From: Sasha Levin <levinsasha928@gmail.com>
To: Ming Lei <tom.leiming@gmail.com>
Cc: Hillf Danton <dhillf@gmail.com>, Dave Jones <davej@redhat.com>,
Greg Kroah-Hartman <greg@kroah.com>,
Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: use after free in sysfs_find_dirent
Date: Tue, 19 Mar 2013 12:28:50 -0400
Message-ID: <51489242.9020801@gmail.com>
In-Reply-To: <CACVXFVPV3mq=k-AZ1bYkAMdxwXD96Ty7DYeh9H9J=yvA4m=rGA@mail.gmail.com>
On 03/19/2013 07:54 AM, Ming Lei wrote:
> Hi Sasha,
>
> On Tue, Mar 19, 2013 at 11:40 AM, Ming Lei <tom.leiming@gmail.com> wrote:
>> Hi Sasha,
>>
>> On Tue, Mar 19, 2013 at 10:06 AM, Sasha Levin <levinsasha928@gmail.com> wrote:
>>> [ 232.822703] sysfs_dir_pos-973 sysfs_dirent use after free: vx855(vx855)-bind, 0-25520352
>>
>> Looks like filp->f_pos is changed to zero by llseek(), so it may leave
>> filp->private_data pointing to one refcount-balanced sysfs_dirent object,
>> which will be put again afterwards.
>>
>> Hope we are lucky this time, please try the attached patch.
>
> Looks like the better and simpler way is to hold the i_mutex for llseek.
> If you haven't tested v2, please ignore it and just test the attached
> v3 patch.
With v3 of the patch:
[ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: tun(tun)-uevent, 2-1472641949
[ 1275.667234] release_sysfs_dirent-285 sysfs_dirent use after free: tun-uevent
[ 1275.668347] Pid: 13795, comm: trinity-child62 Tainted: G W 3.9.0-rc3-next-20130319-sasha-00041-g22d0dce-dirty #305
[ 1275.696032] Call Trace:
[ 1275.696529] [<ffffffff812fa373>] release_sysfs_dirent+0x53/0x120
[ 1275.697593] [<ffffffff812fa53a>] sysfs_dir_pos+0x9a/0x140
[ 1275.698551] [<ffffffff812fa6fd>] sysfs_readdir+0x11d/0x280
[ 1275.699512] [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.700586] [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.701482] [<ffffffff8128cd78>] vfs_readdir+0x78/0xc0
[ 1275.702333] [<ffffffff8128cedc>] SyS_getdents+0x8c/0x110
[ 1275.703242] [<ffffffff83da13d8>] tracesys+0xe1/0xe6
[ 1275.710567] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1275.711796] Dumping ftrace buffer:
[ 1275.712423] (ftrace buffer empty)
[ 1275.712993] Modules linked in:
[ 1275.713518] CPU 0
[ 1275.713830] Pid: 13795, comm: trinity-child62 Tainted: G W 3.9.0-rc3-next-20130319-sasha-00041-g22d0dce-dirty #305
[ 1275.717622] RIP: 0010:[<ffffffff819eccf3>] [<ffffffff819eccf3>] rb_next+0x23/0x60
[ 1275.718775] RSP: 0018:ffff880065349e58 EFLAGS: 00010202
[ 1275.719618] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800af811ab0 RCX: ffff8800af811ab0
[ 1275.720046] RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800afff8f40 RDI: ffff8800af811af8
[ 1275.720046] RBP: ffff880065349e58 R08: 2222222222222222 R09: 2222222222222222
[ 1275.720046] R10: 2222222222222222 R11: 0000000000000000 R12: ffff88009c642100
[ 1275.720046] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000009
[ 1275.720046] FS: 00007faf86d64700(0000) GS:ffff8800bb800000(0000) knlGS:0000000000000000
[ 1275.720046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1275.720046] CR2: 0000000001e3b228 CR3: 000000007207e000 CR4: 00000000000406f0
[ 1275.720046] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1275.720046] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1275.720046] Process trinity-child62 (pid: 13795, threadinfo ffff880065348000, task ffff880065240000)
[ 1275.720046] Stack:
[ 1275.720046] ffff880065349ec8 ffffffff812fa7f9 2222222222222222 222222220000000a
[ 1275.720046] 000000000000c3e5 ffffffff8128ca00 ffff880065349f28 ffff8800afff8f40
[ 1275.720046] ffff8800a31c65d8 ffff88009c642100 ffff880065349f28 ffffffff8128ca00
[ 1275.720046] Call Trace:
[ 1275.720046] [<ffffffff812fa7f9>] sysfs_readdir+0x219/0x280
[ 1275.720046] [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.720046] [<ffffffff8128ca00>] ? SyS_ioctl+0xa0/0xa0
[ 1275.720046] [<ffffffff8128cd78>] vfs_readdir+0x78/0xc0
[ 1275.720046] [<ffffffff8128cedc>] SyS_getdents+0x8c/0x110
[ 1275.720046] [<ffffffff83da13d8>] tracesys+0xe1/0xe6
[ 1275.720046] Code: 85 d2 75 f4 5d c3 66 90 55 31 c0 48 8b 17 48 89 e5 48 39 d7 74 4a 48 8b 47 08 48 85 c0 75 0c eb 17 0f 1f 80 00 00 00 00 48 89 d0 <48> 8b 50 10 48 85 d2 75 f4 eb 2a 66 90 48 89 d1 48 83 e1 fc 74
[ 1275.720046] RIP [<ffffffff819eccf3>] rb_next+0x23/0x60
[ 1275.720046] RSP <ffff880065349e58>
Thanks,
Sasha
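As an added example, not code from this thread and not fs/sysfs/dir.c itself: a single-threaded user-space model of the cursor hazard Ming Lei reasons about above. A readdir() keeps a cursor entry in filp->private_data together with one reference; sysfs_dir_pos()-style code consumes that reference on entry and only re-seeks when f_pos names a real entry (> 1). When llseek() resets f_pos to 0 without touching private_data and the next getdents() buffer is too small even for ".", the cursor is put but stays cached, and the close (or the next readdir) puts it again. The struct and function names, the three-entry directory and the "budget" stand-in for a failing filldir() are assumptions made for the illustration; the hardened llseek drops the cached cursor with the position, which keeps the count balanced in this model but does not show the concurrent-readdir race that holding i_mutex addresses.

```c
/* Added example (not kernel code): model of the readdir cursor refcount hazard.
 * Names and control flow are simplified assumptions, not fs/sysfs/dir.c. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

struct dirent_m { const char *name; long hash; int refcnt; int freed; };
struct file_m   { long f_pos; struct dirent_m *private_data; };

/* Constructed directory of three entries; refcnt 1 is the tree's own reference. */
static struct dirent_m children[] = {
    { "uevent", 10, 1, 0 }, { "bind", 20, 1, 0 }, { "unbind", 30, 1, 0 },
};
enum { NCHILD = sizeof children / sizeof children[0] };

/* Entries are never unlinked here, so any put that reaches 0 is unbalanced. */
static int bad_puts;

static void dget(struct dirent_m *d) { d->refcnt++; }
static void dput(struct dirent_m *d)
{
    if (!d) return;
    if (d->freed || --d->refcnt == 0) { bad_puts++; d->freed = 1; }
}

static struct dirent_m *next_child(struct dirent_m *d)
{
    return (d + 1 < children + NCHILD) ? d + 1 : NULL;
}

/* Like sysfs_dir_pos(): consumes the cached reference and only re-seeks by
 * hash when hash is a real entry position (> 1 and < INT_MAX). */
static struct dirent_m *dir_pos(long hash, struct dirent_m *pos)
{
    if (pos) {
        int valid = !pos->freed && hash == pos->hash;
        dput(pos);
        if (!valid) pos = NULL;
    }
    if (!pos && hash > 1 && hash < INT_MAX)
        for (int i = 0; i < NCHILD; i++)
            if (children[i].hash >= hash) { pos = &children[i]; break; }
    return pos;
}

static struct dirent_m *dir_next_pos(long hash, struct dirent_m *pos)
{
    pos = dir_pos(hash, pos);
    return pos ? next_child(pos) : NULL;
}

/* readdir: 'budget' is how many records the caller's buffer accepts; a
 * failing filldir() is modelled as the budget running out. */
static void readdir_m(struct file_m *f, int budget)
{
    struct dirent_m *pos = f->private_data;

    if (f->f_pos == 0 && budget > 0) { f->f_pos = 1; budget--; }  /* "."  */
    if (f->f_pos == 1 && budget > 0) { f->f_pos = 2; budget--; }  /* ".." */

    for (pos = dir_pos(f->f_pos, pos); pos; pos = dir_next_pos(f->f_pos, pos)) {
        f->f_pos = pos->hash;
        dget(pos);                 /* the cached cursor owns one reference */
        f->private_data = pos;
        if (budget-- <= 0) break;  /* filldir() failed: stop here */
    }
    if (f->f_pos > 1 && !pos) {    /* EOF */
        f->f_pos = INT_MAX;
        f->private_data = NULL;
    }
    /* f_pos <= 1 and !pos: dir_pos() already put the cursor, but private_data
     * still names it, so the next put on it is unbalanced. */
}

static void release_m(struct file_m *f) { dput(f->private_data); f->private_data = NULL; }

/* Plain position reset: the llseek() behaviour the reasoning above assumes. */
static void llseek_plain(struct file_m *f, long off) { f->f_pos = off; }

/* Hardened: drop the cached cursor together with the position. */
static void llseek_drop_cursor(struct file_m *f, long off)
{
    dput(f->private_data);
    f->private_data = NULL;
    f->f_pos = off;
}

/* Scenario: partial readdir, seek to 0, readdir into a buffer too small even
 * for ".", close.  Returns the number of unbalanced puts observed. */
static int run_scenario(void (*llseek)(struct file_m *, long))
{
    struct file_m f = { 0, NULL };
    for (int i = 0; i < NCHILD; i++) { children[i].refcnt = 1; children[i].freed = 0; }
    bad_puts = 0;
    readdir_m(&f, 3);   /* ".", "..", "uevent"; "bind" is left cached as the cursor */
    llseek(&f, 0);
    readdir_m(&f, 0);   /* nothing fits: f_pos stays 0 */
    release_m(&f);
    return bad_puts;
}

static int all_refs_balanced(void)
{
    for (int i = 0; i < NCHILD; i++)
        if (children[i].refcnt != 1 || children[i].freed) return 0;
    return 1;
}

int main(void)
{
    printf("plain llseek:        %d unbalanced put(s)\n", run_scenario(llseek_plain));
    printf("llseek drops cursor: %d unbalanced put(s)\n", run_scenario(llseek_drop_cursor));
    return 0;
}
```

With the plain llseek the release puts "bind" a second time and its count reaches zero while the entry is still in the directory, which is the model's equivalent of the release_sysfs_dirent warning in the log; with the cursor dropped in llseek every entry ends at its tree reference of 1.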
Thread overview: 27+ messages
2013-03-07 5:28 use after free in sysfs_find_dirent Dave Jones
2013-03-07 5:33 ` sysfs_dir_cache slab corruption Dave Jones
2013-03-07 6:03 ` Greg Kroah-Hartman
2013-03-07 6:02 ` use after free in sysfs_find_dirent Greg Kroah-Hartman
2013-03-07 6:26 ` Dave Jones
2013-03-13 11:47 ` Ming Lei
2013-03-15 4:03 ` Sasha Levin
2013-03-15 5:04 ` Sasha Levin
2013-03-15 7:38 ` Ming Lei
2013-03-15 16:27 ` Sasha Levin
2013-03-16 12:39 ` Hillf Danton
2013-03-16 13:30 ` Ming Lei
2013-03-16 15:07 ` Sasha Levin
2013-03-16 15:22 ` Ming Lei
2013-03-16 15:58 ` Ming Lei
2013-03-16 18:33 ` Sasha Levin
2013-03-17 1:02 ` Ming Lei
2013-03-17 14:24 ` Sasha Levin
2013-03-17 16:23 ` Ming Lei
2013-03-19 2:06 ` Sasha Levin
2013-03-19 3:40 ` Ming Lei
2013-03-19 11:54 ` Ming Lei
2013-03-19 16:28 ` Sasha Levin [this message]
2013-03-20 1:02 ` Ming Lei
2013-03-20 14:34 ` Sasha Levin
2013-03-20 17:17 ` Greg Kroah-Hartman
2013-03-16 15:59 ` Sasha Levin