| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAH2r5mvoS8Py_M95+i0hB2iP06Uqz5JQbb13schBfdmJ6NzL3g@mail.gmail.com> Date: Mon, 19 May 2025 10:41:33 -0500 From: Steve French <smfrench@...il.com> To: Wang Zhaolong <wangzhaolong1@...wei.com> Cc: Paulo Alcantara <pc@...guebit.com>, sfrench@...ibm.com, linux-cifs@...r.kernel.org, samba-technical@...ts.samba.org, linux-kernel@...r.kernel.org, chengzhihao1@...wei.com, yi.zhang@...wei.com, yangerkun@...wei.com Subject: Re: [PATCH V2 0/2] smb: client: Fix use-after-free in readdir I was able to reproduce it by running the reproducer poc much longer [189335.643181] Key type cifs.idmap unregistered [189335.643203] Key type cifs.spnego unregistered [189335.649519] CIFS: VFS: kmem_cache_destroy small req cachep [189335.656316] ============================================================================= [189335.656320] BUG cifs_small_rq (Tainted: G B W OE ): Objects remaining on __kmem_cache_shutdown() [189335.656322] ----------------------------------------------------------------------------- [189335.656324] Object 0x000000001a39cfef @offset=15232 [189335.656326] Slab 0x00000000479475fe objects=36 used=1 fp=0x0000000090941d36 flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) [189335.656334] ------------[ cut here ]------------ [189335.656335] WARNING: CPU: 1 PID: 84118 at mm/slub.c:1135 __slab_err+0x1d/0x30 .... [189335.656512] [last unloaded: cifs(OE)] [189335.656516] CPU: 1 UID: 0 PID: 84118 Comm: rmmod Tainted: G B W OE 6.15.0-061500rc4-generic #202504272253 PREEMPT(voluntary) [189335.656520] Tainted: [B]=BAD_PAGE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [189335.656521] Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET70W (1.53 ) 03/11/2024 [189335.656522] RIP: 0010:__slab_err+0x1d/0x30 [189335.656525] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 e8 72 ff ff ff be 01 00 00 00 bf 05 00 00 00 e8 33 b2 1c 00 <0f> 0b 5d 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 [189335.656527] RSP: 0018:ffffcf3041b33a18 EFLAGS: 00010046 [189335.656529] RAX: 0000000000000000 RBX: ffffcf3041b33a60 RCX: 0000000000000000 [189335.656530] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [189335.656531] RBP: ffffcf3041b33a18 R08: 0000000000000000 R09: 0000000000000000 [189335.656533] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8c1b49eb7600 [189335.656534] R13: ffff8c1b4ccd9580 R14: dead000000000122 R15: ffff8c1b4ccd9580 [189335.656535] FS: 00007d912677e080(0000) GS:ffff8c2312b1b000(0000) knlGS:0000000000000000 [189335.656537] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [189335.656538] CR2: 000061c8bedf4778 CR3: 00000003f2b4a001 CR4: 00000000003726f0 [189335.656540] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [189335.656541] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [189335.656542] Call Trace: [189335.656543] <TASK> [189335.656546] free_partial.cold+0x137/0x191 [189335.656550] __kmem_cache_shutdown+0x46/0xa0 [189335.656553] kmem_cache_destroy+0x3e/0x1c0 [189335.656558] cifs_destroy_request_bufs+0x5c/0x70 [cifs] [189335.656618] exit_cifs+0x3a/0xef0 [cifs] [189335.656666] __do_sys_delete_module.isra.0+0x19d/0x2e0 [189335.656671] __x64_sys_delete_module+0x12/0x20 [189335.656674] x64_sys_call+0x1765/0x2320 [189335.656677] do_syscall_64+0x7e/0x210 [189335.656679] ? __fput+0x1a2/0x2d0 [189335.656681] ? kmem_cache_free+0x408/0x470 [189335.656684] ? __fput+0x1a2/0x2d0 [189335.656686] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0 [189335.656689] ? syscall_exit_to_user_mode+0x38/0x1d0 [189335.656692] ? do_syscall_64+0x8a/0x210 [189335.656695] ? do_read_fault+0xfb/0x230 [189335.656698] ? do_fault+0x15d/0x220 [189335.656699] ? handle_pte_fault+0x140/0x210 [189335.656702] ? __handle_mm_fault+0x3cd/0x790 [189335.656705] ? __count_memcg_events+0xd3/0x1a0 [189335.656708] ? count_memcg_events.constprop.0+0x2a/0x50 [189335.656710] ? handle_mm_fault+0x1ca/0x2e0 [189335.656713] ? do_user_addr_fault+0x2f8/0x830 [189335.656716] ? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0 [189335.656719] ? irqentry_exit_to_user_mode+0x2d/0x1d0 [189335.656722] ? irqentry_exit+0x43/0x50 [189335.656724] ? exc_page_fault+0x96/0x1e0 [189335.656727] entry_SYSCALL_64_after_hwframe+0x76/0x7e [189335.656729] RIP: 0033:0x7d9125f2ac9b [189335.656731] Code: 73 01 c3 48 8b 0d 7d 81 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4d 81 0d 00 f7 d8 64 89 01 48 [189335.656732] RSP: 002b:00007ffe9b9656f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 [189335.656735] RAX: ffffffffffffffda RBX: 00005eb63e457720 RCX: 00007d9125f2ac9b [189335.656736] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005eb63e457788 [189335.656737] RBP: 00007ffe9b965720 R08: 1999999999999999 R09: 0000000000000000 [189335.656738] R10: 00007d9125fb1fc0 R11: 0000000000000206 R12: 0000000000000000 [189335.656740] R13: 00007ffe9b965970 R14: 00005eb63e457720 R15: 0000000000000000 [189335.656743] </TASK> [189335.656744] ---[ end trace 0000000000000000 ]--- [189335.656803] ------------[ cut here ]------------ [189335.656804] kmem_cache_destroy cifs_small_rq: Slab cache still has objects when called from cifs_destroy_request_bufs+0x5c/0x70 [cifs] [189335.656861] WARNING: CPU: 1 PID: 84118 at mm/slab_common.c:525 kmem_cache_destroy+0x152/0x1c0 .... On Sun, May 18, 2025 at 9:56 PM Wang Zhaolong <wangzhaolong1@...wei.com> wrote: > > > > > > > Merged into cifs-2.6.git for-next > > > > I was only able to reproduce the rmmod problem once though (without > > the patch) so been tricky to test. What server were you testing > > against (I tried current Samba and ksmbd)? > > > > I initialized the Samba server using the `samba` package provided by the > Debian Trixie distribution. > > Best regards, > Wang Zhaolong -- Thanks, Steve
Powered by blists - more mailing lists