lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 26 Aug 2020 16:57:54 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Roman Gushchin <guro@...com>
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>, kernel-team@...com,
        linux-kernel@...r.kernel.org, Johannes Weiner <hannes@...xchg.org>,
        Shakeel Butt <shakeelb@...gle.com>, linux-mm@...ck.org,
        Roman Gushchin <guro@...com>, 0day robot <lkp@...el.com>,
        lkp@...ts.01.org
Subject: [bpf] 3ebc0a7f46: BUG:KASAN:use-after-free_in_b

Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 3ebc0a7f460e4f73f8c9ab9dca89a57dc32c1602 ("[PATCH bpf-next v4 03/30] bpf: memcg-based memory accounting for bpf maps")
url: https://github.com/0day-ci/linux/commits/Roman-Gushchin/bpf-switch-to-memcg-based-memory-accounting/20200821-233104
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master

in testcase: locktorture
with following parameters:

	runtime: 300s
	test: cpuhotplug

test-description: This torture test consists of creating a number of kernel threads which acquire the lock and hold it for specific amount of time, thus simulating different critical region behaviors.
test-url: https://www.kernel.org/doc/Documentation/locking/locktorture.txt


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+-------------------------------------------------------------------------------+------------+------------+
|                                                                               | e96c019fb3 | 3ebc0a7f46 |
+-------------------------------------------------------------------------------+------------+------------+
| boot_successes                                                                | 0          | 0          |
| boot_failures                                                                 | 6          | 4          |
| WARNING:suspicious_RCU_usage                                                  | 6          |            |
| security/device_cgroup.c:#RCU-list_traversed_in_non-reader_section            | 6          |            |
| drivers/char/ipmi/ipmi_msghandler.c:#RCU-list_traversed_in_non-reader_section | 6          |            |
| BUG:KASAN:use-after-free_in_b                                                 | 0          | 4          |
+-------------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <rong.a.chen@...el.com>


[   41.560152] BUG: KASAN: use-after-free in bpf_map_free_deferred+0x117/0x38b
[   41.560762] Read of size 8 at addr ffff8881e4114858 by task kworker/0:1/15
[   41.561528] 
[   41.561737] CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 5.9.0-rc1-00133-g3ebc0a7f460e4 #1
[   41.562648] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   41.563562] Workqueue: events bpf_map_free_deferred
[   41.563937] Call Trace:
[   41.564147]  ? dump_stack+0x31/0x40
[   41.564423]  ? print_address_description+0x2c/0x6d8
[   41.564851]  ? rcu_read_unlock_sched_notrace+0x52/0x52
[   41.565243]  ? bpf_map_free_deferred+0x117/0x38b
[   41.565582]  ? kasan_report+0x1b1/0x222
[   41.565872]  ? bpf_map_free_deferred+0x117/0x38b
[   41.566214]  ? __asan_report_load8_noabort+0x1e/0x26
[   41.566570]  ? bpf_map_free_deferred+0x117/0x38b
[   41.566906]  ? bpf_map_charge_move+0x8d/0x8d
[   41.567234]  ? process_one_work+0x819/0xe1c
[   41.567570]  ? __lock_acquired+0x46e/0x5f6
[   41.567885]  ? pwq_dec_nr_in_flight+0x363/0x363
[   41.568224]  ? preempt_count_add+0x1b/0x24
[   41.568535]  ? __kasan_check_write+0x1e/0x26
[   41.568843]  ? worker_clr_flags+0x192/0x1b7
[   41.569168]  ? worker_thread+0x787/0x9e7
[   41.569480]  ? kthread+0x47e/0x494
[   41.569730]  ? create_worker+0x523/0x523
[   41.570017]  ? kthread_create_worker+0xc3/0xc3
[   41.570345]  ? ret_from_fork+0x1f/0x30
[   41.570657] 
[   41.570781] Allocated by task 0:
[   41.571016] (stack is not available)
[   41.571290] 
[   41.571414] Freed by task 15:
[   41.571640]  arch_stack_walk+0xbc/0xd0
[   41.571914]  stack_trace_save+0x85/0xa6
[   41.572203]  kasan_save_stack+0x22/0x58
[   41.572484]  kasan_set_track+0x22/0x2e
[   41.572762]  kasan_set_free_info+0x29/0x3f
[   41.573056]  __kasan_slab_free+0x165/0x192
[   41.573377]  kasan_slab_free+0x11/0x19
[   41.573649]  slab_free_freelist_hook+0x1e5/0x29c
[   41.573976]  kfree+0x3b7/0x57a
[   41.574202]  trie_free+0x8d/0x14e
[   41.574444]  bpf_map_free_deferred+0xd2/0x38b
[   41.574762]  process_one_work+0x819/0xe1c
[   41.575060]  worker_thread+0x787/0x9e7
[   41.575330]  kthread+0x47e/0x494
[   41.575566]  ret_from_fork+0x1f/0x30
[   41.575822] 
[   41.575945] The buggy address belongs to the object at ffff8881e4114800
[   41.575945]  which belongs to the cache kmalloc-512 of size 512
[   41.576811] The buggy address is located 88 bytes inside of
[   41.576811]  512-byte region [ffff8881e4114800, ffff8881e4114a00)
[   41.577626] The buggy address belongs to the page:
[   41.577971] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e4114
[   41.578627] head:(____ptrval____) order:1 compound_mapcount:0
[   41.579029] flags: 0x4000000000010200(slab|head)
[   41.579358] raw: 4000000000010200 dead000000000100 dead000000000122 ffff8881f5c41280
[   41.579921] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   41.580490] page dumped because: kasan: bad access detected
[   41.580907] 
[   41.581029] Memory state around the buggy address:
[   41.581366]  ffff8881e4114700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.581860]  ffff8881e4114780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   41.582369] >ffff8881e4114800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.582866]                                                     ^
[   41.583292]  ffff8881e4114880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.583787]  ffff8881e4114900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.585494] ==================================================================
[   41.586196] Disabling lock debugging due to kernel taint
[   42.162717] rcu-perf: rcu_perf_writer 0 has 100 measurements
[   42.199609] Dumping ftrace buffer:
[   42.200080]    (ftrace buffer empty)
[   42.202418] rcu-perf: Test complete
[   42.490753] random: systemd: uninitialized urandom read (16 bytes read)
[   42.496513] random: systemd: uninitialized urandom read (16 bytes read)
[  OK  ] Listening on RPCbind Server Activation Socket.
[   42.503401] random: systemd: uninitialized urandom read (16 bytes read)
[  OK  ] Created slice system-serial\x2dgetty.slice.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Listening on udev Control Socket.
[  OK  ] Listening on Syslog Socket.
[  OK  ] Listening on udev Kernel Socket.
[  OK  ] Listening on initctl Compatibility Named Pipe.
[  OK  ] Reached target Swap.
[  OK  ] Listening on Journal Socket.
         Mounting POSIX Message Queue File System...
         Starting Remount Root and Kernel File Systems...
         Mounting Kernel Debug File System...
         Starting udev Coldplug all Devices...
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Listening on Journal Socket (/dev/log).
[  OK  ] Reached target Slices.
         Mounting RPC Pipe File System...
         Starting Load Kernel Modules...
[  OK  ] Reached target Paths.
[  OK  ] Listening on Journal Audit Socket.
[   43.278865] random: fast init done

         Starting Journal Service...
[  OK  ] Created slice system-getty.slice.
[  OK  ] Mounted POSIX Message Queue File System.


To reproduce:

        # build kernel
	cd linux
	cp config-5.9.0-rc1-00133-g3ebc0a7f460e4 .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.9.0-rc1-00133-g3ebc0a7f460e4" of type "text/plain" (136482 bytes)

View attachment "job-script" of type "text/plain" (4866 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14472 bytes)

Powered by blists - more mailing lists