* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
@ 2016-07-19 11:16 Alexey Dobriyan
2016-07-19 15:31 ` Dave Jones
0 siblings, 1 reply; 9+ messages in thread
From: Alexey Dobriyan @ 2016-07-19 11:16 UTC (permalink / raw)
To: davej; +Cc: Linux Kernel
> BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
Just in case can you addr2line this address or post disassembly?
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 11:16 4.7-rc7: use-after-free in proc_map_files_readdir Alexey Dobriyan
@ 2016-07-19 15:31 ` Dave Jones
2016-07-19 16:20 ` Al Viro
2016-07-19 19:28 ` Alexey Dobriyan
0 siblings, 2 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-19 15:31 UTC (permalink / raw)
To: Alexey Dobriyan; +Cc: Linux Kernel

On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
>
> Just in case can you addr2line this address or post disassembly?

http://codemonkey.org.uk/junk/fs_proc_base.dis.txt

Which by my math, looks to be..

    7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
        info.len = snprintf(info.name,

        inlined from dir_emit_dots()

Dave
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 15:31 ` Dave Jones
@ 2016-07-19 16:20 ` Al Viro
2016-07-19 18:33 ` Dave Jones
2016-07-19 19:28 ` Alexey Dobriyan
1 sibling, 1 reply; 9+ messages in thread
From: Al Viro @ 2016-07-19 16:20 UTC (permalink / raw)
To: Dave Jones, Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
> >
> > Just in case can you addr2line this address or post disassembly?
>
> http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
>
> Which by my math, looks to be..
>
>     7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
>         info.len = snprintf(info.name,

The entire expression is
                        info.len = snprintf(info.name,
                                        sizeof(info.name), "%lx-%lx",
                                        vma->vm_start, vma->vm_end);
and we have
        * address of array field in local structure.
        * constant
        * string literal
        * two longs fetched from *vma, that being done under ->mmap_sem
        * call of snprintf
        * store into a field of local structure.
The only ways to get use-after-free in that would be to have *vma freed
under you or have the same happen to your stack frame.

Could you dump the relevant part of vmlinux objdump, rather than whatever
you've used on base.o?  Having relocations resolved makes it much easier
to figure out...  Or just dump that vmlinux on anonftp somewhere...
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 16:20 ` Al Viro
@ 2016-07-19 18:33 ` Dave Jones
2016-07-19 19:38 ` Al Viro
0 siblings, 1 reply; 9+ messages in thread
From: Dave Jones @ 2016-07-19 18:33 UTC (permalink / raw)
To: Al Viro; +Cc: Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 05:20:36PM +0100, Al Viro wrote:
> On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> > On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
> > >
> > > Just in case can you addr2line this address or post disassembly?
> >
> > http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
> >
> > Which by my math, looks to be..
> >
> >     7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
> >         info.len = snprintf(info.name,
>
> The entire expression is
>                         info.len = snprintf(info.name,
>                                         sizeof(info.name), "%lx-%lx",
>                                         vma->vm_start, vma->vm_end);
> and we have
>         * address of array field in local structure.
>         * constant
>         * string literal
>         * two longs fetched from *vma, that being done under ->mmap_sem
>         * call of snprintf
>         * store into a field of local structure.
> The only ways to get use-after-free in that would be to have *vma freed
> under you or have the same happen to your stack frame.
>
> Could you dump the relevant part of vmlinux objdump, rather than whatever
> you've used on base.o?  Having relocations resolved makes it much easier
> to figure out...  Or just dump that vmlinux on anonftp somewhere...

http://codemonkey.org.uk/junk/vmlinux.gz

Dave
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 18:33 ` Dave Jones
@ 2016-07-19 19:38 ` Al Viro
2016-07-19 19:47 ` Dave Jones
2016-07-20 13:14 ` Dave Jones
0 siblings, 2 replies; 9+ messages in thread
From: Al Viro @ 2016-07-19 19:38 UTC (permalink / raw)
To: Dave Jones, Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 02:33:27PM -0400, Dave Jones wrote:
> > Could you dump the relevant part of vmlinux objdump, rather than whatever
> > you've used on base.o?  Having relocations resolved makes it much easier
> > to figure out...  Or just dump that vmlinux on anonftp somewhere...
>
> http://codemonkey.org.uk/junk/vmlinux.gz

OK, it's actually about fetching ->f_mode in
                info.mode = vma->vm_file->f_mode;

%r15 contains vma->vm_file at that point, and 0x84 is the offset of
f_mode in struct file on your config from hell (due to spinlock_t size
exploding on lockdep et.al.)

Interesting...  Do you have a reproducer for that?
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 19:38 ` Al Viro
@ 2016-07-19 19:47 ` Dave Jones
2016-07-20 13:14 ` Dave Jones
1 sibling, 0 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-19 19:47 UTC (permalink / raw)
To: Al Viro; +Cc: Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 08:38:57PM +0100, Al Viro wrote:
> On Tue, Jul 19, 2016 at 02:33:27PM -0400, Dave Jones wrote:
> > > Could you dump the relevant part of vmlinux objdump, rather than whatever
> > > you've used on base.o?  Having relocations resolved makes it much easier
> > > to figure out...  Or just dump that vmlinux on anonftp somewhere...
> >
> > http://codemonkey.org.uk/junk/vmlinux.gz
>
> OK, it's actually about fetching ->f_mode in
>                 info.mode = vma->vm_file->f_mode;
>
> %r15 contains vma->vm_file at that point, and 0x84 is the offset of
> f_mode in struct file on your config from hell (due to spinlock_t size
> exploding on lockdep et.al.)
>
> Interesting...  Do you have a reproducer for that?

Will give it another run when I get home. Machine is locked up for
unknown reasons right now..

Dave
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 19:38 ` Al Viro
2016-07-19 19:47 ` Dave Jones
@ 2016-07-20 13:14 ` Dave Jones
1 sibling, 0 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-20 13:14 UTC (permalink / raw)
To: Al Viro; +Cc: Alexey Dobriyan, Linux Kernel

On Tue, Jul 19, 2016 at 08:38:57PM +0100, Al Viro wrote:
> On Tue, Jul 19, 2016 at 02:33:27PM -0400, Dave Jones wrote:
> > > Could you dump the relevant part of vmlinux objdump, rather than whatever
> > > you've used on base.o?  Having relocations resolved makes it much easier
> > > to figure out...  Or just dump that vmlinux on anonftp somewhere...
> >
> > http://codemonkey.org.uk/junk/vmlinux.gz
>
> OK, it's actually about fetching ->f_mode in
>                 info.mode = vma->vm_file->f_mode;
>
> %r15 contains vma->vm_file at that point, and 0x84 is the offset of
> f_mode in struct file on your config from hell (due to spinlock_t size
> exploding on lockdep et.al.)
>
> Interesting...  Do you have a reproducer for that?

Don't waste any more time on this. Leaked a task struct in a local diff
to the oom-killer.

Dave
* Re: 4.7-rc7: use-after-free in proc_map_files_readdir
2016-07-19 15:31 ` Dave Jones
2016-07-19 16:20 ` Al Viro
@ 2016-07-19 19:28 ` Alexey Dobriyan
1 sibling, 0 replies; 9+ messages in thread
From: Alexey Dobriyan @ 2016-07-19 19:28 UTC (permalink / raw)
To: Dave Jones, Linux Kernel

On Tue, Jul 19, 2016 at 11:31:45AM -0400, Dave Jones wrote:
> On Tue, Jul 19, 2016 at 02:16:36PM +0300, Alexey Dobriyan wrote:
> > > BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
> >
> > Just in case can you addr2line this address or post disassembly?
>
> http://codemonkey.org.uk/junk/fs_proc_base.dis.txt
>
> Which by my math, looks to be..
>
>     7253:       41 8b 87 84 00 00 00    mov    0x84(%r15),%eax
>         info.len = snprintf(info.name,
>
>         inlined from dir_emit_dots()

For those on dialup connections :^)

RIP is ffffffff813f38d3

ffffffff813f35f0 <proc_map_files_readdir>:
ffffffff813f35f0:  e8 3b c1 97 00           callq  ffffffff81d6f730 <__fentry__>
        ffffffff813f35f1: R_X86_64_PC32 __fentry__-0x4
ffffffff813f35f5:  55                       push   %rbp
ffffffff813f35f6:  48 89 e5                 mov    %rsp,%rbp
ffffffff813f35f9:  41 57                    push   %r15
ffffffff813f35fb:  48 8d 85 58 ff ff ff     lea    -0xa8(%rbp),%rax
ffffffff813f3602:  41 56                    push   %r14
ffffffff813f3604:  48 c1 e8 03              shr    $0x3,%rax
ffffffff813f3608:  41 55                    push   %r13
ffffffff813f360a:  49 89 fd                 mov    %rdi,%r13
ffffffff813f360d:  48 83 c7 20              add    $0x20,%rdi
ffffffff813f3611:  41 54                    push   %r12
ffffffff813f3613:  48 89 c1                 mov    %rax,%rcx
ffffffff813f3616:  53                       push   %rbx
ffffffff813f3617:  48 89 f3                 mov    %rsi,%rbx
ffffffff813f361a:  48 81 ec d8 00 00 00     sub    $0xd8,%rsp
ffffffff813f3621:  48 89 85 50 ff ff ff     mov    %rax,-0xb0(%rbp)
ffffffff813f3628:  48 b8 00 00 00 00 00     movabs $0xdffffc0000000000,%rax
ffffffff813f362f:  fc ff df
ffffffff813f3632:  48 c7 85 58 ff ff ff     movq   $0x41b58ab3,-0xa8(%rbp)
ffffffff813f3639:  b3 8a b5 41
ffffffff813f363d:  48 01 c8                 add    %rcx,%rax
ffffffff813f3640:  48 c7 85 60 ff ff ff     movq   $0xffffffff82361fc9,-0xa0(%rbp)
ffffffff813f3647:  c9 1f 36 82
        ffffffff813f3647: R_X86_64_32S .rodata+0x561fc9
ffffffff813f364b:  48 c7 85 68 ff ff ff     movq   $0xffffffff813f35f0,-0x98(%rbp)
ffffffff813f3652:  f0 35 3f 81
        ffffffff813f3652: R_X86_64_32S .text+0x3f35f0
ffffffff813f3656:  c7 00 f1 f1 f1 f1        movl   $0xf1f1f1f1,(%rax)
ffffffff813f365c:  c7 40 08 00 00 00 f4     movl   $0xf4000000,0x8(%rax)
ffffffff813f3663:  65 48 8b 04 25 28 00     mov    %gs:0x28,%rax
ffffffff813f366a:  00 00
ffffffff813f366c:  48 89 45 d0              mov    %rax,-0x30(%rbp)
ffffffff813f3670:  31 c0                    xor    %eax,%eax
ffffffff813f3672:  e8 c9 f8 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3673: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3677:  4d 8b 65 20              mov    0x20(%r13),%r12
ffffffff813f367b:  49 8d 7c 24 c8           lea    -0x38(%r12),%rdi
ffffffff813f3680:  e8 bb f8 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3681: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3685:  49 8b 7c 24 c8           mov    -0x38(%r12),%rdi
ffffffff813f368a:  31 f6                    xor    %esi,%esi
ffffffff813f368c:  e8 0f 5e cf ff           callq  ffffffff810e94a0 <get_pid_task>
        ffffffff813f368d: R_X86_64_PC32 get_pid_task-0x4
ffffffff813f3691:  48 85 c0                 test   %rax,%rax
ffffffff813f3694:  0f 84 29 04 00 00        je     ffffffff813f3ac3 <proc_map_files_readdir+0x4d3>
ffffffff813f369a:  be 09 00 00 00           mov    $0x9,%esi
ffffffff813f369f:  48 89 c7                 mov    %rax,%rdi
ffffffff813f36a2:  49 89 c4                 mov    %rax,%r12
ffffffff813f36a5:  e8 76 42 cd ff           callq  ffffffff810c7920 <ptrace_may_access>
        ffffffff813f36a6: R_X86_64_PC32 ptrace_may_access-0x4
ffffffff813f36aa:  84 c0                    test   %al,%al
ffffffff813f36ac:  75 56                    jne    ffffffff813f3704 <proc_map_files_readdir+0x114>
ffffffff813f36ae:  bb f3 ff ff ff           mov    $0xfffffff3,%ebx
ffffffff813f36b3:  f0 41 ff 4c 24 10        lock decl 0x10(%r12)
ffffffff813f36b9:  0f 84 89 02 00 00        je     ffffffff813f3948 <proc_map_files_readdir+0x358>
ffffffff813f36bf:  48 ba 00 00 00 00 00     movabs $0xdffffc0000000000,%rdx
ffffffff813f36c6:  fc ff df
ffffffff813f36c9:  89 d8                    mov    %ebx,%eax
ffffffff813f36cb:  48 03 95 50 ff ff ff     add    -0xb0(%rbp),%rdx
ffffffff813f36d2:  c7 02 00 00 00 00        movl   $0x0,(%rdx)
ffffffff813f36d8:  c7 42 08 00 00 00 00     movl   $0x0,0x8(%rdx)
ffffffff813f36df:  48 8b 75 d0              mov    -0x30(%rbp),%rsi
ffffffff813f36e3:  65 48 33 34 25 28 00     xor    %gs:0x28,%rsi
ffffffff813f36ea:  00 00
ffffffff813f36ec:  0f 85 80 04 00 00        jne    ffffffff813f3b72 <proc_map_files_readdir+0x582>
ffffffff813f36f2:  48 81 c4 d8 00 00 00     add    $0xd8,%rsp
ffffffff813f36f9:  5b                       pop    %rbx
ffffffff813f36fa:  41 5c                    pop    %r12
ffffffff813f36fc:  41 5d                    pop    %r13
ffffffff813f36fe:  41 5e                    pop    %r14
ffffffff813f3700:  41 5f                    pop    %r15
ffffffff813f3702:  5d                       pop    %rbp
ffffffff813f3703:  c3                       retq
ffffffff813f3704:  48 8d 43 08              lea    0x8(%rbx),%rax
ffffffff813f3708:  48 89 c7                 mov    %rax,%rdi
ffffffff813f370b:  48 89 85 48 ff ff ff     mov    %rax,-0xb8(%rbp)
ffffffff813f3712:  e8 29 f8 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3713: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3717:  48 8b 43 08              mov    0x8(%rbx),%rax
ffffffff813f371b:  48 85 c0                 test   %rax,%rax
ffffffff813f371e:  0f 84 50 02 00 00        je     ffffffff813f3974 <proc_map_files_readdir+0x384>
ffffffff813f3724:  48 83 f8 01              cmp    $0x1,%rax
ffffffff813f3728:  0f 84 4b 04 00 00        je     ffffffff813f3b79 <proc_map_files_readdir+0x589>
ffffffff813f372e:  4c 89 e7                 mov    %r12,%rdi
ffffffff813f3731:  e8 5a a4 cb ff           callq  ffffffff810adb90 <get_task_mm>
        ffffffff813f3732: R_X86_64_PC32 get_task_mm-0x4
ffffffff813f3736:  48 85 c0                 test   %rax,%rax
ffffffff813f3739:  48 89 85 28 ff ff ff     mov    %rax,-0xd8(%rbp)
ffffffff813f3740:  0f 84 27 02 00 00        je     ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f3746:  4c 8b bd 28 ff ff ff     mov    -0xd8(%rbp),%r15
ffffffff813f374d:  4c 89 f8                 mov    %r15,%rax
ffffffff813f3750:  48 05 b0 00 00 00        add    $0xb0,%rax
ffffffff813f3756:  48 89 c7                 mov    %rax,%rdi
ffffffff813f3759:  48 89 85 30 ff ff ff     mov    %rax,-0xd0(%rbp)
ffffffff813f3760:  e8 bb 62 97 00           callq  ffffffff81d69a20 <down_read>
        ffffffff813f3761: R_X86_64_PC32 down_read-0x4
ffffffff813f3765:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f3768:  e8 d3 f7 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3769: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f376d:  4d 8b 3f                 mov    (%r15),%r15
ffffffff813f3770:  4d 85 ff                 test   %r15,%r15
ffffffff813f3773:  0f 84 dc 01 00 00        je     ffffffff813f3955 <proc_map_files_readdir+0x365>
ffffffff813f3779:  4c 89 a5 40 ff ff ff     mov    %r12,-0xc0(%rbp)
ffffffff813f3780:  4c 8b a5 48 ff ff ff     mov    -0xb8(%rbp),%r12
ffffffff813f3787:  31 c0                    xor    %eax,%eax
ffffffff813f3789:  41 be 02 00 00 00        mov    $0x2,%r14d
ffffffff813f378f:  4c 89 ad 20 ff ff ff     mov    %r13,-0xe0(%rbp)
ffffffff813f3796:  4d 89 fd                 mov    %r15,%r13
ffffffff813f3799:  49 89 c7                 mov    %rax,%r15
ffffffff813f379c:  49 8d bd a0 00 00 00     lea    0xa0(%r13),%rdi
ffffffff813f37a3:  e8 98 f7 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f37a4: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f37a8:  49 83 bd a0 00 00 00     cmpq   $0x0,0xa0(%r13)
ffffffff813f37af:  00
ffffffff813f37b0:  74 14                    je     ffffffff813f37c6 <proc_map_files_readdir+0x1d6>
ffffffff813f37b2:  4c 89 e7                 mov    %r12,%rdi
ffffffff813f37b5:  49 83 c6 01              add    $0x1,%r14
ffffffff813f37b9:  e8 82 f7 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f37ba: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f37be:  4c 39 73 08              cmp    %r14,0x8(%rbx)
ffffffff813f37c2:  49 83 d7 00              adc    $0x0,%r15
ffffffff813f37c6:  49 8d 7d 10              lea    0x10(%r13),%rdi
ffffffff813f37ca:  e8 71 f7 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f37cb: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f37cf:  4d 8b 6d 10              mov    0x10(%r13),%r13
ffffffff813f37d3:  4d 85 ed                 test   %r13,%r13
ffffffff813f37d6:  75 c4                    jne    ffffffff813f379c <proc_map_files_readdir+0x1ac>
ffffffff813f37d8:  4d 85 ff                 test   %r15,%r15
ffffffff813f37db:  4c 89 bd 38 ff ff ff     mov    %r15,-0xc8(%rbp)
ffffffff813f37e2:  4c 8b a5 40 ff ff ff     mov    -0xc0(%rbp),%r12
ffffffff813f37e9:  4c 8b ad 20 ff ff ff     mov    -0xe0(%rbp),%r13
ffffffff813f37f0:  0f 84 5f 01 00 00        je     ffffffff813f3955 <proc_map_files_readdir+0x365>
ffffffff813f37f6:  ba c0 00 40 02           mov    $0x24000c0,%edx
ffffffff813f37fb:  44 89 fe                 mov    %r15d,%esi
ffffffff813f37fe:  bf 38 00 00 00           mov    $0x38,%edi
ffffffff813f3803:  e8 a8 52 1b 00           callq  ffffffff815a8ab0 <flex_array_alloc>
        ffffffff813f3804: R_X86_64_PC32 flex_array_alloc-0x4
ffffffff813f3808:  48 85 c0                 test   %rax,%rax
ffffffff813f380b:  48 89 85 40 ff ff ff     mov    %rax,-0xc0(%rbp)
ffffffff813f3812:  0f 84 89 02 00 00        je     ffffffff813f3aa1 <proc_map_files_readdir+0x4b1>
ffffffff813f3818:  31 f6                    xor    %esi,%esi
ffffffff813f381a:  b9 c0 00 40 02           mov    $0x24000c0,%ecx
ffffffff813f381f:  44 89 fa                 mov    %r15d,%edx
ffffffff813f3822:  48 89 c7                 mov    %rax,%rdi
ffffffff813f3825:  e8 06 50 1b 00           callq  ffffffff815a8830 <flex_array_prealloc>
        ffffffff813f3826: R_X86_64_PC32 flex_array_prealloc-0x4
ffffffff813f382a:  85 c0                    test   %eax,%eax
ffffffff813f382c:  0f 85 63 02 00 00        jne    ffffffff813f3a95 <proc_map_files_readdir+0x4a5>
ffffffff813f3832:  4c 8b bd 28 ff ff ff     mov    -0xd8(%rbp),%r15
ffffffff813f3839:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f383c:  e8 ff f6 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f383d: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3841:  4d 8b 37                 mov    (%r15),%r14
ffffffff813f3844:  4d 85 f6                 test   %r14,%r14
ffffffff813f3847:  0f 84 8e 02 00 00        je     ffffffff813f3adb <proc_map_files_readdir+0x4eb>
ffffffff813f384d:  48 8d 85 78 ff ff ff     lea    -0x88(%rbp),%rax
ffffffff813f3854:  31 d2                    xor    %edx,%edx
ffffffff813f3856:  be 02 00 00 00           mov    $0x2,%esi
ffffffff813f385b:  4c 89 a5 10 ff ff ff     mov    %r12,-0xf0(%rbp)
ffffffff813f3862:  48 89 85 20 ff ff ff     mov    %rax,-0xe0(%rbp)
ffffffff813f3869:  48 83 c0 10              add    $0x10,%rax
ffffffff813f386d:  49 89 f4                 mov    %rsi,%r12
ffffffff813f3870:  4c 89 ad 08 ff ff ff     mov    %r13,-0xf8(%rbp)
ffffffff813f3877:  49 89 d5                 mov    %rdx,%r13
ffffffff813f387a:  48 89 85 18 ff ff ff     mov    %rax,-0xe8(%rbp)
ffffffff813f3881:  eb 16                    jmp    ffffffff813f3899 <proc_map_files_readdir+0x2a9>
ffffffff813f3883:  49 8d 7e 10              lea    0x10(%r14),%rdi
ffffffff813f3887:  e8 b4 f6 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3888: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f388c:  4d 8b 76 10              mov    0x10(%r14),%r14
ffffffff813f3890:  4d 85 f6                 test   %r14,%r14
ffffffff813f3893:  0f 84 34 02 00 00        je     ffffffff813f3acd <proc_map_files_readdir+0x4dd>
ffffffff813f3899:  49 8d be a0 00 00 00     lea    0xa0(%r14),%rdi
ffffffff813f38a0:  e8 9b f6 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f38a1: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38a5:  4d 8b be a0 00 00 00     mov    0xa0(%r14),%r15
ffffffff813f38ac:  4d 85 ff                 test   %r15,%r15
ffffffff813f38af:  74 d2                    je     ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f38b1:  48 8b bd 48 ff ff ff     mov    -0xb8(%rbp),%rdi
ffffffff813f38b8:  49 83 c4 01              add    $0x1,%r12
ffffffff813f38bc:  e8 7f f6 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f38bd: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38c1:  4c 3b 63 08              cmp    0x8(%rbx),%r12
ffffffff813f38c5:  76 bc                    jbe    ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f38c7:  49 8d bf 84 00 00 00     lea    0x84(%r15),%rdi
ffffffff813f38ce:  e8 6d f5 f1 ff           callq  ffffffff81312e40 <__asan_load4>
        ffffffff813f38cf: R_X86_64_PC32 __asan_load4_noabort-0x4
ffffffff813f38d3: ***** 41 8b 87 84 00 00 00  mov    0x84(%r15),%eax
ffffffff813f38da:  49 8d 7e 08              lea    0x8(%r14),%rdi
ffffffff813f38de:  89 85 78 ff ff ff        mov    %eax,-0x88(%rbp)
ffffffff813f38e4:  e8 57 f6 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f38e5: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38e9:  4d 8b 7e 08              mov    0x8(%r14),%r15
ffffffff813f38ed:  4c 89 f7                 mov    %r14,%rdi
ffffffff813f38f0:  e8 4b f6 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f38f1: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f38f5:  49 8b 0e                 mov    (%r14),%rcx
ffffffff813f38f8:  be 22 00 00 00           mov    $0x22,%esi
ffffffff813f38fd:  48 c7 c2 00 72 f1 81     mov    $0xffffffff81f17200,%rdx
        ffffffff813f3900: R_X86_64_32S .rodata+0x117200
ffffffff813f3904:  48 8b bd 18 ff ff ff     mov    -0xe8(%rbp),%rdi
ffffffff813f390b:  4d 89 f8                 mov    %r15,%r8
ffffffff813f390e:  4d 8d 7d 01              lea    0x1(%r13),%r15
ffffffff813f3912:  e8 79 c4 1a 00           callq  ffffffff8159fd90 <snprintf>
        ffffffff813f3913: R_X86_64_PC32 snprintf-0x4
ffffffff813f3917:  48 8b 95 20 ff ff ff     mov    -0xe0(%rbp),%rdx
ffffffff813f391e:  b9 c0 00 40 02           mov    $0x24000c0,%ecx
ffffffff813f3923:  44 89 ee                 mov    %r13d,%esi
ffffffff813f3926:  48 8b bd 40 ff ff ff     mov    -0xc0(%rbp),%rdi
ffffffff813f392d:  48 98                    cltq
ffffffff813f392f:  48 89 45 80              mov    %rax,-0x80(%rbp)
ffffffff813f3933:  e8 a8 4d 1b 00           callq  ffffffff815a86e0 <flex_array_put>
        ffffffff813f3934: R_X86_64_PC32 flex_array_put-0x4
ffffffff813f3938:  85 c0                    test   %eax,%eax
ffffffff813f393a:  0f 85 37 02 00 00        jne    ffffffff813f3b77 <proc_map_files_readdir+0x587>
ffffffff813f3940:  4d 89 fd                 mov    %r15,%r13
ffffffff813f3943:  e9 3b ff ff ff           jmpq   ffffffff813f3883 <proc_map_files_readdir+0x293>
ffffffff813f3948:  4c 89 e7                 mov    %r12,%rdi
ffffffff813f394b:  e8 20 ba cb ff           callq  ffffffff810af370 <__put_task_struct>
        ffffffff813f394c: R_X86_64_PC32 __put_task_struct-0x4
ffffffff813f3950:  e9 6a fd ff ff           jmpq   ffffffff813f36bf <proc_map_files_readdir+0xcf>
ffffffff813f3955:  48 8b bd 30 ff ff ff     mov    -0xd0(%rbp),%rdi
ffffffff813f395c:  e8 4f 63 d4 ff           callq  ffffffff81139cb0 <up_read>
        ffffffff813f395d: R_X86_64_PC32 up_read-0x4
ffffffff813f3961:  48 8b bd 28 ff ff ff     mov    -0xd8(%rbp),%rdi
ffffffff813f3968:  e8 b3 b3 cb ff           callq  ffffffff810aed20 <mmput>
        ffffffff813f3969: R_X86_64_PC32 mmput-0x4
ffffffff813f396d:  31 db                    xor    %ebx,%ebx
ffffffff813f396f:  e9 3f fd ff ff           jmpq   ffffffff813f36b3 <proc_map_files_readdir+0xc3>
ffffffff813f3974:  4d 8d 7d 18              lea    0x18(%r13),%r15
ffffffff813f3978:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f397b:  e8 c0 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f397c: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3980:  4d 8b 75 18              mov    0x18(%r13),%r14
ffffffff813f3984:  48 89 df                 mov    %rbx,%rdi
ffffffff813f3987:  e8 b4 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3988: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f398c:  48 8b 03                 mov    (%rbx),%rax
ffffffff813f398f:  49 8d 7e 68              lea    0x68(%r14),%rdi
ffffffff813f3993:  48 89 85 40 ff ff ff     mov    %rax,-0xc0(%rbp)
ffffffff813f399a:  e8 a1 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f399b: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f399f:  4d 8b 76 68              mov    0x68(%r14),%r14
ffffffff813f39a3:  49 8d 7e 38              lea    0x38(%r14),%rdi
ffffffff813f39a7:  e8 94 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f39a8: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f39ac:  31 c9                    xor    %ecx,%ecx
ffffffff813f39ae:  41 b9 04 00 00 00        mov    $0x4,%r9d
ffffffff813f39b4:  48 89 df                 mov    %rbx,%rdi
ffffffff813f39b7:  4d 8b 46 38              mov    0x38(%r14),%r8
ffffffff813f39bb:  ba 01 00 00 00           mov    $0x1,%edx
ffffffff813f39c0:  48 c7 c6 40 74 f1 81     mov    $0xffffffff81f17440,%rsi
        ffffffff813f39c3: R_X86_64_32S .rodata+0x117440
ffffffff813f39c7:  48 8b 85 40 ff ff ff     mov    -0xc0(%rbp),%rax
ffffffff813f39ce:  ff d0                    callq  *%rax
ffffffff813f39d0:  85 c0                    test   %eax,%eax
ffffffff813f39d2:  75 99                    jne    ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f39d4:  48 8b bd 48 ff ff ff     mov    -0xb8(%rbp),%rdi
ffffffff813f39db:  e8 d0 f5 f1 ff           callq  ffffffff81312fb0 <__asan_store8>
        ffffffff813f39dc: R_X86_64_PC32 __asan_store8_noabort-0x4
ffffffff813f39e0:  48 c7 43 08 01 00 00     movq   $0x1,0x8(%rbx)
ffffffff813f39e7:  00
ffffffff813f39e8:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f39eb:  e8 50 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f39ec: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f39f0:  4d 8b 75 18              mov    0x18(%r13),%r14
ffffffff813f39f4:  48 89 df                 mov    %rbx,%rdi
ffffffff813f39f7:  e8 44 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f39f8: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f39fc:  48 8b 03                 mov    (%rbx),%rax
ffffffff813f39ff:  4d 8d be 90 00 00 00     lea    0x90(%r14),%r15
ffffffff813f3a06:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f3a09:  48 89 85 40 ff ff ff     mov    %rax,-0xc0(%rbp)
ffffffff813f3a10:  e8 1b 8c 97 00           callq  ffffffff81d6c630 <_raw_spin_lock>
        ffffffff813f3a11: R_X86_64_PC32 _raw_spin_lock-0x4
ffffffff813f3a15:  49 8d 7e 50              lea    0x50(%r14),%rdi
ffffffff813f3a19:  e8 22 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3a1a: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a1e:  4d 8b 76 50              mov    0x50(%r14),%r14
ffffffff813f3a22:  49 8d 7e 68              lea    0x68(%r14),%rdi
ffffffff813f3a26:  e8 15 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3a27: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a2b:  4d 8b 76 68              mov    0x68(%r14),%r14
ffffffff813f3a2f:  49 8d 7e 38              lea    0x38(%r14),%rdi
ffffffff813f3a33:  e8 08 f5 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3a34: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a38:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f3a3b:  4d 8b 76 38              mov    0x38(%r14),%r14
ffffffff813f3a3f:  e8 1c 91 97 00           callq  ffffffff81d6cb60 <_raw_spin_unlock>
        ffffffff813f3a40: R_X86_64_PC32 _raw_spin_unlock-0x4
ffffffff813f3a44:  4c 8b bd 48 ff ff ff     mov    -0xb8(%rbp),%r15
ffffffff813f3a4b:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f3a4e:  e8 ed f4 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3a4f: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3a53:  48 8b 4b 08              mov    0x8(%rbx),%rcx
ffffffff813f3a57:  4d 89 f0                 mov    %r14,%r8
ffffffff813f3a5a:  48 89 df                 mov    %rbx,%rdi
ffffffff813f3a5d:  41 b9 04 00 00 00        mov    $0x4,%r9d
ffffffff813f3a63:  ba 02 00 00 00           mov    $0x2,%edx
ffffffff813f3a68:  48 c7 c6 80 74 f1 81     mov    $0xffffffff81f17480,%rsi
        ffffffff813f3a6b: R_X86_64_32S .rodata+0x117480
ffffffff813f3a6f:  48 8b 85 40 ff ff ff     mov    -0xc0(%rbp),%rax
ffffffff813f3a76:  ff d0                    callq  *%rax
ffffffff813f3a78:  85 c0                    test   %eax,%eax
ffffffff813f3a7a:  0f 85 ed fe ff ff        jne    ffffffff813f396d <proc_map_files_readdir+0x37d>
ffffffff813f3a80:  4c 89 ff                 mov    %r15,%rdi
ffffffff813f3a83:  e8 28 f5 f1 ff           callq  ffffffff81312fb0 <__asan_store8>
        ffffffff813f3a84: R_X86_64_PC32 __asan_store8_noabort-0x4
ffffffff813f3a88:  48 c7 43 08 02 00 00     movq   $0x2,0x8(%rbx)
ffffffff813f3a8f:  00
ffffffff813f3a90:  e9 99 fc ff ff           jmpq   ffffffff813f372e <proc_map_files_readdir+0x13e>
ffffffff813f3a95:  48 8b bd 40 ff ff ff     mov    -0xc0(%rbp),%rdi
ffffffff813f3a9c:  e8 cf 4e 1b 00           callq  ffffffff815a8970 <flex_array_free>
        ffffffff813f3a9d: R_X86_64_PC32 flex_array_free-0x4
ffffffff813f3aa1:  48 8b bd 30 ff ff ff     mov    -0xd0(%rbp),%rdi
ffffffff813f3aa8:  bb f4 ff ff ff           mov    $0xfffffff4,%ebx
ffffffff813f3aad:  e8 fe 61 d4 ff           callq  ffffffff81139cb0 <up_read>
        ffffffff813f3aae: R_X86_64_PC32 up_read-0x4
ffffffff813f3ab2:  48 8b bd 28 ff ff ff     mov    -0xd8(%rbp),%rdi
ffffffff813f3ab9:  e8 62 b2 cb ff           callq  ffffffff810aed20 <mmput>
        ffffffff813f3aba: R_X86_64_PC32 mmput-0x4
ffffffff813f3abe:  e9 f0 fb ff ff           jmpq   ffffffff813f36b3 <proc_map_files_readdir+0xc3>
ffffffff813f3ac3:  bb fe ff ff ff           mov    $0xfffffffe,%ebx
ffffffff813f3ac8:  e9 f2 fb ff ff           jmpq   ffffffff813f36bf <proc_map_files_readdir+0xcf>
ffffffff813f3acd:  4c 8b a5 10 ff ff ff     mov    -0xf0(%rbp),%r12
ffffffff813f3ad4:  4c 8b ad 08 ff ff ff     mov    -0xf8(%rbp),%r13
ffffffff813f3adb:  48 8b bd 30 ff ff ff     mov    -0xd0(%rbp),%rdi
ffffffff813f3ae2:  45 31 f6                 xor    %r14d,%r14d
ffffffff813f3ae5:  e8 c6 61 d4 ff           callq  ffffffff81139cb0 <up_read>
        ffffffff813f3ae6: R_X86_64_PC32 up_read-0x4
ffffffff813f3aea:  4c 89 ad 30 ff ff ff     mov    %r13,-0xd0(%rbp)
ffffffff813f3af1:  eb 1e                    jmp    ffffffff813f3b11 <proc_map_files_readdir+0x521>
ffffffff813f3af3:  48 8b bd 48 ff ff ff     mov    -0xb8(%rbp),%rdi
ffffffff813f3afa:  49 83 c6 01              add    $0x1,%r14
ffffffff813f3afe:  e8 3d f4 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3aff: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3b03:  48 83 43 08 01           addq   $0x1,0x8(%rbx)
ffffffff813f3b08:  4c 39 b5 38 ff ff ff     cmp    %r14,-0xc8(%rbp)
ffffffff813f3b0f:  74 50                    je     ffffffff813f3b61 <proc_map_files_readdir+0x571>
ffffffff813f3b11:  48 8b bd 40 ff ff ff     mov    -0xc0(%rbp),%rdi
ffffffff813f3b18:  44 89 f6                 mov    %r14d,%esi
ffffffff813f3b1b:  e8 f0 48 1b 00           callq  ffffffff815a8410 <flex_array_get>
        ffffffff813f3b1c: R_X86_64_PC32 flex_array_get-0x4
ffffffff813f3b20:  49 89 c5                 mov    %rax,%r13
ffffffff813f3b23:  48 89 c7                 mov    %rax,%rdi
ffffffff813f3b26:  e8 15 f3 f1 ff           callq  ffffffff81312e40 <__asan_load4>
        ffffffff813f3b27: R_X86_64_PC32 __asan_load4_noabort-0x4
ffffffff813f3b2b:  45 8b 7d 00              mov    0x0(%r13),%r15d
ffffffff813f3b2f:  49 8d 7d 08              lea    0x8(%r13),%rdi
ffffffff813f3b33:  e8 08 f4 f1 ff           callq  ffffffff81312f40 <__asan_load8>
        ffffffff813f3b34: R_X86_64_PC32 __asan_load8_noabort-0x4
ffffffff813f3b38:  49 8b 4d 08              mov    0x8(%r13),%rcx
ffffffff813f3b3c:  49 8d 55 10              lea    0x10(%r13),%rdx
ffffffff813f3b40:  4d 89 e1                 mov    %r12,%r9
ffffffff813f3b43:  48 8b bd 30 ff ff ff     mov    -0xd0(%rbp),%rdi
ffffffff813f3b4a:  49 c7 c0 20 29 3f 81     mov    $0xffffffff813f2920,%r8
        ffffffff813f3b4d: R_X86_64_32S .text+0x3f2920
ffffffff813f3b51:  48 89 de                 mov    %rbx,%rsi
ffffffff813f3b54:  4c 89 3c 24              mov    %r15,(%rsp)
ffffffff813f3b58:  e8 43 f7 ff ff           callq  ffffffff813f32a0 <proc_fill_cache>
        ffffffff813f3b59: R_X86_64_PC32 proc_fill_cache-0x4
ffffffff813f3b5d:  84 c0                    test   %al,%al
ffffffff813f3b5f:  75 92                    jne    ffffffff813f3af3 <proc_map_files_readdir+0x503>
ffffffff813f3b61:  48 8b bd 40 ff ff ff     mov    -0xc0(%rbp),%rdi
ffffffff813f3b68:  e8 03 4e 1b 00           callq  ffffffff815a8970 <flex_array_free>
        ffffffff813f3b69: R_X86_64_PC32 flex_array_free-0x4
ffffffff813f3b6d:  e9 ef fd ff ff           jmpq   ffffffff813f3961 <proc_map_files_readdir+0x371>
ffffffff813f3b72:  e8 89 03 cc ff           callq  ffffffff810b3f00 <__stack_chk_fail>
        ffffffff813f3b73: R_X86_64_PC32 __stack_chk_fail-0x4
ffffffff813f3b77:  0f 0b                    ud2
ffffffff813f3b79:  4d 8d 7d 18              lea    0x18(%r13),%r15
ffffffff813f3b7d:  e9 66 fe ff ff           jmpq   ffffffff813f39e8 <proc_map_files_readdir+0x3f8>
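The arithmetic that this thread does by hand (function start from the unrelocated vmlinux, plus the KASAN offset, then matched against the KASLR-slid addresses in the call trace) is worth having as a script. The helper below is an added example and not code from this thread or from the kernel tree: it parses a KASAN report, resolves the `func+0xoff/0xsize` token against an `nm -n vmlinux`-style table, derives the KASLR slide from the trace frame that names the same location, de-randomizes the remaining frames, checks which SLUB poison pattern the accessed bytes carry, and emits the objdump/addr2line commands to run next. The sample report lines are copied from Dave's report above; the symbol table is constructed from the two function starts visible in Alexey's objdump (proc_fill_cache at ffffffff813f32a0, proc_map_files_readdir at ffffffff813f35f0) and contains nothing else. The poison byte values are the ones from include/linux/poison.h; the emitted command strings are only printed, not executed.

```python
"""Triage a KASAN report: resolve 'func+0xoff/0xsize' against vmlinux,
recover the KASLR slide from the call trace, and classify the poison
pattern at the accessed address. Added example, not kernel code."""
import re

MASK64 = (1 << 64) - 1

# SLUB poison values from include/linux/poison.h.
POISON_NAMES = {
    0x5a: "POISON_INUSE", 0x6b: "POISON_FREE", 0xa5: "POISON_END",
    0xbb: "SLUB_RED_INACTIVE", 0xcc: "SLUB_RED_ACTIVE",
}

# Constructed sample input: lines copied from the report in this thread.
SAMPLE_REPORT = """\
[ 4971.570505] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4971.582570] Read of size 4 by task trinity-main/29845
[ 4971.932477] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.463762] [<ffffffffa93f38d3>] ? proc_map_files_readdir+0x2e3/0x5a0
[ 4972.481235] [<ffffffffa93f38d3>] proc_map_files_readdir+0x2e3/0x5a0
[ 4972.498440] [<ffffffffa93f35f0>] ? proc_fill_cache+0x350/0x350
[ 4972.523617] [<ffffffffa934e00e>] iterate_dir+0xce/0x270
[ 4972.531835] [<ffffffffa934e889>] SyS_getdents+0xf9/0x1c0
"""

# Constructed `nm -n vmlinux` excerpt; both addresses come from Alexey's objdump.
SAMPLE_NM = """\
ffffffff813f32a0 t proc_fill_cache
ffffffff813f35f0 t proc_map_files_readdir
"""

BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+)")
LOC_RE = re.compile(r"([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
FRAME_RE = re.compile(r"\[<([0-9a-f]{16})>\]\s+(\?\s+)?(\S+)")
DUMP_RE = re.compile(r"(?:Redzone|Object|Padding) ([0-9a-f]{16}): ((?:[0-9a-f]{2} )+)")


def parse_nm(text):
    """{symbol: address} for text symbols in `nm -n vmlinux` output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("t", "T"):
            table[parts[2]] = int(parts[0], 16)
    return table


def parse_location(token):
    """Split 'func+0xoff/0xsize' into (func, off, size); reject junk."""
    m = LOC_RE.fullmatch(token)
    if not m:
        raise ValueError("not a func+0xoff/0xsize token: %r" % token)
    name, off, size = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
    if off > size:
        raise ValueError("offset beyond symbol size in %r" % token)
    return name, off, size


def resolve(symtab, token):
    """vmlinux address of a location token, or None if the symbol is unknown."""
    name, off, _size = parse_location(token)
    if name not in symtab:
        return None
    return (symtab[name] + off) & MASK64


def poison_at(report, addr):
    """Name of the SLUB poison byte the report dumps at `addr`, or None."""
    for m in DUMP_RE.finditer(report):
        base = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if base <= addr < base + len(data):
            return POISON_NAMES.get(data[addr - base])
    return None


def triage(report, nm_text):
    symtab = parse_nm(nm_text)
    bug = BUG_RE.search(report)
    if not bug:
        raise ValueError("no 'BUG: KASAN:' line in report")
    kind, token, access_addr = bug.group(1), bug.group(2), int(bug.group(3), 16)
    acc = ACCESS_RE.search(report)
    fault = resolve(symtab, token)
    frames = [(int(a, 16), tok) for a, _q, tok in FRAME_RE.findall(report)]
    # The faulting location also appears in the trace with its randomized
    # address; the difference to the vmlinux address is the KASLR slide.
    slide = None
    if fault is not None:
        for addr, tok in frames:
            if tok == token:
                slide = (addr - fault) & MASK64
                break
    derand = [(tok, (a - slide) & MASK64) for a, tok in frames] if slide is not None else []
    cmds = [] if fault is None else [
        "objdump -d --start-address=0x%x --stop-address=0x%x vmlinux" % (fault - 0x20, fault + 0x10),
        "addr2line -f -i -e vmlinux 0x%x" % fault,
    ]
    return {"kind": kind, "location": token, "access_addr": access_addr,
            "access": (acc.group(1), int(acc.group(2))) if acc else None,
            "fault_addr": fault, "slide": slide, "frames": derand,
            "poison": poison_at(report, access_addr), "commands": cmds}


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT, SAMPLE_NM)
    print("%s at %s -> vmlinux 0x%x, KASLR slide 0x%x, poison %s"
          % (r["kind"], r["location"], r["fault_addr"], r["slide"], r["poison"]))
    for tok, addr in r["frames"]:
        print("  0x%x  %s" % (addr, tok))
    print("\n".join(r["commands"]))
```

On the thread's numbers it resolves to ffffffff813f38d3, the `mov 0x84(%r15),%eax` that Alexey marked, with a slide of 0x28000000 between the vmlinux addresses and the ffffffffa9... addresses in the trace, and reports the accessed bytes as POISON_FREE, which is what the `6b 6b ...` dump of an already freed filp object shows. The one-byte poison lookup is a heuristic: a freed object that has since been reallocated will not carry the pattern, so treat a `None` result as "unknown", not "in use".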
* 4.7-rc7: use-after-free in proc_map_files_readdir
@ 2016-07-18 23:24 Dave Jones
0 siblings, 0 replies; 9+ messages in thread
From: Dave Jones @ 2016-07-18 23:24 UTC (permalink / raw)
To: Linux Kernel; +Cc: linux-fsdevel

Just caught this spew during a fuzz-run.

[ 4971.564511] ==================================================================
[ 4971.570505] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4971.582570] Read of size 4 by task trinity-main/29845
[ 4971.588672] =============================================================================
[ 4971.594906] BUG filp (Not tainted): kasan: bad access detected
[ 4971.601164] -----------------------------------------------------------------------------
[ 4971.613861] Disabling lock debugging due to kernel taint
[ 4971.620240] INFO: Allocated in 0x6b6b6b6b6b6b6b6b age=5745177006 cpu=2835364724 pid=-1
[ 4971.626727] 	0x6b6b6b6b6b6b6b6b
[ 4971.633166] 	0x6b6b6b6b6b6b6b6b
[ 4971.639529] 	0x6b6b6b6b6b6b6b6b
[ 4971.645834] 	0x6b6b6b6b6b6b6b6b
[ 4971.652056] 	0xa56b6b6b6b6b6b6b
[ 4971.658252] 	0xbbbbbbbbbbbbbbbb
[ 4971.664416] INFO: Slab 0xffffea00113fac00 objects=18 used=17 fp=0xffff88044feb1fc0 flags=0x8000000000004080
[ 4971.677022] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b
[ 4971.689825] Redzone ffff88044feb1f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4971.702934] Redzone ffff88044feb1f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4971.716295] Redzone ffff88044feb1f60: 02 00 00 00 00 00 00 00 c1 61 00 00 01 00 00 00  .........a......
[ 4971.729944] Redzone ffff88044feb1f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[ 4971.743845] Object ffff88044feb1f80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.758049] Object ffff88044feb1f90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.772553] Object ffff88044feb1fa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.787315] Object ffff88044feb1fb0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
[ 4971.802311] Object ffff88044feb1fc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.817570] Object ffff88044feb1fd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.833204] Object ffff88044feb1fe0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.849141] Object ffff88044feb1ff0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.865420] Object ffff88044feb2000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.881880] Object ffff88044feb2010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.898559] Object ffff88044feb2020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.915402] Object ffff88044feb2030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.932477] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.949740] Object ffff88044feb2050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.967185] Object ffff88044feb2060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4971.984931] Object ffff88044feb2070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.002898] Object ffff88044feb2080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.020815] Object ffff88044feb2090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.038668] Object ffff88044feb20a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.056646] Object ffff88044feb20b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.074806] Object ffff88044feb20c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.092958] Object ffff88044feb20d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.111147] Object ffff88044feb20e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.129424] Object ffff88044feb20f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.148136] Object ffff88044feb2100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.167204] Object ffff88044feb2110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.186682] Object ffff88044feb2120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.206126] Object ffff88044feb2130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.225680] Object ffff88044feb2140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.245233] Object ffff88044feb2150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.264795] Object ffff88044feb2160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[ 4972.284354] Redzone ffff88044feb2170: 6b 6b 6b 6b 6b 6b 6b 6b                          kkkkkkkk
[ 4972.303840] Padding ffff88044feb22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 4972.323277] CPU: 2 PID: 29845 Comm: trinity-main Tainted: G    B           4.7.0-rc7-think+ #2
[ 4972.342984]  ffffea00113fac00 0000000076df81a9 ffff880458e47ba0 ffffffffa9589f5b
[ 4972.352730]  ffff88044feb0000 ffff88044feb1f80 ffff880458e47bd0 ffffffffa930b195
[ 4972.362394]  ffff880462b647c0 ffffea00113fac00 ffff88044feb1f80 ffff880101e48828
[ 4972.372007] Call Trace:
[ 4972.381463]  [<ffffffffa9589f5b>] dump_stack+0x68/0x9d
[ 4972.390913]  [<ffffffffa930b195>] print_trailer+0x115/0x1a0
[ 4972.400287]  [<ffffffffa9311d04>] object_err+0x34/0x40
[ 4972.409592]  [<ffffffffa9313d06>] kasan_report_error+0x216/0x540
[ 4972.418804]  [<ffffffffa930f040>] ? kmem_cache_alloc_trace+0x150/0x3c0
[ 4972.427961]  [<ffffffffa931341e>] ? kasan_kmalloc+0x5e/0x70
[ 4972.437028]  [<ffffffffa95a8679>] ? __fa_get_part.part.1+0x39/0xa0
[ 4972.446036]  [<ffffffffa9313541>] ? memset+0x31/0x40
[ 4972.454942]  [<ffffffffa93145c8>] kasan_report+0x58/0x60
[ 4972.463762]  [<ffffffffa93f38d3>] ? proc_map_files_readdir+0x2e3/0x5a0
[ 4972.472545]  [<ffffffffa9312ea1>] __asan_load4+0x61/0x80
[ 4972.481235]  [<ffffffffa93f38d3>] proc_map_files_readdir+0x2e3/0x5a0
[ 4972.489878]  [<ffffffffa913c555>] ? __lock_is_held+0x25/0xd0
[ 4972.498440]  [<ffffffffa93f35f0>] ? proc_fill_cache+0x350/0x350
[ 4972.506913]  [<ffffffffa90f9a88>] ? preempt_count_sub+0x18/0xd0
[ 4972.515308]  [<ffffffffa934dfae>] ? iterate_dir+0x6e/0x270
[ 4972.523617]  [<ffffffffa934e00e>] iterate_dir+0xce/0x270
[ 4972.531835]  [<ffffffffa934e889>] SyS_getdents+0xf9/0x1c0
[ 4972.539960]  [<ffffffffa934e790>] ? SyS_old_readdir+0x120/0x120
[ 4972.547985]  [<ffffffffa934e4b0>] ? fillonedir+0x120/0x120
[ 4972.555937]  [<ffffffffa900359d>] ? syscall_trace_enter_phase2+0x12d/0x3d0
[ 4972.563846]  [<ffffffffa934e790>] ?
SyS_old_readdir+0x120/0x120 [ 4972.571664] [<ffffffffa9003b74>] do_syscall_64+0xf4/0x240 [ 4972.579406] [<ffffffffa9d6d59a>] entry_SYSCALL64_slow_path+0x25/0x25 [ 4972.587084] Memory state around the buggy address: [ 4972.594716] ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 4972.602347] ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 4972.609910] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4972.617302] ^ [ 4972.624636] ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4972.631951] ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4972.639157] ================================================================== [ 4972.646802] ================================================================== [ 4972.654020] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044 [ 4972.668206] Read of size 4 by task trinity-main/29845 [ 4972.675263] ============================================================================= [ 4972.682417] BUG filp (Tainted: G B ): kasan: bad access detected [ 4972.689458] ----------------------------------------------------------------------------- [ 4972.703585] INFO: Allocated in 0x6b6b6b6b6b6b6b6b age=5745178089 cpu=2835364724 pid=-1 [ 4972.710711] 0x6b6b6b6b6b6b6b6b [ 4972.717717] 0x6b6b6b6b6b6b6b6b [ 4972.724561] 0x6b6b6b6b6b6b6b6b [ 4972.731274] 0x6b6b6b6b6b6b6b6b [ 4972.737843] 0xa56b6b6b6b6b6b6b [ 4972.744278] 0xbbbbbbbbbbbbbbbb [ 4972.750567] INFO: Slab 0xffffea00113fac00 objects=18 used=17 fp=0xffff88044feb1fc0 flags=0x8000000000004080 [ 4972.763271] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b [ 4972.775891] Redzone ffff88044feb1f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 4972.788457] Redzone ffff88044feb1f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
[ 4972.801134] Redzone ffff88044feb1f60: 02 00 00 00 00 00 00 00 c1 61 00 00 01 00 00 00 .........a...... [ 4972.813794] Redzone ffff88044feb1f70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ [ 4972.826504] Object ffff88044feb1f80: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ [ 4972.839308] Object ffff88044feb1f90: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ [ 4972.852301] Object ffff88044feb1fa0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ [ 4972.865378] Object ffff88044feb1fb0: bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................ [ 4972.878776] Object ffff88044feb1fc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.892470] Object ffff88044feb1fd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.906480] Object ffff88044feb1fe0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.920803] Object ffff88044feb1ff0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.935382] Object ffff88044feb2000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.950258] Object ffff88044feb2010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.965469] Object ffff88044feb2020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.981031] Object ffff88044feb2030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4972.996940] Object ffff88044feb2040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.013140] Object ffff88044feb2050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.029845] Object ffff88044feb2060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.046768] Object ffff88044feb2070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.064196] Object ffff88044feb2080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 
4973.081863] Object ffff88044feb2090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.099761] Object ffff88044feb20a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.118026] Object ffff88044feb20b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.136261] Object ffff88044feb20c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.154560] Object ffff88044feb20d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.172809] Object ffff88044feb20e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.191305] Object ffff88044feb20f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.210307] Object ffff88044feb2100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.229675] Object ffff88044feb2110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.249401] Object ffff88044feb2120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.269100] Object ffff88044feb2130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.288884] Object ffff88044feb2140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.308679] Object ffff88044feb2150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.328658] Object ffff88044feb2160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk [ 4973.348735] Redzone ffff88044feb2170: 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkk [ 4973.368628] Padding ffff88044feb22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
[ 4973.388562] CPU: 0 PID: 29845 Comm: trinity-main Tainted: G B 4.7.0-rc7-think+ #2 [ 4973.408490] ffffea00113fac00 0000000076df81a9 ffff880458e47ba0 ffffffffa9589f5b [ 4973.418458] ffff88044feb0000 ffff88044feb1f80 ffff880458e47bd0 ffffffffa930b195 [ 4973.428289] ffff880462b647c0 ffffea00113fac00 ffff88044feb1f80 ffff88045bbc1660 [ 4973.438053] Call Trace: [ 4973.447651] [<ffffffffa9589f5b>] dump_stack+0x68/0x9d [ 4973.457263] [<ffffffffa930b195>] print_trailer+0x115/0x1a0 [ 4973.466793] [<ffffffffa9311d04>] object_err+0x34/0x40 [ 4973.476232] [<ffffffffa9313d06>] kasan_report_error+0x216/0x540 [ 4973.485591] [<ffffffffa959fe21>] ? snprintf+0x91/0xc0 [ 4973.494861] [<ffffffffa959fd90>] ? vsprintf+0x20/0x20 [ 4973.504012] [<ffffffffa93145c8>] kasan_report+0x58/0x60 [ 4973.513100] [<ffffffffa93f38d3>] ? proc_map_files_readdir+0x2e3/0x5a0 [ 4973.522213] [<ffffffffa9312ea1>] __asan_load4+0x61/0x80 [ 4973.531214] [<ffffffffa93f38d3>] proc_map_files_readdir+0x2e3/0x5a0 [ 4973.540194] [<ffffffffa913c555>] ? __lock_is_held+0x25/0xd0 [ 4973.549061] [<ffffffffa93f35f0>] ? proc_fill_cache+0x350/0x350 [ 4973.557882] [<ffffffffa90f9a88>] ? preempt_count_sub+0x18/0xd0 [ 4973.566574] [<ffffffffa934dfae>] ? iterate_dir+0x6e/0x270 [ 4973.575182] [<ffffffffa934e00e>] iterate_dir+0xce/0x270 [ 4973.583497] [<ffffffffa934e889>] SyS_getdents+0xf9/0x1c0 [ 4973.591838] [<ffffffffa934e790>] ? SyS_old_readdir+0x120/0x120 [ 4973.600091] [<ffffffffa934e4b0>] ? fillonedir+0x120/0x120 [ 4973.608254] [<ffffffffa900359d>] ? syscall_trace_enter_phase2+0x12d/0x3d0 [ 4973.616388] [<ffffffffa934e790>] ? 
SyS_old_readdir+0x120/0x120 [ 4973.624417] [<ffffffffa9003b74>] do_syscall_64+0xf4/0x240 [ 4973.632372] [<ffffffffa9d6d59a>] entry_SYSCALL64_slow_path+0x25/0x25 [ 4973.640253] Memory state around the buggy address: [ 4973.648082] ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 4973.655847] ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 4973.663498] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4973.671024] ^ [ 4973.678505] ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4973.686031] ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 4973.693425] ================================================================== ^ permalink raw reply [flat|nested] 9+ messages in thread
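The dump above is a SLUB-plus-KASAN use-after-free report, and the lines a reviewer reads first are the KASAN header, the access line, the "BUG <cache>" line naming the slab cache, the "INFO: Object" line giving the object base, and the "Memory state" shadow rows. The following Python is an added triage helper, not code from the post or from the kernel's own tooling: it parses those lines and resolves the faulting address to the shadow byte that covers it. The shadow-byte meanings are the values from mm/kasan/kasan.h (one shadow byte describes 8 bytes of memory, and each printed row holds 16 shadow bytes, so 128 bytes). SAMPLE_REPORT is a constructed excerpt: the relevant lines of the first report above, with the object hex dumps and call trace omitted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Shadow byte meanings from mm/kasan/kasan.h; one shadow byte describes 8 bytes.
SHADOW_LEGEND = {
    0x00: "fully addressable",
    0xfa: "global variable redzone (KASAN_GLOBAL_REDZONE)",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab object redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "kmalloc_large redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}

# Constructed sample: header and "Memory state" lines taken from the report
# above; the object hex dumps and the call trace are left out.
SAMPLE_REPORT = """\
[ 4971.570505] BUG: KASAN: use-after-free in proc_map_files_readdir+0x2e3/0x5a0 at addr ffff88044feb2044
[ 4971.582570] Read of size 4 by task trinity-main/29845
[ 4971.594906] BUG filp (Not tainted): kasan: bad access detected
[ 4971.677022] INFO: Object 0xffff88044feb1f80 @offset=8064 fp=0x6b6b6b6b6b6b6b6b
[ 4972.587084] Memory state around the buggy address:
[ 4972.594716]  ffff88044feb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4972.602347]  ffff88044feb1f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 4972.609910] >ffff88044feb2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.617302]                                            ^
[ 4972.624636]  ffff88044feb2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 4972.631951]  ffff88044feb2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]")
HEADER = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<loc>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
SLUB_BUG = re.compile(r"BUG (?P<cache>\S+) \(.*\): kasan: bad access detected")
OBJECT = re.compile(r"INFO: Object 0x(?P<obj>[0-9a-f]+) @offset=(?P<off>\d+)")
SHADOW_ROW = re.compile(r"^\s*>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2})*)\s*$")


@dataclass
class KasanReport:
    bug_type: str
    location: str
    addr: int
    access: str = ""
    size: int = 0
    task: str = ""
    pid: int = 0
    cache: Optional[str] = None        # SLUB cache name from the "BUG <cache> (...)" line
    object_addr: Optional[int] = None  # base of the slab object that was hit
    shadow_rows: Dict[int, List[int]] = field(default_factory=dict)  # row base -> 16 shadow bytes


def parse_kasan_report(text: str) -> KasanReport:
    """Parse the first KASAN report in a dmesg excerpt (a second header ends it)."""
    report: Optional[KasanReport] = None
    in_shadow = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if m := HEADER.search(line):
            if report is not None:
                break  # the post shows two back-to-back reports; stop at the first
            report = KasanReport(m["type"], m["loc"], int(m["addr"], 16))
        elif report is None:
            continue
        elif m := ACCESS.search(line):
            report.access, report.size = m["op"], int(m["size"])
            report.task, report.pid = m["task"], int(m["pid"])
        elif m := SLUB_BUG.search(line):
            report.cache = m["cache"]
        elif m := OBJECT.search(line):
            report.object_addr = int(m["obj"], 16)
        elif "Memory state around the buggy address" in line:
            in_shadow = True
        elif in_shadow and (m := SHADOW_ROW.match(line)):
            report.shadow_rows[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    if report is None:
        raise ValueError("no 'BUG: KASAN:' header found")
    return report


def shadow_at(report: KasanReport, addr: int) -> Optional[int]:
    """Shadow byte covering addr, taken from the printed rows (8 bytes per shadow byte)."""
    for base, values in report.shadow_rows.items():
        if base <= addr < base + 8 * len(values):
            return values[(addr - base) >> 3]
    return None


def describe_shadow(value: int) -> str:
    if 1 <= value <= 7:
        return f"partially addressable (first {value} of 8 bytes)"
    return SHADOW_LEGEND.get(value, f"unknown shadow value 0x{value:02x}")


def triage(report: KasanReport) -> Dict[str, object]:
    """The facts a reviewer wants first, in one dict."""
    shadow = shadow_at(report, report.addr)
    return {
        "bug": f"{report.bug_type} in {report.location}",
        "access": f"{report.access.lower()} of {report.size} bytes by {report.task}/{report.pid}",
        "shadow": "not in dump" if shadow is None else describe_shadow(shadow),
        "cache": report.cache,
        # distance of the faulting address from the start of the SLUB object, if known
        "object_offset": None if report.object_addr is None else report.addr - report.object_addr,
    }


if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

Run against the excerpt, the helper reports a 4-byte read at ffff88044feb2044 whose shadow byte is 0xfb, i.e. a freed object from the filp cache, 0xc4 bytes past the object base ffff88044feb1f80. Two things in the row data are worth noticing while triaging: the row for ffff88044feb1f80 is fc for its first 64 bytes and fb from ffff88044feb1fc0 on, which lines up with the bb/6b boundary in the object dump above, and the "INFO: Allocated in 0x6b6b6b6b6b6b6b6b" line reads back SLUB's POISON_FREE byte, so this dump does not identify where the object was allocated.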
Thread overview: 9+ messages
2016-07-19 11:16 4.7-rc7: use-after-free in proc_map_files_readdir Alexey Dobriyan
2016-07-19 15:31 ` Dave Jones
2016-07-19 16:20 ` Al Viro
2016-07-19 18:33 ` Dave Jones
2016-07-19 19:38 ` Al Viro
2016-07-19 19:47 ` Dave Jones
2016-07-20 13:14 ` Dave Jones
2016-07-19 19:28 ` Alexey Dobriyan
-- strict thread matches above, loose matches on Subject: below --
2016-07-18 23:24 4.7-rc7: use-after-free in proc_map_files_readdir Dave Jones