From: Dmitry Vyukov <dvyukov@google.com>
To: Thomas Gleixner <tglx@linutronix.de>,
bigeasy@linutronix.de, Davidlohr Bueso <dave@stgolabs.net>,
Ingo Molnar <mingo@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Subject: futex: use-after-free in futex_wait_requeue_pi
Date: Fri, 10 Mar 2017 19:10:30 +0100
Message-ID: <CACT4Y+bWALT2BZmHO+P6a17pEo0KRcA_i9CQQ1+z3FYLiyk-mw@mail.gmail.com>
Hello,
The following program triggers use-after-free in futex_wait_requeue_pi:
https://gist.githubusercontent.com/dvyukov/42e596153263793b75ad587c8d0626b0/raw/35461a6c1b0a4163a67191ff5d35202f35ecbf44/gistfile1.txt
==================================================================
BUG: KASAN: use-after-free in futex_wait_requeue_pi+0xf5d/0x1160
kernel/futex.c:2942 at addr ffff880066ea7158
Read of size 8 by task a.out/4777
CPU: 0 PID: 4777 Comm: a.out Not tainted 4.11.0-rc1+ #326
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:337
rt_mutex_owner include/linux/compiler.h:254 [inline]
futex_wait_requeue_pi.constprop.20+0xf5d/0x1160 kernel/futex.c:2942
do_futex+0x813/0x1f20 kernel/futex.c:3236
SYSC_futex kernel/futex.c:3277 [inline]
SyS_futex+0x2a9/0x3a0 kernel/futex.c:3245
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4412f9
RSP: 002b:00007f803bcd9c98 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412f9
RDX: 0000000000000004 RSI: 000080000000000b RDI: 000000002000cffc
RBP: 0000000000000082 R08: 0000000020048000 R09: 0000000000000000
R10: 00007f803bcd9cd0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f803bcda9c0 R15: 00007f803bcda700
Object at ffff880066ea7100, in cache kmalloc-192 size: 192
Allocated:
PID = 4825
kzalloc include/linux/slab.h:663 [inline]
refill_pi_state_cache.part.8+0xa5/0x2d0 kernel/futex.c:789
refill_pi_state_cache kernel/futex.c:1669 [inline]
futex_requeue+0x18f8/0x2400 kernel/futex.c:1727
do_futex+0x7e1/0x1f20 kernel/futex.c:3239
SYSC_futex kernel/futex.c:3277 [inline]
SyS_futex+0x2a9/0x3a0 kernel/futex.c:3245
entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 4777
kfree+0xed/0x280 mm/slab.c:3831
put_pi_state+0x3e0/0x540 kernel/futex.c:842
unqueue_me_pi+0x4a/0xc0 kernel/futex.c:2111
futex_wait_requeue_pi.constprop.20+0xc5a/0x1160 kernel/futex.c:2934
do_futex+0x813/0x1f20 kernel/futex.c:3236
SYSC_futex kernel/futex.c:3277 [inline]
SyS_futex+0x2a9/0x3a0 kernel/futex.c:3245
entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
ffff880066ea7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff880066ea7080: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880066ea7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff880066ea7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff880066ea7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
On commit c1aa905a304e4b5e6a3fe112ec62d9c1c7b0c155.
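An added triage example, not part of the message above or of the kernel tree: it parses the KASAN report quoted in the mail to recover the use-after-free triad (access site, allocating stack, freeing stack) and checks what a maintainer looks at first, namely whether the faulting read lands inside the freed kmalloc-192 object and whether the freeing task is the one that later touched it. The REPORT string is a constructed excerpt of the report above with the deeper stack frames trimmed.

```python
import re

# Constructed excerpt of the KASAN report quoted in the mail (deeper frames trimmed).
REPORT = """\
BUG: KASAN: use-after-free in futex_wait_requeue_pi+0xf5d/0x1160
kernel/futex.c:2942 at addr ffff880066ea7158
Read of size 8 by task a.out/4777
Object at ffff880066ea7100, in cache kmalloc-192 size: 192
Allocated:
PID = 4825
kzalloc include/linux/slab.h:663 [inline]
refill_pi_state_cache.part.8+0xa5/0x2d0 kernel/futex.c:789
Freed:
PID = 4777
kfree+0xed/0x280 mm/slab.c:3831
put_pi_state+0x3e0/0x540 kernel/futex.c:842
"""

FRAME = re.compile(r"^(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)")  # "sym[+off/len] file:line"

def parse_kasan(text):
    """Extract access site, object bounds and the alloc/free stacks from a KASAN report."""
    info = {"alloc": [], "free": []}
    section = None  # which stack ("alloc" or "free") the current line belongs to
    for line in text.splitlines():
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+", line):
            info["kind"], info["func"] = m.group(1), m.group(2)
        elif m := re.search(r"at addr ([0-9a-f]+)$", line):
            info["addr"] = int(m.group(1), 16)
        elif m := re.match(r"(Read|Write) of size (\d+) by task \S+/(\d+)", line):
            info["access"], info["size"], info["pid"] = m.group(1), int(m.group(2)), int(m.group(3))
        elif m := re.match(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", line):
            info["obj"], info["cache"], info["obj_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
        elif line in ("Allocated:", "Freed:"):
            section = {"Allocated:": "alloc", "Freed:": "free"}[line]
        elif section and (m := re.match(r"PID = (\d+)", line)):
            info[section + "_pid"] = int(m.group(1))  # task that allocated / freed the object
        elif section and (m := FRAME.match(line)):
            info[section].append((m.group(1), m.group(2)))  # (symbol, file:line)
    return info

def triage(info):
    """First-pass questions: is the read inside the freed object, and who freed versus who touched it?"""
    off = info["addr"] - info["obj"]
    return {"offset": off, "inside_freed_object": 0 <= off and off + info["size"] <= info["obj_size"],
            "freed_by_accessing_task": info["free_pid"] == info["pid"],
            "allocated_by_other_task": info["alloc_pid"] != info["pid"],
            "free_site": info["free"][1][0], "alloc_site": info["alloc"][1][0]}  # callers of kfree/kzalloc
```

For this report the read is at offset 0x58 of the pi_state object that the same task (PID 4777) had just dropped via put_pi_state, while the object was allocated by a different task (PID 4825) during futex_requeue, which is the cross-task refcount hand-off a reviewer would inspect first.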