lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+aBDLfk4Dr3nwLteuPAYkxp_nkDHQxXrUz=hEvNr6U-og@mail.gmail.com>
Date:	Thu, 4 Feb 2016 10:53:51 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Jon Maloy <jon.maloy@...csson.com>,
	Ying Xue <ying.xue@...driver.com>,
	"David S. Miller" <davem@...emloft.net>,
	netdev <netdev@...r.kernel.org>,
	tipc-discussion@...ts.sourceforge.net,
	LKML <linux-kernel@...r.kernel.org>,
	Allan Stephens <allan.stephens@...driver.com>,
	Per Liden <per.liden@...pam.ericsson.com>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	Eric Dumazet <edumazet@...gle.com>
Subject: Re: net/tipc: memory leak in tipc_release

On Thu, Dec 31, 2015 at 11:35 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> Hello,
>
> The following program, if run a parallel loop, leads to a leak of 2
> objects allocated in tipc_release:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
> #include <string.h>
> #include <stdint.h>
> #include <pthread.h>
>
> long r[86];
>
> int main()
> {
>         memset(r, -1, sizeof(r));
>         r[0] = syscall(SYS_mmap, 0x20000000ul, 0x11000ul, 0x3ul,
> 0x32ul, 0xfffffffffffffffful, 0x0ul);
>         r[1] = syscall(SYS_eventfd, 0x7ul, 0, 0, 0, 0, 0);
>         r[2] = syscall(SYS_close, r[1], 0, 0, 0, 0, 0);
>         r[3] = syscall(SYS_socket, 0x1eul, 0x2ul, 0x0ul, 0, 0, 0);
>         r[4] = syscall(SYS_io_setup, 0x5ul, 0x20001d8bul, 0, 0, 0, 0);
>         if (r[4] != -1)
>                 r[5] = *(uint64_t*)0x20001d8b;
>         r[6] = syscall(SYS_fcntl, r[1], 0x406ul, r[3], 0, 0, 0);
>         *(uint16_t*)0x20007000 = (uint16_t)0x27;
>         *(uint32_t*)0x20007002 = (uint32_t)0x3;
>         *(uint32_t*)0x20007006 = (uint32_t)0x6;
>         *(uint32_t*)0x2000700a = (uint32_t)0x1;
>         r[11] = syscall(SYS_connect, r[6], 0x20007000ul, 0x10ul, 0, 0, 0);
>         r[12] = syscall(SYS_dup3, r[6], r[1], 0x80000ul, 0, 0, 0);
>         *(uint64_t*)0x20002000 = (uint64_t)0x20002fc0;
>         *(uint64_t*)0x20002008 = (uint64_t)0x20002fd8;
>         *(uint64_t*)0x20002010 = (uint64_t)0x2000246d;
>         *(uint64_t*)0x20002fc0 = (uint64_t)0x8;
>         *(uint32_t*)0x20002fc8 = (uint32_t)0x0;
>         *(uint32_t*)0x20002fcc = (uint32_t)0x9;
>         *(uint16_t*)0x20002fd0 = (uint16_t)0x5;
>         *(uint16_t*)0x20002fd2 = (uint16_t)0x0;
>         *(uint32_t*)0x20002fd4 = r[1];
>         *(uint64_t*)0x20002fd8 = (uint64_t)0x20002934;
>         *(uint64_t*)0x20002fe0 = (uint64_t)0x5e;
>         *(uint64_t*)0x20002fe8 = (uint64_t)0xfffffffffffffff7;
>         *(uint64_t*)0x20002ff0 = (uint64_t)0x20002000;
>         *(uint32_t*)0x20002ff8 = (uint32_t)0x0;
>         *(uint32_t*)0x20002ffc = r[1];
>         *(uint64_t*)0x20002000 = (uint64_t)0x20003000;
>         *(uint32_t*)0x20002008 = (uint32_t)0x5;
>         *(uint32_t*)0x2000200c = (uint32_t)0x2;
>         *(uint64_t*)0x20002010 = (uint64_t)0x1;
>         *(uint64_t*)0x20002018 = (uint64_t)0x7;
>         *(uint64_t*)0x20002020 = (uint64_t)0x2;
>         *(uint64_t*)0x20002028 = (uint64_t)0x4;
>         *(uint64_t*)0x20002030 = (uint64_t)0x0;
>         *(uint64_t*)0x20002038 = (uint64_t)0x1;
>         *(uint64_t*)0x20002040 = (uint64_t)0x4;
>         *(uint64_t*)0x20002048 = (uint64_t)0x9;
>         *(uint64_t*)0x20002fd8 = (uint64_t)0x5;
>         *(uint32_t*)0x20002fe0 = (uint32_t)0x0;
>         *(uint32_t*)0x20002fe4 = (uint32_t)0x8;
>         *(uint16_t*)0x20002fe8 = (uint16_t)0x7;
>         *(uint16_t*)0x20002fea = (uint16_t)0xffffffffffffffff;
>         *(uint32_t*)0x20002fec = (uint32_t)0xffffffffffffffff;
>         *(uint64_t*)0x20002ff0 = (uint64_t)0x20005fe3;
>         *(uint64_t*)0x20002ff8 = (uint64_t)0x2e;
>         *(uint64_t*)0x20003000 = (uint64_t)0x8;
>         *(uint64_t*)0x20003008 = (uint64_t)0x20002a50;
>         *(uint32_t*)0x20003010 = (uint32_t)0x1;
>         *(uint32_t*)0x20003014 = r[1];
>         *(uint64_t*)0x20002a50 = (uint64_t)0x20003000;
>         *(uint32_t*)0x20002a58 = (uint32_t)0xb;
>         *(uint32_t*)0x20002a5c = (uint32_t)0x1;
>         *(uint64_t*)0x20002a60 = (uint64_t)0x5;
>         *(uint64_t*)0x20002a68 = (uint64_t)0xacf;
>         *(uint64_t*)0x20002a70 = (uint64_t)0x8a;
>         *(uint64_t*)0x20002a78 = (uint64_t)0x3;
>         *(uint64_t*)0x20002a80 = (uint64_t)0x8d;
>         *(uint64_t*)0x20002a88 = (uint64_t)0xf5a;
>         *(uint64_t*)0x20002a90 = (uint64_t)0xd94;
>         *(uint64_t*)0x20002a98 = (uint64_t)0x9;
>         *(uint64_t*)0x2000246d = (uint64_t)0x0;
>         *(uint32_t*)0x20002475 = (uint32_t)0x0;
>         *(uint32_t*)0x20002479 = (uint32_t)0x2;
>         *(uint16_t*)0x2000247d = (uint16_t)0x2;
>         *(uint16_t*)0x2000247f = (uint16_t)0x0;
>         *(uint32_t*)0x20002481 = r[1];
>         *(uint64_t*)0x20002485 = (uint64_t)0x20002d52;
>         *(uint64_t*)0x2000248d = (uint64_t)0x11;
>         *(uint64_t*)0x20002495 = (uint64_t)0x4;
>         *(uint64_t*)0x2000249d = (uint64_t)0x20002fb0;
>         *(uint32_t*)0x200024a5 = (uint32_t)0x1;
>         *(uint32_t*)0x200024a9 = r[1];
>         *(uint64_t*)0x20002fb0 = (uint64_t)0x20003000;
>         *(uint32_t*)0x20002fb8 = (uint32_t)0x4;
>         *(uint32_t*)0x20002fbc = (uint32_t)0x2;
>         *(uint64_t*)0x20002fc0 = (uint64_t)0x3;
>         *(uint64_t*)0x20002fc8 = (uint64_t)0x6;
>         *(uint64_t*)0x20002fd0 = (uint64_t)0xe3;
>         *(uint64_t*)0x20002fd8 = (uint64_t)0xee;
>         *(uint64_t*)0x20002fe0 = (uint64_t)0x8;
>         *(uint64_t*)0x20002fe8 = (uint64_t)0x1;
>         *(uint64_t*)0x20002ff0 = (uint64_t)0x4;
>         *(uint64_t*)0x20002ff8 = (uint64_t)0x8;
>         r[85] = syscall(SYS_io_submit, r[5], 0x3ul, 0x20002000ul, 0, 0, 0);
>         return 0;
> }
>
>
> unreferenced object 0xffff88004be2cf00 (size 456):
>   comm "syz-executor", pid 26609, jiffies 4295874528 (age 578.093s)
>   hex dump (first 32 bytes):
>     f8 7a f3 4b 00 88 ff ff f8 7a f3 4b 00 88 ff ff  .z.K.....z.K....
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
>     [<     inline     >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
>     [<     inline     >] slab_post_alloc_hook mm/slub.c:1335
>     [<     inline     >] slab_alloc_node mm/slub.c:2594
>     [<ffffffff816cc44d>] kmem_cache_alloc_node+0x16d/0x2e0 mm/slub.c:2630
>     [<ffffffff84b782ba>] __alloc_skb+0xba/0x5f0 net/core/skbuff.c:216
>     [<     inline     >] alloc_skb_fclone include/linux/skbuff.h:855
>     [<ffffffff85a1a70e>] tipc_buf_acquire+0x2e/0xf0 net/tipc/msg.c:64
>     [<ffffffff85a1a9d1>] tipc_msg_create+0x31/0x280 net/tipc/msg.c:96
>     [<ffffffff85a4ab85>] tipc_release+0x8c5/0x10c0 net/tipc/socket.c:466
>     [<ffffffff84b5923d>] sock_release+0x8d/0x1d0 net/socket.c:571
>     [<ffffffff84b59396>] sock_close+0x16/0x20 net/socket.c:1022
>     [<ffffffff81719833>] __fput+0x233/0x780 fs/file_table.c:208
>     [<ffffffff81719e05>] ____fput+0x15/0x20 fs/file_table.c:244
>     [<ffffffff8134679b>] task_work_run+0x16b/0x200 kernel/task_work.c:115
>     [<     inline     >] exit_task_work include/linux/task_work.h:21
>     [<ffffffff812f4d3b>] do_exit+0x8bb/0x2b20 kernel/exit.c:750
>     [<ffffffff812f7118>] do_group_exit+0x108/0x320 kernel/exit.c:880
>     [<     inline     >] SYSC_exit_group kernel/exit.c:891
>     [<ffffffff812f734d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:889
>     [<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>     [<ffffffffffffffff>] 0xffffffffffffffff
> unreferenced object 0xffff88004be2a670 (size 512):
>   comm "syz-executor", pid 26609, jiffies 4295874528 (age 578.093s)
>   hex dump (first 32 bytes):
>     98 a2 e2 4b 00 88 ff ff 00 00 00 00 00 00 00 00  ...K............
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
>     [<     inline     >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
>     [<     inline     >] slab_post_alloc_hook mm/slub.c:1335
>     [<     inline     >] slab_alloc_node mm/slub.c:2594
>     [<ffffffff816d0b77>] __kmalloc_node_track_caller+0x217/0x3e0 mm/slub.c:4096
>     [<ffffffff84b75f71>] __kmalloc_reserve.isra.31+0x41/0xe0
> net/core/skbuff.c:135
>     [<ffffffff84b782f0>] __alloc_skb+0xf0/0x5f0 net/core/skbuff.c:228
>     [<     inline     >] alloc_skb_fclone include/linux/skbuff.h:855
>     [<ffffffff85a1a70e>] tipc_buf_acquire+0x2e/0xf0 net/tipc/msg.c:64
>     [<ffffffff85a1a9d1>] tipc_msg_create+0x31/0x280 net/tipc/msg.c:96
>     [<ffffffff85a4ab85>] tipc_release+0x8c5/0x10c0 net/tipc/socket.c:466
>     [<ffffffff84b5923d>] sock_release+0x8d/0x1d0 net/socket.c:571
>     [<ffffffff84b59396>] sock_close+0x16/0x20 net/socket.c:1022
>     [<ffffffff81719833>] __fput+0x233/0x780 fs/file_table.c:208
>     [<ffffffff81719e05>] ____fput+0x15/0x20 fs/file_table.c:244
>     [<ffffffff8134679b>] task_work_run+0x16b/0x200 kernel/task_work.c:115
>     [<     inline     >] exit_task_work include/linux/task_work.h:21
>     [<ffffffff812f4d3b>] do_exit+0x8bb/0x2b20 kernel/exit.c:750
>     [<ffffffff812f7118>] do_group_exit+0x108/0x320 kernel/exit.c:880
>     [<     inline     >] SYSC_exit_group kernel/exit.c:891
>     [<ffffffff812f734d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:889
>     [<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
>
>
> On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).

+Allan, Per

Can somebody from tipc maintainers please take a look at this? I am
still hitting this leak.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ