futex: use-after-free in futex_wait_requeue_pi

futex: use-after-free in futex_wait_requeue_pi

[Dmitry Vyukov]

Hello,

The following program triggers use-after-free in futex_wait_requeue_pi:
https://gist.githubusercontent.com/dvyukov/42e596153263793b75ad587c8d0626b0/raw/35461a6c1b0a4163a67191ff5d35202f35ecbf44/gistfile1.txt

==================================================================
BUG: KASAN: use-after-free in futex_wait_requeue_pi+0xf5d/0x1160
kernel/futex.c:2942 at addr ffff880066ea7158
Read of size 8 by task a.out/4777
CPU: 0 PID: 4777 Comm: a.out Not tainted 4.11.0-rc1+ #326
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:337
 rt_mutex_owner include/linux/compiler.h:254 [inline]
 futex_wait_requeue_pi.constprop.20+0xf5d/0x1160 kernel/futex.c:2942
 do_futex+0x813/0x1f20 kernel/futex.c:3236
 SYSC_futex kernel/futex.c:3277 [inline]
 SyS_futex+0x2a9/0x3a0 kernel/futex.c:3245
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4412f9
RSP: 002b:00007f803bcd9c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412f9
RDX: 0000000000000004 RSI: 000080000000000b RDI: 000000002000cffc
RBP: 0000000000000082 R08: 0000000020048000 R09: 0000000000000000
R10: 00007f803bcd9cd0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f803bcda9c0 R15: 00007f803bcda700
Object at ffff880066ea7100, in cache kmalloc-192 size: 192
Allocated:
PID = 4825
 kzalloc include/linux/slab.h:663 [inline]
 refill_pi_state_cache.part.8+0xa5/0x2d0 kernel/futex.c:789
 refill_pi_state_cache kernel/futex.c:1669 [inline]
 futex_requeue+0x18f8/0x2400 kernel/futex.c:1727
 do_futex+0x7e1/0x1f20 kernel/futex.c:3239
 SYSC_futex kernel/futex.c:3277 [inline]
 SyS_futex+0x2a9/0x3a0 kernel/futex.c:3245
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 4777
 kfree+0xed/0x280 mm/slab.c:3831
 put_pi_state+0x3e0/0x540 kernel/futex.c:842
 unqueue_me_pi+0x4a/0xc0 kernel/futex.c:2111
 futex_wait_requeue_pi.constprop.20+0xc5a/0x1160 kernel/futex.c:2934
 do_futex+0x813/0x1f20 kernel/futex.c:3236
 SYSC_futex kernel/futex.c:3277 [inline]
 SyS_futex+0x2a9/0x3a0 kernel/futex.c:3245
 entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
 ffff880066ea7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880066ea7080: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880066ea7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff880066ea7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff880066ea7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

On commit c1aa905a304e4b5e6a3fe112ec62d9c1c7b0c155.

Re: futex: use-after-free in futex_wait_requeue_pi

[Sebastian Andrzej Siewior]

On 2017-03-10 19:10:30 [+0100], Dmitry Vyukov wrote:
> BUG: KASAN: use-after-free in futex_wait_requeue_pi+0xf5d/0x1160
…
> On commit c1aa905a304e4b5e6a3fe112ec62d9c1c7b0c155.
That is "Merge tag 'pm-4.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm".
Are sure about that commit? Does this trigger now and then or is 100%?

Sebastian

Re: futex: use-after-free in futex_wait_requeue_pi

[Dmitry Vyukov]

On Fri, Mar 10, 2017 at 7:30 PM, Sebastian Andrzej Siewior
<bigeasy@linutronix.de> wrote:
> On 2017-03-10 19:10:30 [+0100], Dmitry Vyukov wrote:
>> BUG: KASAN: use-after-free in futex_wait_requeue_pi+0xf5d/0x1160
> …
>> On commit c1aa905a304e4b5e6a3fe112ec62d9c1c7b0c155.
> That is "Merge tag 'pm-4.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm".
> Are sure about that commit? Does this trigger now and then or is 100%?

I am sure that I've triggered this bug on that commit. I am not saying
that this is the guilty commit.

Re: futex: use-after-free in futex_wait_requeue_pi

[Peter Zijlstra]

On Fri, Mar 10, 2017 at 07:10:30PM +0100, Dmitry Vyukov wrote:
> Hello,
> 
> The following program triggers use-after-free in futex_wait_requeue_pi:
> https://gist.githubusercontent.com/dvyukov/42e596153263793b75ad587c8d0626b0/raw/35461a6c1b0a4163a67191ff5d35202f35ecbf44/gistfile1.txt

There's a known use-after-free there, see:

http://lkml.kernel.org/r/20170304093558.801744246@infradead.org

I've not woken up enough; or actually looked at your report to see if
its the same.

Re: futex: use-after-free in futex_wait_requeue_pi

[Sebastian Andrzej Siewior]

On 2017-03-13 09:06:20 [+0100], Peter Zijlstra wrote:
> On Fri, Mar 10, 2017 at 07:10:30PM +0100, Dmitry Vyukov wrote:
> > The following program triggers use-after-free in futex_wait_requeue_pi:
> > https://gist.githubusercontent.com/dvyukov/42e596153263793b75ad587c8d0626b0/raw/35461a6c1b0a4163a67191ff5d35202f35ecbf44/gistfile1.txt
> There's a known use-after-free there, see:
> I've not woken up enough; or actually looked at your report to see if
> its the same.

It seems so, yes. The test-case triggered on the commit mentioned in
less than a minute and after the patch applied it runs now for 16
without complains.
A stable tag would be nice then :)

Sebastian

Re: futex: use-after-free in futex_wait_requeue_pi

[Dmitry Vyukov]

On Mon, Mar 13, 2017 at 11:02 AM, Sebastian Andrzej Siewior
<bigeasy@linutronix.de> wrote:
> On 2017-03-13 09:06:20 [+0100], Peter Zijlstra wrote:
>> On Fri, Mar 10, 2017 at 07:10:30PM +0100, Dmitry Vyukov wrote:
>> > The following program triggers use-after-free in futex_wait_requeue_pi:
>> > https://gist.githubusercontent.com/dvyukov/42e596153263793b75ad587c8d0626b0/raw/35461a6c1b0a4163a67191ff5d35202f35ecbf44/gistfile1.txt
>> There's a known use-after-free there, see:
>> I've not woken up enough; or actually looked at your report to see if
>> its the same.
>
> It seems so, yes. The test-case triggered on the commit mentioned in
> less than a minute and after the patch applied it runs now for 16
> without complains.
> A stable tag would be nice then :)


Yes, looking at the fix, I would expect that it fixes the problem.
Thanks