| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Mar 2021 08:28:13 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzbot <syzbot+44908bb56d2bfe56b28e@...kaller.appspotmail.com>
Cc: Christian Brauner <christian@...uner.io>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Kees Cook <keescook@...omium.org>,
LKML <linux-kernel@...r.kernel.org>,
Minchan Kim <minchan@...nel.org>,
Oleg Nesterov <oleg@...hat.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, andrii@...nel.org,
bpf <bpf@...r.kernel.org>, netdev <netdev@...r.kernel.org>
Subject: Re: [syzbot] memory leak in copy_process (2)
On Mon, Mar 15, 2021 at 1:48 AM syzbot
<syzbot+44908bb56d2bfe56b28e@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 88fe4924 Merge tag 'char-misc-5.12-rc3' of git://git.kerne..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10252462d00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=815a716b5d0a8bdf
> dashboard link: https://syzkaller.appspot.com/bug?extid=44908bb56d2bfe56b28e
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14180dc6d00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=167cf68ad00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+44908bb56d2bfe56b28e@...kaller.appspotmail.com
+bpf maintainers
Looking at the reproducer I think it's an issue in bpf_preload.
> Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff888101b41d00 (size 120):
> comm "kworker/u4:0", pid 8, jiffies 4294944270 (age 12.780s)
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff8125dc56>] alloc_pid+0x66/0x560 kernel/pid.c:180
> [<ffffffff81226405>] copy_process+0x1465/0x25e0 kernel/fork.c:2115
> [<ffffffff81227943>] kernel_clone+0xf3/0x670 kernel/fork.c:2493
> [<ffffffff812281a1>] kernel_thread+0x61/0x80 kernel/fork.c:2545
> [<ffffffff81253464>] call_usermodehelper_exec_work kernel/umh.c:172 [inline]
> [<ffffffff81253464>] call_usermodehelper_exec_work+0xc4/0x120 kernel/umh.c:158
> [<ffffffff812591c9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
> [<ffffffff81259ab9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
> [<ffffffff812611c8>] kthread+0x178/0x1b0 kernel/kthread.c:292
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110ef5c00 (size 232):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> e0 b7 04 01 81 88 ff ff c0 56 ba 0f 81 88 ff ff .........V......
> backtrace:
> [<ffffffff8154a0cf>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff8154a0cf>] __alloc_file+0x1f/0xf0 fs/file_table.c:101
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ab22>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:232
> [<ffffffff81559218>] create_pipe_files+0x138/0x2e0 fs/pipe.c:911
> [<ffffffff8126c793>] umd_setup+0x33/0x220 kernel/usermode_driver.c:104
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110cafc90 (size 24):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 24 bytes):
> 00 00 00 00 00 00 00 00 b0 0e 94 00 81 88 ff ff ................
> 00 00 00 00 00 00 00 00 ........
> backtrace:
> [<ffffffff820e15ca>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff820e15ca>] lsm_file_alloc security/security.c:569 [inline]
> [<ffffffff820e15ca>] security_file_alloc+0x2a/0xb0 security/security.c:1470
> [<ffffffff8154a10d>] __alloc_file+0x5d/0xf0 fs/file_table.c:106
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ab22>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:232
> [<ffffffff81559218>] create_pipe_files+0x138/0x2e0 fs/pipe.c:911
> [<ffffffff8126c793>] umd_setup+0x33/0x220 kernel/usermode_driver.c:104
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110ef5e00 (size 232):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> e0 b7 04 01 81 88 ff ff 00 59 ba 0f 81 88 ff ff .........Y......
> backtrace:
> [<ffffffff8154a0cf>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff8154a0cf>] __alloc_file+0x1f/0xf0 fs/file_table.c:101
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ac22>] alloc_file_clone+0x22/0x70 fs/file_table.c:244
> [<ffffffff81559262>] create_pipe_files+0x182/0x2e0 fs/pipe.c:922
> [<ffffffff8126c80d>] umd_setup+0xad/0x220 kernel/usermode_driver.c:115
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110cafc18 (size 24):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 24 bytes):
> 00 00 00 00 00 00 00 00 b0 0e 94 00 81 88 ff ff ................
> 00 00 00 00 00 00 00 00 ........
> backtrace:
> [<ffffffff820e15ca>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff820e15ca>] lsm_file_alloc security/security.c:569 [inline]
> [<ffffffff820e15ca>] security_file_alloc+0x2a/0xb0 security/security.c:1470
> [<ffffffff8154a10d>] __alloc_file+0x5d/0xf0 fs/file_table.c:106
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ac22>] alloc_file_clone+0x22/0x70 fs/file_table.c:244
> [<ffffffff81559262>] create_pipe_files+0x182/0x2e0 fs/pipe.c:922
> [<ffffffff8126c80d>] umd_setup+0xad/0x220 kernel/usermode_driver.c:115
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000c7910505bd889abc%40google.com.
Powered by blists - more mailing lists