| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Jan 2016 08:50:01 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: Dmitry Vyukov <dvyukov@...gle.com>,
netdev <netdev@...r.kernel.org>, willy tarreau <w@....eu>,
Rainer Weikusat <rweikusat@...ileactivedefense.com>
Cc: Michal Hocko <mhocko@...e.cz>,
Andrew Morton <akpm@...ux-foundation.org>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
Vladimir Davydov <vdavydov@...tuozzo.com>,
Johannes Weiner <hannes@...xchg.org>,
Eric Dumazet <edumazet@...gle.com>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>
Subject: Re: struct pid memory leak
CC netdev, as it looks some af_unix issue ...
On Fri, 2016-01-22 at 16:08 +0100, Dmitry Vyukov wrote:
> Hello,
>
> The following program causes struct pid memory leak:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <pthread.h>
> #include <stdint.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
>
> long r[37];
>
> void* thr(void* arg)
> {
> switch ((long)arg) {
> case 0:
> r[0] = syscall(SYS_mmap, 0x20000000ul, 0xd000ul, 0x3ul, 0x32ul,
> 0xfffffffffffffffful, 0x0ul);
> break;
> case 1:
> r[1] = syscall(SYS_socketpair, 0x1ul, 0x2ul, 0x0ul, 0x20000ffcul, 0,
> 0);
> if (r[1] != -1)
> r[2] = *(uint32_t*)0x20001000;
> break;
> case 2:
> r[3] =
> syscall(SYS_accept, r[2], 0x20000ffbul, 0x20000ffful, 0, 0, 0);
> break;
> case 3:
> r[4] = syscall(SYS_socketpair, 0x1ul, 0x1ul, 0x0ul, 0x20001ff8ul, 0,
> 0);
> if (r[4] != -1)
> r[5] = *(uint32_t*)0x20001ff8;
> if (r[4] != -1)
> r[6] = *(uint32_t*)0x20001ffc;
> break;
> case 4:
> memcpy((void*)0x2000bf5c,
> "\xd4\x37\x4c\x81\xff\x25\x00\xf7\x44\x0d\x1a\xe2\x4d\xae"
> "\x17\x36\xb0\xef\x85\xd0\xb6\xa2\x0a\x4c\x29\xf0\x43\x3c"
> "\x2b\xab\xdf\x9f\x3e\x4b\x9c\x1b\xb0\x36\xce\xe7\x14\x2b"
> "\xa4\x33\x47\xd5\x58\x76\x63\x83\x71\xb3\x95\x37\xca\x25"
> "\x93\x3f\x46\xd7\xc0\x8f\x8e\x2a\xcf\x0d\x60\xb7\x62\xac"
> "\xd9\xaf\x6e\x88\x3f\xe0\xbf\x94\xc3\x57\x74\x8d\x22\xed"
> "\x61\x71\x85\x10\x64\x2d\x50\xdf\xae\x9a\xdd\xa2\x5e\x28"
> "\xa3\xf8\x14\xf0\x94\x4a\xac\x82\x45\xed\x85\x7a\xb6\x2b"
> "\xef\xb4\x0b\x78\xb8\x92\x30\xcc\x5d\xcc\x07\xbf\x70\x4e"
> "\x1c\x10\x38\xde\x89\x58\x8b\x87\x97\xc9\x6a\x62\x84\x3b"
> "\xcd\x37\xbb\x8d\x41\x50\x65\x24\xa8\x90\x85\xa7\x51\x32"
> "\x58\xf9\x71\xb3\x0b\xf0\x0f\xe6\xc4\x81",
> 164);
> r[8] = syscall(SYS_write, r[5], 0x2000bf5cul, 0xa4ul, 0, 0, 0);
> break;
> case 5:
> *(uint32_t*)0x2000cb16 = (uint32_t)0x20;
> *(uint32_t*)0x2000cb1a = (uint32_t)0xfffffffffffffffd;
> *(uint64_t*)0x2000cb1e = (uint64_t)0x1;
> *(uint32_t*)0x2000cb26 = (uint32_t)0xd51;
> *(uint32_t*)0x2000cb2a = (uint32_t)0x3;
> *(uint32_t*)0x2000cb2e = (uint32_t)0x9;
> *(uint32_t*)0x2000cb32 = (uint32_t)0x9;
> r[16] = syscall(SYS_write, r[5], 0x2000cb16ul, 0x20ul, 0, 0, 0);
> break;
> case 6:
> *(uint32_t*)0x20005ffc = (uint32_t)0x7;
> r[18] = syscall(SYS_setsockopt, r[6], 0x1ul, 0x10ul, 0x20005ffcul,
> 0x4ul, 0);
> break;
> case 7:
> memcpy((void*)0x20003000,
> "\xad\xd4\xf6\xb6\x5d\x21\x41\x96\x29\xc7\x46\x59\xb5\x12"
> "\x13\x1f\xc2\xab\x18\x66\x38\x2f\x01\xd0\x78\x07\x19\xe4"
> "\x2f\xac\xa5\x81\xc9\x01\x6f\x8d\xeb\x2f\x06\x23\xc8\x42"
> "\xf8\x6e\x04\xf6\xcf\x7e\x76\x1a\xb8\xe3\xff\x45\x30\x9b"
> "\x0a\x9a\x0d\x1a\x6d\xfe\x01\x94\xc3\xc6\xfb\xc7\xd2\x7d"
> "\xe3\x5f\xc9\xdb\xa8\xfc\x9a\x0c\xdf\x4a\xf9\x6c\xf5\xcd"
> "\x20\x90\x16\xd6\x2a\xec\x79\xac\x6a\x04\x9d\x92\xd3\x7d"
> "\x2c\xf5\x24\x60\xcc\x57\xb1\x1e\x2a\xf9\x33\x54\x7b\xd8"
> "\x5b\x23\x26\x79\xdb\x89\x72\xf7\x17\xe0\x1c\x1f\x2e\xc0"
> "\x23\x94\xc5\xb1\x7d\xea\x84\xd1\x40\x43\x8a\xc1\x89\xa2"
> "\x72\xd8\x8a\xff\xf7\x30\xc9\x96\x5c\x84\x58\x4f\x7e\x04"
> "\x84\x45\x1b\x83\x51\xb6\x90\x4a\x17\x4e\x95\x09\xb9\x37"
> "\x6e\xe6\xb0\x5e\xb5\x11\xb6\x2f\x06\x75\x31\x57\xda\xc2"
> "\xfe\x5d\x84\x0e\x6a\x29\xb7\xe6\x22\xf2\xc9\x00\xa5\x80"
> "\x0f\x48\x42\x38\x5a\x66\x32\x91\x5a\xe5\x5e\xfe\xce\xc0"
> "\x98\x16\x19\x39\x21\x4b\x60\xe1\xa5\x7a\xba\x62\xd4\x38"
> "\x96\x2d\x79\x09\x30\x2c\x75\x54\x68\xca",
> 234);
> r[20] = syscall(SYS_sendto, r[5], 0x20003000ul, 0xeaul, 0x4000ul,
> 0x20003000ul, 0x0ul);
> break;
> case 8:
> *(uint64_t*)0x2000a000 = (uint64_t)0x2000a000;
> *(uint32_t*)0x2000a008 = (uint32_t)0x1c;
> *(uint64_t*)0x2000a010 = (uint64_t)0x2000ac60;
> *(uint64_t*)0x2000a018 = (uint64_t)0x4;
> *(uint64_t*)0x2000a020 = (uint64_t)0x2000a8b3;
> *(uint64_t*)0x2000a028 = (uint64_t)0x1000;
> *(uint32_t*)0x2000a030 = (uint32_t)0x0;
> *(uint64_t*)0x2000ac60 = (uint64_t)0x2000afb4;
> *(uint64_t*)0x2000ac68 = (uint64_t)0x7a;
> *(uint64_t*)0x2000ac70 = (uint64_t)0x2000affe;
> *(uint64_t*)0x2000ac78 = (uint64_t)0x10;
> *(uint64_t*)0x2000ac80 = (uint64_t)0x2000afe2;
> *(uint64_t*)0x2000ac88 = (uint64_t)0x2f;
> *(uint64_t*)0x2000ac90 = (uint64_t)0x2000afdb;
> *(uint64_t*)0x2000ac98 = (uint64_t)0xd4;
> r[36] =
> syscall(SYS_recvmsg, r[6], 0x2000a000ul, 0x12100ul, 0, 0, 0);
> break;
> }
> return 0;
> }
>
> int main()
> {
> long i;
> pthread_t th[9];
>
> memset(r, -1, sizeof(r));
> for (i = 0; i < 9; i++) {
> pthread_create(&th[i], 0, thr, (void*)i);
> usleep(10000);
> }
> for (i = 0; i < 9; i++) {
> pthread_create(&th[i], 0, thr, (void*)i);
> if (i % 2 == 0)
> usleep(10000);
> }
> usleep(100000);
> return 0;
> }
>
> unreferenced object 0xffff8800324af200 (size 112):
> comm "syz-executor", pid 18413, jiffies 4295500287 (age 14.321s)
> hex dump (first 32 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff86315673>] kmemleak_alloc+0x63/0xa0 mm/kmemleak.c:916
> [< inline >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
> [< inline >] slab_post_alloc_hook mm/slub.c:1337
> [< inline >] slab_alloc_node mm/slub.c:2596
> [< inline >] slab_alloc mm/slub.c:2604
> [<ffffffff81758b49>] kmem_cache_alloc+0x149/0x2d0 mm/slub.c:2609
> [<ffffffff813adabd>] alloc_pid+0x5d/0xc90 kernel/pid.c:306
> [<ffffffff8134de09>] copy_process.part.35+0x3759/0x57a0 kernel/fork.c:1462
> [< inline >] copy_process kernel/fork.c:1274
> [<ffffffff8135017c>] _do_fork+0x1bc/0xcb0 kernel/fork.c:1723
> [< inline >] SYSC_clone kernel/fork.c:1832
> [<ffffffff81350d47>] SyS_clone+0x37/0x50 kernel/fork.c:1826
> [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> [<ffffffffffffffff>] 0xffffffffffffffff
>
>
> # cat /proc/slabinfo | grep pid
> pid 297 532 576 28 4 : tunables 0 0
> 0 : slabdata 19 19 0
> ...
> pid 412 532 576 28 4 : tunables 0 0
> 0 : slabdata 19 19 0
> ...
> pid 1107 1176 576 28 4 : tunables 0 0
> 0 : slabdata 42 42 0
> ...
> pid 1545 1652 576 28 4 : tunables 0 0
> 0 : slabdata 59 59 0
>
>
> On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).
Powered by blists - more mailing lists