References: <20220309083753.1561921-1-liupeng256@huawei.com> <20220309083753.1561921-2-liupeng256@huawei.com>
In-Reply-To: <20220309083753.1561921-2-liupeng256@huawei.com>
From: Marco Elver
Date: Wed, 9 Mar 2022 11:03:28 +0100
Subject: Re: [PATCH v2 1/3] kunit: fix UAF when run kfence test case test_gfpzero
To: Peng Liu
Cc: brendanhiggins@google.com, glider@google.com, dvyukov@google.com, akpm@linux-foundation.org, linux-kselftest@vger.kernel.org, kunit-dev@googlegroups.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, wangkefeng.wang@huawei.com, Daniel Latypov, David Gow

On Wed, 9 Mar 2022 at 09:19, 'Peng Liu' via kasan-dev wrote:
>
> Kunit will create a new thread to run an actual test case, and the
> main process will wait for the completion of the actual test thread
> until overtime. The variable "struct kunit test" is local to
> function kunit_try_catch_run, and will be used in the test case
> thread. Task kunit_try_catch_run will free "struct kunit test" when
> kunit runs overtime, but the actual test case is still running and a
> UAF bug will be triggered.
>
> The above problem has been observed both on a physical machine and
> on a qemu platform when running kfence kunit tests. The problem can be
> triggered when setting CONFIG_KFENCE_NUM_OBJECTS = 65535. Under
> this setting, the test case test_gfpzero will cost hours and kunit
> will run to overtime. The following shows the panic log.
>
> BUG: unable to handle page fault for address: ffffffff82d882e9
>
> Call Trace:
> kunit_log_append+0x58/0xd0
> ...
> test_alloc.constprop.0.cold+0x6b/0x8a [kfence_test]
> test_gfpzero.cold+0x61/0x8ab [kfence_test]
> kunit_try_run_case+0x4c/0x70
> kunit_generic_run_threadfn_adapter+0x11/0x20
> kthread+0x166/0x190
> ret_from_fork+0x22/0x30
> Kernel panic - not syncing: Fatal exception
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> Ubuntu-1.8.2-1ubuntu1 04/01/2014
>
> To solve this problem, the test case thread should be stopped when
> the kunit frame runs overtime. The stop signal will be sent in function
> kunit_try_catch_run, and test_gfpzero will handle it.
>
> Signed-off-by: Peng Liu

Reviewed-by: Marco Elver

Also Cc'ing more KUnit folks to double-check this is the right solution.

> ---
> lib/kunit/try-catch.c | 1 +
> mm/kfence/kfence_test.c | 2 +-
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
> index be38a2c5ecc2..6b3d4db94077 100644
> --- a/lib/kunit/try-catch.c
> +++ b/lib/kunit/try-catch.c
> @@ -78,6 +78,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
> if (time_remaining == 0) {
> kunit_err(test, "try timed out\n");
> try_catch->try_result = -ETIMEDOUT;
> + kthread_stop(task_struct);
> }
>
> exit_code = try_catch->try_result;
> diff --git a/mm/kfence/kfence_test.c b/mm/kfence/kfence_test.c
> index 50dbb815a2a8..caed6b4eba94 100644
> --- a/mm/kfence/kfence_test.c
> +++ b/mm/kfence/kfence_test.c
> @@ -623,7 +623,7 @@ static void test_gfpzero(struct kunit *test)
> break;
> test_free(buf2);
>
> - if (i == CONFIG_KFENCE_NUM_OBJECTS) {
> + if (kthread_should_stop() || (i == CONFIG_KFENCE_NUM_OBJECTS)) {
> kunit_warn(test, "giving up ... cannot get same object back\n");
> return;
> }
> --
> 2.18.0.huawei.25
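Review bot: the added kthread_stop(task_struct) in the time_remaining == 0 branch of kunit_try_catch_run() blocks until the test thread exits, so the timeout stays bounded only for test bodies that actually poll kthread_should_stop(); a test that never reaches such a check turns the -ETIMEDOUT path into an indefinite hang of the runner, and this series adds the check to test_gfpzero alone. The call also assumes task_struct is still a live task at this point: time_remaining == 0 only says the completion had not fired when the wait returned, and nothing in the hunk pins the task between that return and the kthread_stop() call, so a test body that finishes in that window leaves kthread_stop() operating on a task that may already have exited. Consider taking a reference on task_struct when the thread is created and dropping it after kthread_stop(), and note in the kunit_try_catch_run() comment that long-running test bodies must check kthread_should_stop() for the timeout to have any effect.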
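Review bot: the kthread_should_stop() check in test_gfpzero() is placed only on the retry path after test_free(buf2), which is where this loop can spin up to CONFIG_KFENCE_NUM_OBJECTS times, so the placement is right for this loop, but every other slow KFENCE or KUnit test body gets no such check and will still hold kunit_try_catch_run() in kthread_stop(). Two smaller points on the same lines: the message "giving up ... cannot get same object back" now also fires when the runner asked the thread to stop, which is a different condition and will mislead whoever reads the log, so a separate kunit_warn() for the stop case (e.g. "test thread asked to stop, giving up") would help; and kunit_warn(test, ...) here is only safe because kthread_stop() keeps kunit_try_catch_run(), and with it "struct kunit test", alive until this thread returns, a dependency that is not visible in this file and deserves a one-line comment.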