* 4.7-rc7: use-after-free in proc_map_files_readdir
@ 2016-07-18 23:24 Dave Jones
  0 siblings, 0 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-18 23:24 UTC (permalink / raw)
  To: Linux Kernel; +Cc: linux-fsdevel

Just caught this spew during a fuzz-run.

[ 4971.564511] ==================================================================
[ 4971.570505] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4971.582570] Read of size 4 by task trinity-main/29845
[ 4971.588672] =============================================================================
[ 4971.594906] BUG filp (Not tainted): kasan: bad access detected
[ 4971.601164] -----------------------------------------------------------------------------

[ 4971.613861] Disabling lock debugging due to kernel taint
[ 4971.620240] INFO: Allocated in 0x6b6b6b6b6b6b6b6b age=5745177006 cpu=2835364724 pid=-1
[ 4971.626727] 	0x6b6b6b6b6b6b6b6b
[ 4971.633166] 	0x6b6b6b6b6b6b6b6b
[ 4971.639529] 	0x6b6b6b6b6b6b6b6b
[ 4971.645834] 	0x6b6b6b6b6b6b6b6b
[ 4971.652056] 	0xa56b6b6b6b6b6b6b
[ 4971.658252] 	0xbbbbbbbbbbbbbbbb
[ 4971.664416] INFO: Slab 0xffffea00113fac00 objects=18 used=17 fp=0xffff88044feb1fc0 flags=0x8000000000004080
[ 4971.677022] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b

[ 4971.689825] Redzone ffff88044feb1f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4971.702934] Redzone ffff88044feb1f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4971.716295] Redzone ffff88044feb1f60: 02 00 00 00 00 00 00 00 c1 61 00 00 01 00 00 00  .........a......
[ 4971.729944] Redzone ffff88044feb1f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[ 4971.743845] Object ffff88044feb1f80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.758049] Object ffff88044feb1f90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.772553] Object ffff88044feb1fa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.787315] Object ffff88044feb1fb0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.802311] Object ffff88044feb1fc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.817570] Object ffff88044feb1fd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.833204] Object ffff88044feb1fe0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.849141] Object ffff88044feb1ff0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.865420] Object ffff88044feb2000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.881880] Object ffff88044feb2010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.898559] Object ffff88044feb2020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.915402] Object ffff88044feb2030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.932477] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.949740] Object ffff88044feb2050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.967185] Object ffff88044feb2060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.984931] Object ffff88044feb2070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.002898] Object ffff88044feb2080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.020815] Object ffff88044feb2090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.038668] Object ffff88044feb20a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.056646] Object ffff88044feb20b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.074806] Object ffff88044feb20c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.092958] Object ffff88044feb20d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.111147] Object ffff88044feb20e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.129424] Object ffff88044feb20f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.148136] Object ffff88044feb2100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.167204] Object ffff88044feb2110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.186682] Object ffff88044feb2120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.206126] Object ffff88044feb2130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.225680] Object ffff88044feb2140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.245233] Object ffff88044feb2150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.264795] Object ffff88044feb2160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.284354] Redzone ffff88044feb2170: 6b 6b 6b 6b 6b 6b 6b 6b                          kkkkkkkk
[ 4972.303840] Padding ffff88044feb22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.323277] CPU: 2 PID: 29845 Comm: trinity-main Tainted: G    B           4.7.0-rc7-think+ #2 
[ 4972.342984]  ffffea00113fac00 0000000076df81a9 ffff880458e47ba0 ffffffffa9589f5b
[ 4972.352730]  ffff88044feb0000 ffff88044feb1f80 ffff880458e47bd0 ffffffffa930b195
[ 4972.362394]  ffff880462b647c0 ffffea00113fac00 ffff88044feb1f80 ffff880101e48828
[ 4972.372007] Call Trace:
[ 4972.381463]  [<ffffffffa9589f5b>] dump_stack+0x68/0x9d
[ 4972.390913]  [<ffffffffa930b195>] print_trailer+0x115/0x1a0
[ 4972.400287]  [<ffffffffa9311d04>] object_err+0x34/0x40
[ 4972.409592]  [<ffffffffa9313d06>] kasan_report_error+0x216/0x540
[ 4972.418804]  [<ffffffffa930f040>] ? kmem_cache_alloc_trace+0x150/0x3c0
[ 4972.427961]  [<ffffffffa931341e>] ? kasan_kmalloc+0x5e/0x70
[ 4972.437028]  [<ffffffffa95a8679>] ? __fa_get_part.part.1+0x39/0xa0
[ 4972.446036]  [<ffffffffa9313541>] ? memset+0x31/0x40
[ 4972.454942]  [<ffffffffa93145c8>] kasan_report+0x58/0x60
[ 4972.463762]  [<ffffffffa93f38d3>] ? proc_map_files_readdir+0x2e3/0x5a0
[ 4972.472545]  [<ffffffffa9312ea1>] __asan_load4+0x61/0x80
[ 4972.481235]  [<ffffffffa93f38d3>] proc_map_files_readdir+0x2e3/0x5a0
[ 4972.489878]  [<ffffffffa913c555>] ? __lock_is_held+0x25/0xd0
[ 4972.498440]  [<ffffffffa93f35f0>] ? proc_fill_cache+0x350/0x350
[ 4972.506913]  [<ffffffffa90f9a88>] ? preempt_count_sub+0x18/0xd0
[ 4972.515308]  [<ffffffffa934dfae>] ? iterate_dir+0x6e/0x270
[ 4972.523617]  [<ffffffffa934e00e>] iterate_dir+0xce/0x270
[ 4972.531835]  [<ffffffffa934e889>] SyS_getdents+0xf9/0x1c0
[ 4972.539960]  [<ffffffffa934e790>] ? SyS_old_readdir+0x120/0x120
[ 4972.547985]  [<ffffffffa934e4b0>] ? fillonedir+0x120/0x120
[ 4972.555937]  [<ffffffffa900359d>] ? syscall_trace_enter_phase2+0x12d/0x3d0
[ 4972.563846]  [<ffffffffa934e790>] ? SyS_old_readdir+0x120/0x120
[ 4972.571664]  [<ffffffffa9003b74>] do_syscall_64+0xf4/0x240
[ 4972.579406]  [<ffffffffa9d6d59a>] entry_SYSCALL64_slow_path+0x25/0x25
[ 4972.587084] Memory state around the buggy address:
[ 4972.594716]  ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4972.602347]  ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 4972.609910] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.617302]                                            ^
[ 4972.624636]  ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.631951]  ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.639157] ==================================================================
[ 4972.646802] ==================================================================
[ 4972.654020] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4972.668206] Read of size 4 by task trinity-main/29845
[ 4972.675263] =============================================================================
[ 4972.682417] BUG filp (Tainted: G    B          ): kasan: bad access detected
[ 4972.689458] -----------------------------------------------------------------------------

[ 4972.703585] INFO: Allocated in 0x6b6b6b6b6b6b6b6b age=5745178089 cpu=2835364724 pid=-1
[ 4972.710711] 	0x6b6b6b6b6b6b6b6b
[ 4972.717717] 	0x6b6b6b6b6b6b6b6b
[ 4972.724561] 	0x6b6b6b6b6b6b6b6b
[ 4972.731274] 	0x6b6b6b6b6b6b6b6b
[ 4972.737843] 	0xa56b6b6b6b6b6b6b
[ 4972.744278] 	0xbbbbbbbbbbbbbbbb
[ 4972.750567] INFO: Slab 0xffffea00113fac00 objects=18 used=17 fp=0xffff88044feb1fc0 flags=0x8000000000004080
[ 4972.763271] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b

[ 4972.775891] Redzone ffff88044feb1f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.788457] Redzone ffff88044feb1f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.801134] Redzone ffff88044feb1f60: 02 00 00 00 00 00 00 00 c1 61 00 00 01 00 00 00  .........a......
[ 4972.813794] Redzone ffff88044feb1f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[ 4972.826504] Object ffff88044feb1f80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.839308] Object ffff88044feb1f90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.852301] Object ffff88044feb1fa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.865378] Object ffff88044feb1fb0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4972.878776] Object ffff88044feb1fc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.892470] Object ffff88044feb1fd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.906480] Object ffff88044feb1fe0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.920803] Object ffff88044feb1ff0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.935382] Object ffff88044feb2000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.950258] Object ffff88044feb2010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.965469] Object ffff88044feb2020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.981031] Object ffff88044feb2030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.996940] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.013140] Object ffff88044feb2050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.029845] Object ffff88044feb2060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.046768] Object ffff88044feb2070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.064196] Object ffff88044feb2080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.081863] Object ffff88044feb2090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.099761] Object ffff88044feb20a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.118026] Object ffff88044feb20b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.136261] Object ffff88044feb20c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.154560] Object ffff88044feb20d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.172809] Object ffff88044feb20e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.191305] Object ffff88044feb20f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.210307] Object ffff88044feb2100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.229675] Object ffff88044feb2110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.249401] Object ffff88044feb2120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.269100] Object ffff88044feb2130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.288884] Object ffff88044feb2140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.308679] Object ffff88044feb2150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.328658] Object ffff88044feb2160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4973.348735] Redzone ffff88044feb2170: 6b 6b 6b 6b 6b 6b 6b 6b                          kkkkkkkk
[ 4973.368628] Padding ffff88044feb22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4973.388562] CPU: 0 PID: 29845 Comm: trinity-main Tainted: G    B           4.7.0-rc7-think+ #2
[ 4973.408490]  ffffea00113fac00 0000000076df81a9 ffff880458e47ba0 ffffffffa9589f5b
[ 4973.418458]  ffff88044feb0000 ffff88044feb1f80 ffff880458e47bd0 ffffffffa930b195
[ 4973.428289]  ffff880462b647c0 ffffea00113fac00 ffff88044feb1f80 ffff88045bbc1660
[ 4973.438053] Call Trace:
[ 4973.447651]  [<ffffffffa9589f5b>] dump_stack+0x68/0x9d
[ 4973.457263]  [<ffffffffa930b195>] print_trailer+0x115/0x1a0
[ 4973.466793]  [<ffffffffa9311d04>] object_err+0x34/0x40
[ 4973.476232]  [<ffffffffa9313d06>] kasan_report_error+0x216/0x540
[ 4973.485591]  [<ffffffffa959fe21>] ? snprintf+0x91/0xc0
[ 4973.494861]  [<ffffffffa959fd90>] ? vsprintf+0x20/0x20
[ 4973.504012]  [<ffffffffa93145c8>] kasan_report+0x58/0x60
[ 4973.513100]  [<ffffffffa93f38d3>] ? proc_map_files_readdir+0x2e3/0x5a0
[ 4973.522213]  [<ffffffffa9312ea1>] __asan_load4+0x61/0x80
[ 4973.531214]  [<ffffffffa93f38d3>] proc_map_files_readdir+0x2e3/0x5a0
[ 4973.540194]  [<ffffffffa913c555>] ? __lock_is_held+0x25/0xd0
[ 4973.549061]  [<ffffffffa93f35f0>] ? proc_fill_cache+0x350/0x350
[ 4973.557882]  [<ffffffffa90f9a88>] ? preempt_count_sub+0x18/0xd0
[ 4973.566574]  [<ffffffffa934dfae>] ? iterate_dir+0x6e/0x270
[ 4973.575182]  [<ffffffffa934e00e>] iterate_dir+0xce/0x270
[ 4973.583497]  [<ffffffffa934e889>] SyS_getdents+0xf9/0x1c0
[ 4973.591838]  [<ffffffffa934e790>] ? SyS_old_readdir+0x120/0x120
[ 4973.600091]  [<ffffffffa934e4b0>] ? fillonedir+0x120/0x120
[ 4973.608254]  [<ffffffffa900359d>] ? syscall_trace_enter_phase2+0x12d/0x3d0
[ 4973.616388]  [<ffffffffa934e790>] ? SyS_old_readdir+0x120/0x120
[ 4973.624417]  [<ffffffffa9003b74>] do_syscall_64+0xf4/0x240
[ 4973.632372]  [<ffffffffa9d6d59a>] entry_SYSCALL64_slow_path+0x25/0x25
[ 4973.640253] Memory state around the buggy address:
[ 4973.648082]  ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4973.655847]  ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 4973.663498] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4973.671024]                                            ^
[ 4973.678505]  ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4973.686031]  ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4973.693425] ==================================================================


* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
@ 2016-07-19 11:16 Alexey Dobriyan
  2016-07-19 15:31 ` Dave Jones
  0 siblings, 1 reply; 9+ messages in thread
From: Alexey Dobriyan @ 2016-07-19 11:16 UTC (permalink / raw)
  To: davej; +Cc: Linux Kernel

> BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044

Just in case can you addr2line this address or post disassembly?


* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 11:16 4.7-rc7: use-after-free in proc_map_files_readdir Alexey Dobriyan
@ 2016-07-19 15:31 ` Dave Jones
  2016-07-19 16:20   ` Al Viro
  2016-07-19 19:28   ` Alexey Dobriyan
  0 siblings, 2 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-19 15:31 UTC (permalink / raw)
  To: Alexey Dobriyan; +Cc: Linux Kernel

On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
 > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
 > 
 > Just in case can you addr2line this address or post disassembly?

http://codemonkey.org.uk/junk/fs_proc_base.dis.txt

Which by my math, looks to be..

    7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
                        info.len = snprintf(info.name,

inlined from dir_emit_dots()

	Dave

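An added triage helper, written for this archive page and not code from anyone in the thread, that does the "by my math" step above mechanically: it parses the KASAN header, turns `proc_map_files_readdir+0x2e3` into an absolute address using the function start from the vmlinux objdump Alexey posts later in the thread, locates that instruction in an objdump excerpt, and decodes the shadow byte under the caret. The report and objdump excerpts below are constructed from lines quoted in the thread; the shadow-byte meanings are KASAN's own encoding (0xfb freed slab object, 0xfc slab redzone).

```python
import re

# Constructed excerpt of the first KASAN report posted in the thread.
KASAN_REPORT = """\
BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
Read of size 4 by task trinity-main/29845
INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b
Memory state around the buggy address:
 ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Function start address taken from the vmlinux objdump posted in the thread.
SYMBOLS = {"proc_map_files_readdir": 0xffffffff813f35f0}

# Constructed excerpt of that objdump around the reported offset.
DISASM = """\
ffffffff813f38c7:\t49 8d bf 84 00 00 00 \tlea    0x84(%r15),%rdi
ffffffff813f38ce:\te8 6d f5 f1 ff       \tcallq  ffffffff81312e40 <__asan_load4>
ffffffff813f38d3:\t41 8b 87 84 00 00 00 \tmov    0x84(%r15),%eax
ffffffff813f38da:\t49 8d 7e 08          \tlea    0x8(%r14),%rdi
"""

# KASAN shadow encodings that occur in this report.
SHADOW_MEANING = {
    0x00: "addressable",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
}
KASAN_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory

HEADER_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x(?P<off>[0-9a-f]+)"
    r"/0x(?P<size>[0-9a-f]+) at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<n>\d+) by task (?P<task>\S+)")
OBJECT_RE = re.compile(r"INFO: Object 0x(?P<obj>[0-9a-f]+)")
SHADOW_RE = re.compile(r"^[ >](?P<addr>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")


def parse_report(text):
    """Pull the fields a triager needs out of a KASAN report."""
    info = {}
    m = HEADER_RE.search(text)
    info.update(kind=m["kind"], func=m["func"], offset=int(m["off"], 16),
                func_size=int(m["size"], 16), addr=int(m["addr"], 16))
    m = ACCESS_RE.search(text)
    info.update(access=m["rw"], access_size=int(m["n"]), task=m["task"])
    m = OBJECT_RE.search(text)
    info["object"] = int(m["obj"], 16) if m else None
    # "Memory state" block: one shadow byte per 8-byte granule.
    shadow = {}
    for line in text.splitlines():
        m = SHADOW_RE.match(line)
        if m:
            base = int(m["addr"], 16)
            for i, b in enumerate(m["bytes"].split()):
                shadow[base + i * KASAN_GRANULE] = int(b, 16)
    info["shadow"] = shadow
    return info


def resolve_rip(info, symbols):
    """func+0xoff from the report -> absolute address in vmlinux."""
    return symbols[info["func"]] + info["offset"]


def faulting_insn(disasm, rip):
    """Return the mnemonic of the objdump line at the resolved address."""
    for line in disasm.splitlines():
        addr, _, rest = line.partition(":")
        if int(addr, 16) == rip:
            return rest.split("\t")[-1].strip()
    return None


def shadow_state(info):
    """Shadow byte covering the bad address, i.e. what KASAN thinks the memory is."""
    granule = info["addr"] & ~(KASAN_GRANULE - 1)
    value = info["shadow"].get(granule)
    return value, SHADOW_MEANING.get(value, "unknown")


def object_offset(info):
    """Distance of the bad address from the start of the slab object KASAN named."""
    return info["addr"] - info["object"]


if __name__ == "__main__":
    rep = parse_report(KASAN_REPORT)
    rip = resolve_rip(rep, SYMBOLS)
    print(f"{rep['kind']}: {rep['access']} of {rep['access_size']} bytes by {rep['task']}")
    print(f"RIP {rip:#x} -> {faulting_insn(DISASM, rip)}")
    print(f"shadow {shadow_state(rep)}; +{object_offset(rep):#x} into the freed object")
```

The resolved address matches the RIP Alexey marks with `*****` in his objdump, and the shadow byte under the caret is 0xfb, which is why KASAN classifies the 4-byte read as use-after-free rather than an out-of-bounds access.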

* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 15:31 ` Dave Jones
@ 2016-07-19 16:20   ` Al Viro
  2016-07-19 18:33     ` Dave Jones
  2016-07-19 19:28   ` Alexey Dobriyan
  1 sibling, 1 reply; 9+ messages in thread
From: Al Viro @ 2016-07-19 16:20 UTC (permalink / raw)
  To: Dave Jones, Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
>  > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
>  > 
>  > Just in case can you addr2line this address or post disassembly?
> 
> http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
> 
> Which by my math, looks to be..
> 
>     7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
>                         info.len = snprintf(info.name,

The entire expression is
                        info.len = snprintf(info.name,
                                        sizeof(info.name), "%lx-%lx",
                                        vma->vm_start, vma->vm_end);
and we have
	* address of array field in local structure.
	* constant
	* string literal
	* two longs fetched from *vma, that being done under ->mmap_sem
	* call of snprintf
	* store into a field of local structure.
The only ways to get use-after-free in that would be to have *vma freed
under you or have the same happen to your stack frame.

Could you dump the relevant part of vmlinux objdump, rather than whatever
you've used on base.o?  Having relocations resolved makes it much easier
to figure out...  Or just dump that vmlinux on anonftp somewhere...


* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 16:20   ` Al Viro
@ 2016-07-19 18:33     ` Dave Jones
  2016-07-19 19:38       ` Al Viro
  0 siblings, 1 reply; 9+ messages in thread
From: Dave Jones @ 2016-07-19 18:33 UTC (permalink / raw)
  To: Al Viro; +Cc: Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 05:20:36PM +0100, Al Viro wrote:
 > On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
 > > On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
 > >  > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
 > >  > 
 > >  > Just in case can you addr2line this address or post disassembly?
 > > 
 > > http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
 > > 
 > > Which by my math, looks to be..
 > > 
 > >     7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
 > >                         info.len = snprintf(info.name,
 > 
 > The entire expression is
 >                         info.len = snprintf(info.name,
 >                                         sizeof(info.name), "%lx-%lx",
 >                                         vma->vm_start, vma->vm_end);
 > and we have
 > 	* address of array field in local structure.
 > 	* constant
 > 	* string literal
 > 	* two longs fetched from *vma, that being done under ->mmap_sem
 > 	* call of snprintf
 > 	* store into a field of local structure.
 > The only ways to get use-after-free in that would be to have *vma freed
 > under you or have the same happen to your stack frame.
 > 
 > Could you dump the relevant part of vmlinux objdump, rather than whatever
 > you've used on base.o?  Having relocations resolved makes it much easier
 > to figure out...  Or just dump that vmlinux on anonftp somewhere...

http://codemonkey.org.uk/junk/vmlinux.gz

	Dave


* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 15:31 ` Dave Jones
  2016-07-19 16:20   ` Al Viro
@ 2016-07-19 19:28   ` Alexey Dobriyan
  1 sibling, 0 replies; 9+ messages in thread
From: Alexey Dobriyan @ 2016-07-19 19:28 UTC (permalink / raw)
  To: Dave Jones, Linux Kernel

On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
>  > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
>  > 
>  > Just in case can you addr2line this address or post disassembly?
> 
> http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
> 
> Which by my math, looks to be..
> 
>     7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
>                         info.len = snprintf(info.name,
> 
> inlined from dir_emit_dots()

For those on dialup connections :^)

RIP is ffffffff813f38d3

ffffffff813f35f0 <proc_map_files_readdir>:
ffffffff813f35f0:	e8 3b c1 97 00       	callq  ffffffff81d6f730 <__fentry__>
			ffffffff813f35f1: R_X86_64_PC32	__fentry__-0x4
ffffffff813f35f5:	55                   	push   %rbp
ffffffff813f35f6:	48 89 e5             	mov    %rsp,%rbp
ffffffff813f35f9:	41 57                	push   %r15
ffffffff813f35fb:	48 8d 85 58 ff ff ff 	lea    -0xa8(%rbp),%rax
ffffffff813f3602:	41 56                	push   %r14
ffffffff813f3604:	48 c1 e8 03          	shr    $0x3,%rax
ffffffff813f3608:	41 55                	push   %r13
ffffffff813f360a:	49 89 fd             	mov    %rdi,%r13
ffffffff813f360d:	48 83 c7 20          	add    $0x20,%rdi
ffffffff813f3611:	41 54                	push   %r12
ffffffff813f3613:	48 89 c1             	mov    %rax,%rcx
ffffffff813f3616:	53                   	push   %rbx
ffffffff813f3617:	48 89 f3             	mov    %rsi,%rbx
ffffffff813f361a:	48 81 ec d8 00 00 00 	sub    $0xd8,%rsp
ffffffff813f3621:	48 89 85 50 ff ff ff 	mov    %rax,-0xb0(%rbp)
ffffffff813f3628:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
ffffffff813f362f:	fc ff df 
ffffffff813f3632:	48 c7 85 58 ff ff ff 	movq   $0x41b58ab3,-0xa8(%rbp)
ffffffff813f3639:	b3 8a b5 41 
ffffffff813f363d:	48 01 c8             	add    %rcx,%rax
ffffffff813f3640:	48 c7 85 60 ff ff ff 	movq   $0xffffffff82361fc9,-0xa0(%rbp)
ffffffff813f3647:	c9 1f 36 82 
			ffffffff813f3647: R_X86_64_32S	.rodata+0x561fc9
ffffffff813f364b:	48 c7 85 68 ff ff ff 	movq   $0xffffffff813f35f0,-0x98(%rbp)
ffffffff813f3652:	f0 35 3f 81 
			ffffffff813f3652: R_X86_64_32S	.text+0x3f35f0
ffffffff813f3656:	c7 00 f1 f1 f1 f1    	movl   $0xf1f1f1f1,(%rax)
ffffffff813f365c:	c7 40 08 00 00 00 f4 	movl   $0xf4000000,0x8(%rax)
ffffffff813f3663:	65 48 8b 04 25 28 00 	mov    %gs:0x28,%rax
ffffffff813f366a:	00 00 
ffffffff813f366c:	48 89 45 d0          	mov    %rax,-0x30(%rbp)
ffffffff813f3670:	31 c0                	xor    %eax,%eax
ffffffff813f3672:	e8 c9 f8 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3673: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3677:	4d 8b 65 20          	mov    0x20(%r13),%r12
ffffffff813f367b:	49 8d 7c 24 c8       	lea    -0x38(%r12),%rdi
ffffffff813f3680:	e8 bb f8 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3681: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3685:	49 8b 7c 24 c8       	mov    -0x38(%r12),%rdi
ffffffff813f368a:	31 f6                	xor    %esi,%esi
ffffffff813f368c:	e8 0f 5e cf ff       	callq  ffffffff810e94a0 <get_pid_task>
			ffffffff813f368d: R_X86_64_PC32	get_pid_task-0x4
ffffffff813f3691:	48 85 c0             	test   %rax,%rax
ffffffff813f3694:	0f 84 29 04 00 00    	je     ffffffff813f3ac3 <proc_map_files_readdir+0x4d3>
ffffffff813f369a:	be 09 00 00 00       	mov    $0x9,%esi
ffffffff813f369f:	48 89 c7             	mov    %rax,%rdi
ffffffff813f36a2:	49 89 c4             	mov    %rax,%r12
ffffffff813f36a5:	e8 76 42 cd ff       	callq  ffffffff810c7920 <ptrace_may_access>
			ffffffff813f36a6: R_X86_64_PC32	ptrace_may_access-0x4
ffffffff813f36aa:	84 c0                	test   %al,%al
ffffffff813f36ac:	75 56                	jne    ffffffff813f3704 <proc_map_files_readdir+0x114>
ffffffff813f36ae:	bb f3 ff ff ff       	mov    $0xfffffff3,%ebx
ffffffff813f36b3:	f0 41 ff 4c 24 10    	lock decl 0x10(%r12)
ffffffff813f36b9:	0f 84 89 02 00 00    	je     ffffffff813f3948 <proc_map_files_readdir+0x358>
ffffffff813f36bf:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
ffffffff813f36c6:	fc ff df 
ffffffff813f36c9:	89 d8                	mov    %ebx,%eax
ffffffff813f36cb:	48 03 95 50 ff ff ff 	add    -0xb0(%rbp),%rdx
ffffffff813f36d2:	c7 02 00 00 00 00    	movl   $0x0,(%rdx)
ffffffff813f36d8:	c7 42 08 00 00 00 00 	movl   $0x0,0x8(%rdx)
ffffffff813f36df:	48 8b 75 d0          	mov    -0x30(%rbp),%rsi
ffffffff813f36e3:	65 48 33 34 25 28 00 	xor    %gs:0x28,%rsi
ffffffff813f36ea:	00 00 
ffffffff813f36ec:	0f 85 80 04 00 00    	jne    ffffffff813f3b72 <proc_map_files_readdir+0x582>
ffffffff813f36f2:	48 81 c4 d8 00 00 00 	add    $0xd8,%rsp
ffffffff813f36f9:	5b                   	pop    %rbx
ffffffff813f36fa:	41 5c                	pop    %r12
ffffffff813f36fc:	41 5d                	pop    %r13
ffffffff813f36fe:	41 5e                	pop    %r14
ffffffff813f3700:	41 5f                	pop    %r15
ffffffff813f3702:	5d                   	pop    %rbp
ffffffff813f3703:	c3                   	retq   
ffffffff813f3704:	48 8d 43 08          	lea    0x8(%rbx),%rax
ffffffff813f3708:	48 89 c7             	mov    %rax,%rdi
ffffffff813f370b:	48 89 85 48 ff ff ff 	mov    %rax,-0xb8(%rbp)
ffffffff813f3712:	e8 29 f8 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3713: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3717:	48 8b 43 08          	mov    0x8(%rbx),%rax
ffffffff813f371b:	48 85 c0             	test   %rax,%rax
ffffffff813f371e:	0f 84 50 02 00 00    	je     ffffffff813f3974 <proc_map_files_readdir+0x384>
ffffffff813f3724:	48 83 f8 01          	cmp    $0x1,%rax
ffffffff813f3728:	0f 84 4b 04 00 00    	je     ffffffff813f3b79 <proc_map_files_readdir+0x589>
ffffffff813f372e:	4c 89 e7             	mov    %r12,%rdi
ffffffff813f3731:	e8 5a a4 cb ff       	callq  ffffffff810adb90 <get_task_mm>
			ffffffff813f3732: R_X86_64_PC32	get_task_mm-0x4
ffffffff813f3736:	48 85 c0             	test   %rax,%rax
ffffffff813f3739:	48 89 85 28 ff ff ff 	mov    %rax,-0xd8(%rbp)
ffffffff813f3740:	0f 84 27 02 00 00    	je     ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f3746:	4c 8b bd 28 ff ff ff 	mov    -0xd8(%rbp),%r15
ffffffff813f374d:	4c 89 f8             	mov    %r15,%rax
ffffffff813f3750:	48 05 b0 00 00 00    	add    $0xb0,%rax
ffffffff813f3756:	48 89 c7             	mov    %rax,%rdi
ffffffff813f3759:	48 89 85 30 ff ff ff 	mov    %rax,-0xd0(%rbp)
ffffffff813f3760:	e8 bb 62 97 00       	callq  ffffffff81d69a20 <down_read>
			ffffffff813f3761: R_X86_64_PC32	down_read-0x4
ffffffff813f3765:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f3768:	e8 d3 f7 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3769: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f376d:	4d 8b 3f             	mov    (%r15),%r15
ffffffff813f3770:	4d 85 ff             	test   %r15,%r15
ffffffff813f3773:	0f 84 dc 01 00 00    	je     ffffffff813f3955 <proc_map_files_readdir+0x365>
ffffffff813f3779:	4c 89 a5 40 ff ff ff 	mov    %r12,-0xc0(%rbp)
ffffffff813f3780:	4c 8b a5 48 ff ff ff 	mov    -0xb8(%rbp),%r12
ffffffff813f3787:	31 c0                	xor    %eax,%eax
ffffffff813f3789:	41 be 02 00 00 00    	mov    $0x2,%r14d
ffffffff813f378f:	4c 89 ad 20 ff ff ff 	mov    %r13,-0xe0(%rbp)
ffffffff813f3796:	4d 89 fd             	mov    %r15,%r13
ffffffff813f3799:	49 89 c7             	mov    %rax,%r15
ffffffff813f379c:	49 8d bd a0 00 00 00 	lea    0xa0(%r13),%rdi
ffffffff813f37a3:	e8 98 f7 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f37a4: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f37a8:	49 83 bd a0 00 00 00 	cmpq   $0x0,0xa0(%r13)
ffffffff813f37af:	00 
ffffffff813f37b0:	74 14                	je     ffffffff813f37c6 <proc_map_files_readdir+0x1d6>
ffffffff813f37b2:	4c 89 e7             	mov    %r12,%rdi
ffffffff813f37b5:	49 83 c6 01          	add    $0x1,%r14
ffffffff813f37b9:	e8 82 f7 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f37ba: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f37be:	4c 39 73 08          	cmp    %r14,0x8(%rbx)
ffffffff813f37c2:	49 83 d7 00          	adc    $0x0,%r15
ffffffff813f37c6:	49 8d 7d 10          	lea    0x10(%r13),%rdi
ffffffff813f37ca:	e8 71 f7 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f37cb: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f37cf:	4d 8b 6d 10          	mov    0x10(%r13),%r13
ffffffff813f37d3:	4d 85 ed             	test   %r13,%r13
ffffffff813f37d6:	75 c4                	jne    ffffffff813f379c <proc_map_files_readdir+0x1ac>
ffffffff813f37d8:	4d 85 ff             	test   %r15,%r15
ffffffff813f37db:	4c 89 bd 38 ff ff ff 	mov    %r15,-0xc8(%rbp)
ffffffff813f37e2:	4c 8b a5 40 ff ff ff 	mov    -0xc0(%rbp),%r12
ffffffff813f37e9:	4c 8b ad 20 ff ff ff 	mov    -0xe0(%rbp),%r13
ffffffff813f37f0:	0f 84 5f 01 00 00    	je     ffffffff813f3955 <proc_map_files_readdir+0x365>
ffffffff813f37f6:	ba c0 00 40 02       	mov    $0x24000c0,%edx
ffffffff813f37fb:	44 89 fe             	mov    %r15d,%esi
ffffffff813f37fe:	bf 38 00 00 00       	mov    $0x38,%edi
ffffffff813f3803:	e8 a8 52 1b 00       	callq  ffffffff815a8ab0 <flex_array_alloc>
			ffffffff813f3804: R_X86_64_PC32	flex_array_alloc-0x4
ffffffff813f3808:	48 85 c0             	test   %rax,%rax
ffffffff813f380b:	48 89 85 40 ff ff ff 	mov    %rax,-0xc0(%rbp)
ffffffff813f3812:	0f 84 89 02 00 00    	je     ffffffff813f3aa1 <proc_map_files_readdir+0x4b1>
ffffffff813f3818:	31 f6                	xor    %esi,%esi
ffffffff813f381a:	b9 c0 00 40 02       	mov    $0x24000c0,%ecx
ffffffff813f381f:	44 89 fa             	mov    %r15d,%edx
ffffffff813f3822:	48 89 c7             	mov    %rax,%rdi
ffffffff813f3825:	e8 06 50 1b 00       	callq  ffffffff815a8830 <flex_array_prealloc>
			ffffffff813f3826: R_X86_64_PC32	flex_array_prealloc-0x4
ffffffff813f382a:	85 c0                	test   %eax,%eax
ffffffff813f382c:	0f 85 63 02 00 00    	jne    ffffffff813f3a95 <proc_map_files_readdir+0x4a5>
ffffffff813f3832:	4c 8b bd 28 ff ff ff 	mov    -0xd8(%rbp),%r15
ffffffff813f3839:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f383c:	e8 ff f6 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f383d: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3841:	4d 8b 37             	mov    (%r15),%r14
ffffffff813f3844:	4d 85 f6             	test   %r14,%r14
ffffffff813f3847:	0f 84 8e 02 00 00    	je     ffffffff813f3adb <proc_map_files_readdir+0x4eb>
ffffffff813f384d:	48 8d 85 78 ff ff ff 	lea    -0x88(%rbp),%rax
ffffffff813f3854:	31 d2                	xor    %edx,%edx
ffffffff813f3856:	be 02 00 00 00       	mov    $0x2,%esi
ffffffff813f385b:	4c 89 a5 10 ff ff ff 	mov    %r12,-0xf0(%rbp)
ffffffff813f3862:	48 89 85 20 ff ff ff 	mov    %rax,-0xe0(%rbp)
ffffffff813f3869:	48 83 c0 10          	add    $0x10,%rax
ffffffff813f386d:	49 89 f4             	mov    %rsi,%r12
ffffffff813f3870:	4c 89 ad 08 ff ff ff 	mov    %r13,-0xf8(%rbp)
ffffffff813f3877:	49 89 d5             	mov    %rdx,%r13
ffffffff813f387a:	48 89 85 18 ff ff ff 	mov    %rax,-0xe8(%rbp)
ffffffff813f3881:	eb 16                	jmp    ffffffff813f3899 <proc_map_files_readdir+0x2a9>
ffffffff813f3883:	49 8d 7e 10          	lea    0x10(%r14),%rdi
ffffffff813f3887:	e8 b4 f6 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3888: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f388c:	4d 8b 76 10          	mov    0x10(%r14),%r14
ffffffff813f3890:	4d 85 f6             	test   %r14,%r14
ffffffff813f3893:	0f 84 34 02 00 00    	je     ffffffff813f3acd <proc_map_files_readdir+0x4dd>
ffffffff813f3899:	49 8d be a0 00 00 00 	lea    0xa0(%r14),%rdi
ffffffff813f38a0:	e8 9b f6 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f38a1: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f38a5:	4d 8b be a0 00 00 00 	mov    0xa0(%r14),%r15
ffffffff813f38ac:	4d 85 ff             	test   %r15,%r15
ffffffff813f38af:	74 d2                	je     ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f38b1:	48 8b bd 48 ff ff ff 	mov    -0xb8(%rbp),%rdi
ffffffff813f38b8:	49 83 c4 01          	add    $0x1,%r12
ffffffff813f38bc:	e8 7f f6 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f38bd: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f38c1:	4c 3b 63 08          	cmp    0x8(%rbx),%r12
ffffffff813f38c5:	76 bc                	jbe    ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f38c7:	49 8d bf 84 00 00 00 	lea    0x84(%r15),%rdi
ffffffff813f38ce:	e8 6d f5 f1 ff       	callq  ffffffff81312e40 <__asan_load4>
			ffffffff813f38cf: R_X86_64_PC32	__asan_load4_noabort-0x4
ffffffff813f38d3: *****	41 8b 87 84 00 00 00 	mov    0x84(%r15),%eax
ffffffff813f38da:	49 8d 7e 08          	lea    0x8(%r14),%rdi
ffffffff813f38de:	89 85 78 ff ff ff    	mov    %eax,-0x88(%rbp)
ffffffff813f38e4:	e8 57 f6 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f38e5: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f38e9:	4d 8b 7e 08          	mov    0x8(%r14),%r15
ffffffff813f38ed:	4c 89 f7             	mov    %r14,%rdi
ffffffff813f38f0:	e8 4b f6 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f38f1: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f38f5:	49 8b 0e             	mov    (%r14),%rcx
ffffffff813f38f8:	be 22 00 00 00       	mov    $0x22,%esi
ffffffff813f38fd:	48 c7 c2 00 72 f1 81 	mov    $0xffffffff81f17200,%rdx
			ffffffff813f3900: R_X86_64_32S	.rodata+0x117200
ffffffff813f3904:	48 8b bd 18 ff ff ff 	mov    -0xe8(%rbp),%rdi
ffffffff813f390b:	4d 89 f8             	mov    %r15,%r8
ffffffff813f390e:	4d 8d 7d 01          	lea    0x1(%r13),%r15
ffffffff813f3912:	e8 79 c4 1a 00       	callq  ffffffff8159fd90 <snprintf>
			ffffffff813f3913: R_X86_64_PC32	snprintf-0x4
ffffffff813f3917:	48 8b 95 20 ff ff ff 	mov    -0xe0(%rbp),%rdx
ffffffff813f391e:	b9 c0 00 40 02       	mov    $0x24000c0,%ecx
ffffffff813f3923:	44 89 ee             	mov    %r13d,%esi
ffffffff813f3926:	48 8b bd 40 ff ff ff 	mov    -0xc0(%rbp),%rdi
ffffffff813f392d:	48 98                	cltq   
ffffffff813f392f:	48 89 45 80          	mov    %rax,-0x80(%rbp)
ffffffff813f3933:	e8 a8 4d 1b 00       	callq  ffffffff815a86e0 <flex_array_put>
			ffffffff813f3934: R_X86_64_PC32	flex_array_put-0x4
ffffffff813f3938:	85 c0                	test   %eax,%eax
ffffffff813f393a:	0f 85 37 02 00 00    	jne    ffffffff813f3b77 <proc_map_files_readdir+0x587>
ffffffff813f3940:	4d 89 fd             	mov    %r15,%r13
ffffffff813f3943:	e9 3b ff ff ff       	jmpq   ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f3948:	4c 89 e7             	mov    %r12,%rdi
ffffffff813f394b:	e8 20 ba cb ff       	callq  ffffffff810af370 <__put_task_struct>
			ffffffff813f394c: R_X86_64_PC32	__put_task_struct-0x4
ffffffff813f3950:	e9 6a fd ff ff       	jmpq   ffffffff813f36bf <proc_map_files_readdir+0xcf>
ffffffff813f3955:	48 8b bd 30 ff ff ff 	mov    -0xd0(%rbp),%rdi
ffffffff813f395c:	e8 4f 63 d4 ff       	callq  ffffffff81139cb0 <up_read>
			ffffffff813f395d: R_X86_64_PC32	up_read-0x4
ffffffff813f3961:	48 8b bd 28 ff ff ff 	mov    -0xd8(%rbp),%rdi
ffffffff813f3968:	e8 b3 b3 cb ff       	callq  ffffffff810aed20 <mmput>
			ffffffff813f3969: R_X86_64_PC32	mmput-0x4
ffffffff813f396d:	31 db                	xor    %ebx,%ebx
ffffffff813f396f:	e9 3f fd ff ff       	jmpq   ffffffff813f36b3 <proc_map_files_readdir+0xc3>
ffffffff813f3974:	4d 8d 7d 18          	lea    0x18(%r13),%r15
ffffffff813f3978:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f397b:	e8 c0 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f397c: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3980:	4d 8b 75 18          	mov    0x18(%r13),%r14
ffffffff813f3984:	48 89 df             	mov    %rbx,%rdi
ffffffff813f3987:	e8 b4 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3988: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f398c:	48 8b 03             	mov    (%rbx),%rax
ffffffff813f398f:	49 8d 7e 68          	lea    0x68(%r14),%rdi
ffffffff813f3993:	48 89 85 40 ff ff ff 	mov    %rax,-0xc0(%rbp)
ffffffff813f399a:	e8 a1 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f399b: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f399f:	4d 8b 76 68          	mov    0x68(%r14),%r14
ffffffff813f39a3:	49 8d 7e 38          	lea    0x38(%r14),%rdi
ffffffff813f39a7:	e8 94 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f39a8: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f39ac:	31 c9                	xor    %ecx,%ecx
ffffffff813f39ae:	41 b9 04 00 00 00    	mov    $0x4,%r9d
ffffffff813f39b4:	48 89 df             	mov    %rbx,%rdi
ffffffff813f39b7:	4d 8b 46 38          	mov    0x38(%r14),%r8
ffffffff813f39bb:	ba 01 00 00 00       	mov    $0x1,%edx
ffffffff813f39c0:	48 c7 c6 40 74 f1 81 	mov    $0xffffffff81f17440,%rsi
			ffffffff813f39c3: R_X86_64_32S	.rodata+0x117440
ffffffff813f39c7:	48 8b 85 40 ff ff ff 	mov    -0xc0(%rbp),%rax
ffffffff813f39ce:	ff d0                	callq  *%rax
ffffffff813f39d0:	85 c0                	test   %eax,%eax
ffffffff813f39d2:	75 99                	jne    ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f39d4:	48 8b bd 48 ff ff ff 	mov    -0xb8(%rbp),%rdi
ffffffff813f39db:	e8 d0 f5 f1 ff       	callq  ffffffff81312fb0 <__asan_store8>
			ffffffff813f39dc: R_X86_64_PC32	__asan_store8_noabort-0x4
ffffffff813f39e0:	48 c7 43 08 01 00 00 	movq   $0x1,0x8(%rbx)
ffffffff813f39e7:	00 
ffffffff813f39e8:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f39eb:	e8 50 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f39ec: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f39f0:	4d 8b 75 18          	mov    0x18(%r13),%r14
ffffffff813f39f4:	48 89 df             	mov    %rbx,%rdi
ffffffff813f39f7:	e8 44 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f39f8: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f39fc:	48 8b 03             	mov    (%rbx),%rax
ffffffff813f39ff:	4d 8d be 90 00 00 00 	lea    0x90(%r14),%r15
ffffffff813f3a06:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f3a09:	48 89 85 40 ff ff ff 	mov    %rax,-0xc0(%rbp)
ffffffff813f3a10:	e8 1b 8c 97 00       	callq  ffffffff81d6c630 <_raw_spin_lock>
			ffffffff813f3a11: R_X86_64_PC32	_raw_spin_lock-0x4
ffffffff813f3a15:	49 8d 7e 50          	lea    0x50(%r14),%rdi
ffffffff813f3a19:	e8 22 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3a1a: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3a1e:	4d 8b 76 50          	mov    0x50(%r14),%r14
ffffffff813f3a22:	49 8d 7e 68          	lea    0x68(%r14),%rdi
ffffffff813f3a26:	e8 15 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3a27: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3a2b:	4d 8b 76 68          	mov    0x68(%r14),%r14
ffffffff813f3a2f:	49 8d 7e 38          	lea    0x38(%r14),%rdi
ffffffff813f3a33:	e8 08 f5 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3a34: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3a38:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f3a3b:	4d 8b 76 38          	mov    0x38(%r14),%r14
ffffffff813f3a3f:	e8 1c 91 97 00       	callq  ffffffff81d6cb60 <_raw_spin_unlock>
			ffffffff813f3a40: R_X86_64_PC32	_raw_spin_unlock-0x4
ffffffff813f3a44:	4c 8b bd 48 ff ff ff 	mov    -0xb8(%rbp),%r15
ffffffff813f3a4b:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f3a4e:	e8 ed f4 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3a4f: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3a53:	48 8b 4b 08          	mov    0x8(%rbx),%rcx
ffffffff813f3a57:	4d 89 f0             	mov    %r14,%r8
ffffffff813f3a5a:	48 89 df             	mov    %rbx,%rdi
ffffffff813f3a5d:	41 b9 04 00 00 00    	mov    $0x4,%r9d
ffffffff813f3a63:	ba 02 00 00 00       	mov    $0x2,%edx
ffffffff813f3a68:	48 c7 c6 80 74 f1 81 	mov    $0xffffffff81f17480,%rsi
			ffffffff813f3a6b: R_X86_64_32S	.rodata+0x117480
ffffffff813f3a6f:	48 8b 85 40 ff ff ff 	mov    -0xc0(%rbp),%rax
ffffffff813f3a76:	ff d0                	callq  *%rax
ffffffff813f3a78:	85 c0                	test   %eax,%eax
ffffffff813f3a7a:	0f 85 ed fe ff ff    	jne    ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f3a80:	4c 89 ff             	mov    %r15,%rdi
ffffffff813f3a83:	e8 28 f5 f1 ff       	callq  ffffffff81312fb0 <__asan_store8>
			ffffffff813f3a84: R_X86_64_PC32	__asan_store8_noabort-0x4
ffffffff813f3a88:	48 c7 43 08 02 00 00 	movq   $0x2,0x8(%rbx)
ffffffff813f3a8f:	00 
ffffffff813f3a90:	e9 99 fc ff ff       	jmpq   ffffffff813f372e <proc_map_files_readdir+0x13e>
ffffffff813f3a95:	48 8b bd 40 ff ff ff 	mov    -0xc0(%rbp),%rdi
ffffffff813f3a9c:	e8 cf 4e 1b 00       	callq  ffffffff815a8970 <flex_array_free>
			ffffffff813f3a9d: R_X86_64_PC32	flex_array_free-0x4
ffffffff813f3aa1:	48 8b bd 30 ff ff ff 	mov    -0xd0(%rbp),%rdi
ffffffff813f3aa8:	bb f4 ff ff ff       	mov    $0xfffffff4,%ebx
ffffffff813f3aad:	e8 fe 61 d4 ff       	callq  ffffffff81139cb0 <up_read>
			ffffffff813f3aae: R_X86_64_PC32	up_read-0x4
ffffffff813f3ab2:	48 8b bd 28 ff ff ff 	mov    -0xd8(%rbp),%rdi
ffffffff813f3ab9:	e8 62 b2 cb ff       	callq  ffffffff810aed20 <mmput>
			ffffffff813f3aba: R_X86_64_PC32	mmput-0x4
ffffffff813f3abe:	e9 f0 fb ff ff       	jmpq   ffffffff813f36b3 <proc_map_files_readdir+0xc3>
ffffffff813f3ac3:	bb fe ff ff ff       	mov    $0xfffffffe,%ebx
ffffffff813f3ac8:	e9 f2 fb ff ff       	jmpq   ffffffff813f36bf <proc_map_files_readdir+0xcf>
ffffffff813f3acd:	4c 8b a5 10 ff ff ff 	mov    -0xf0(%rbp),%r12
ffffffff813f3ad4:	4c 8b ad 08 ff ff ff 	mov    -0xf8(%rbp),%r13
ffffffff813f3adb:	48 8b bd 30 ff ff ff 	mov    -0xd0(%rbp),%rdi
ffffffff813f3ae2:	45 31 f6             	xor    %r14d,%r14d
ffffffff813f3ae5:	e8 c6 61 d4 ff       	callq  ffffffff81139cb0 <up_read>
			ffffffff813f3ae6: R_X86_64_PC32	up_read-0x4
ffffffff813f3aea:	4c 89 ad 30 ff ff ff 	mov    %r13,-0xd0(%rbp)
ffffffff813f3af1:	eb 1e                	jmp    ffffffff813f3b11 <proc_map_files_readdir+0x521>
ffffffff813f3af3:	48 8b bd 48 ff ff ff 	mov    -0xb8(%rbp),%rdi
ffffffff813f3afa:	49 83 c6 01          	add    $0x1,%r14
ffffffff813f3afe:	e8 3d f4 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3aff: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3b03:	48 83 43 08 01       	addq   $0x1,0x8(%rbx)
ffffffff813f3b08:	4c 39 b5 38 ff ff ff 	cmp    %r14,-0xc8(%rbp)
ffffffff813f3b0f:	74 50                	je     ffffffff813f3b61 <proc_map_files_readdir+0x571>
ffffffff813f3b11:	48 8b bd 40 ff ff ff 	mov    -0xc0(%rbp),%rdi
ffffffff813f3b18:	44 89 f6             	mov    %r14d,%esi
ffffffff813f3b1b:	e8 f0 48 1b 00       	callq  ffffffff815a8410 <flex_array_get>
			ffffffff813f3b1c: R_X86_64_PC32	flex_array_get-0x4
ffffffff813f3b20:	49 89 c5             	mov    %rax,%r13
ffffffff813f3b23:	48 89 c7             	mov    %rax,%rdi
ffffffff813f3b26:	e8 15 f3 f1 ff       	callq  ffffffff81312e40 <__asan_load4>
			ffffffff813f3b27: R_X86_64_PC32	__asan_load4_noabort-0x4
ffffffff813f3b2b:	45 8b 7d 00          	mov    0x0(%r13),%r15d
ffffffff813f3b2f:	49 8d 7d 08          	lea    0x8(%r13),%rdi
ffffffff813f3b33:	e8 08 f4 f1 ff       	callq  ffffffff81312f40 <__asan_load8>
			ffffffff813f3b34: R_X86_64_PC32	__asan_load8_noabort-0x4
ffffffff813f3b38:	49 8b 4d 08          	mov    0x8(%r13),%rcx
ffffffff813f3b3c:	49 8d 55 10          	lea    0x10(%r13),%rdx
ffffffff813f3b40:	4d 89 e1             	mov    %r12,%r9
ffffffff813f3b43:	48 8b bd 30 ff ff ff 	mov    -0xd0(%rbp),%rdi
ffffffff813f3b4a:	49 c7 c0 20 29 3f 81 	mov    $0xffffffff813f2920,%r8
			ffffffff813f3b4d: R_X86_64_32S	.text+0x3f2920
ffffffff813f3b51:	48 89 de             	mov    %rbx,%rsi
ffffffff813f3b54:	4c 89 3c 24          	mov    %r15,(%rsp)
ffffffff813f3b58:	e8 43 f7 ff ff       	callq  ffffffff813f32a0 <proc_fill_cache>
			ffffffff813f3b59: R_X86_64_PC32	proc_fill_cache-0x4
ffffffff813f3b5d:	84 c0                	test   %al,%al
ffffffff813f3b5f:	75 92                	jne    ffffffff813f3af3 <proc_map_files_readdir+0x503>
ffffffff813f3b61:	48 8b bd 40 ff ff ff 	mov    -0xc0(%rbp),%rdi
ffffffff813f3b68:	e8 03 4e 1b 00       	callq  ffffffff815a8970 <flex_array_free>
			ffffffff813f3b69: R_X86_64_PC32	flex_array_free-0x4
ffffffff813f3b6d:	e9 ef fd ff ff       	jmpq   ffffffff813f3961 <proc_map_files_readdir+0x371>
ffffffff813f3b72:	e8 89 03 cc ff       	callq  ffffffff810b3f00 <__stack_chk_fail>
			ffffffff813f3b73: R_X86_64_PC32	__stack_chk_fail-0x4
ffffffff813f3b77:	0f 0b                	ud2    
ffffffff813f3b79:	4d 8d 7d 18          	lea    0x18(%r13),%r15
ffffffff813f3b7d:	e9 66 fe ff ff       	jmpq   ffffffff813f39e8 <proc_map_files_readdir+0x3f8>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 18:33     ` Dave Jones
@ 2016-07-19 19:38       ` Al Viro
  2016-07-19 19:47         ` Dave Jones
  2016-07-20 13:14         ` Dave Jones
  0 siblings, 2 replies; 9+ messages in thread
From: Al Viro @ 2016-07-19 19:38 UTC (permalink / raw)
  To: Dave Jones, Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 02:33:27PM -0400, Dave Jones wrote:
>  > Could you dump the relevant part of vmlinux objdump, rather than whatever
>  > you've used on base.o?  Having relocations resolved makes it much easier
>  > to figure out...  Or just dump that vmlinux on anonftp somewhere...
> 
> http://codemonkey.org.uk/junk/vmlinux.gz

OK, it's actually about fetching ->f_mode in
                        info.mode = vma->vm_file->f_mode;

%r15 contains vma->vm_file at that point, and 0x84 is the offset of
f_mode in struct file on your config from hell (due to spinlock_t size
exploding on lockdep et al.)

Interesting...  Do you have a reproducer for that?

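As an added example (not code from the thread, and the struct layouts below are hypothetical stand-ins, not the real struct file or spinlock_t of any kernel), this C program does mechanically what the reply above does by hand: it takes the memory operand of the faulting instruction, pulls the displacement out of the AT&T syntax, and looks it up in an offsetof() table for the struct the base register is believed to hold. The table is built twice, once with a plain lock and once with a debug-bloated lock, so the same source line (reading f_mode) resolves to two different displacements, which is why the 0x84 above only makes sense for the config the vmlinux was built with.

```c
/* Added example, not from the thread. Mock layouts only: they reproduce
 * the effect of a debug-bloated lock pushing later fields outward, and are
 * NOT the real kernel definitions of spinlock_t or struct file. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mock_spinlock_plain   { unsigned int raw_lock; };
struct mock_spinlock_lockdep { unsigned int raw_lock; unsigned int magic;
                               unsigned int owner_cpu; void *owner;
                               unsigned char dep_map[40]; };

/* Hypothetical simplified "struct file", instantiated once per lock type. */
#define DEFINE_MOCK_FILE(name, locktype)        \
    struct name {                               \
        void *f_path_mnt, *f_path_dentry;       \
        void *f_inode;                          \
        const void *f_op;                       \
        locktype f_lock;                        \
        unsigned int f_count;                   \
        unsigned int f_flags;                   \
        unsigned int f_mode;                    \
        long long f_pos;                        \
    }
DEFINE_MOCK_FILE(mock_file_plain,   struct mock_spinlock_plain);
DEFINE_MOCK_FILE(mock_file_lockdep, struct mock_spinlock_lockdep);

struct field_info { const char *name; size_t offset; size_t size; };

#define FIELD(T, f) { #f, offsetof(struct T, f), sizeof(((struct T *)0)->f) }
#define FIELD_TABLE(T) { FIELD(T, f_path_mnt), FIELD(T, f_path_dentry),  \
    FIELD(T, f_inode), FIELD(T, f_op), FIELD(T, f_lock), FIELD(T, f_count), \
    FIELD(T, f_flags), FIELD(T, f_mode), FIELD(T, f_pos) }

static const struct field_info plain_fields[]   = FIELD_TABLE(mock_file_plain);
static const struct field_info lockdep_fields[] = FIELD_TABLE(mock_file_lockdep);

/* Extract displacement and base register from an AT&T memory operand such
 * as "0x84(%r15)", "-0x88(%rbp)" or "(%r14)". Returns 0 on success. */
static int parse_att_operand(const char *op, long *disp, char *base, size_t baselen)
{
    const char *paren = strchr(op, '(');
    if (!paren || paren[1] != '%')
        return -1;
    if (paren == op) {
        *disp = 0;
    } else {
        char *end;
        *disp = strtol(op, &end, 0);   /* base 0 accepts 0x.., -0x.. and decimal */
        if (end != paren)
            return -1;
    }
    const char *reg = paren + 2;
    size_t n = strcspn(reg, ",)");
    if (n == 0 || n >= baselen || reg[n] == '\0')
        return -1;
    memcpy(base, reg, n);
    base[n] = '\0';
    return 0;
}

/* Field whose [offset, offset + size) contains disp; NULL for padding,
 * out-of-bounds or negative (stack-frame) displacements. */
static const char *field_at(const struct field_info *tbl, size_t n, long disp)
{
    if (disp < 0)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if ((size_t)disp >= tbl[i].offset && (size_t)disp < tbl[i].offset + tbl[i].size)
            return tbl[i].name;
    return NULL;
}

/* What "mov disp(%reg),..." reads if %reg holds a pointer to the mock file,
 * under the plain or the lock-debugging layout. A NULL result is itself a
 * signal: wrong base struct, or a layout built from a different config. */
const char *file_field_for_operand(const char *operand, int lock_debugging)
{
    long disp;
    char base[16];
    if (parse_att_operand(operand, &disp, base, sizeof base) != 0)
        return NULL;
    if (lock_debugging)
        return field_at(lockdep_fields, sizeof lockdep_fields / sizeof *lockdep_fields, disp);
    return field_at(plain_fields, sizeof plain_fields / sizeof *plain_fields, disp);
}

/* Offset of f_mode in the mock struct for each configuration. */
long mock_f_mode_offset(int lock_debugging)
{
    return lock_debugging ? (long)offsetof(struct mock_file_lockdep, f_mode)
                          : (long)offsetof(struct mock_file_plain, f_mode);
}

int main(void)
{
    const char *ops[] = { "0x2c(%r15)", "0x68(%r15)", "0x22(%r15)", "0x6c(%r15)", "-0x88(%rbp)" };
    printf("mock f_mode offset: plain=0x%lx lockdep=0x%lx\n",
           mock_f_mode_offset(0), mock_f_mode_offset(1));
    for (size_t i = 0; i < sizeof ops / sizeof *ops; i++) {
        const char *plain = file_field_for_operand(ops[i], 0);
        const char *dbg   = file_field_for_operand(ops[i], 1);
        printf("%-12s plain=%-8s lockdep=%s\n", ops[i],
               plain ? plain : "(none)", dbg ? dbg : "(none)");
    }
    return 0;
}
```

On a real vmlinux the table comes from the debug info rather than from a hand-written mock: `pahole -C file vmlinux` or gdb's `ptype /o struct file` prints the offsets for exactly the config the kernel was built with, which is the step that turns the 0x84 in the objdump above into f_mode only for that config.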

* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 19:38       ` Al Viro
@ 2016-07-19 19:47         ` Dave Jones
  2016-07-20 13:14         ` Dave Jones
  1 sibling, 0 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-19 19:47 UTC (permalink / raw)
  To: Al Viro; +Cc: Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 08:38:57PM +0100, Al Viro wrote:
 > On Tue, Jul 19, 2016 at 02:33:27PM -0400, Dave Jones wrote:
 > >  > Could you dump the relevant part of vmlinux objdump, rather than whatever
 > >  > you've used on base.o?  Having relocations resolved makes it much easier
 > >  > to figure out...  Or just dump that vmlinux on anonftp somewhere...
 > > 
 > > http://codemonkey.org.uk/junk/vmlinux.gz
 > 
 > OK, it's actually about fetching ->f_mode in
 >                         info.mode = vma->vm_file->f_mode;
 > 
 > %r15 contains vma->vm_file at that point, and 0x84 is the offset of
 > f_mode in struct file on your config from hell (due to spinlock_t size
 > exploding on lockdep et al.)
 > 
 > Interesting...  Do you have a reproducer for that?

Will give it another run when I get home. Machine is locked up for unknown
reasons right now..

	Dave


* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
  2016-07-19 19:38       ` Al Viro
  2016-07-19 19:47         ` Dave Jones
@ 2016-07-20 13:14         ` Dave Jones
  1 sibling, 0 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-20 13:14 UTC (permalink / raw)
  To: Al Viro; +Cc: Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 08:38:57PM +0100, Al Viro wrote:
 > On Tue, Jul 19, 2016 at 02:33:27PM -0400, Dave Jones wrote:
 > >  > Could you dump the relevant part of vmlinux objdump, rather than whatever
 > >  > you've used on base.o?  Having relocations resolved makes it much easier
 > >  > to figure out...  Or just dump that vmlinux on anonftp somewhere...
 > > 
 > > http://codemonkey.org.uk/junk/vmlinux.gz
 > 
 > OK, it's actually about fetching ->f_mode in
 >                         info.mode = vma->vm_file->f_mode;
 > 
 > %r15 contains vma->vm_file at that point, and 0x84 is the offset of
 > f_mode in struct file on your config from hell (due to spinlock_t size
 > exploding on lockdep et al.)
 > 
 > Interesting...  Do you have a reproducer for that?

don't waste any more time on this. leaked a task struct in
a local diff to the oom-killer.

	Dave


end of thread, other threads:[~2016-07-20 13:14 UTC | newest]

Thread overview: 9+ messages
2016-07-19 11:16 4.7-rc7: use-after-free in proc_map_files_readdir Alexey Dobriyan
2016-07-19 15:31 ` Dave Jones
2016-07-19 16:20   ` Al Viro
2016-07-19 18:33     ` Dave Jones
2016-07-19 19:38       ` Al Viro
2016-07-19 19:47         ` Dave Jones
2016-07-20 13:14         ` Dave Jones
2016-07-19 19:28   ` Alexey Dobriyan
  -- strict thread matches above, loose matches on Subject: below --
2016-07-18 23:24 Dave Jones
