From: Sasha Levin <levinsasha928@gmail.com>
To: Ming Lei <tom.leiming@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>, Dave Jones <davej@redhat.com>,
	Greg Kroah-Hartman <greg@kroah.com>,
	Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: use after free in sysfs_find_dirent
Date: Tue, 19 Mar 2013 12:28:50 -0400
Message-ID: <51489242.9020801@gmail.com>
In-Reply-To: <CACVXFVPV3mq=k-AZ1bYkAMdxwXD96Ty7DYeh9H9J=yvA4m=rGA@mail.gmail.com>

On 03/19/2013 07:54 AM, Ming Lei wrote:
> Hi Sasha,
> 
> On Tue, Mar 19, 2013 at 11:40 AM, Ming Lei <tom.leiming@gmail.com> wrote:
>> Hi Sasha,
>>
>> On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin <levinsasha928@gmail.com> wrote:
>>> [  232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: vx855(vx855)-bind, 0-25520352
>>
>> Looks like filp->f_pos is changed to zero by llseek(), so it may leave
>> filp->private_data pointing to a refcount-balanced sysfs_dirent object,
>> which will be put again afterwards.
>>
>> Hope we are lucky this time; please try the attached patch.
> 
> Looks like the better and simpler way is to hold the i_mutex for llseek.
> If you haven't tested the v2, please ignore it and just test the attached
> v3 patch.

With v3 of the patch:

[ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: tun(tun)-uevent, 2-1472641949
[ 1275.667234] release_sysfs_dirent-285 sysfs_dirent use after free: tun-uevent
[ 1275.668347] Pid: 13795, comm: trinity-child62 Tainted: G        W    3.9.0-rc3-next-20130319-sasha-00041-g22d0dce-dirty #305
[ 1275.696032] Call Trace:
[ 1275.696529]  [<ffffffff812fa373>] release_sysfs_dirent+0x53/0x120
[ 1275.697593]  [<ffffffff812fa53a>] sysfs_dir_pos+0x9a/0x140
[ 1275.698551]  [<ffffffff812fa6fd>] sysfs_readdir+0x11d/0x280
[ 1275.699512]  [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.700586]  [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.701482]  [<ffffffff8128cd78>] vfs_readdir+0x78/0xc0
[ 1275.702333]  [<ffffffff8128cedc>] SyS_getdents+0x8c/0x110
[ 1275.703242]  [<ffffffff83da13d8>] tracesys+0xe1/0xe6
[ 1275.710567] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1275.711796] Dumping ftrace buffer:
[ 1275.712423]    (ftrace buffer empty)
[ 1275.712993] Modules linked in:
[ 1275.713518] CPU 0
[ 1275.713830] Pid: 13795, comm: trinity-child62 Tainted: G        W    3.9.0-rc3-next-20130319-sasha-00041-g22d0dce-dirty #305
[ 1275.717622] RIP: 0010:[<ffffffff819eccf3>]  [<ffffffff819eccf3>] rb_next+0x23/0x60
[ 1275.718775] RSP: 0018:ffff880065349e58  EFLAGS: 00010202
[ 1275.719618] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800af811ab0 RCX: ffff8800af811ab0
[ 1275.720046] RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800afff8f40 RDI: ffff8800af811af8
[ 1275.720046] RBP: ffff880065349e58 R08: 2222222222222222 R09: 2222222222222222
[ 1275.720046] R10: 2222222222222222 R11: 0000000000000000 R12: ffff88009c642100
[ 1275.720046] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000009
[ 1275.720046] FS:  00007faf86d64700(0000) GS:ffff8800bb800000(0000) knlGS:0000000000000000
[ 1275.720046] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1275.720046] CR2: 0000000001e3b228 CR3: 000000007207e000 CR4: 00000000000406f0
[ 1275.720046] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1275.720046] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1275.720046] Process trinity-child62 (pid: 13795, threadinfo ffff880065348000, task ffff880065240000)
[ 1275.720046] Stack:
[ 1275.720046]  ffff880065349ec8 ffffffff812fa7f9 2222222222222222 222222220000000a
[ 1275.720046]  000000000000c3e5 ffffffff8128ca00 ffff880065349f28 ffff8800afff8f40
[ 1275.720046]  ffff8800a31c65d8 ffff88009c642100 ffff880065349f28 ffffffff8128ca00
[ 1275.720046] Call Trace:
[ 1275.720046]  [<ffffffff812fa7f9>] sysfs_readdir+0x219/0x280
[ 1275.720046]  [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.720046]  [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.720046]  [<ffffffff8128cd78>] vfs_readdir+0x78/0xc0
[ 1275.720046]  [<ffffffff8128cedc>] SyS_getdents+0x8c/0x110
[ 1275.720046]  [<ffffffff83da13d8>] tracesys+0xe1/0xe6
[ 1275.720046] Code: 85 d2 75 f4 5d c3 66 90 55 31 c0 48 8b 17 48 89 e5 48 39 d7 74 4a 48 8b 47 08 48 85 c0 75 0c eb 17 0f 1f 80 00
00 00 00 48 89 d0 <48> 8b 50 10 48 85 d2 75 f4 eb 2a 66 90 48 89 d1 48 83 e1 fc 74
[ 1275.720046] RIP  [<ffffffff819eccf3>] rb_next+0x23/0x60
[ 1275.720046]  RSP <ffff880065349e58>

Thanks,
Sasha
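
The sequence Ming Lei describes above (llseek() resetting f_pos to zero while filp->private_data still holds a sysfs_dirent whose reference readdir has already dropped, so the next readdir puts it again), replayed as an added userspace C model. This is example code written for this page, not kernel code and not either of the patches discussed in the thread (neither is on this page); the directory contents, the function names (dir_pos, dir_next_pos, readdir_model, run_scenario, refcounts_balanced) and the way the concurrent seek is injected are assumptions, and the model mirrors the shape of the kernel's readdir cursor handling only as far as the thread's description requires.

```c
#include <limits.h>
#include <stdio.h>

/* Added illustration, not kernel code: a userspace model of the readdir cursor
 * in filp->private_data.  All names and directory contents are assumptions. */
struct dirent_obj { int ino; int refcnt; int freed; };
struct dir_file { long pos; struct dirent_obj *priv; }; /* f_pos, private_data */
/* Constructed directory, inos 2..4; refcnt 1 is the directory tree's own ref. */
static struct dirent_obj dir[] = { {2, 1, 0}, {3, 1, 0}, {4, 1, 0} };
enum { NENT = sizeof dir / sizeof dir[0] };
static int uaf_hits;          /* the model's "sysfs_dirent use after free" check */
static int seek_pending;      /* an llseek(fd, 0, SEEK_SET) from another thread */
static int llseek_serialized; /* 0: seek may land inside readdir; 1: it waits */

static struct dirent_obj *obj_get(struct dirent_obj *o) { o->refcnt++; return o; }
static void obj_put(struct dirent_obj *o)
{
    if (o->freed) { uaf_hits++; return; }  /* put on an already freed object */
    if (--o->refcnt == 0) o->freed = 1;    /* last reference gone: "kfree" */
}
static void apply_seek(struct dir_file *f) { if (seek_pending) { f->pos = 0; seek_pending = 0; } }

/* First live entry with ino >= want; reading a freed one models rb_next()
 * walking poisoned memory (the general protection fault in the report). */
static struct dirent_obj *lookup_ge(long want)
{
    for (int i = 0; i < NENT; i++) {
        if (dir[i].freed) { uaf_hits++; continue; }
        if (dir[i].ino >= want) return &dir[i];
    }
    return NULL;
}

/* Like sysfs_dir_pos(): drop the cursor's reference, then revalidate it
 * against f_pos, restarting the search from f_pos on mismatch. */
static struct dirent_obj *dir_pos(struct dir_file *f, struct dirent_obj *pos)
{
    if (pos) {
        int valid = !pos->freed && pos->ino == f->pos;
        obj_put(pos);
        if (!valid) pos = NULL;
    }
    return pos ? pos : lookup_ge(f->pos);
}

/* Like sysfs_dir_next_pos(): revalidate, then step on without taking a ref. */
static struct dirent_obj *dir_next_pos(struct dir_file *f, struct dirent_obj *pos)
{
    pos = dir_pos(f, pos);
    return pos ? lookup_ge(pos->ino + 1) : NULL;
}

/* readdir(): fills at most `capacity` entries; returns how many. */
static int readdir_model(struct dir_file *f, int capacity)
{
    struct dirent_obj *pos = f->priv;
    int n = 0;
    if (f->pos == 0) { n++; f->pos = 1; }  /* "." */
    if (f->pos == 1) { n++; f->pos = 2; }  /* ".." */
    for (pos = dir_pos(f, pos); pos; pos = dir_next_pos(f, pos)) {
        f->pos = pos->ino;
        f->priv = obj_get(pos);            /* the cursor holds one reference */
        if (n == capacity) break;          /* filldir: caller's buffer is full */
        n++;
    }
    /* Without i_mutex around llseek the seek lands here, after dir_next_pos()
     * dropped the cursor's reference, so the EOF test below sees f_pos == 0
     * and leaves private_data pointing at a refcount-balanced entry. */
    if (!llseek_serialized) apply_seek(f);
    if (f->pos > 1 && !pos) { f->pos = LONG_MAX; f->priv = NULL; }
    return n;
}

/* Replay: readdir to EOF with a concurrent seek to 0, then readdir again,
 * which puts the stale cursor a second time.  Returns the UAF hit count. */
static int run_scenario(int serialize_llseek)
{
    struct dir_file f = { 0, NULL };
    for (int i = 0; i < NENT; i++) { dir[i].refcnt = 1; dir[i].freed = 0; }
    uaf_hits = 0;
    llseek_serialized = serialize_llseek;
    seek_pending = 1;
    readdir_model(&f, 16);
    apply_seek(&f);              /* a serialized seek runs once readdir returns */
    readdir_model(&f, 16);
    if (f.priv) obj_put(f.priv); /* release(): drop a still-held cursor */
    return uaf_hits;
}

/* 1 if every entry is live and holds exactly the tree's own reference. */
static int refcounts_balanced(void)
{
    for (int i = 0; i < NENT; i++)
        if (dir[i].freed || dir[i].refcnt != 1) return 0;
    return 1;
}

int main(void)
{
    for (int s = 0; s < 2; s++) {
        int hits = run_scenario(s);
        printf("%s llseek: uaf hits=%d, refcounts balanced=%d\n",
               s ? "serialized" : "unserialized", hits, refcounts_balanced());
    }
    return 0;
}
```

run_scenario(0) lets the seek land between the end of the directory walk and the EOF cleanup, which is possible when llseek() does not take i_mutex: the cursor's reference has already been dropped, private_data is left dangling, the second readdir puts that entry again and drives its refcount to zero, and the following walk then reads the freed entry, the model's analogue of the rb_next() fault in the trace. run_scenario(1) defers the seek until readdir returns, which is what serializing llseek() under i_mutex (the direction Ming's v3 takes) buys in this model: every get is matched by exactly one put and no freed entry is touched.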

Thread overview: 27+ messages
2013-03-07  5:28 use after free in sysfs_find_dirent Dave Jones
2013-03-07  5:33 ` sysfs_dir_cache slab corruption Dave Jones
2013-03-07  6:03   ` Greg Kroah-Hartman
2013-03-07  6:02 ` use after free in sysfs_find_dirent Greg Kroah-Hartman
2013-03-07  6:26   ` Dave Jones
2013-03-13 11:47     ` Ming Lei
2013-03-15  4:03     ` Sasha Levin
2013-03-15  5:04       ` Sasha Levin
2013-03-15  7:38         ` Ming Lei
2013-03-15 16:27           ` Sasha Levin
2013-03-16 12:39         ` Hillf Danton
2013-03-16 13:30           ` Ming Lei
2013-03-16 15:07             ` Sasha Levin
2013-03-16 15:22               ` Ming Lei
2013-03-16 15:58                 ` Ming Lei
2013-03-16 18:33                   ` Sasha Levin
2013-03-17  1:02                     ` Ming Lei
2013-03-17 14:24                       ` Sasha Levin
2013-03-17 16:23                         ` Ming Lei
2013-03-19  2:06                           ` Sasha Levin
2013-03-19  3:40                             ` Ming Lei
2013-03-19 11:54                               ` Ming Lei
2013-03-19 16:28                                 ` Sasha Levin [this message]
2013-03-20  1:02                                   ` Ming Lei
2013-03-20 14:34                                     ` Sasha Levin
2013-03-20 17:17                                       ` Greg Kroah-Hartman
2013-03-16 15:59                 ` Sasha Levin
