Message-ID: <20220518143444.GA22659@xsang-OptiPlex-9020>
Date:   Wed, 18 May 2022 22:34:44 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Alexey Gladkov <legion@...nel.org>
Cc:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        kernel test robot <oliver.sang@...el.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [ucounts]  ddc97dfbb3: BUG:KASAN:use-after-free_in_dec_ucount

Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: ddc97dfbb3f12c0a540104d41da1067ac9d38672 ("ucounts: Split rlimit and ucount values and max values")
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git ucount-rlimits-cleanups-for-v5.19

in testcase: trinity
version: trinity-x86_64-3f8670b2-1_20220411
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):

If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>

[ 36.843393][ T24] BUG: KASAN: use-after-free in dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256) 
[   36.844198][   T24] Write of size 8 at addr ffff88816bfce640 by task kworker/u4:1/24
[   36.845191][   T24]
[   36.845449][   T24] CPU: 1 PID: 24 Comm: kworker/u4:1 Not tainted 5.18.0-rc1-00001-gddc97dfbb3f1 #1
[   36.846620][   T24] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[   36.847917][   T24] Workqueue: netns cleanup_net
[   36.848527][   T24] Call Trace:
[   36.848948][   T24]  <TASK>
[ 36.849331][ T24] ? dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256) 
[ 36.849848][ T24] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 36.850391][ T24] print_address_description+0x1f/0x200 
[ 36.851198][ T24] ? dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256) 
[ 36.851756][ T24] print_report.cold (mm/kasan/report.c:430) 
[ 36.852418][ T24] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 36.853104][ T24] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) 
[ 36.853660][ T24] ? dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256) 
[ 36.854248][ T24] kasan_check_range (mm/kasan/generic.c:190) 
[ 36.854859][ T24] dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256) 
[ 36.855349][ T24] cleanup_net (net/core/net_namespace.c:612) 
[ 36.855808][ T24] ? rtnl_valid_dump_net_req+0x580/0x580 
[ 36.856609][ T24] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294) 
[ 36.857219][ T24] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) 
[ 36.859714][ T24] ? process_one_work (kernel/workqueue.c:2379) 
[ 36.860350][ T24] kthread (kernel/kthread.c:376) 
[ 36.860849][ T24] ? kthread_complete_and_exit (kernel/kthread.c:331) 
[ 36.861535][ T24] ret_from_fork (arch/x86/entry/entry_64.S:304) 
[   36.862113][   T24]  </TASK>
[   36.864730][   T24]
[   36.867151][   T24] Allocated by task 715:
[ 36.869978][ T24] kasan_save_stack (mm/kasan/common.c:39) 
[ 36.872939][ T24] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524) 
[ 36.875369][ T24] alloc_ucounts (kernel/ucount.c:176) 
[ 36.877899][ T24] inc_ucount (kernel/ucount.c:234) 
[ 36.880495][ T24] alloc_mnt_ns (fs/namespace.c:3390 fs/namespace.c:3422) 
[ 36.883163][ T24] copy_mnt_ns (fs/namespace.c:3471) 
[ 36.885812][ T24] create_new_namespaces (kernel/nsproxy.c:78) 
[ 36.888580][ T24] unshare_nsproxy_namespaces (kernel/nsproxy.c:226 (discriminator 4)) 
[ 36.891337][ T24] ksys_unshare (kernel/fork.c:3132) 
[ 36.893682][ T24] __ia32_sys_unshare (kernel/fork.c:3201) 
[ 36.896155][ T24] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132) 
[ 36.899100][ T24] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419) 
[   36.901532][   T24]
[   36.903311][   T24] Freed by task 746:
[ 36.905192][ T24] kasan_save_stack (mm/kasan/common.c:39) 
[ 36.907098][ T24] kasan_set_track (mm/kasan/common.c:45) 
[ 36.908924][ T24] kasan_set_free_info (mm/kasan/generic.c:372) 
[ 36.910758][ T24] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374) 
[ 36.912918][ T24] kfree (mm/slub.c:1754 mm/slub.c:3510 mm/slub.c:4552) 
[ 36.915052][ T24] put_ucounts (kernel/ucount.c:204) 
[ 36.917096][ T24] put_cred_rcu (kernel/cred.c:125) 
[ 36.919155][ T24] rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2542) 
[ 36.921116][ T24] rcu_core (kernel/rcu/tree.c:2788) 
[ 36.923065][ T24] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/irq.h:142 kernel/softirq.c:559) 
[   36.925008][   T24]
[   36.926517][   T24] The buggy address belongs to the object at ffff88816bfce600
[   36.926517][   T24]  which belongs to the cache kmalloc-192 of size 192
[   36.930826][   T24] The buggy address is located 64 bytes inside of
[   36.930826][   T24]  192-byte region [ffff88816bfce600, ffff88816bfce6c0)
[   36.935420][   T24]
[   36.937090][   T24] The buggy address belongs to the physical page:
[   36.939221][   T24] page:0000000000dfd912 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16bfce
[   36.941604][   T24] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[   36.943685][   T24] raw: 0017ffffc0000200 ffffea0005aff680 dead000000000004 ffff888100041a00
[   36.945718][   T24] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   36.947908][   T24] page dumped because: kasan: bad access detected
[   36.949905][   T24] page_owner tracks the page as allocated
[   36.951784][   T24] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 169, tgid 169 (udevadm), ts 20403518274, free_ts 0
[ 36.956103][ T24] get_page_from_freelist (mm/page_alloc.c:2452 mm/page_alloc.c:4182) 
[ 36.958207][ T24] __alloc_pages (mm/page_alloc.c:5408) 
[ 36.960331][ T24] allocate_slab (mm/slub.c:1799 mm/slub.c:1944) 
[ 36.962405][ T24] ___slab_alloc (mm/slub.c:3005) 
[ 36.964428][ T24] kmem_cache_alloc_trace (mm/slub.c:3092 mm/slub.c:3183 mm/slub.c:3225 mm/slub.c:3256) 
[ 36.966569][ T24] kernfs_fop_open (include/linux/slab.h:581 include/linux/slab.h:714 fs/kernfs/file.c:623) 
[ 36.968649][ T24] do_dentry_open (fs/open.c:825) 
[ 36.970687][ T24] do_open (fs/namei.c:3477) 
[ 36.972629][ T24] path_openat (fs/namei.c:3609) 
[ 36.974515][ T24] do_filp_open (fs/namei.c:3636) 
[ 36.976282][ T24] do_sys_openat2 (fs/open.c:1213) 
[ 36.978071][ T24] __x64_sys_openat (fs/open.c:1240) 
[ 36.979981][ T24] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 36.981852][ T24] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[   36.983829][   T24] page_owner free stack trace missing
[   36.985592][   T24]
[   36.987060][   T24] Memory state around the buggy address:
[   36.988818][   T24]  ffff88816bfce500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.990894][   T24]  ffff88816bfce580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   36.992890][   T24] >ffff88816bfce600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.994928][   T24]                                            ^
[   36.996702][   T24]  ffff88816bfce680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.998765][   T24]  ffff88816bfce700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.000806][   T24] ==================================================================
[   37.003027][   T24] Disabling lock debugging due to kernel taint
[   39.233643][  T270] LKP: stdout: 257: HOSTNAME vm-snb-90, MAC 52:54:00:12:34:56, kernel 5.18.0-rc1-00001-gddc97dfbb3f1 1
[   39.233664][  T270]
[   39.485271][  T270] install debs round one: dpkg -i --force-confdef --force-depends /opt/deb/gawk_1%3a4.2.1+dfsg-1_amd64.deb
[   39.485681][  T270]
[   39.498197][  T270] Selecting previously unselected package gawk.
[   39.498216][  T270]
[   39.508832][  T270] (Reading database ... 16553 files and directories currently installed.)
[   39.508850][  T270]
[   39.517994][  T270] Preparing to unpack .../gawk_1%3a4.2.1+dfsg-1_amd64.deb ...

To reproduce:

	# build kernel
	cd linux
	cp config-5.18.0-rc1-00001-gddc97dfbb3f1 .config
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

	# if you come across any failure that blocks the test,
	# please remove the ~/.lkp and /lkp dirs to run from a clean state.

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.18.0-rc1-00001-gddc97dfbb3f1" of type "text/plain" (166083 bytes)

View attachment "job-script" of type "text/plain" (4672 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (16904 bytes)