lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALm+0cW8HutqzcrfxysLWoOVyzh70RT3G0gaALRbnS=8Lw2f=g@mail.gmail.com>
Date: Mon, 11 Mar 2024 17:46:09 +0800
From: Z qiang <qiang.zhang1211@...il.com>
To: 柳菁峰 <liujingfeng@...nxin.com>
Cc: "richardcochran@...il.com" <richardcochran@...il.com>, 
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>, 
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, 
	"syzkaller@...glegroups.com" <syzkaller@...glegroups.com>, "secalert@...hat.com" <secalert@...hat.com>
Subject: Re: memory leak in posix_clock_open

>
> There is a memory leak in posix_clock_open,it was found by syzkaller when I tested it with linux-6.7(commit: 0dd3ee31125508cd67f7e7172247f05b7fd1753a).
>
> When the ptp_open function (in driver/ptp/ptp.chardev. c) is called in posix_clock_open and the ptp_open function returns an error, it appears to crash, posix_clock_release has not been called to free pccontext.
>
> Here is crash info:
>
> BUG: memory leak
> unreferenced object 0xffff8881065327c0 (size 16):
>   comm "syz-executor.7", pid 8994, jiffies 4295144661 (age 17.222s)
>   hex dump (first 16 bytes):
>     00 20 79 01 81 88 ff ff 00 00 00 00 00 00 00 00  . y.............
>   backtrace:
>     [<00000000fba736c4>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
>     [<00000000fba736c4>] slab_post_alloc_hook mm/slab.h:766 [inline]
>     [<00000000fba736c4>] slab_alloc_node mm/slub.c:3478 [inline]
>     [<00000000fba736c4>] __kmem_cache_alloc_node+0x1ee/0x250 mm/slub.c:3517
>     [<00000000f8fcb419>] kmalloc_trace+0x22/0xc0 mm/slab_common.c:1098
>     [<00000000afc910b4>] kmalloc include/linux/slab.h:600 [inline]
>     [<00000000afc910b4>] kzalloc include/linux/slab.h:721 [inline]
>     [<00000000afc910b4>] posix_clock_open+0xd3/0x250 kernel/time/posix-clock.c:126
>     [<00000000b1a43627>] chrdev_open+0x24b/0x6a0 fs/char_dev.c:414
>     [<00000000364febd5>] do_dentry_open+0x630/0x1580 fs/open.c:948
>     [<00000000ac62c8f4>] do_open fs/namei.c:3622 [inline]
>     [<00000000ac62c8f4>] path_openat+0x13f1/0x1c30 fs/namei.c:3779
>     [<0000000087bfc1bc>] do_filp_open+0x1c5/0x410 fs/namei.c:3809
>     [<0000000044db899a>] do_sys_openat2+0x139/0x190 fs/open.c:1437
>     [<00000000ee967f42>] do_sys_open fs/open.c:1452 [inline]
>     [<00000000ee967f42>] __do_sys_openat fs/open.c:1468 [inline]
>     [<00000000ee967f42>] __se_sys_openat fs/open.c:1463 [inline]
>     [<00000000ee967f42>] __x64_sys_openat+0x13d/0x1f0 fs/open.c:1463
>     [<000000004fad64b5>] do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>     [<000000004fad64b5>] do_syscall_64+0x3e/0xf0 arch/x86/entry/common.c:83
>     [<00000000c2701c13>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
>
> BUG: leak checking failed

Hi, jingfeng

Please try the following modifications:

diff --git a/kernel/time/posix-clock.c b/kernel/time/posix-clock.c
index 9de66bbbb3d1..71d9d8c394fa 100644
--- a/kernel/time/posix-clock.c
+++ b/kernel/time/posix-clock.c
@@ -137,6 +137,8 @@ static int posix_clock_open(struct inode *inode,
struct file *fp)

        if (!err) {
                get_device(clk->dev);
+       } else {
+               kfree(pccontext);
        }
 out:
        up_read(&clk->rwsem);

Thanks
Zqiang

>
>
>
>
> Here is the C code reproducer by syzkaller,It used inject fault to make ptp_open returns a error:
>
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> #include <dirent.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <signal.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <time.h>
> #include <unistd.h>
>
> static void sleep_ms(uint64_t ms)
> {
>        usleep(ms * 1000);
> }
>
> static uint64_t current_time_ms(void)
> {
>        struct timespec ts;
>        if (clock_gettime(CLOCK_MONOTONIC, &ts))
>        exit(1);
>        return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
> }
>
> static bool write_file(const char* file, const char* what, ...)
> {
>        char buf[1024];
>        va_list args;
>        va_start(args, what);
>        vsnprintf(buf, sizeof(buf), what, args);
>        va_end(args);
>        buf[sizeof(buf) - 1] = 0;
>        int len = strlen(buf);
>        int fd = open(file, O_WRONLY | O_CLOEXEC);
>        if (fd == -1)
>               return false;
>        if (write(fd, buf, len) != len) {
>               int err = errno;
>               close(fd);
>               errno = err;
>               return false;
>        }
>        close(fd);
>        return true;
> }
>
> static int inject_fault(int nth)
> {
>        int fd;
>        fd = open("/proc/thread-self/fail-nth", O_RDWR);
>        if (fd == -1)
>        exit(1);
>        char buf[16];
>        sprintf(buf, "%d", nth);
>        if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf))
>        exit(1);
>        return fd;
> }
>
> static void kill_and_wait(int pid, int* status)
> {
>        kill(-pid, SIGKILL);
>        kill(pid, SIGKILL);
>        for (int i = 0; i < 100; i++) {
>               if (waitpid(-1, status, WNOHANG | __WALL) == pid)
>                      return;
>               usleep(1000);
>        }
>        DIR* dir = opendir("/sys/fs/fuse/connections");
>        if (dir) {
>               for (;;) {
>                      struct dirent* ent = readdir(dir);
>                      if (!ent)
>                             break;
>                      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
>                             continue;
>                      char abort[300];
>                      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
>                      int fd = open(abort, O_WRONLY);
>                      if (fd == -1) {
>                             continue;
>                      }
>                      if (write(fd, abort, 1) < 0) {
>                      }
>                      close(fd);
>               }
>               closedir(dir);
>        } else {
>        }
>        while (waitpid(-1, status, __WALL) != pid) {
>        }
> }
>
> static void setup_test()
> {
>        prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
>        setpgrp();
>        write_file("/proc/self/oom_score_adj", "1000");
> }
>
> static void setup_fault()
> {
>        static struct {
>               const char* file;
>               const char* val;
>               bool fatal;
>        } files[] = {
>            {"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
>            {"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
>           {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
>            {"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
>            {"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
>        };
>        unsigned i;
>        for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
>               if (!write_file(files[i].file, files[i].val)) {
>                      if (files[i].fatal)
>        exit(1);
>               }
>        }
> }
>
> #define KMEMLEAK_FILE "/sys/kernel/debug/kmemleak"
>
> static void setup_leak()
> {
>        if (!write_file(KMEMLEAK_FILE, "scan"))
>        exit(1);
>        sleep(5);
>        if (!write_file(KMEMLEAK_FILE, "scan"))
>        exit(1);
>        if (!write_file(KMEMLEAK_FILE, "clear"))
>        exit(1);
> }
>
> static void check_leaks(void)
> {
>        int fd = open(KMEMLEAK_FILE, O_RDWR);
>        if (fd == -1)
>        exit(1);
>        uint64_t start = current_time_ms();
>        if (write(fd, "scan", 4) != 4)
>        exit(1);
>        sleep(1);
>        while (current_time_ms() - start < 4 * 1000)
>               sleep(1);
>        if (write(fd, "scan", 4) != 4)
>        exit(1);
>        static char buf[128 << 10];
>        ssize_t n = read(fd, buf, sizeof(buf) - 1);
>        if (n < 0)
>        exit(1);
>        int nleaks = 0;
>        if (n != 0) {
>               sleep(1);
>               if (write(fd, "scan", 4) != 4)
>        exit(1);
>               if (lseek(fd, 0, SEEK_SET) < 0)
>        exit(1);
>               n = read(fd, buf, sizeof(buf) - 1);
>               if (n < 0)
>        exit(1);
>               buf[n] = 0;
>               char* pos = buf;
>               char* end = buf + n;
>               while (pos < end) {
>                      char* next = strstr(pos + 1, "unreferenced object");
>                      if (!next)
>                             next = end;
>                      char prev = *next;
>                      *next = 0;
>                      fprintf(stderr, "BUG: memory leak\n%s\n", pos);
>                      *next = prev;
>                      pos = next;
>                      nleaks++;
>               }
>        }
>        if (write(fd, "clear", 5) != 5)
>        exit(1);
>        close(fd);
>        if (nleaks)
>               exit(1);
> }
>
> static void execute_one(void);
>
> #define WAIT_FLAGS __WALL
>
> static void loop(void)
> {
>        int iter = 0;
>        for (;; iter++) {
>               int pid = fork();
>               if (pid < 0)
>        exit(1);
>               if (pid == 0) {
>                      setup_test();
>                      execute_one();
>                      exit(0);
>               }
>               int status = 0;
>               uint64_t start = current_time_ms();
>               for (;;) {
>                      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
>                             break;
>                      sleep_ms(1);
>                      if (current_time_ms() - start < 5000)
>                             continue;
>                      kill_and_wait(pid, &status);
>                      break;
>               }
>               check_leaks();
>        }
> }
>
> void execute_one(void)
> {
> memcpy((void*)0x20001180, "/dev/ptp0\000", 10);
>        inject_fault(7);
>        syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20001180ul, /*flags=*/0ul, /*mode=*/0ul);
>
> }
> int main(void)
> {
>               syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>        syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>        syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
>        setup_leak();
>        setup_fault();
>                      loop();
>        return 0;
> }
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ