lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87frqi76ns.ffs@tglx>
Date: Mon, 02 Sep 2024 11:21:11 +0200
From: Thomas Gleixner <tglx@...utronix.de>
To: Xingyu Li <xli399@....edu>, akpm@...ux-foundation.org,
 linux-kernel@...r.kernel.org
Cc: Yu Hao <yhao016@....edu>
Subject: Re: BUG: general protection fault in __free_object

On Wed, Aug 28 2024 at 16:27, Xingyu Li wrote:
> We found a bug in Linux 6.10 using syzkaller. It is possibly a null
> pointer dereference  bug.
> The reproducer is
> https://gist.github.com/freexxxyyy/5aefd53c6567415e9fe8c76cc2ad390c

Reproducer alone is not really helpful. This needs the corresponding
kernel config, the exact kernel version and a description of the
reproduction environment (compiler, qemu command line ....)

It does not reproduce here at all.

Also if it really reproduces, then have you checked against current
mainline as well?

> RIP: 0010:hlist_add_head include/linux/list.h:1032 [inline]
> RIP: 0010:__free_object+0x903/0xaa0 lib/debugobjects.c:396
>  __debug_check_no_obj_freed lib/debugobjects.c:994 [inline]
>  debug_check_no_obj_freed+0x135/0x530 lib/debugobjects.c:1019
>  slab_free_hook mm/slub.c:2163 [inline]
>  slab_free_freelist_hook mm/slub.c:2225 [inline]
>  slab_free_bulk mm/slub.c:4462 [inline]
>  kmem_cache_free_bulk+0x1bf/0x360 mm/slub.c:4676

The code in question is serialized against objpool modifications with
pool_lock. So nothing can change any of the related data.

    if (obj_pool_free > debug_objects_pool_size &&
        obj_nr_tofree < ODEBUG_FREE_WORK_MAX) {

	for (i = 0; i < ODEBUG_BATCH_SIZE; i++) {
		obj = __alloc_object(&obj_pool);
		hlist_add_head(&obj->node, &obj_to_free); <- fail

debug_objects_pool_size is initialized to:

        ODEBUG_POOL_SIZE + num_possible_cpus() * ODEBUG_BATCH_SIZE;
=
        1024 + num_possible_cpus() * 16

The minimum size is 1040, so there are at least 1040 objects in
obj_pool. The loop allocates at max 16 objects, which means

             __alloc_object(&obj_pool);

is guaranteed to return an object and cannot return NULL.

So the only reason why this can result in a NULL pointer dereference is
that the obj_to_free list is corrupted. No idea how that should happen.

Maybe some proper reproducer instructions shed some light to it.

Thanks,

        tglx





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ