lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220615142508.mtp65w6tdiurtvcn@revolver>
Date:   Wed, 15 Jun 2022 14:25:18 +0000
From:   Liam Howlett <liam.howlett@...cle.com>
To:     Yu Zhao <yuzhao@...gle.com>
CC:     Qian Cai <quic_qiancai@...cinc.com>,
        "maple-tree@...ts.infradead.org" <maple-tree@...ts.infradead.org>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v9 28/69] mm/mmap: reorganize munmap to use maple states

* Yu Zhao <yuzhao@...gle.com> [220611 17:50]:
> On Sat, Jun 11, 2022 at 2:11 PM Yu Zhao <yuzhao@...gle.com> wrote:
> >
> > On Mon, Jun 6, 2022 at 10:40 AM Qian Cai <quic_qiancai@...cinc.com> wrote:
> > >
> > > On Mon, Jun 06, 2022 at 04:19:52PM +0000, Liam Howlett wrote:
> > > > Does your syscall fuzzer create a reproducer?  This looks like arm64
> > > > and says 5.18.0-next-20220603 again.  Was this bisected to the patch
> > > > above?
> > >
> > > This was triggered by running the fuzzer over the weekend.
> > >
> > > $ trinity -C 160
> > >
> > > No bisection was done. It was only brought up here because the trace
> > > pointed to do_mas_munmap() which was introduced here.
> >
> > Liam,
> >
> > I'm getting a similar crash on arm64 -- the allocator is madvise(),
> > not mprotect(). Please take a look.
> 
> Another crash on x86_64, which seems different:

Thanks for this.  I was able to reproduce the other crashes that you and
Qian reported.  I've sent out a patch set to Andrew to apply to the
branch which includes the fix for them and an unrelated issue discovered
when I wrote the testcases to cover what was going on here.


> 
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in mab_mas_cp+0x2d9/0x6c0
> Write of size 136 at addr ffff88c5a2319c80 by task stress-ng/18461
> 
> CPU: 66 PID: 18461 Comm: stress-ng Tainted: G S        I       5.19.0-smp-DEV #1
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0xc5/0xf4
>  print_address_description+0x7f/0x460
>  print_report+0x10b/0x240
>  ? mab_mas_cp+0x2d9/0x6c0
>  kasan_report+0xe6/0x110
>  ? mab_mas_cp+0x2d9/0x6c0
>  kasan_check_range+0x2ef/0x310
>  ? mab_mas_cp+0x2d9/0x6c0
>  memcpy+0x44/0x70
>  mab_mas_cp+0x2d9/0x6c0
>  mas_spanning_rebalance+0x1a45/0x4d70
>  ? stack_trace_save+0xca/0x160
>  ? stack_trace_save+0xca/0x160
>  mas_wr_spanning_store+0x16a4/0x1ad0
>  mas_wr_spanning_store+0x16a4/0x1ad0
>  mas_wr_store_entry+0xbf9/0x12e0
>  mas_store_prealloc+0x205/0x3c0
>  do_mas_align_munmap+0x6cf/0xd10
>  do_mas_munmap+0x1bb/0x210
>  ? down_write_killable+0xa6/0x110
>  __vm_munmap+0x1c4/0x270
>  __x64_sys_munmap+0x60/0x70
>  do_syscall_64+0x44/0xa0
>  entry_SYSCALL_64_after_hwframe+0x46/0xb0
> RIP: 0033:0x589827
> Code: 00 00 00 48 c7 c2 98 ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff
> ff eb 85 66 2e 0f 1f 84 00 00 00 00 00 90 b8 0b 00 00 00 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 98 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fff9276c518 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
> RAX: ffffffffffffffda RBX: 0000400000000000 RCX: 0000000000589827
> RDX: 0000000000000000 RSI: 00007ffffffff000 RDI: 0000000000000000
> RBP: 00000000004cf000 R08: 00007fff9276c550 R09: 0000000000923bf0
> R10: 0000000000000008 R11: 0000000000000206 R12: 0000000000001000
> R13: 00000000004cf040 R14: 0000000000000004 R15: 00007fff9276c668
>  </TASK>

...

As for this crash, I was unable to reproduce and the code I just sent
out changes this code a lot.  Was this running with "trinity -c madvise"
or another use case/fuzzer?


Thanks,
Liam

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ