Date:   Thu, 7 Dec 2017 20:51:27 -0800
From:   Jakub Kicinski <kubakici@...pl>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     Roman Kapl <code@...pl.cz>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        Jiri Pirko <jiri@...nulli.us>
Subject: BUG: KASAN: use-after-free in tcf_block_put_ext+0x5cf/0x5e0

Running the netdevsim test after a week and a bit of not trying it:

$ make -C tools/testing/selftests/bpf/ CLANG=clang LLC=llc
# ./tools/testing/selftests/bpf/test_offload.py

[  284.174418] ==================================================================
[  284.182655] BUG: KASAN: use-after-free in tcf_block_put_ext+0x5cf/0x5e0
[  284.190160] Read of size 8 at addr ffff8803152f4d08 by task tc/1652

[  284.199033] CPU: 13 PID: 1652 Comm: tc Not tainted 4.15.0-rc2-debug-00310-g227cf4846533 #386
[  284.199043] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.3.4 11/08/2016
[  284.199053] Call Trace:
[  284.199068]  dump_stack+0xb3/0x140
[  284.199081]  ? _atomic_dec_and_lock+0x2b0/0x2b0
[  284.199094]  ? show_regs_print_info+0x6d/0x6d
[  284.199109]  ? tcf_chain_destroy+0x29b/0x3d0
[  284.199125]  print_address_description+0x7a/0x440
[  284.199140]  ? tcf_block_put_ext+0x5cf/0x5e0
[  284.199153]  kasan_report+0x1b8/0x430
[  284.199170]  ? tcf_block_put_ext+0x5cf/0x5e0
[  284.199186]  tcf_block_put_ext+0x5cf/0x5e0
[  284.199198]  ? tcf_chain_flush+0x370/0x370
[  284.199226]  ingress_destroy+0x47/0x80 [sch_ingress]
[  284.199242]  qdisc_destroy+0x141/0x430
[  284.199256]  qdisc_graft+0x315/0xcd0
[  284.199280]  tc_get_qdisc+0x3d5/0xad0
[  284.199298]  ? tc_ctl_tclass+0xcb0/0xcb0
[  284.199310]  ? rtnl_dump_all+0x4e0/0x4e0
[  284.199342]  rtnetlink_rcv_msg+0x555/0xb80
[  284.199359]  ? validate_linkmsg+0xb00/0xb00
[  284.199369]  ? netlink_deliver_tap+0x163/0xd30
[  284.199384]  ? lock_acquire+0x169/0x590
[  284.199396]  ? netlink_lookup+0x5/0x170
[  284.199418]  netlink_rcv_skb+0x210/0x4a0
[  284.199428]  ? validate_linkmsg+0xb00/0xb00
[  284.199443]  ? rcu_is_watching+0x59/0x1f0
[  284.199456]  ? netlink_ack+0xd00/0xd00
[  284.199466]  ? rcu_gpnum_ovf+0x310/0x310
[  284.199495]  netlink_unicast+0x435/0x660
[  284.199513]  ? netlink_attachskb+0xa90/0xa90
[  284.199528]  ? push_pipe+0xf10/0xf10
[  284.199549]  netlink_sendmsg+0x9b4/0x1060
[  284.199567]  ? netlink_unicast+0x660/0x660
[  284.199578]  ? SYSC_sendto+0x5f0/0x5f0
[  284.199600]  ? netlink_unicast+0x660/0x660
[  284.199612]  sock_sendmsg+0xd9/0x160
[  284.199627]  ___sys_sendmsg+0x72d/0xcc0
[  284.199646]  ? copy_msghdr_from_user+0x460/0x460
[  284.199659]  ? ___sys_sendmsg+0xcc0/0xcc0
[  284.199692]  ? handle_mm_fault+0x348/0xa70
[  284.199707]  ? downgrade_write+0x180/0x180
[  284.199721]  ? fget_raw+0x10/0x10
[  284.199743]  ? __do_page_fault+0x554/0xd30
[  284.199764]  ? bad_area_access_error+0x280/0x280
[  284.199786]  ? __sys_sendmsg+0xb8/0x210
[  284.199797]  __sys_sendmsg+0xb8/0x210
[  284.199811]  ? SyS_shutdown+0x290/0x290
[  284.199824]  ? rcu_read_lock_sched_held+0x114/0x130
[  284.199835]  ? kmem_cache_free+0x3e9/0x5a0
[  284.199855]  ? do_sys_open+0x24d/0x660
[  284.199878]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  284.199900]  entry_SYSCALL_64_fastpath+0x1c/0x89
[  284.199912] RIP: 0033:0x7fd870caa450
[  284.199921] RSP: 002b:00007ffdf1bec428 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  284.199941] RAX: ffffffffffffffda RBX: 00007fd870f66b20 RCX: 00007fd870caa450
[  284.199950] RDX: 0000000000000000 RSI: 00007ffdf1bec480 RDI: 0000000000000003
[  284.199960] RBP: 0000000000000a11 R08: 0000000000000000 R09: 000000000000000f
[  284.199969] R10: 00000000000005e7 R11: 0000000000000246 R12: 00007fd870f66b78
[  284.199979] R13: 00007fd870f66b78 R14: 000000000000270f R15: 00007fd870f66b78

[  284.201768] Allocated by task 1640:
[  284.205766]  kasan_kmalloc+0xa0/0xd0
[  284.205777]  kmem_cache_alloc_trace+0x1ad/0x5b0
[  284.205786]  tcf_block_get_ext+0xb0/0x790
[  284.205797]  ingress_init+0x122/0x200 [sch_ingress]
[  284.205807]  qdisc_create+0x2c1/0xff0
[  284.205817]  tc_modify_qdisc+0x49f/0x1870
[  284.205827]  rtnetlink_rcv_msg+0x555/0xb80
[  284.205837]  netlink_rcv_skb+0x210/0x4a0
[  284.205847]  netlink_unicast+0x435/0x660
[  284.205857]  netlink_sendmsg+0x9b4/0x1060
[  284.205868]  sock_sendmsg+0xd9/0x160
[  284.205878]  ___sys_sendmsg+0x72d/0xcc0
[  284.205887]  __sys_sendmsg+0xb8/0x210
[  284.205898]  entry_SYSCALL_64_fastpath+0x1c/0x89

[  284.207664] Freed by task 1652:
[  284.211272]  kasan_slab_free+0x71/0xc0
[  284.211282]  kfree+0x120/0x580
[  284.211292]  tcf_chain_destroy+0x29b/0x3d0
[  284.211302]  tcf_block_put_ext+0x3ef/0x5e0
[  284.211312]  ingress_destroy+0x47/0x80 [sch_ingress]
[  284.211322]  qdisc_destroy+0x141/0x430
[  284.211332]  qdisc_graft+0x315/0xcd0
[  284.211342]  tc_get_qdisc+0x3d5/0xad0
[  284.211352]  rtnetlink_rcv_msg+0x555/0xb80
[  284.211362]  netlink_rcv_skb+0x210/0x4a0
[  284.211372]  netlink_unicast+0x435/0x660
[  284.211382]  netlink_sendmsg+0x9b4/0x1060
[  284.211392]  sock_sendmsg+0xd9/0x160
[  284.211403]  ___sys_sendmsg+0x72d/0xcc0
[  284.211412]  __sys_sendmsg+0xb8/0x210
[  284.211423]  entry_SYSCALL_64_fastpath+0x1c/0x89

[  284.213190] The buggy address belongs to the object at ffff8803152f4d08
                which belongs to the cache kmalloc-64 of size 64
[  284.227124] The buggy address is located 0 bytes inside of
                64-byte region [ffff8803152f4d08, ffff8803152f4d48)
[  284.240083] The buggy address belongs to the page:
[  284.245542] page:000000001aa42e32 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  284.256662] flags: 0x2ffff0000008100(slab|head)
[  284.261830] raw: 02ffff0000008100 0000000000000000 0000000000000000 0000000100270027
[  284.270600] raw: ffffea000d7a7020 ffff88036e400778 ffff88036e4173c0 0000000000000000
[  284.279410] page dumped because: kasan: bad access detected

[  284.287543] Memory state around the buggy address:
[  284.293022]  ffff8803152f4c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  284.301247]  ffff8803152f4c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  284.309473] >ffff8803152f4d00: fc fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[  284.317697]                       ^
[  284.321714]  ffff8803152f4d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  284.329941]  ffff8803152f4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  284.338166] ==================================================================
