From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Sasha Levin <sasha.levin@oracle.com>
Cc: David Rientjes <rientjes@google.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>,
Dave Jones <davej@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: fs: use after free in /proc/pid/mountinfo
Date: Sun, 6 Jul 2014 12:04:20 +0200 [thread overview]
Message-ID: <20140706100420.GB3589@osiris> (raw)
In-Reply-To: <53B6C051.2060704@oracle.com>
On Fri, Jul 04, 2014 at 10:55:13AM -0400, Sasha Levin wrote:
> On 07/03/2014 05:37 PM, David Rientjes wrote:
> > On Wed, 2 Jul 2014, Sasha Levin wrote:
> >
> >>> Hi all,
> >>>
> >>> While fuzzing with trinity inside a KVM tools guest running the latest -next
> >>> kernel I've stumbled on the following spew:
> >>>
> >>> [ 3569.869749] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> >>> [ 3569.869769] Dumping ftrace buffer:
> >>> [ 3569.869879] (ftrace buffer empty)
> >>> [ 3569.869894] Modules linked in:
> >>> [ 3569.869900] CPU: 7 PID: 10239 Comm: trinity-c86 Tainted: G W 3.16.0-rc3-next-20140701-sasha-00023-g4eb2544-dirty #759
> >>> [ 3569.869906] task: ffff88039e873000 ti: ffff880393f8c000 task.ti: ffff880393f8c000
> >>> [ 3569.869932] RIP: show_mountinfo (fs/proc_namespace.c:127)
So that would be this line then:
static int show_mountinfo(struct seq_file *m, struct vfsmount *mnt)
{
struct proc_mounts *p = proc_mounts(m);
struct mount *r = real_mount(mnt);
struct super_block *sb = mnt->mnt_sb;
struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt }; <---
if I understand the output correctly?
> >>> All code
> >>> ========
> >>> 0: 00 00 add %al,(%rax)
> >>> 2: 00 00 add %al,(%rax)
> >>> 4: 66 66 66 66 90 data32 data32 data32 xchg %ax,%ax
> >>> 9: 55 push %rbp
> >>> a: 48 89 e5 mov %rsp,%rbp
> >>> d: 48 83 ec 50 sub $0x50,%rsp
> >>> 11: 48 89 5d d8 mov %rbx,-0x28(%rbp)
> >>> 15: 48 89 f3 mov %rsi,%rbx
> >>> 18: 4c 89 65 e0 mov %r12,-0x20(%rbp)
> >>> 1c: 49 89 fc mov %rdi,%r12
> >>> 1f: 4c 89 6d e8 mov %r13,-0x18(%rbp)
> >>> 23: 4c 89 75 f0 mov %r14,-0x10(%rbp)
> >>> 27: 4c 89 7d f8 mov %r15,-0x8(%rbp)
> >>> 2b:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction
> >>> 2e: 48 89 75 b0 mov %rsi,-0x50(%rbp)
> >>> 32: 4c 8b 76 08 mov 0x8(%rsi),%r14
> >>> 36: 8b 96 ec 00 00 00 mov 0xec(%rsi),%edx
> >>> 3c: 48 89 45 b8 mov %rax,-0x48(%rbp)
Does that fit to this asm code? Sorry.. I'm not very familar with x86 asm.
> > Does this now reproduce on Linus's tree? If so, does reverting commit
> > 058504edd026 ("fs/seq_file: fallback to vmalloc allocation") prevent this
> > issue?
> >
> > This is a use-after-free since the poison value is 0x6b and I'm presuming
> > that your /proc/self/mountinfo may be larger than PAGE_SIZE in your
> > testing environment.
>
> Good call, reverting that patch made both issues go away.
Ok, does that mean you have a test case so you can reproduce the crashes?
Just wondering, since trinity is usually quite random in what it does.
I tried to reproduce a crash on one of my systems by enforcing several
seq_files to grow beyond PAGE_SIZE, but couldn't reproduce anything yet.
Could you try the patch below please? It basically reverts my patch and
just leaves the kfree->kvfree conversion in. This is just a shot in the
dark, since I can't make any sense of this ...yet :)
diff --git a/fs/seq_file.c b/fs/seq_file.c
index 3857b720cb1b..c1cf494cc238 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -34,12 +34,7 @@ static void seq_set_overflow(struct seq_file *m)
static void *seq_buf_alloc(unsigned long size)
{
- void *buf;
-
- buf = kmalloc(size, GFP_KERNEL | __GFP_NOWARN);
- if (!buf && size > PAGE_SIZE)
- buf = vmalloc(size);
- return buf;
+ return kmalloc(size, GFP_KERNEL);
}
/**
next prev parent reply other threads:[~2014-07-06 10:04 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-02 11:55 fs: use after free in /proc/pid/mountinfo Sasha Levin
2014-07-03 3:15 ` Sasha Levin
2014-07-03 21:37 ` David Rientjes
2014-07-04 14:55 ` Sasha Levin
2014-07-04 22:35 ` [stable] please do not merge 058504edd026 (was Re: fs: use after free in /proc/pid/mountinfo) David Rientjes
2014-07-04 22:35 ` David Rientjes
2014-07-07 23:05 ` [stable] " Greg KH
2014-07-07 23:05 ` Greg KH
2014-07-07 23:06 ` [stable] " Andrew Morton
2014-07-07 23:19 ` Greg KH
2014-07-07 23:19 ` Greg KH
2014-07-06 10:04 ` Heiko Carstens [this message]
2014-07-09 14:24 ` fs: use after free in /proc/pid/mountinfo Heiko Carstens
2014-07-09 20:31 ` Andrew Morton
2014-07-09 22:10 ` Sasha Levin
2014-07-09 22:59 ` Andrew Morton
2014-07-15 13:52 ` Sasha Levin
2014-07-15 23:01 ` David Rientjes
2014-07-23 20:57 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140706100420.GB3589@osiris \
--to=heiko.carstens@de.ibm.com \
--cc=davej@redhat.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rientjes@google.com \
--cc=sasha.levin@oracle.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.