lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1453481401.1223.396.camel@edumazet-glaptop2.roam.corp.google.com>
Date:	Fri, 22 Jan 2016 08:50:01 -0800
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Dmitry Vyukov <dvyukov@...gle.com>,
	netdev <netdev@...r.kernel.org>, willy tarreau <w@....eu>,
	Rainer Weikusat <rweikusat@...ileactivedefense.com>
Cc:	Michal Hocko <mhocko@...e.cz>,
	Andrew Morton <akpm@...ux-foundation.org>,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
	Vladimir Davydov <vdavydov@...tuozzo.com>,
	Johannes Weiner <hannes@...xchg.org>,
	Eric Dumazet <edumazet@...gle.com>,
	LKML <linux-kernel@...r.kernel.org>,
	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>
Subject: Re: struct pid memory leak

CC netdev, as it looks some af_unix issue ...

On Fri, 2016-01-22 at 16:08 +0100, Dmitry Vyukov wrote:
> Hello,
> 
> The following program causes struct pid memory leak:
> 
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <pthread.h>
> #include <stdint.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
> 
> long r[37];
> 
> void* thr(void* arg)
> {
>   switch ((long)arg) {
>   case 0:
>     r[0] = syscall(SYS_mmap, 0x20000000ul, 0xd000ul, 0x3ul, 0x32ul,
>                    0xfffffffffffffffful, 0x0ul);
>     break;
>   case 1:
>     r[1] = syscall(SYS_socketpair, 0x1ul, 0x2ul, 0x0ul, 0x20000ffcul, 0,
>                    0);
>     if (r[1] != -1)
>       r[2] = *(uint32_t*)0x20001000;
>     break;
>   case 2:
>     r[3] =
>         syscall(SYS_accept, r[2], 0x20000ffbul, 0x20000ffful, 0, 0, 0);
>     break;
>   case 3:
>     r[4] = syscall(SYS_socketpair, 0x1ul, 0x1ul, 0x0ul, 0x20001ff8ul, 0,
>                    0);
>     if (r[4] != -1)
>       r[5] = *(uint32_t*)0x20001ff8;
>     if (r[4] != -1)
>       r[6] = *(uint32_t*)0x20001ffc;
>     break;
>   case 4:
>     memcpy((void*)0x2000bf5c,
>            "\xd4\x37\x4c\x81\xff\x25\x00\xf7\x44\x0d\x1a\xe2\x4d\xae"
>            "\x17\x36\xb0\xef\x85\xd0\xb6\xa2\x0a\x4c\x29\xf0\x43\x3c"
>            "\x2b\xab\xdf\x9f\x3e\x4b\x9c\x1b\xb0\x36\xce\xe7\x14\x2b"
>            "\xa4\x33\x47\xd5\x58\x76\x63\x83\x71\xb3\x95\x37\xca\x25"
>            "\x93\x3f\x46\xd7\xc0\x8f\x8e\x2a\xcf\x0d\x60\xb7\x62\xac"
>            "\xd9\xaf\x6e\x88\x3f\xe0\xbf\x94\xc3\x57\x74\x8d\x22\xed"
>            "\x61\x71\x85\x10\x64\x2d\x50\xdf\xae\x9a\xdd\xa2\x5e\x28"
>            "\xa3\xf8\x14\xf0\x94\x4a\xac\x82\x45\xed\x85\x7a\xb6\x2b"
>            "\xef\xb4\x0b\x78\xb8\x92\x30\xcc\x5d\xcc\x07\xbf\x70\x4e"
>            "\x1c\x10\x38\xde\x89\x58\x8b\x87\x97\xc9\x6a\x62\x84\x3b"
>            "\xcd\x37\xbb\x8d\x41\x50\x65\x24\xa8\x90\x85\xa7\x51\x32"
>            "\x58\xf9\x71\xb3\x0b\xf0\x0f\xe6\xc4\x81",
>            164);
>     r[8] = syscall(SYS_write, r[5], 0x2000bf5cul, 0xa4ul, 0, 0, 0);
>     break;
>   case 5:
>     *(uint32_t*)0x2000cb16 = (uint32_t)0x20;
>     *(uint32_t*)0x2000cb1a = (uint32_t)0xfffffffffffffffd;
>     *(uint64_t*)0x2000cb1e = (uint64_t)0x1;
>     *(uint32_t*)0x2000cb26 = (uint32_t)0xd51;
>     *(uint32_t*)0x2000cb2a = (uint32_t)0x3;
>     *(uint32_t*)0x2000cb2e = (uint32_t)0x9;
>     *(uint32_t*)0x2000cb32 = (uint32_t)0x9;
>     r[16] = syscall(SYS_write, r[5], 0x2000cb16ul, 0x20ul, 0, 0, 0);
>     break;
>   case 6:
>     *(uint32_t*)0x20005ffc = (uint32_t)0x7;
>     r[18] = syscall(SYS_setsockopt, r[6], 0x1ul, 0x10ul, 0x20005ffcul,
>                     0x4ul, 0);
>     break;
>   case 7:
>     memcpy((void*)0x20003000,
>            "\xad\xd4\xf6\xb6\x5d\x21\x41\x96\x29\xc7\x46\x59\xb5\x12"
>            "\x13\x1f\xc2\xab\x18\x66\x38\x2f\x01\xd0\x78\x07\x19\xe4"
>            "\x2f\xac\xa5\x81\xc9\x01\x6f\x8d\xeb\x2f\x06\x23\xc8\x42"
>            "\xf8\x6e\x04\xf6\xcf\x7e\x76\x1a\xb8\xe3\xff\x45\x30\x9b"
>            "\x0a\x9a\x0d\x1a\x6d\xfe\x01\x94\xc3\xc6\xfb\xc7\xd2\x7d"
>            "\xe3\x5f\xc9\xdb\xa8\xfc\x9a\x0c\xdf\x4a\xf9\x6c\xf5\xcd"
>            "\x20\x90\x16\xd6\x2a\xec\x79\xac\x6a\x04\x9d\x92\xd3\x7d"
>            "\x2c\xf5\x24\x60\xcc\x57\xb1\x1e\x2a\xf9\x33\x54\x7b\xd8"
>            "\x5b\x23\x26\x79\xdb\x89\x72\xf7\x17\xe0\x1c\x1f\x2e\xc0"
>            "\x23\x94\xc5\xb1\x7d\xea\x84\xd1\x40\x43\x8a\xc1\x89\xa2"
>            "\x72\xd8\x8a\xff\xf7\x30\xc9\x96\x5c\x84\x58\x4f\x7e\x04"
>            "\x84\x45\x1b\x83\x51\xb6\x90\x4a\x17\x4e\x95\x09\xb9\x37"
>            "\x6e\xe6\xb0\x5e\xb5\x11\xb6\x2f\x06\x75\x31\x57\xda\xc2"
>            "\xfe\x5d\x84\x0e\x6a\x29\xb7\xe6\x22\xf2\xc9\x00\xa5\x80"
>            "\x0f\x48\x42\x38\x5a\x66\x32\x91\x5a\xe5\x5e\xfe\xce\xc0"
>            "\x98\x16\x19\x39\x21\x4b\x60\xe1\xa5\x7a\xba\x62\xd4\x38"
>            "\x96\x2d\x79\x09\x30\x2c\x75\x54\x68\xca",
>            234);
>     r[20] = syscall(SYS_sendto, r[5], 0x20003000ul, 0xeaul, 0x4000ul,
>                     0x20003000ul, 0x0ul);
>     break;
>   case 8:
>     *(uint64_t*)0x2000a000 = (uint64_t)0x2000a000;
>     *(uint32_t*)0x2000a008 = (uint32_t)0x1c;
>     *(uint64_t*)0x2000a010 = (uint64_t)0x2000ac60;
>     *(uint64_t*)0x2000a018 = (uint64_t)0x4;
>     *(uint64_t*)0x2000a020 = (uint64_t)0x2000a8b3;
>     *(uint64_t*)0x2000a028 = (uint64_t)0x1000;
>     *(uint32_t*)0x2000a030 = (uint32_t)0x0;
>     *(uint64_t*)0x2000ac60 = (uint64_t)0x2000afb4;
>     *(uint64_t*)0x2000ac68 = (uint64_t)0x7a;
>     *(uint64_t*)0x2000ac70 = (uint64_t)0x2000affe;
>     *(uint64_t*)0x2000ac78 = (uint64_t)0x10;
>     *(uint64_t*)0x2000ac80 = (uint64_t)0x2000afe2;
>     *(uint64_t*)0x2000ac88 = (uint64_t)0x2f;
>     *(uint64_t*)0x2000ac90 = (uint64_t)0x2000afdb;
>     *(uint64_t*)0x2000ac98 = (uint64_t)0xd4;
>     r[36] =
>         syscall(SYS_recvmsg, r[6], 0x2000a000ul, 0x12100ul, 0, 0, 0);
>     break;
>   }
>   return 0;
> }
> 
> int main()
> {
>   long i;
>   pthread_t th[9];
> 
>   memset(r, -1, sizeof(r));
>   for (i = 0; i < 9; i++) {
>     pthread_create(&th[i], 0, thr, (void*)i);
>     usleep(10000);
>   }
>   for (i = 0; i < 9; i++) {
>     pthread_create(&th[i], 0, thr, (void*)i);
>     if (i % 2 == 0)
>       usleep(10000);
>   }
>   usleep(100000);
>   return 0;
> }
> 
> unreferenced object 0xffff8800324af200 (size 112):
>   comm "syz-executor", pid 18413, jiffies 4295500287 (age 14.321s)
>   hex dump (first 32 bytes):
>     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff86315673>] kmemleak_alloc+0x63/0xa0 mm/kmemleak.c:916
>     [<     inline     >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
>     [<     inline     >] slab_post_alloc_hook mm/slub.c:1337
>     [<     inline     >] slab_alloc_node mm/slub.c:2596
>     [<     inline     >] slab_alloc mm/slub.c:2604
>     [<ffffffff81758b49>] kmem_cache_alloc+0x149/0x2d0 mm/slub.c:2609
>     [<ffffffff813adabd>] alloc_pid+0x5d/0xc90 kernel/pid.c:306
>     [<ffffffff8134de09>] copy_process.part.35+0x3759/0x57a0 kernel/fork.c:1462
>     [<     inline     >] copy_process kernel/fork.c:1274
>     [<ffffffff8135017c>] _do_fork+0x1bc/0xcb0 kernel/fork.c:1723
>     [<     inline     >] SYSC_clone kernel/fork.c:1832
>     [<ffffffff81350d47>] SyS_clone+0x37/0x50 kernel/fork.c:1826
>     [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>     [<ffffffffffffffff>] 0xffffffffffffffff
> 
> 
> # cat /proc/slabinfo | grep pid
> pid                  297    532    576   28    4 : tunables    0    0
>   0 : slabdata     19     19      0
> ...
> pid                  412    532    576   28    4 : tunables    0    0
>   0 : slabdata     19     19      0
> ...
> pid                 1107   1176    576   28    4 : tunables    0    0
>   0 : slabdata     42     42      0
> ...
> pid                 1545   1652    576   28    4 : tunables    0    0
>   0 : slabdata     59     59      0
> 
> 
> On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ