lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <tencent_B6C93CB489F178301772C9B805EC5198ED09@qq.com>
Date: Wed, 5 Mar 2025 10:03:11 -0500
From: "ffhgfv" <744439878@...com>
To: "minchan" <minchan@...nel.org>, "senozhatsky" <senozhatsky@...omium.org>, "akpm" <akpm@...ux-foundation.org>, "linux-mm" <linux-mm@...ck.org>, "linux-kernel" <linux-kernel@...r.kernel.org>
Subject: 回复:kernel bug found and suggestions for fixing it

Sorry I provided the crash log for 6.9-rc7, but after analysis it seems likely that this issue also exists in the latest version of the kernel (v6.14-rc5).






------------------ Original email ------------------
Hello, I found a bug titled "  BUG: corrupted list in fix_fullness_group " with modified syzkaller in the lasted upstream related to  ZSMALLOC.
If you fix this issue, please add the following tag to the commit:  Reported-by: Jianzhou Zhao <xnxc22xnxc22@...com>,    xingwei lee <xrivendell7@...il.com>, Zhizhuo Tang <strforexctzzchange@...mail.com>

------------[ cut here ]-----------------------------------------
 BUG: corrupted list in fix_fullness_group
==================================================================
list_add corruption. next-&gt;prev should be prev (ffff8880436a4020), but was ffff8881436a4020. (next=ffff8880436a4020).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 86 Comm: kswapd0 Not tainted 6.9.0-rc7 #51
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xb7/0x110 lib/list_debug.c:29
Code: 02 bd 8a e8 7b f3 22 fd 90 0f 0b 48 c7 c7 60 03 bd 8a e8 6c f3 22 fd 90 0f 0b 4c 89 e1 48 c7 c7 c0 03 bd 8a e8 5a f3 22 fd 90 &lt;0f&gt; 0b 48 89 f1 48 c7 c7 40 04 bd 8a 4c 89 e6 e8 45 f3 22 fd 90 0f
RSP: 0018:ffff888011886c88 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff88802348c688 RCX: ffffffff8164b313
RDX: 0000000000000000 RSI: ffffffff81652eae RDI: 0000000000000001
RBP: ffff888011886ca0 R08: ffff888011890000 R09: ffffed1002310d51
R10: ffffed1002310d50 R11: ffff888011886a87 R12: ffff8880436a4020
R13: ffff88802348c6a0 R14: ffff8880436a4020 R15: ffff88802348c6a0
FS:  0000000000000000(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd266fc6018 CR3: 000000001fc46000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <task>
 __list_add_valid include/linux/list.h:88 [inline]
 __list_add include/linux/list.h:150 [inline]
 list_add include/linux/list.h:169 [inline]
 insert_zspage mm/zsmalloc.c:672 [inline]
 fix_fullness_group+0x3f8/0x540 mm/zsmalloc.c:708
 zs_malloc+0x588/0x13b0 mm/zsmalloc.c:1355
 zs_zpool_malloc+0x35/0xa0 mm/zsmalloc.c:366
 zpool_malloc+0x8b/0xc0 mm/zpool.c:258
 zswap_compress mm/zswap.c:1049 [inline]
 zswap_store+0xaaa/0x26c0 mm/zswap.c:1580
 swap_writepage+0x99/0x2b0 mm/page_io.c:198
 pageout+0x384/0x810 mm/vmscan.c:660
 shrink_folio_list+0x12f3/0x3bd0 mm/vmscan.c:1323
 evict_folios+0x753/0x1890 mm/vmscan.c:4537
 try_to_shrink_lruvec+0x6be/0xa20 mm/vmscan.c:4733
 shrink_one+0x41e/0x7d0 mm/vmscan.c:4772
 shrink_many mm/vmscan.c:4835 [inline]
 lru_gen_shrink_node+0x6f6/0xe60 mm/vmscan.c:4935
 shrink_node+0x1a70/0x23a0 mm/vmscan.c:5894
 kswapd_shrink_node mm/vmscan.c:6704 [inline]
 balance_pgdat+0x974/0x15d0 mm/vmscan.c:6895
 kswapd+0x513/0xaf0 mm/vmscan.c:7164
 kthread+0x313/0x410 kernel/kthread.c:388
 ret_from_fork+0x56/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </task>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0xb7/0x110 lib/list_debug.c:29
Code: 02 bd 8a e8 7b f3 22 fd 90 0f 0b 48 c7 c7 60 03 bd 8a e8 6c f3 22 fd 90 0f 0b 4c 89 e1 48 c7 c7 c0 03 bd 8a e8 5a f3 22 fd 90 &lt;0f&gt; 0b 48 89 f1 48 c7 c7 40 04 bd 8a 4c 89 e6 e8 45 f3 22 fd 90 0f
RSP: 0018:ffff888011886c88 EFLAGS: 00010282
RAX: 0000000000000075 RBX: ffff88802348c688 RCX: ffffffff8164b313
RDX: 0000000000000000 RSI: ffffffff81652eae RDI: 0000000000000001
RBP: ffff888011886ca0 R08: ffff888011890000 R09: ffffed1002310d51
R10: ffffed1002310d50 R11: ffff888011886a87 R12: ffff8880436a4020
R13: ffff88802348c6a0 R14: ffff8880436a4020 R15: ffff88802348c6a0
FS:  0000000000000000(0000) GS:ffff88802d000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd266fc6018 CR3: 000000001fc46000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554

==================================================================
I use the same kernel as syzbot instance upstream: 7eb172143d5508b4da468ed59ee857c6e5e01da6
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&amp;x=da4b04ae798b7ef6
compiler: gcc version 11.4.0
===============================================================================
Unfortunately, the modified syzkaller does not generate an effective repeat program.
The following is my analysis of the bug and repair suggestions, hoping to help with the repair of the bug:
## Root cause analysis
The crash was caused by a list node corruption while the zsmalloc memory allocator was adjusting the memory page's fullness list. The specific cause could be:

Concurrent access is not synchronized correctly. The fix_fullness_group() did not hold the zspool lock correctly when manipulating the class-&gt;fullness_list linked list, causing multiple CPU cores (such as kswapd and memory allocation threads) to modify the linked list node simultaneously.
Memory overreach /UAF (Use-After-Free).In the zs_malloc path, the linked list pointer may be abnormal because the object metadata is overwritten.

### Repair suggestions
Hardening lock mechanism. Ensure that the correct pool locks are held in zs_malloc and page migration paths.
Patch example:
mm/zsmalloc.c:
static int fix_fullness_group(struct size_class *class, struct zspage *zspage)
{
int newfg;

newfg = get_fullness_group(class, zspage);
if (newfg == zspage-&gt;fullness)
goto out;
++  spin_lock(&amp;class-&gt;lock);
remove_zspage(class, zspage);
insert_zspage(class, zspage, newfg);
++  spin_unlock(&amp;class-&gt;lock);
out:
return newfg;
}

=========================================================================
I hope it helps.
Best regards
Jianzhou Zhao
xingwei lee
Zhizhuo Tang</strforexctzzchange@...mail.com></xrivendell7@...il.com></xnxc22xnxc22@...com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ