567][  T743] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[ 29.913630][ T743] RIP: 0010:move_vma (mm/mremap.c:716) 
[ 29.918398][ T743] Code: 3c 02 00 0f 85 88 06 00 00 48 8b 73 08 4c 89 e7 e8 d6 6c fe ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 4b 06 00 00 48 81 48 20 00 00 10 00 eb 03 4c 63
All code
========
   0:	3c 02                	cmp    $0x2,%al
   2:	00 0f                	add    %cl,(%rdi)
   4:	85 88 06 00 00 48    	test   %ecx,0x48000006(%rax)
   a:	8b 73 08             	mov    0x8(%rbx),%esi
   d:	4c 89 e7             	mov    %r12,%rdi
  10:	e8 d6 6c fe ff       	callq  0xfffffffffffe6ceb
  15:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  1c:	fc ff df 
  1f:	48 8d 78 20          	lea    0x20(%rax),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
  2a:*	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)		<-- trapping instruction
  2e:	0f 85 4b 06 00 00    	jne    0x67f
  34:	48 81 48 20 00 00 10 	orq    $0x100000,0x20(%rax)
  3b:	00 
  3c:	eb 03                	jmp    0x41
  3e:	4c                   	rex.WR
  3f:	63                   	.byte 0x63

Code starting with the faulting instruction
===========================================
   0:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)
   4:	0f 85 4b 06 00 00    	jne    0x655
   a:	48 81 48 20 00 00 10 	orq    $0x100000,0x20(%rax)
  11:	00 
  12:	eb 03                	jmp    0x17
  14:	4c                   	rex.WR
  15:	63                   	.byte 0x63


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.17.0-rc4-00070-g82e080f31808" of type "text/plain" (166437 bytes)

View attachment "job-script" of type "text/plain" (5554 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (19976 bytes)

View attachment "blktests" of type "text/plain" (69349 bytes)

View attachment "job.yaml" of type "text/plain" (4479 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ