Message-ID: <1511976722.16595.22.camel@gmail.com>
Date:   Wed, 29 Nov 2017 09:32:02 -0800
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     netdev <netdev@...r.kernel.org>
Subject: [BUG] net/sched: use after free

Hi

Running the following script twice gave me a KASAN splat on the net tree
(this is on commit f6454f80e8a965fca203dab28723f68ec78db608):


ETH=eth0

# start from a clean slate so the script can be run repeatedly
tc qdisc del dev $ETH ingress 2>/dev/null
tc qdisc add dev $ETH ingress

tc filter add dev $ETH parent ffff: \
               matchall action sample rate 12 group 4

[  118.517005] ==================================================================
[  118.524253] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0xb8/0xe0
[  118.530779] Read of size 8 at addr ffff881056a38f60 by task swapper/29/0

[  118.538996] CPU: 29 PID: 0 Comm: swapper/29 Not tainted 4.14.0-smp-DEV #2
[  118.538997] Hardware name: Intel RML,PCH/Ibis_QC_18, BIOS 2.40.0 06/22/2016
[  118.538998] Call Trace:
[  118.539000]  <IRQ>
[  118.539006]  dump_stack+0x46/0x67
[  118.539010]  print_address_description+0x6a/0x260
[  118.539012]  ? rcu_cblist_dequeue+0xb8/0xe0
[  118.539014]  kasan_report+0x228/0x340
[  118.539016]  rcu_cblist_dequeue+0xb8/0xe0
[  118.539018]  rcu_process_callbacks+0x2d8/0x1430
[  118.539020]  ? __hrtimer_run_queues+0x2c3/0x620
[  118.539022]  ? note_gp_changes+0x190/0x190
[  118.539025]  __do_softirq+0x1d7/0x5c8
[  118.539028]  irq_exit+0x14e/0x180
[  118.539030]  smp_apic_timer_interrupt+0xbc/0x310
[  118.539032]  apic_timer_interrupt+0x89/0x90
[  118.539041]  </IRQ>
[  118.539044] RIP: 0010:cpuidle_enter_state+0xfa/0x740
[  118.539045] RSP: 0018:ffff88105aa07eb0 EFLAGS: 00000212 ORIG_RAX: ffffffffffffff11
[  118.539048] RAX: dffffc0000000000 RBX: ffffe8ffffd553d0 RCX: 000000000000001f
[  118.539049] RDX: 1ffff1020ffac84d RSI: fff3b038d885714d RDI: ffff88107fd64268
[  118.539050] RBP: 00000000000f27d5 R08: ffff88107fd60704 R09: ffff88107fd606a0
[  118.539051] R10: 071c71c71c71c71c R11: ffff88107fd606e4 R12: 0000000000000005
[  118.539052] R13: 0000000000000005 R14: 0000000000000005 R15: 0000001b981aba1d
[  118.539055]  ? rcu_eqs_exit_common.isra.51+0x26/0x140
[  118.539058]  do_idle+0x226/0x2a0
[  118.539059]  cpu_startup_entry+0x19/0x20
[  118.539061]  secondary_startup_64+0xa5/0xb0

[  118.540556] Allocated by task 10820:
[  118.544135]  kasan_kmalloc+0xa0/0xd0
[  118.544137]  __kmalloc+0xd4/0x570
[  118.544139]  tcf_idr_create+0xa2/0x6e0
[  118.544142]  tcf_sample_init+0x4bc/0x830 [act_sample]
[  118.544144]  tcf_action_init_1+0x5c6/0x8f0
[  118.544145]  tcf_action_init+0x1ff/0x3e0
[  118.544147]  tcf_exts_validate+0x27c/0x500
[  118.544149]  mall_change+0x3c5/0xcbf [cls_matchall]
[  118.544150]  tc_ctl_tfilter+0x1104/0x1c70
[  118.544152]  rtnetlink_rcv_msg+0x35a/0x680
[  118.544153]  netlink_rcv_skb+0x2a5/0x3d0
[  118.544155]  netlink_unicast+0x3f4/0x580
[  118.544156]  netlink_sendmsg+0x738/0xae0
[  118.544159]  sock_sendmsg+0xb1/0xe0
[  118.544160]  ___sys_sendmsg+0x658/0x870
[  118.544162]  __sys_sendmsg+0xb0/0x130
[  118.544163]  entry_SYSCALL_64_fastpath+0x13/0x6c

[  118.545658] Freed by task 5:
[  118.548537]  kasan_slab_free+0x71/0xc0
[  118.548538]  kfree+0x75/0xe0
[  118.548540]  __tcf_idr_release+0x16e/0x220
[  118.548541]  tcf_action_destroy+0xcb/0x160
[  118.548543]  tcf_exts_destroy+0x177/0x350
[  118.548544]  __mall_destroy+0xe/0x60 [cls_matchall]
[  118.548546]  mall_destroy_work+0x17/0x20 [cls_matchall]
[  118.548548]  process_one_work+0x785/0x11c0
[  118.548549]  worker_thread+0xdf/0x12f0
[  118.548551]  kthread+0x29e/0x390
[  118.548552]  ret_from_fork+0x1f/0x30

[  118.550044] The buggy address belongs to the object at ffff881056a38e80
                which belongs to the cache kmalloc-256 of size 256
[  118.562564] The buggy address is located 224 bytes inside of
                256-byte region [ffff881056a38e80, ffff881056a38f80)
[  118.574281] The buggy address belongs to the page:
[  118.579074] page:ffffea00415a8e00 count:1 mapcount:0 mapping:ffff881056a380c0 index:0x0
[  118.587075] flags: 0x2800000000000100(slab)
[  118.591262] raw: 2800000000000100 ffff881056a380c0 0000000000000000 000000010000000c
[  118.599000] raw: ffffea00414151e0 ffffea004126a520 ffff88081f400680 0000000000000000
[  118.606737] page dumped because: kasan: bad access detected

[  118.613793] Memory state around the buggy address:
[  118.618575]  ffff881056a38e00: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc
[  118.625793]  ffff881056a38e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.633006] >ffff881056a38f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  118.640225]                                                        ^
[  118.646578]  ffff881056a38f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  118.653808]  ffff881056a39000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  118.661035] ==================================================================
[  118.668254] Disabling lock debugging due to kernel taint

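A triage helper, added here as an example (it is not part of the report above nor of the kernel tree): it parses a KASAN splat in the format shown, pulls out the bug class, the faulting access, the object geometry and the allocating and freeing stacks, and names the modules on each side, which for this report separates act_sample (creating the action) from the cls_matchall destroy work (freeing it) while the bad read happens in RCU callback processing. The input is a constructed, abridged copy of the splat; regex names and the dict layout are this example's own.

```python
import re
# Constructed, abridged copy of the splat above (most frames trimmed).
SAMPLE = """\
[  118.524253] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0xb8/0xe0
[  118.530779] Read of size 8 at addr ffff881056a38f60 by task swapper/29/0
[  118.540556] Allocated by task 10820:
[  118.544139]  tcf_idr_create+0xa2/0x6e0
[  118.544142]  tcf_sample_init+0x4bc/0x830 [act_sample]

[  118.545658] Freed by task 5:
[  118.548540]  __tcf_idr_release+0x16e/0x220
[  118.548546]  mall_destroy_work+0x17/0x20 [cls_matchall]

[  118.550044] The buggy address belongs to the object at ffff881056a38e80
                which belongs to the cache kmalloc-256 of size 256
"""
TS = re.compile(r"^\[\s*[\d.]+\] ?")        # dmesg "[  118.524253] " prefix
FRAME = re.compile(r"^\s+([^\s+]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\S+)\])?")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
SECTION = re.compile(r"^(Allocated|Freed) by task \d+:$")
OBJECT = re.compile(r"object at ([0-9a-f]+)|cache (\S+) of size (\d+)")

def parse_kasan(text):
    """Pull bug class, faulting access, object geometry and alloc/free stacks out of a splat."""
    rep, section = {"stacks": {}}, None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if not line.strip():                # a blank line closes the current stack section
            section = None
        elif line.startswith("BUG: KASAN:"):
            bug, site = line[len("BUG: KASAN: "):].split(" in ", 1)
            rep["bug"], rep["site"] = bug, site.split("+", 1)[0]
        elif m := ACCESS.search(line):
            rep.update(access=m[1].lower(), size=int(m[2]), addr=int(m[3], 16), task=m[4])
        elif m := SECTION.match(line):
            section = m[1].lower()          # "allocated" or "freed"
            rep["stacks"][section] = []
        elif section and (m := FRAME.match(line)):
            rep["stacks"][section].append((m[1], m[2]))   # (function, module or None)
        elif m := OBJECT.search(line):
            if m[1]:
                rep["obj"] = int(m[1], 16)
            else:
                rep["cache"], rep["obj_size"] = m[2], int(m[3])
    rep["offset"] = rep["addr"] - rep["obj"]  # where inside the object the bad access landed
    return rep

def racing_modules(rep):
    """Modules seen on the allocating vs. freeing stack (core-kernel frames carry none)."""
    return {s: sorted({mod for _, mod in frames if mod}) for s, frames in rep["stacks"].items()}
```

Run over the full report, the same parser flags that the access lands 224 bytes into a 256-byte kmalloc-256 object, i.e. inside the freed action, not past its end.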