Message-ID: <20210301065134.GA12822@xsang-OptiPlex-9020>
Date: Mon, 1 Mar 2021 14:51:34 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, kernel test robot <oliver.sang@...el.com>,
	LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
	io-uring@...r.kernel.org,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Christian Brauner <christian.brauner@...ntu.com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>
Subject: 5b5c35b757: BUG:KASAN:use-after-free_in_dec_rlimit_ucounts


Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 5b5c35b757a192cc54eb96137761da67e7ce0520 ("[PATCH v7 6/7] Reimplement RLIMIT_MEMLOCK on top of ucounts")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210222-175836
base: https://git.kernel.org/cgit/linux/kernel/git/shuah/linux-kselftest.git next

in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with the following parameters:

	group: ["group-00", "group-01", "group-02", "group-03", "group-04"]

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------------------+------------+------------+
|                                                | d28296d248 | 5b5c35b757 |
+------------------------------------------------+------------+------------+
| boot_failures                                  | 0          | 5          |
| BUG:KASAN:use-after-free_in_dec_rlimit_ucounts | 0          | 5          |
| canonical_address#:#[##]                       | 0          | 1          |
| RIP:dec_rlimit_ucounts                         | 0          | 1          |
| Kernel_panic-not_syncing:Fatal_exception       | 0          | 1          |
+------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  235.817305] BUG: KASAN: use-after-free in dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3)) 
[  235.818278] Read of size 8 at addr ffff88810687b1d0 by task trinity-c2/4730
[  235.819266]
[  235.819585] CPU: 0 PID: 4730 Comm: trinity-c2 Not tainted 5.11.0-rc7-00017-g5b5c35b757a1 #1
[  235.820944] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[  235.822206] Call Trace:
[  235.822646] dump_stack (kbuild/src/consumer/lib/dump_stack.c:131) 
[  235.823195] print_address_description+0x21/0x140 
[  235.824066] ? dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3)) 
[  235.824815] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:397 kbuild/src/consumer/mm/kasan/report.c:413) 
[  235.825530] ? dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3)) 
[  235.826260] __asan_load8 (kbuild/src/consumer/mm/kasan/generic.c:252) 
[  235.826848] dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3)) 
[  235.827549] user_shm_unlock (kbuild/src/consumer/include/linux/spinlock.h:394 kbuild/src/consumer/mm/mlock.c:851) 
[  235.828237] shmem_lock (kbuild/src/consumer/mm/shmem.c:2247) 
[  235.828867] ksys_shmctl+0xc1b/0xe70 
[  235.829658] ? __fsnotify_parent (kbuild/src/consumer/fs/notify/fsnotify.c:200) 
[  235.830391] ? shm_mmap (kbuild/src/consumer/ipc/shm.c:1139) 
[  235.831035] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225) 
[  235.831765] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225) 
[  235.832545] ? pvclock_clocksource_read (kbuild/src/consumer/arch/x86/kernel/pvclock.c:80) 
[  235.833390] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:227) 
[  235.834154] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225) 
[  235.834866] ? get_vtime_delta (kbuild/src/consumer/kernel/sched/cputime.c:658 (discriminator 3)) 
[  235.835497] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:227) 
[  235.836217] __x64_sys_shmctl (kbuild/src/consumer/ipc/shm.c:1193) 
[  235.836912] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[  235.837540] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) 
[  235.838348] RIP: 0033:0x453b29
[ 235.838867] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
   0:	00 f3                	add    %dh,%bl
   2:	c3                   	retq   
   3:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   a:	00 00 00 
   d:	0f 1f 40 00          	nopl   0x0(%rax)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	0f 83 3b 84 00 00    	jae    0x8471
  36:	c3                   	retq   
  37:	66                   	data16
  38:	2e                   	cs
  39:	0f                   	.byte 0xf
  3a:	1f                   	(bad)  
  3b:	84 00                	test   %al,(%rax)
  3d:	00 00                	add    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	0f 83 3b 84 00 00    	jae    0x8447
   c:	c3                   	retq   
   d:	66                   	data16
   e:	2e                   	cs
   f:	0f                   	.byte 0xf
  10:	1f                   	(bad)  
  11:	84 00                	test   %al,(%rax)
  13:	00 00                	add    %al,(%rax)
	...
[  235.841605] RSP: 002b:00007ffd5b1195a8 EFLAGS: 00000246 ORIG_RAX: 000000000000001f
[  235.842731] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 0000000000453b29
[  235.843745] RDX: 00007f903f38e000 RSI: 000000000000000c RDI: 0000000000000000
[  235.844880] RBP: 00007ffd5b119650 R08: 00000000000000de R09: ffffffffffffffff
[  235.845958] R10: 0000000000000200 R11: 0000000000000246 R12: 0000000000000002
[  235.847062] R13: 00007f903f899058 R14: 00000000010a2830 R15: 00007f903f899000
[  235.848178]
[  235.848538] Allocated by task 4043:
[  235.849196] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39) 
[  235.849892] ____kasan_kmalloc+0x87/0xb0 
[  235.850711] __kasan_slab_alloc (kbuild/src/consumer/mm/kasan/common.c:438) 
[  235.851394] kmem_cache_alloc (kbuild/src/consumer/include/linux/kasan.h:209 kbuild/src/consumer/mm/slab.h:512 kbuild/src/consumer/mm/slub.c:2892 kbuild/src/consumer/mm/slub.c:2900 kbuild/src/consumer/mm/slub.c:2905) 
[  235.852114] create_user_ns (kbuild/src/consumer/include/linux/slab.h:672 kbuild/src/consumer/kernel/user_namespace.c:105) 
[  235.852801] unshare_userns (kbuild/src/consumer/kernel/user_namespace.c:168) 
[  235.853464] ksys_unshare (kbuild/src/consumer/kernel/fork.c:2956) 
[  235.854145] __x64_sys_unshare (kbuild/src/consumer/kernel/fork.c:3031) 
[  235.854827] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[  235.855485] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) 
[  235.856368]
[  235.856733] Freed by task 5:
[  235.857292] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39) 
[  235.857967] kasan_set_track (kbuild/src/consumer/mm/kasan/common.c:46) 
[  235.858627] kasan_set_free_info (kbuild/src/consumer/mm/kasan/generic.c:358) 
[  235.859329] ____kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:364) 
[  235.860068] __kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:370) 
[  235.860761] kmem_cache_free (kbuild/src/consumer/mm/slub.c:1580 kbuild/src/consumer/mm/slub.c:3143 kbuild/src/consumer/mm/slub.c:3159) 
[  235.861439] free_user_ns (kbuild/src/consumer/kernel/user_namespace.c:39 kbuild/src/consumer/kernel/user_namespace.c:202) 
[  235.862059] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280) 
[  235.862754] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422) 
[  235.863378] kthread (kbuild/src/consumer/kernel/kthread.c:292) 
[  235.863912] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302) 
[  235.864576]
[  235.864940] Last potentially related work creation:
[  235.865717] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39) 
[  235.866382] kasan_record_aux_stack (kbuild/src/consumer/mm/kasan/generic.c:344) 
[  235.867124] insert_work (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:134 kbuild/src/consumer/kernel/workqueue.c:615 kbuild/src/consumer/kernel/workqueue.c:622 kbuild/src/consumer/kernel/workqueue.c:1334) 
[  235.867769] __queue_work (kbuild/src/consumer/kernel/workqueue.c:1500) 
[  235.868448] queue_work_on (kbuild/src/consumer/kernel/workqueue.c:1525) 
[  235.869116] __put_user_ns (kbuild/src/consumer/kernel/user_namespace.c:210) 
[  235.869752] cleanup_net (kbuild/src/consumer/include/linux/user_namespace.h:142 kbuild/src/consumer/include/linux/user_namespace.h:139 kbuild/src/consumer/net/core/net_namespace.c:622) 
[  235.870370] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280) 
[  235.871057] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422) 
[  235.871706] kthread (kbuild/src/consumer/kernel/kthread.c:292) 
[  235.872321] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302) 
[  235.872974]
[  235.873343] Second to last potentially related work creation:
[  235.874266] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39) 
[  235.874934] kasan_record_aux_stack (kbuild/src/consumer/mm/kasan/generic.c:344) 
[  235.875695] insert_work (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:134 kbuild/src/consumer/kernel/workqueue.c:615 kbuild/src/consumer/kernel/workqueue.c:622 kbuild/src/consumer/kernel/workqueue.c:1334) 
[  235.876369] __queue_work (kbuild/src/consumer/kernel/workqueue.c:1500) 
[  235.877033] queue_work_on (kbuild/src/consumer/kernel/workqueue.c:1525) 
[  235.877677] __put_user_ns (kbuild/src/consumer/kernel/user_namespace.c:210) 
[  235.878286] put_cred_rcu (kbuild/src/consumer/include/linux/user_namespace.h:142 kbuild/src/consumer/kernel/cred.c:125) 
[  235.878875] rcu_do_batch+0x1e2/0x940 
[  235.879591] rcu_core (kbuild/src/consumer/kernel/rcu/tree.c:2723) 
[  235.880212] rcu_core_si (kbuild/src/consumer/kernel/rcu/tree.c:2737) 
[  235.880832] __do_softirq (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/irq.h:142 kbuild/src/consumer/kernel/softirq.c:344) 
[  235.881520]
[  235.881867] The buggy address belongs to the object at ffff88810687aff8
[  235.881867]  which belongs to the cache user_namespace of size 592
[  235.883687] The buggy address is located 472 bytes inside of
[  235.883687]  592-byte region [ffff88810687aff8, ffff88810687b248)
[  235.885560] The buggy address belongs to the page:
[  235.886343] page:0000000066c321d7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810687b3a8 pfn:0x106878
[  235.887924] head:0000000066c321d7 order:2 compound_mapcount:0 compound_pincount:0
[  235.889214] flags: 0x8000000000010200(slab|head)
[  235.889993] raw: 8000000000010200 ffff888100c25648 ffff888100c25648 ffff888100c8ccc0
[  235.891261] raw: ffff88810687b3a8 000000000011000a 00000001ffffffff 0000000000000000
[  235.892557] page dumped because: kasan: bad access detected
[  235.893490]
[  235.893838] Memory state around the buggy address:
[  235.894636]  ffff88810687b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  235.895858]  ffff88810687b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  235.897103] >ffff88810687b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  235.898294]                                                  ^
[  235.899208]  ffff88810687b200: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[  235.900359]  ffff88810687b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  235.902866] ==================================================================
[  235.904088] Disabling lock debugging due to kernel taint

Kboot worker: lkp-worker52
Elapsed time: 240



To reproduce:

        # build kernel
        cd linux
        cp config-5.11.0-rc7-00017-g5b5c35b757a1 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc7-00017-g5b5c35b757a1" of type "text/plain" (126328 bytes)

View attachment "job-script" of type "text/plain" (4345 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14968 bytes)
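The following is an added worked example, not part of the robot's report or of the kernel tree: a small decoder that takes the numbers printed in the KASAN report above (the faulting address, the object bounds, the two "Memory state" rows around the caret, and the userspace register dump) and checks that they tell a consistent story. It verifies that the access lands 472 bytes inside the 592-byte user_namespace object rather than out of bounds, that the shadow byte under the caret is 0xfb (freed slab memory, i.e. a use-after-free, not a redzone hit), that the first 0xfc redzone byte begins exactly where the object ends, and that ORIG_RAX/RDI/RSI decode to shmctl(0, SHM_UNLOCK, ...), matching the shmem_lock -> user_shm_unlock -> dec_rlimit_ucounts call chain. The shadow-byte meanings and the syscall/command numbers are the upstream generic-KASAN and x86-64 uapi values; everything else is copied from the report text.

```c
/*
 * Added example (not from the report or the kernel): cross-check the
 * numbers in a generic-KASAN use-after-free report. All input values
 * below are copied from the report above.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Read of size 8 at addr ..." and "belongs to the object at ... size 592". */
#define BUGGY_ADDR     0xffff88810687b1d0ULL
#define OBJ_START      0xffff88810687aff8ULL
#define OBJ_SIZE       592ULL
#define SHADOW_GRANULE 8ULL   /* one shadow byte describes 8 bytes of memory */

/* The two "Memory state" rows around the caret, 16 shadow bytes per row. */
static const uint64_t row_b180 = 0xffff88810687b180ULL;
static const uint8_t  row_b180_bytes[16] = {
    0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb };
static const uint64_t row_b200 = 0xffff88810687b200ULL;
static const uint8_t  row_b200_bytes[16] = {
    0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfb,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc,0xfc };

/* Userspace registers from the "RSP: 002b:..." block. */
#define REG_ORIG_RAX 0x1fULL
#define REG_RDI      0x0ULL
#define REG_RSI      0xcULL
#define REG_RAX      0xffffffffffffffdaULL

/* Byte offset of the faulting access inside the slab object. */
uint64_t offset_in_object(uint64_t addr, uint64_t start) { return addr - start; }

/* 1 if addr lies in [start, start+size): a stale-object access, not OOB. */
int access_within_object(uint64_t addr, uint64_t start, uint64_t size) {
    return addr >= start && addr < start + size;
}

/* Index of the shadow byte covering addr in a printed row, or -1 if the
 * row (16 granules of 8 bytes) does not cover addr. */
int shadow_index(uint64_t addr, uint64_t row_base) {
    if (addr < row_base || addr >= row_base + 16 * SHADOW_GRANULE)
        return -1;
    return (int)((addr - row_base) / SHADOW_GRANULE);
}

/* Generic-KASAN shadow byte meanings (mm/kasan/kasan.h). */
const char *shadow_meaning(uint8_t b) {
    if (b == 0x00) return "addressable";
    if (b < SHADOW_GRANULE) return "partially addressable";
    switch (b) {
    case 0xfa: return "freed slab memory (free track stored)";
    case 0xfb: return "freed slab memory (use-after-free)";
    case 0xfc: return "slab redzone (out-of-bounds)";
    default:   return "other poison";
    }
}

/* Address covered by the first 0xfc byte in a row, or 0 if none. For a
 * consistent report this is exactly the end of the object. */
uint64_t first_redzone_addr(uint64_t row_base, const uint8_t *bytes) {
    for (int i = 0; i < 16; i++)
        if (bytes[i] == 0xfc)
            return row_base + (uint64_t)i * SHADOW_GRANULE;
    return 0;
}

/* x86-64 syscall 31 is shmctl; SHM_LOCK/SHM_UNLOCK are uapi constants. */
const char *syscall_name(uint64_t nr) { return nr == 31 ? "shmctl" : "unknown"; }
const char *shm_cmd_name(uint64_t cmd) {
    switch (cmd) {
    case 11: return "SHM_LOCK";
    case 12: return "SHM_UNLOCK";
    default: return "other";
    }
}

/* At syscall entry the x86-64 entry code stores -ENOSYS (-38) in the RAX
 * slot; the dump shows that placeholder because the handler never returned. */
long rax_as_errno(uint64_t rax) { return (long)rax; }

int main(void) {
    int idx = shadow_index(BUGGY_ADDR, row_b180);
    printf("access at +%llu of %llu-byte object, inside=%d\n",
           (unsigned long long)offset_in_object(BUGGY_ADDR, OBJ_START),
           (unsigned long long)OBJ_SIZE,
           access_within_object(BUGGY_ADDR, OBJ_START, OBJ_SIZE));
    printf("shadow[%d]=0x%02x: %s\n", idx, row_b180_bytes[idx],
           shadow_meaning(row_b180_bytes[idx]));
    printf("object end %#llx, first redzone byte covers %#llx\n",
           (unsigned long long)(OBJ_START + OBJ_SIZE),
           (unsigned long long)first_redzone_addr(row_b200, row_b200_bytes));
    printf("task was in %s(%llu, %s, ...), RAX=%ld\n",
           syscall_name(REG_ORIG_RAX), (unsigned long long)REG_RDI,
           shm_cmd_name(REG_RSI), rax_as_errno(REG_RAX));
    return 0;
}
```

The caret in the report sits under the 11th byte of the ffff88810687b180 row, which is what shadow_index() computes (index 10); the 0xfc run in the next row starting at ffff88810687b248 lines up with the 592-byte object end, so the report is internally consistent and the access is to a freed user_namespace object, not to a neighbouring one.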
