From: Qian Cai <cai@lca.pw>
To: bigeasy@linutronix.de
Cc: dave.hansen@intel.com, bp@suse.de, tglx@linutronix.de,
	x86@kernel.org, "linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	luto@amacapital.net, hpa@zytor.com, mingo@kernel.org
Subject: copy_fpstate_to_sigframe()  use-after-free
Date: Tue, 30 Apr 2019 16:58:22 -0400
Message-ID: <1556657902.6132.13.camel@lca.pw>

The commit eeec00d73be2 ("x86/fpu: Fault-in user stack if
copy_fpstate_to_sigframe() fails") causes a use-after-free when running the LTP
signal06 test case. Reverting this commit fixed the issue.

[ 6150.581746] LTP: starting signal06
[ 6151.099635]
==================================================================
[ 6151.137893] BUG: KASAN: use-after-free in follow_page_mask+0x32/0x3e0
[ 6151.169683] Read of size 8 at addr ffff8884ac424048 by task signal06/45144
[ 6151.201832] 
[ 6151.208652] CPU: 45 PID: 45144 Comm: signal06 Kdump: loaded Not tainted
5.1.0-rc7-next-20190430+ #8
[ 6151.251025] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS
U19 12/27/2015
[ 6151.289642] Call Trace:
[ 6151.300966]  dump_stack+0x62/0x9a
[ 6151.316552]  print_address_description.cold.2+0x9/0x28b
[ 6151.340859]  __kasan_report.cold.3+0x7a/0xb5
[ 6151.360819]  ? follow_page_mask+0x32/0x3e0
[ 6151.380970]  kasan_report+0xc/0x10
[ 6151.396922]  __asan_load8+0x71/0xa0
[ 6151.413474]  follow_page_mask+0x32/0x3e0
[ 6151.431870]  __get_user_pages+0x3cc/0x7c0
[ 6151.450644]  ? follow_page_mask+0x3e0/0x3e0
[ 6151.470058]  ? lock_downgrade+0x300/0x300
[ 6151.488677]  ? __bad_area_nosemaphore+0x66/0x230
[ 6151.510560]  ? do_raw_spin_unlock+0xa8/0x140
[ 6151.530468]  __gup_longterm_locked+0x32c/0xa90
[ 6151.551432]  ? do_page_fault+0x4c/0x260
[ 6151.569327]  ? get_user_pages_unlocked+0x2b0/0x2b0
[ 6151.591874]  get_user_pages+0x60/0x70
[ 6151.609098]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6151.631612]  ? __fpu__restore_sig+0x7a0/0x7a0
[ 6151.652869]  do_signal+0x40c/0x9d0
[ 6151.669822]  ? do_send_specific+0x87/0xe0
[ 6151.690250]  ? setup_sigcontext+0x280/0x280
[ 6151.710151]  ? check_kill_permission+0x8e/0x1c0
[ 6151.731618]  ? do_send_specific+0xa6/0xe0
[ 6151.750539]  ? do_tkill+0x125/0x160
[ 6151.766493]  ? signal_fault+0x160/0x160
[ 6151.783820]  exit_to_usermode_loop+0x9d/0xc0
[ 6151.803040]  do_syscall_64+0x470/0x5d8
[ 6151.819575]  ? syscall_return_slowpath+0xf0/0xf0
[ 6151.840392]  ? __do_page_fault+0x44d/0x5b0
[ 6151.858886]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6151.882493] RIP: 0033:0x40377e
[ 6151.896645] Code: b4 00 00 00 0f 85 ae 00 00 00 89 c7 31 db ba c8 00 00 00 be
01 00 00 00 eb 0c 66 90 75 1d 81 fb 30 75 00 00 74 65 89 d0 0f 05 <f2> 0f 10 05
7a b8 21 00 83 c3 01 66 0f 2e c1 7b e1 31 c0 41 89 d8
[ 6151.984032] RSP: 002b:00007fff1fa13190 EFLAGS: 00000287 ORIG_RAX:
00000000000000c8
[ 6152.018779] RAX: 0000000000000000 RBX: 0000000000001e12 RCX: 000000000040377e
[ 6152.052252] RDX: 00000000000000c8 RSI: 0000000000000001 RDI: 000000000000b058
[ 6152.085621] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f8104e48700
[ 6152.119275] R10: fffffffffffff7a8 R11: 0000000000000287 R12: 00007f81056466c0
[ 6152.155037] R13: 00007fff1fa13360 R14: 0000000000000000 R15: 0000000000000000
[ 6152.190814] 
[ 6152.197777] Allocated by task 45145:
[ 6152.214655]  __kasan_kmalloc.part.0+0x44/0xc0
[ 6152.235078]  __kasan_kmalloc.constprop.1+0xac/0xc0
[ 6152.257665]  kasan_slab_alloc+0x11/0x20
[ 6152.275711]  kmem_cache_alloc+0x131/0x360
[ 6152.294272]  vm_area_dup+0x20/0x80
[ 6152.310227]  __split_vma+0x68/0x270
[ 6152.326595]  split_vma+0x51/0x70
[ 6152.341817]  mprotect_fixup+0x469/0x540
[ 6152.359402]  do_mprotect_pkey+0x2a8/0x480
[ 6152.378313]  __x64_sys_mprotect+0x48/0x60
[ 6152.397014]  do_syscall_64+0xc8/0x5d8
[ 6152.414015]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6152.437731] 
[ 6152.444797] Freed by task 45145:
[ 6152.459202]  __kasan_slab_free+0x134/0x200
[ 6152.477692]  kasan_slab_free+0xe/0x10
[ 6152.494044]  kmem_cache_free+0xa0/0x300
[ 6152.512009]  vm_area_free+0x18/0x20
[ 6152.528295]  __vma_adjust+0x2f8/0xca0
[ 6152.545417]  vma_merge+0x619/0x6d0
[ 6152.561416]  mprotect_fixup+0x2bf/0x540
[ 6152.579336]  do_mprotect_pkey+0x2a8/0x480
[ 6152.597772]  __x64_sys_mprotect+0x48/0x60
[ 6152.616119]  do_syscall_64+0xc8/0x5d8
[ 6152.633298]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6152.657665] 
[ 6152.665119] The buggy address belongs to the object at ffff8884ac424008
[ 6152.665119]  which belongs to the cache vm_area_struct(96:user.slice) of size
200
[ 6152.734268] The buggy address is located 64 bytes inside of
[ 6152.734268]  200-byte region [ffff8884ac424008, ffff8884ac4240d0)
[ 6152.788643] The buggy address belongs to the page:
[ 6152.810991] page:ffffea0012b10900 count:1 mapcount:0 mapping:ffff88829c7383c0
index:0x0
[ 6152.848361] flags: 0x15fffe000000200(slab)
[ 6152.867558] raw: 015fffe000000200 ffffea00171b6c08 ffff8885928109a0
ffff88829c7383c0
[ 6152.903840] raw: 0000000000000000 0000000000070007 00000001ffffffff
ffff8884da644008
[ 6152.940077] page dumped because: kasan: bad access detected
[ 6152.966181] page->mem_cgroup:ffff8884da644008
[ 6152.986737] page allocated via order 0, migratetype Unmovable, gfp_mask
0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
[ 6153.036670]  prep_new_page+0x29d/0x2c0
[ 6153.054207]  get_page_from_freelist+0x95b/0x2050
[ 6153.076165]  __alloc_pages_nodemask+0x2ff/0x1b50
[ 6153.097886]  alloc_pages_current+0x9c/0x110
[ 6153.117199]  allocate_slab+0x3a7/0x850
[ 6153.134763]  new_slab+0x46/0x70
[ 6153.149507]  ___slab_alloc+0x5d3/0x9c0
[ 6153.167080]  __slab_alloc+0x12/0x20
[ 6153.184301]  kmem_cache_alloc+0x30a/0x360
[ 6153.203847]  vm_area_dup+0x20/0x80
[ 6153.221785]  __split_vma+0x68/0x270
[ 6153.238130]  split_vma+0x51/0x70
[ 6153.253442]  mprotect_fixup+0x4be/0x540
[ 6153.271351]  do_mprotect_pkey+0x2a8/0x480
[ 6153.290282]  __x64_sys_mprotect+0x48/0x60
[ 6153.308993]  do_syscall_64+0xc8/0x5d8
[ 6153.326146] 
[ 6153.333065] Memory state around the buggy address:
[ 6153.355172]  ffff8884ac423f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 6153.388572]  ffff8884ac423f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
[ 6153.422389] >ffff8884ac424000: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 6153.456232]                                               ^
[ 6153.482324]  ffff8884ac424080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
fc
[ 6153.516323]  ffff8884ac424100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 6153.549993]
==================================================================
[ 6153.583892] Disabling lock debugging due to kernel taint
[ 6190.482570] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 6190.519596] CPU: 0 PID: 45144 Comm: signal06 Kdump: loaded Tainted:
G    B             5.1.0-rc7-next-20190430+ #8
[ 6190.568280] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS
U19 12/27/2015
[ 6190.605290] RIP: 0010:hugetlb_fault+0x46/0x920
[ 6190.625151] Code: 41 54 53 48 83 ec 48 48 89 7d c8 4c 89 ef 89 4d c4 48 89 55
a0 e8 aa 36 02 00 49 8b 9e a0 00 00 00 48 8d 7b 20 e8 9a 36 02 00 <48> 8b 5b 20
48 8d 7b 28 e8 8d 36 02 00 48 8b 5b 28 48 8d bb 40 06
[ 6190.711533] RSP: 0018:ffff8887c7bcf820 EFLAGS: 00010282
[ 6190.734963] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: ffffffff8c33a376
[ 6190.767109] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6b8b
[ 6190.799329] RBP: ffff8887c7bcf890 R08: fffffbfff1b05102 R09: fffffbfff1b05101
[ 6190.831304] R10: fffffbfff1b05101 R11: ffffffff8d82880b R12: 0000000000000001
[ 6190.863311] R13: ffff8884ac4240a8 R14: ffff8884ac424008 R15: 0000000000629c80
[ 6190.895367] FS:  00007f8105646740(0000) GS:ffff888453400000(0000)
knlGS:0000000000000000
[ 6190.931839] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6190.957598] CR2: 00007ff1a60018c0 CR3: 0000000834bd8002 CR4: 00000000001606b0
[ 6190.989654] Call Trace:
[ 6191.000738]  ? kasan_check_read+0x11/0x20
[ 6191.019852]  handle_mm_fault+0x313/0x360
[ 6191.040562]  __get_user_pages+0x448/0x7c0
[ 6191.059723]  ? follow_page_mask+0x3e0/0x3e0
[ 6191.078545]  ? lock_downgrade+0x300/0x300
[ 6191.096551]  ? __bad_area_nosemaphore+0x66/0x230
[ 6191.117323]  ? do_raw_spin_unlock+0xa8/0x140
[ 6191.136813]  __gup_longterm_locked+0x32c/0xa90
[ 6191.156738]  ? do_page_fault+0x4c/0x260
[ 6191.174016]  ? get_user_pages_unlocked+0x2b0/0x2b0
[ 6191.195529]  get_user_pages+0x60/0x70
[ 6191.212026]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6191.233252]  ? __fpu__restore_sig+0x7a0/0x7a0
[ 6191.252704]  do_signal+0x40c/0x9d0
[ 6191.267912]  ? do_send_specific+0x87/0xe0
[ 6191.285864]  ? setup_sigcontext+0x280/0x280
[ 6191.304675]  ? check_kill_permission+0x8e/0x1c0
[ 6191.325007]  ? do_send_specific+0xa6/0xe0
[ 6191.343005]  ? do_tkill+0x125/0x160
[ 6191.358809]  ? signal_fault+0x160/0x160
[ 6191.376088]  exit_to_usermode_loop+0x9d/0xc0
[ 6191.395176]  do_syscall_64+0x470/0x5d8
[ 6191.412299]  ? syscall_return_slowpath+0xf0/0xf0
[ 6191.433590]  ? __do_page_fault+0x44d/0x5b0
[ 6191.452211]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6191.474981] RIP: 0033:0x40377e
[ 6191.488761] Code: b4 00 00 00 0f 85 ae 00 00 00 89 c7 31 db ba c8 00 00 00 be
01 00 00 00 eb 0c 66 90 75 1d 81 fb 30 75 00 00 74 65 89 d0 0f 05 <f2> 0f 10 05
7a b8 21 00 83 c3 01 66 0f 2e c1 7b e1 31 c0 41 89 d8
[ 6191.578915] RSP: 002b:00007fff1fa13190 EFLAGS: 00000287 ORIG_RAX:
00000000000000c8
[ 6191.613071] RAX: 0000000000000000 RBX: 0000000000001e12 RCX: 000000000040377e
[ 6191.645339] RDX: 00000000000000c8 RSI: 0000000000000001 RDI: 000000000000b058
[ 6191.677764] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f8104e48700
[ 6191.709916] R10: fffffffffffff7a8 R11: 0000000000000287 R12: 00007f81056466c0
[ 6191.741996] R13: 00007fff1fa13360 R14: 0000000000000000 R15: 0000000000000000
[ 6191.774072] Modules linked in: brd vfat fat ext4 crc16 mbcache jbd2 overlay
loop kvm_intel kvm dax_pmem irqbypass dax_pmem_core ip_tables x_tables xfs
sd_mod igb i2c_algo_bit hpsa i2c_core scsi_transport_sas dm_mirror
dm_region_hash dm_log dm_mod
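A small triage helper, added here as an illustration and not part of the original report: it parses a KASAN splat like the one above into the faulting access, the owning slab object and the Call Trace / Allocated / Freed stacks, and recomputes the "64 bytes inside of 200-byte region" figure from the two addresses. The sample input is a constructed excerpt of the report's own lines; the pattern and class names are my own.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpt of the KASAN splat above (timestamps stripped), used as sample input.
SAMPLE = """\
BUG: KASAN: use-after-free in follow_page_mask+0x32/0x3e0
Read of size 8 at addr ffff8884ac424048 by task signal06/45144
Call Trace:
 __kasan_report.cold.3+0x7a/0xb5
 follow_page_mask+0x32/0x3e0
 ? lock_downgrade+0x300/0x300
 copy_fpstate_to_sigframe+0x31a/0x670
Allocated by task 45145:
 vm_area_dup+0x20/0x80
Freed by task 45145:
 vm_area_free+0x18/0x20
The buggy address belongs to the object at ffff8884ac424008
 which belongs to the cache vm_area_struct(96:user.slice) of size 200
"""
HDR = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACC = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
OBJ = re.compile(r"object at ([0-9a-f]+)")
CACHE = re.compile(r"cache (\S+) of size (\d+)")
SECTION = re.compile(r"^(Call Trace|Allocated|Freed)")
TOOLING = ("dump_stack", "print_address_description", "__kasan_report", "kasan_report", "__asan_")
@dataclass
class KasanReport:
    bug: str; access: str; size: int; addr: int; task: str
    cache: str; obj_addr: int; obj_size: int
    stacks: dict = field(default_factory=dict)  # section name -> [symbol, ...]
    @property
    def offset(self) -> int:  # byte offset of the access inside the slab object
        return self.addr - self.obj_addr
    def blamed_frame(self) -> str:  # first Call Trace frame that is not KASAN plumbing
        return next((f for f in self.stacks.get("Call Trace", []) if not f.startswith(TOOLING)), "")

def parse_kasan(text: str) -> KasanReport:
    hdr, acc, obj, cache = (p.search(text) for p in (HDR, ACC, OBJ, CACHE))
    if not (hdr and acc and obj and cache): raise ValueError("incomplete KASAN report")
    rep = KasanReport(hdr[1], acc[1], int(acc[2]), int(acc[3], 16), acc[4], cache[1], int(obj[1], 16), int(cache[2]))
    section = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:  # a new stack section begins; its frames follow on indented lines
            section = m[1]; rep.stacks[section] = []
        elif section and line.startswith(" "):  # frame: drop the "? " marker and +off/size
            rep.stacks[section].append(line.strip().lstrip("? ").split("+")[0])
        else:
            section = None
    return rep
```

Running it on the excerpt gives offset 64 inside the 200-byte vm_area_struct, with follow_page_mask as the blamed frame and vm_area_free in the Freed stack, matching what the report prints.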

Thread overview: 6+ messages
2019-04-30 20:58 Qian Cai [this message]
2019-04-30 20:58 ` Qian Cai
2019-05-01  8:23 ` Borislav Petkov
2019-05-02 17:11   ` [PATCH v2] x86/fpu: Fault-in user stack if copy_fpstate_to_sigframe() fails Sebastian Andrzej Siewior
2019-05-03  6:04     ` Borislav Petkov
2019-05-01  9:00 ` [RFC PATCH] x86/fpu: Use get_user_pages_unlocked() to fault-in pages Sebastian Andrzej Siewior