Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Feb 2021 00:07:26 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, kernel test robot <oliver.sang@...el.com>,
	LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
	io-uring@...r.kernel.org,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Christian Brauner <christian.brauner@...ntu.com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>
Subject: f009495a8d: BUG:KASAN:use-after-free_in_user_shm_unlock


Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: f009495a8def89a71b9e0b9025a39379d6f9097d ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210215-204524


in testcase: trinity
version: trinity-x86_64-4d2343bd-1_20210105
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+---------------------------------------------+------------+------------+
|                                             | ebc4144c8c | f009495a8d |
+---------------------------------------------+------------+------------+
| boot_successes                              | 12         | 3          |
| boot_failures                               | 0          | 9          |
| BUG:KASAN:use-after-free_in_user_shm_unlock | 0          | 9          |
+---------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  379.451460] BUG: KASAN: use-after-free in user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) 
[  379.452995] Read of size 8 at addr ffff888117ff7e90 by task trinity-c2/3961
[  379.454626]
[  379.455018] CPU: 0 PID: 3961 Comm: trinity-c2 Tainted: G            E     5.11.0-rc7-00017-gf009495a8def #1
[  379.457212] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[  379.459153] Call Trace:
[  379.459777] print_address_description+0x18/0x26f 
[  379.461168] ? user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) 
[  379.462171] kasan_report (kbuild/src/consumer/mm/kasan/report.c:397 kbuild/src/consumer/mm/kasan/report.c:413) 
[  379.463132] ? user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) 
[  379.464053] user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) 
[  379.464986] shmem_lock (kbuild/src/consumer/mm/shmem.c:2247) 
[  379.465741] shmctl_do_lock (kbuild/src/consumer/ipc/shm.c:1124) 
[  379.466611] ksys_shmctl+0x19b/0x1e2 
[  379.467620] ? __x32_compat_sys_shmctl (kbuild/src/consumer/ipc/shm.c:1141) 
[  379.468612] ? lock_acquire (kbuild/src/consumer/kernel/locking/lockdep.c:437 kbuild/src/consumer/kernel/locking/lockdep.c:5444) 
[  379.469427] ? find_held_lock (kbuild/src/consumer/kernel/locking/lockdep.c:4956) 
[  379.470301] ? __context_tracking_exit (kbuild/src/consumer/kernel/context_tracking.c:161) 
[  379.471508] ? lock_downgrade (kbuild/src/consumer/kernel/locking/lockdep.c:5450) 
[  379.472561] ? kvm_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90) 
[  379.473521] ? account_steal_time (kbuild/src/consumer/kernel/sched/cputime.c:212) 
[  379.474581] ? account_other_time (kbuild/src/consumer/kernel/sched/cputime.c:245 kbuild/src/consumer/kernel/sched/cputime.c:262) 
[  379.475544] ? mark_held_locks (kbuild/src/consumer/kernel/locking/lockdep.c:4000 (discriminator 1)) 
[  379.476491] ? lockdep_hardirqs_on_prepare (kbuild/src/consumer/kernel/locking/lockdep.c:437 kbuild/src/consumer/kernel/locking/lockdep.c:4099) 
[  379.477743] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[  379.478611] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) 
[  379.479768] RIP: 0033:0x7f79708ebf59
[ 379.480640] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d 07 6f 0c 00 	mov    0xc6f07(%rip),%rcx        # 0xc6f41
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d 07 6f 0c 00 	mov    0xc6f07(%rip),%rcx        # 0xc6f17
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[  379.484875] RSP: 002b:00007ffd0b8ac428 EFLAGS: 00000246 ORIG_RAX: 000000000000001f
[  379.486602] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007f79708ebf59
[  379.488077] RDX: 0000000000000004 RSI: 000000000000000c RDI: 0000000000000000
[  379.489493] RBP: 000000000000001f R08: 0000a7fc6cf3f14d R09: 0000000008000000
[  379.491020] R10: ffffffffffffff71 R11: 0000000000000246 R12: 0000000000000002
[  379.492661] R13: 00007f796f2bb058 R14: 00007f79707d46c0 R15: 00007f796f2bb000
[  379.494454]
[  379.494871] Allocated by task 0:
[  379.495620] (stack is not available)
[  379.496488]
[  379.496893] Freed by task 10:
[  379.497655] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:38) 
[  379.498658] kasan_set_track (kbuild/src/consumer/mm/kasan/common.c:46) 
[  379.499609] kasan_set_free_info (kbuild/src/consumer/mm/kasan/generic.c:358) 
[  379.500681] ____kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:364) 
[  379.501725] slab_free_freelist_hook (kbuild/src/consumer/mm/slub.c:1580) 
[  379.502861] kmem_cache_free (kbuild/src/consumer/mm/slub.c:3143 kbuild/src/consumer/mm/slub.c:3159) 
[  379.503731] rcu_process_callbacks (kbuild/src/consumer/include/linux/rcupdate.h:264 kbuild/src/consumer/kernel/rcu/tiny.c:99 kbuild/src/consumer/kernel/rcu/tiny.c:130) 
[  379.504755] __do_softirq (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:27 kbuild/src/consumer/include/linux/jump_label.h:254 kbuild/src/consumer/include/linux/jump_label.h:264 kbuild/src/consumer/include/trace/events/irq.h:142 kbuild/src/consumer/kernel/softirq.c:344) 
[  379.505618]
[  379.505979] The buggy address belongs to the object at ffff888117ff7e00
[  379.505979]  which belongs to the cache cred_jar of size 176
[  379.508744] The buggy address is located 144 bytes inside of
[  379.508744]  176-byte region [ffff888117ff7e00, ffff888117ff7eb0)
[  379.511290] The buggy address belongs to the page:
[  379.512399] page:0000000097ece402 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117ff7
[  379.514652] flags: 0x8000000000000200(slab)
[  379.515652] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100372a00
[  379.517377] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  379.519257] page dumped because: kasan: bad access detected
[  379.520478]
[  379.520835] Memory state around the buggy address:
[  379.521953]  ffff888117ff7d80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[  379.523570]  ffff888117ff7e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  379.525357] >ffff888117ff7e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[  379.527029]                          ^
[  379.527887]  ffff888117ff7f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  379.529581]  ffff888117ff7f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[  379.531334] ==================================================================
[  379.533107] Disabling lock debugging due to kernel taint
[  379.755941] [main] kernel became tainted! (8224/8192) Last seed was 782038633
[  379.756009]
[  379.773617] trinity: Detected kernel tainting. Last seed was 782038633
[  379.773690]
[  379.789324] [main] exit_reason=7, but 3 children still running.
[  379.789394]
[  381.812865] [main] Bailing main loop because kernel became tainted..
[  381.812932]
[  382.091273] [main] Ran 93208 syscalls. Successes: 23634  Failures: 67538
[  382.091348]
[  405.279282] /lkp/lkp/src/tests/trinity: 45: kill: No such process
[  405.279354]
[  405.298590]
[  405.298646]
[  405.656613] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/lkp/jobs/scheduled/vm-snb-124/trinity-300s-debian-10.4-x86_64-20200603.cgz-f009495a8def89a71b9e0b9025a39379d6f9097d-20210217-33540-1tuu5rt-2.yaml&job_state=post_run -O /dev/null
[  405.656700]
[  407.339684] kill 377 vmstat --timestamp -n 10
[  407.339744]
[  407.453173] kill 375 dmesg --follow --decode
[  407.453237]
[  407.547712] wait for background processes: 379 meminfo
[  407.547783]
[  415.539948] sysrq: Emergency Sync
[  415.540999] Emergency Sync complete
[  415.544090] sysrq: Resetting

Kboot worker: lkp-worker31
Elapsed time: 420

kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-124.cgz
-m 8192
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0,hostfwd=tcp::32032-:22
-boot order=nc
-no-reboot
-watchdog i6300esb
-watchdog-action debug
-rtc base=localtime
-serial stdio
-display none
-monitor null
)

append=(
ip=::::vm-snb-124::dhcp
root=/dev/ram0


To reproduce:

        # build kernel
	cd linux
	cp config-5.11.0-rc7-00017-gf009495a8def .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc7-00017-gf009495a8def" of type "text/plain" (151174 bytes)

View attachment "job-script" of type "text/plain" (4334 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (35376 bytes)

View attachment "trinity" of type "text/plain" (145955 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.