From: bugzilla-daemon@bugzilla.kernel.org
To: linux-scsi@vger.kernel.org
Subject: [Bug 108771] New: scsi: ses: kasan: ses_enclosure_data_process use after free on boot SAS2X28
Date: Wed, 02 Dec 2015 10:57:34 +0000	[thread overview]
Message-ID: <bug-108771-11613@https.bugzilla.kernel.org/> (raw)

https://bugzilla.kernel.org/show_bug.cgi?id=108771

            Bug ID: 108771
           Summary: scsi: ses: kasan: ses_enclosure_data_process use after
                    free on boot SAS2X28
           Product: SCSI Drivers
           Version: 2.5
    Kernel Version: 4.3
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: scsi_drivers-other@kernel-bugs.osdl.org
          Reporter: ptikhomirov@virtuozzo.com
        Regression: No

Created attachment 196301
  --> https://bugzilla.kernel.org/attachment.cgi?id=196301&action=edit
Full /var/log/messages log and module ses.ko

Here is my setup:
Kernel: Linux 4.3 (tag:v4.3 commit:6a13feb9c8)
SCSI ses device: Host: scsi0 Channel: 00 Id: 16 Lun: 00 Vendor: LSI Model:
SAS2X28 Rev: 0e12 Type: Enclosure ANSI  SCSI revision: 05

Full /var/log/messages log in archive attached:
debug-kernel-kasan-system-log.txt
Module in archive attached: ses.ko

On a debug kernel, on boot, when attaching the enclosure SCSI device, KASan detects a use
after free in ses_enclosure_data_process+0xbe5 (see the KASan report at the end).


nm -A ./drivers/scsi/ses.ko | grep ses_enclosure_data_process
./drivers/scsi/ses.ko:0000000000002570 t ses_enclosure_data_process

objdump -D -S -l ./drivers/scsi/ses.ko --start-address=0x0000000000002570


At offset 0x3155 (0x2570+0xbe5) there is code generated by KASan:


>    3144:       4c 89 5d a0             mov    %r11,-0x60(%rbp)
    3148:       44 89 45 a8             mov    %r8d,-0x58(%rbp)
    314c:       44 89 4d b0             mov    %r9d,-0x50(%rbp)
/vzt/linux/drivers/scsi/ses.c:545
            }
            if (desc_ptr)
                desc_ptr += len;

            if (addl_desc_ptr)
                addl_desc_ptr += addl_desc_ptr[1] + 2;
    3150:    e8 00 00 00 00           callq  3155
<ses_enclosure_data_process+0xbe5>
    3155:    4c 8b 5d a0              mov    -0x60(%rbp),%r11
    3159:    44 8b 45 a8              mov    -0x58(%rbp),%r8d
    315d:    44 8b 4d b0              mov    -0x50(%rbp),%r9d
    3161:    e9 34 f7 ff ff           jmpq   289a
<ses_enclosure_data_process+0x32a>


To which we jump from:


/vzt/linux/drivers/scsi/ses.c:545
                                addl_desc_ptr += addl_desc_ptr[1] + 2;
    2877:       49 8d 7c 24 01          lea    0x1(%r12),%rdi
    287c:       48 89 f8                mov    %rdi,%rax
    287f:       48 89 fa                mov    %rdi,%rdx
    2882:       48 c1 e8 03             shr    $0x3,%rax
    2886:       83 e2 07                and    $0x7,%edx
    2889:       42 0f b6 04 28          movzbl (%rax,%r13,1),%eax
    288e:       38 d0                   cmp    %dl,%al
    2890:       7f 08                   jg     289a
<ses_enclosure_data_process+0x32a>
    2892:       84 c0                   test   %al,%al
>    2894:       0f 85 aa 08 00 00       jne    3144 <ses_enclosure_data_process+0xbd4>
    289a:       41 0f b6 44 24 01       movzbl 0x1(%r12),%eax
    28a0:       4d 8d 64 04 02          lea    0x2(%r12,%rax,1),%r12


The address addl_desc_ptr[1] is not allocated here, but we want to read it. Actually
we iterate through ses_dev->page10 here and it ends unexpectedly. We get the number
of iterations from ses_dev->page1_num_types and ses_dev->page1_types, so it
seems that the meta-data given by the device is not consistent between page 1 and page 10.

My ideas on this:
a) In ses_process_descriptor we get enclosure_component->addr from
addl_desc_ptr only for ENCLOSURE_COMPONENT_DEVICE and
ENCLOSURE_COMPONENT_ARRAY_DEVICE, but we iterate over all entries of all types. Maybe
we need to move to the next entry in addl_desc_ptr only for those types?

b) Maybe we need the same check as we have for page 7, to stop when we hit the buffer
end.

Sorry, I'm not too familiar with the SCSI Enclosure Services specification and how it
should work.

Thanks in advance for your help, Pavel.

Here is KASan output:

================================================================== 
BUG: KASan: use after free in ses_enclosure_data_process+0xbe5/0xe40 [ses] at
addr ffff881fed1c8c01  
Read of size 1 by task systemd-udevd/1348
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected 
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Slab 0xffffea007fb47200 objects=32 used=30 fp=0xffff881fed1c8800
flags=0x2fffff80004080 
INFO: Object 0xffff881fed1c8c00 @offset=3072 fp=0xffff881fed1c8e00 

Bytes b4 ffff881fed1c8bf0: 0a 08 0b 09 0c 0a 0d 0b ff ff ff ff ff ff ff ff 
................
Object ffff881fed1c8c00: 00 8e 1c ed 1f 88 ff ff 08 8c 1c ed 1f 88 ff ff 
................ 
Object ffff881fed1c8c10: 08 8c 1c ed 1f 88 ff ff 18 8c 1c ed 1f 88 ff ff 
................ 
Object ffff881fed1c8c20: 18 8c 1c ed 1f 88 ff ff c0 ff ff ff 1f 00 00 00 
................ 
Object ffff881fed1c8c30: 30 8c 1c ed 1f 88 ff ff 30 8c 1c ed 1f 88 ff ff 
0.......0....... 
Object ffff881fed1c8c40: 70 9e dc 81 ff ff ff ff c0 aa 8a 84 ff ff ff ff 
p...............
Object ffff881fed1c8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8c60: c0 dc 79 82 ff ff ff ff 00 00 00 00 00 00 00 00 
..y.............
Object ffff881fed1c8c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8c90: b0 a0 1b 81 ff ff ff ff 28 8c 1c ed 1f 88 ff ff 
........(.......
Object ffff881fed1c8ca0: 00 00 20 00 ff ff ff ff ff ff ff ff 00 00 00 00  ..
.............
Object ffff881fed1c8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8cc0: 00 00 00 00 00 00 00 00 80 aa 8a 84 ff ff ff ff 
................
Object ffff881fed1c8cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8ce0: 00 dd 79 82 ff ff ff ff 00 00 00 00 00 00 00 00 
..y.............
Object ffff881fed1c8cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8d10: 00 00 00 00 00 00 00 00 ab 9e fb ff 00 00 00 00 
................
Object ffff881fed1c8d20: 00 00 00 00 03 00 00 00 00 00 00 00 06 00 00 00 
................
Object ffff881fed1c8d30: 02 00 00 00 00 00 00 00 08 81 9a ea 1f 88 ff ff 
................
Object ffff881fed1c8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8d60: 00 00 00 00 c4 00 00 00 00 80 9a ea 1f 88 ff ff 
................
Object ffff881fed1c8d70: 00 19 b4 ef 37 88 ff ff a0 66 dd 81 ff ff ff ff 
....7....f......
Object ffff881fed1c8d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8dc0: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 
................
Object ffff881fed1c8dd0: ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
Object ffff881fed1c8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................
CPU: 0 PID: 1348 Comm: systemd-udevd Tainted: G    B           4.3.0 #3
Hardware name: DEPO Computers X9DRi-LN4+/X9DR3-LN4+/X9DRi-LN4+/X9DR3-LN4+, BIOS
3.2 03/04/2015
ffff881fed1c8c00 000000002924ed40 ffff8837ea77f6f8 ffffffff8199df07
ffff881ffd007340 ffff8837ea77f728 ffffffff815af4e9 ffff881ffd007340
ffffea007fb47200 ffff881fed1c8c00 ffff881fe85340c1 ffff8837ea77f750
Call Trace:
[<ffffffff8199df07>] dump_stack+0x4b/0x64
[<ffffffff815af4e9>] print_trailer+0xf9/0x150
[<ffffffff815b5e94>] object_err+0x34/0x40
[<ffffffff815b8a28>] kasan_report_error+0x1e8/0x3f0
[<ffffffff8125a53f>] ? __init_waitqueue_head+0x3f/0xa0
[<ffffffff81d675a9>] ? pm_runtime_init+0x399/0x450
[<ffffffff815b8c91>] __asan_report_load1_noabort+0x61/0x70
[<ffffffffa11fb155>] ? ses_enclosure_data_process+0xbe5/0xe40 [ses]
[<ffffffffa11fb155>] ses_enclosure_data_process+0xbe5/0xe40 [ses] 
[<ffffffffa11fc1ce>] ses_intf_add+0x9ae/0xdf0 [ses] 
[<ffffffff8127c100>] ? trace_hardirqs_on_caller+0x360/0x580
[<ffffffff81d4d1bf>] class_interface_register+0x1ef/0x300
[<ffffffff81d4cfd0>] ? class_dev_iter_exit+0x10/0x10
[<ffffffff81a021a0>] ? debug_object_active_state+0x370/0x370
[<ffffffff815b3b76>] ? kfree+0xe6/0x2a0
[<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[<ffffffffa1208000>] ? 0xffffffffa1208000
[<ffffffff81de57b8>] scsi_register_interface+0x38/0x50
[<ffffffffa1208013>] ses_init+0x13/0x1000 [ses]
[<ffffffff810021b1>] do_one_initcall+0x141/0x300
[<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[<ffffffff815b8156>] ? kasan_unpoison_shadow+0x36/0x50
[<ffffffff815b8156>] ? kasan_unpoison_shadow+0x36/0x50
[<ffffffff815b8267>] ? __asan_register_globals+0x87/0xa0
[<ffffffff814b00ee>] do_init_module+0x1d0/0x5aa
[<ffffffff81332b8f>] load_module+0x409f/0x61e0
[<ffffffff81325e50>] ? __symbol_put+0xc0/0xc0
[<ffffffff8132eaf0>] ? layout_and_allocate+0x3c80/0x3c80
[<ffffffff81619ee0>] ? open_exec+0x50/0x50
[<ffffffff813267ad>] ? copy_module_from_fd.isra.46+0x1dd/0x2f0
[<ffffffff8133502b>] SyS_finit_module+0x12b/0x160
[<ffffffff81334f00>] ? SyS_init_module+0x230/0x230
[<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[<ffffffff82523bb2>] entry_SYSCALL_64_fastpath+0x12/0x76
Memory state around the buggy address:
ffff881fed1c8b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff881fed1c8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff881fed1c8c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                  ^
ffff881fed1c8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff881fed1c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
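The buffer-end check proposed in idea (b) above, written out as an added example in C. This is not code from the bug report or from drivers/scsi/ses.c; it walks a constructed page 10 buffer with a loop count that, as in the report, comes from elsewhere (page 1) and may disagree with the page 10 length. The 8-byte page header offset, the descriptor layout (byte 1 holds the length of the bytes following the 2-byte descriptor header, hence the `+ 2` step seen in the disassembly), the function name `walk_page10` and the sample bytes are all assumptions made for the example; the sample is not captured from a real enclosure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of walking the additional element descriptors of a page 10 buffer. */
struct page10_walk {
    size_t parsed;    /* descriptors fully contained in the buffer */
    bool   truncated; /* buffer ended before the expected count was reached */
};

/*
 * Walk the descriptors of an SES additional element status page (page 10).
 * Layout assumed for this example: an 8-byte page header, then descriptors
 * whose byte 1 holds the length of the bytes that follow the 2-byte descriptor
 * header, so each step is desc[1] + 2. `expected` plays the role of the entry
 * count the driver derives from page 1; a device whose page 1 and page 10
 * disagree makes `expected` larger than the buffer can hold, which is exactly
 * the case where an unchecked loop reads past the end. Every read of desc[1]
 * and every advance is checked against `end` first, so the walk stops instead.
 */
struct page10_walk walk_page10(const uint8_t *page, size_t page_len,
                               size_t expected)
{
    struct page10_walk r = { 0, false };
    const uint8_t *end = page + page_len;
    const uint8_t *desc;

    if (page_len < 8) {              /* not even a full page header */
        r.truncated = true;
        return r;
    }
    desc = page + 8;

    for (size_t i = 0; i < expected; i++) {
        size_t step;

        /* Both header bytes must be in bounds before touching desc[1]. */
        if ((size_t)(end - desc) < 2) {
            r.truncated = true;
            return r;
        }
        step = (size_t)desc[1] + 2;

        /* The descriptor's declared length must also fit in the buffer. */
        if ((size_t)(end - desc) < step) {
            r.truncated = true;
            return r;
        }
        r.parsed++;
        desc += step;
    }
    return r;
}

/* Constructed sample page: 8 header bytes followed by three descriptors of
 * 4, 2 and 5 bytes (byte 1 of each = length of the remaining bytes). */
const uint8_t sample_page10[] = {
    0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* header: page code 0x0a, rest filler */
    0x10, 0x02, 0xaa, 0xbb,                         /* descriptor 1 */
    0x10, 0x00,                                     /* descriptor 2 */
    0x10, 0x03, 0x01, 0x02, 0x03,                   /* descriptor 3 */
};
const size_t sample_page10_len = sizeof(sample_page10);

int main(void)
{
    /* page 1 and page 10 agree: three entries, three descriptors */
    struct page10_walk ok  = walk_page10(sample_page10, sample_page10_len, 3);
    /* page 1 claims five entries, page 10 only carries three */
    struct page10_walk bad = walk_page10(sample_page10, sample_page10_len, 5);
    /* buffer cut after the first byte of descriptor 3: desc[1] is out of bounds */
    struct page10_walk cut = walk_page10(sample_page10, 8 + 4 + 2 + 1, 3);

    printf("consistent:   parsed=%zu truncated=%d\n", ok.parsed, ok.truncated);
    printf("inconsistent: parsed=%zu truncated=%d\n", bad.parsed, bad.truncated);
    printf("cut buffer:   parsed=%zu truncated=%d\n", cut.parsed, cut.truncated);
    return 0;
}
```

The two checks are separate on purpose: the first guards the read of the length byte itself (the access KASan flagged at ses.c:545), the second guards the advance computed from it, so a descriptor that declares more bytes than remain is rejected rather than carried into the next iteration. A caller that gets `truncated == true` has evidence that the device's page 1 and page 10 disagree and can stop trusting the remaining entries instead of reading freed or unrelated memory.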
