lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ccdc2bc3-ce71-1faa-c83f-cd3b0eaf963d@csgroup.eu>
Date:   Tue, 1 Dec 2020 15:03:30 +0100
From:   Christophe Leroy <christophe.leroy@...roup.eu>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        bpf@...r.kernel.org, "Naveen N. Rao" <naveen.n.rao@...ux.ibm.com>,
        Sandipan Das <sandipan@...ux.ibm.com>
Subject: powerpc32: BUG: KASAN: use-after-free in test_bpf_init+0x6f8/0xde8
 [test_bpf]

I've got the following KASAN error while running test_bpf module on a powerpc 8xx (32 bits).

That's reproductible, happens each time at the same test.

Can someone help me to investigate and fix that ?

[  209.381037] test_bpf: #298 LD_IND byte frag
[  209.383041] Pass 1: shrink = 0, seen = 0x30000
[  209.383284] Pass 2: shrink = 0, seen = 0x30000
[  209.383562] flen=3 proglen=104 pass=3 image=8166dc91 from=modprobe pid=380
[  209.383805] JIT code: 00000000: 7c 08 02 a6 90 01 00 04 91 c1 ff b8 91 e1 ff bc
[  209.384044] JIT code: 00000010: 94 21 ff 70 80 e3 00 58 81 e3 00 54 7d e7 78 50
[  209.384279] JIT code: 00000020: 81 c3 00 a0 38 a0 00 00 38 80 00 00 38 a0 00 40
[  209.384516] JIT code: 00000030: 3c e0 c0 02 60 e7 62 14 7c e8 03 a6 38 c5 00 00
[  209.384753] JIT code: 00000040: 4e 80 00 21 41 80 00 0c 60 00 00 00 7c 83 23 78
[  209.384990] JIT code: 00000050: 38 21 00 90 80 01 00 04 7c 08 03 a6 81 c1 ff b8
[  209.385207] JIT code: 00000060: 81 e1 ff bc 4e 80 00 20
[  209.385442] jited:1
[  209.385762] ==================================================================
[  209.386272] BUG: KASAN: use-after-free in test_bpf_init+0x6f8/0xde8 [test_bpf]
[  209.386503] Read of size 4 at addr c2de70c0 by task modprobe/380
[  209.386622]
[  209.386881] CPU: 0 PID: 380 Comm: modprobe Not tainted 5.10.0-rc5-s3k-dev-01341-g72d20eec3f8b #4178
[  209.387032] Call Trace:
[  209.387404] [cad6b878] [c020e0d4] print_address_description.constprop.0+0x70/0x4e0 (unreliable)
[  209.387920] [cad6b8f8] [c020dc98] kasan_report+0x118/0x1c0
[  209.388503] [cad6b938] [cb0e0c98] test_bpf_init+0x6f8/0xde8 [test_bpf]
[  209.388918] [cad6ba58] [c0004084] do_one_initcall+0xa4/0x33c
[  209.389377] [cad6bb28] [c00f9144] do_init_module+0x158/0x7f4
[  209.389820] [cad6bbc8] [c00fccb0] load_module+0x3394/0x38d8
[  209.390273] [cad6be38] [c00fd4e0] sys_finit_module+0x118/0x17c
[  209.390700] [cad6bf38] [c00170d0] ret_from_syscall+0x0/0x34
[  209.391020] --- interrupt: c01 at 0xfd5e7c0
[  209.395301]
[  209.395472] Allocated by task 276:
[  209.395767]  __kasan_kmalloc.constprop.0+0xe8/0x134
[  209.396029]  kmem_cache_alloc+0x150/0x290
[  209.396281]  __alloc_skb+0x58/0x28c
[  209.396563]  alloc_skb_with_frags+0x74/0x314
[  209.396872]  sock_alloc_send_pskb+0x404/0x424
[  209.397205]  unix_dgram_sendmsg+0x200/0xbf0
[  209.397473]  __sys_sendto+0x17c/0x21c
[  209.397754]  ret_from_syscall+0x0/0x34
[  209.397877]
[  209.398039] Freed by task 274:
[  209.398308]  kasan_set_track+0x34/0x6c
[  209.398608]  kasan_set_free_info+0x28/0x48
[  209.398878]  __kasan_slab_free+0x10c/0x19c
[  209.399141]  kmem_cache_free+0x68/0x390
[  209.399433]  skb_free_datagram+0x20/0x8c
[  209.399759]  unix_dgram_recvmsg+0x474/0x710
[  209.400084]  sock_read_iter+0x17c/0x228
[  209.400348]  vfs_read+0x3c8/0x4f4
[  209.400603]  ksys_read+0x17c/0x1cc
[  209.400878]  ret_from_syscall+0x0/0x34
[  209.401001]
[  209.401222] The buggy address belongs to the object at c2de70c0
[  209.401222]  which belongs to the cache skbuff_head_cache of size 176
[  209.401462] The buggy address is located 0 bytes inside of
[  209.401462]  176-byte region [c2de70c0, c2de7170)
[  209.401604] The buggy address belongs to the page:
[  209.401867] page:464e6411 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0xb79
[  209.402080] flags: 0x200(slab)
[  209.402477] raw: 00000200 00000100 00000122 c2004a90 00000000 00440088 ffffffff 00000001
[  209.402646] page dumped because: kasan: bad access detected
[  209.402765]
[  209.402897] Memory state around the buggy address:
[  209.403142]  c2de6f80: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
[  209.403388]  c2de7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  209.403639] >c2de7080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  209.403798]                                    ^
[  209.404048]  c2de7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[  209.404304]  c2de7180: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[  209.404456] ==================================================================
[  209.404591] Disabling lock debugging due to kernel taint


Thanks
Christophe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ