public inbox for linux-kernel@vger.kernel.org
From: Vegard Nossum <vegard.nossum@oracle.com>
To: kasan-dev <kasan-dev@googlegroups.com>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: KASAN use-after-free not showing freed stacktrace?
Date: Fri, 29 Jul 2016 22:17:52 +0200
Message-ID: <579BB9F0.8080700@oracle.com>

Hi again,

I am seeing some KASAN use-after-free bugs now but there is no
stacktrace for where they were freed anymore:

BUG: KASAN: use-after-free in acct_collect+0x7d5/0x830 at addr ffff88010e129b08
Read of size 8 by task trinity-c0/13609
CPU: 0 PID: 13609 Comm: trinity-c0 Not tainted 4.7.0+ #65
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
  ffff88010e129b00 ffff88011482f8f0 ffffffff81d701c1 ffff88011482f980
  ffff88010d4d5c00 ffff88011482f970 ffffffff81477d5e 0000000000000001
  0000000000000000 0000000000000296 0000000000000246 ffffffff8126347d
Call Trace:
  [<ffffffff81d701c1>] dump_stack+0x65/0x84
  [<ffffffff81477d5e>] kasan_report_error+0x22e/0x5e0
  [<ffffffff8126347d>] ? acct_collect+0x12d/0x830
  [<ffffffff8147824e>] __asan_report_load8_noabort+0x3e/0x40
  [<ffffffff81263b25>] ? acct_collect+0x7d5/0x830
  [<ffffffff81263b25>] acct_collect+0x7d5/0x830
  [<ffffffff81263350>] ? acct_exit_ns+0x70/0x70
  [<ffffffff812c9ba0>] ? xacct_add_tsk+0x670/0x670
  [<ffffffff81231b80>] ? hrtimer_active+0x340/0x340
  [<ffffffff8112bf40>] ? get_signal+0x1120/0x1120
  [<ffffffff8115d1e1>] ? creds_are_invalid.part.1+0x11/0xb0
  [<ffffffff8115f5f2>] ? __validate_process_creds+0x242/0x3e0
  [<ffffffff81109421>] do_exit+0xca1/0x2c90
  [<ffffffff81367984>] ? ___perf_sw_event+0x284/0x330
  [<ffffffff813677f4>] ? ___perf_sw_event+0xf4/0x330
  [<ffffffff81367700>] ? perf_swevent_put_recursion_context+0x90/0x90
  [<ffffffff81108780>] ? mm_update_next_owner+0x720/0x720
  [<ffffffff8105a026>] ? print_context_stack+0x76/0xe0
  [<ffffffff8112afc2>] ? get_signal+0x1a2/0x1120
  [<ffffffff8110b544>] do_group_exit+0xf4/0x2f0
  [<ffffffff8112b35d>] get_signal+0x53d/0x1120
  [<ffffffff811e21f2>] ? __lock_acquire.isra.32+0xc2/0x1a30
  [<ffffffff81051673>] do_signal+0x83/0x1f10
  [<ffffffff81dcf247>] ? debug_smp_processor_id+0x17/0x20
  [<ffffffff810515f0>] ? setup_sigcontext+0x7d0/0x7d0
  [<ffffffff810ce68b>] ? __do_page_fault+0x53b/0x8f0
  [<ffffffff8134dcc7>] ? perf_iterate_sb+0x97/0x6d0
  [<ffffffff810cec7d>] ? trace_do_page_fault+0x18d/0x310
  [<ffffffff81308d40>] ? ftrace_syscall_exit+0x550/0x550
  [<ffffffff838a1258>] ? async_page_fault+0x28/0x30
  [<ffffffff81002aa2>] exit_to_usermode_loop+0xa2/0x120
  [<ffffffff81005224>] syscall_return_slowpath+0x144/0x170
  [<ffffffff8389f56f>] ret_from_fork+0x2f/0x40
Object at ffff88010e129b00, in cache vm_area_struct
Object allocated with size 192 bytes.
Allocation:
PID = 1334
  [<ffffffff81077ed6>] save_stack_trace+0x26/0x50
  [<ffffffff814769d6>] save_stack+0x46/0xd0
  [<ffffffff814771ca>] kasan_kmalloc+0xda/0x100
  [<ffffffff81477202>] kasan_slab_alloc+0x12/0x20
  [<ffffffff81472909>] kmem_cache_alloc+0xe9/0x290
  [<ffffffff810f7e57>] copy_process.part.39+0x1e07/0x5390
  [<ffffffff810fb87a>] _do_fork+0x17a/0xa70
  [<ffffffff810fc1f4>] SyS_clone+0x14/0x20
  [<ffffffff810053f1>] do_syscall_64+0x1a1/0x460
  [<ffffffff8389f3ea>] return_from_SYSCALL_64+0x0/0x6a
Memory state around the buggy address:
  ffff88010e129a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff88010e129a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 >ffff88010e129b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
  ffff88010e129b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  ffff88010e129c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Disabling lock debugging due to kernel taint
==================================================================

That seems like a regression, maybe related to memory quarantine
for SLUB? Or is there something else going on?


Vegard
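Reading the "Memory state around the buggy address" dump in the report above, as an added example that is not part of the original post and not the kernel's own code: the parser below loads the five shadow lines quoted from the report, looks up the shadow byte covering an address (one shadow byte per 8-byte granule), and classifies an access the way the report header does. The byte values follow generic KASAN's encoding (0x00 accessible, 0x01..0x07 partially accessible, 0xfb KASAN_KMALLOC_FREE, 0xfc KASAN_KMALLOC_REDZONE, 0xfe/0xff page redzone/free page); the function names and verdict strings are this example's own.

```c
/*
 * Added example (not code from the post or from the kernel): decode the
 * "Memory state around the buggy address" dump of a generic-KASAN report
 * and classify an access the way the report header does.
 *
 * Each shadow byte covers 8 bytes of memory (KASAN_SHADOW_SCALE_SHIFT = 3).
 * Byte values follow generic KASAN's encoding (mm/kasan/kasan.h):
 *   0x00       all 8 bytes of the granule accessible
 *   0x01..0x07 only the first N bytes of the granule accessible
 *   0xfb       KASAN_KMALLOC_FREE    (freed slab object: use-after-free)
 *   0xfc       KASAN_KMALLOC_REDZONE (slab redzone: out-of-bounds)
 *   0xfe/0xff  KASAN_PAGE_REDZONE / KASAN_FREE_PAGE
 * The verdict strings returned below are this example's own, chosen to
 * match the wording of the report.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE            (1u << KASAN_SHADOW_SCALE_SHIFT)
#define SHADOW_BYTES_PER_LINE    16
#define KASAN_KMALLOC_FREE       0xfb
#define KASAN_KMALLOC_REDZONE    0xfc
#define KASAN_PAGE_REDZONE       0xfe
#define KASAN_FREE_PAGE          0xff

struct shadow_line {
    uint64_t start;                         /* first address the line covers */
    uint8_t  bytes[SHADOW_BYTES_PER_LINE];  /* 16 shadow bytes = 128 bytes */
};

/* The five shadow lines of the report above, copied verbatim as sample input
 * (the '>' marks the line holding the faulting address; the '^' line is omitted). */
static const char *const report_lines[] = {
    " ffff88010e129a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    " ffff88010e129a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc",
    ">ffff88010e129b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    " ffff88010e129b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
    " ffff88010e129c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
};
#define N_REPORT_LINES (sizeof(report_lines) / sizeof(report_lines[0]))

/* Parse one "addr: b0 b1 ... b15" line; 0 on success, -1 on malformed input. */
int parse_shadow_line(const char *text, struct shadow_line *out)
{
    const char *p = text;
    char *end;

    while (*p == ' ' || *p == '>')
        p++;
    out->start = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return -1;
    p = end + 1;
    for (int i = 0; i < SHADOW_BYTES_PER_LINE; i++) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return -1;
        out->bytes[i] = (uint8_t)v;
        p = end;
    }
    return 0;
}

/* Parse the embedded dump; returns the number of lines loaded. */
size_t load_report_dump(struct shadow_line *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < N_REPORT_LINES && n < max; i++)
        if (parse_shadow_line(report_lines[i], &out[n]) == 0)
            n++;
    return n;
}

/* Shadow byte covering addr, or -1 if no line in the dump covers it. */
int shadow_byte_for(const struct shadow_line *lines, size_t n, uint64_t addr)
{
    const uint64_t span = SHADOW_BYTES_PER_LINE * KASAN_GRANULE;  /* 128 bytes */
    for (size_t i = 0; i < n; i++)
        if (addr >= lines[i].start && addr < lines[i].start + span)
            return lines[i].bytes[(addr - lines[i].start) >> KASAN_SHADOW_SCALE_SHIFT];
    return -1;
}

/* Walk the access byte by byte and report the first poisoned granule hit. */
const char *classify_access(const struct shadow_line *lines, size_t n,
                            uint64_t addr, size_t size)
{
    for (uint64_t a = addr; a < addr + size; a++) {
        int sb = shadow_byte_for(lines, n, a);
        unsigned off = (unsigned)(a & (KASAN_GRANULE - 1));

        if (sb < 0)
            return "not covered by dump";
        if (sb == 0 || (sb < (int)KASAN_GRANULE && off < (unsigned)sb))
            continue;                           /* this byte is accessible */
        switch (sb) {
        case KASAN_KMALLOC_FREE:
        case KASAN_FREE_PAGE:
            return "use-after-free";
        case KASAN_KMALLOC_REDZONE:
        case KASAN_PAGE_REDZONE:
        default:
            return "out-of-bounds";   /* redzone, or a partial granule past its limit */
        }
    }
    return "accessible";
}

/* Convenience wrapper: classify an access against the report's own dump. */
const char *classify_report(uint64_t addr, size_t size)
{
    struct shadow_line lines[N_REPORT_LINES];
    size_t n = load_report_dump(lines, N_REPORT_LINES);
    return classify_access(lines, n, addr, size);
}

int main(void)
{
    const uint64_t addr = 0xffff88010e129b08ULL;   /* "at addr" in the report */
    const uint64_t obj  = 0xffff88010e129b00ULL;   /* "Object at" in the report */

    printf("Read of size 8 at %#llx: %s, offset %llu into the 192-byte object\n",
           (unsigned long long)addr, classify_report(addr, 8),
           (unsigned long long)(addr - obj));
    return 0;
}
```

For the report above this yields "use-after-free" at offset 8 into the vm_area_struct, which is what the header line states; the same lookup against the 0xfc bytes at the end of the a80 and b80 lines shows where the slab redzones sit, so an access straddling an accessible granule and a redzone is reported as out-of-bounds rather than accessible.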

Thread overview: 3+ messages
2016-07-29 20:17 Vegard Nossum [this message]
2016-07-29 21:27 ` KASAN use-after-free not showing freed stacktrace? Dmitry Vyukov
2016-07-29 21:55   ` Vegard Nossum
