[Bug 1133616] New: use after free in list_lru_add
http://bugzilla.suse.com/show_bug.cgi?id=1133616

            Bug ID: 1133616
           Summary: use after free in list_lru_add
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: CONFIRMED
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
          Assignee: jslaby@suse.com
          Reporter: jslaby@suse.com
        QA Contact: qa-bugs@suse.de
                CC: mkoutny@suse.com
          Found By: ---
           Blocker: ---

On specific hardware, we see a 100 % reproducible crash while booting with a fresh enough systemd. The systemd version matters as it does something special. The crash with a KASAN-enabled kernel:
systemd[1]: Listening on Journal Socket.
==================================================================
BUG: KASAN: slab-out-of-bounds in list_lru_add+0x5ec/0x6a0
Read of size 8 at addr ffff8880c42f0a18 by task (le-setup)/204

CPU: 3 PID: 204 Comm: (le-setup) Not tainted 5.0.9-0.g09ca824-default #1 openSUSE Tumbleweed (unreleased)
Hardware name: Supermicro H8DSP-8/H8DSP-8, BIOS 080011 06/30/2006
Call Trace:
 dump_stack+0x9a/0xf0
 ? list_lru_add+0x5ec/0x6a0
 print_address_description+0x65/0x205
 ? list_lru_add+0x5ec/0x6a0
 ? list_lru_add+0x5ec/0x6a0
 kasan_report.cold.4+0x1a/0x39
 ? list_lru_add+0x5ec/0x6a0
 list_lru_add+0x5ec/0x6a0
 ? each_symbol_section+0x60/0x60
 d_lru_add+0xd4/0x120
 dput.part.27+0x2ba/0x330
 __fput+0x333/0x7c0
 ? _raw_write_lock_irq+0xe0/0xe0
 task_work_run+0x11c/0x190
 exit_to_usermode_loop+0x152/0x170
 do_syscall_64+0x200/0x290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7faa5a7c57b7
Code: ff ff ff ff c3 48 8b 15 df 96 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb c0 66 2e 0f 1f 84 00 00 00 00 00 90 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 96 0c 00 f7 d8 64 89 02 b8
RSP: 002b:00007ffc7e72c8e8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000556dd36f6fd0 RCX: 00007faa5a7c57b7
RDX: 00007faa5a8907c0 RSI: 0000556dd36f7053 RDI: 0000000000000003
RBP: 00007faa5a8913c0 R08: 0000556dd36f70b0 R09: 00007ffc7e72c715
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000556dd36f90a0 R14: 00007ffc7e72c9ca R15: 0000000000000003

Allocated by task 1:
 __kasan_kmalloc.constprop.14+0xc1/0xd0
 __list_lru_init+0x3cd/0x5e0
 sget_userns+0x65c/0xba0
 kernfs_mount_ns+0x120/0x7f0
 cgroup_do_mount+0x93/0x2e0
 cgroup1_mount+0x335/0x925
 cgroup_mount+0x14a/0x7b0
 mount_fs+0xce/0x304
 vfs_kern_mount.part.33+0x58/0x370
 do_mount+0x390/0x2540
 ksys_mount+0xb6/0xd0
 __x64_sys_mount+0xba/0x150
 do_syscall_64+0xa5/0x290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880c42f0a00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 24 bytes inside of
 32-byte region [ffff8880c42f0a00, ffff8880c42f0a20)
The buggy address belongs to the page:
page:ffffea000310bc00 count:1 mapcount:0 mapping:ffff88800fc00900 index:0xffff8880c42f0fc1
flags: 0x9ffff800000200(slab)
raw: 009ffff800000200 ffffea000310ba88 ffffea000310fb88 ffff88800fc00900
raw: ffff8880c42f0fc1 ffff8880c42f0000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880c42f0900: fb fb fb fb fc fc fc fc 00 00 02 fc fc fc fc fc
 ffff8880c42f0980: 00 00 fc fc fc fc fc fc 00 00 05 fc fc fc fc fc
 ffff8880c42f0a00: 00 00 fc fc fc fc fc fc 00 05 fc fc fc fc fc fc
                            ^
 ffff8880c42f0a80: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
 ffff8880c42f0b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================
This happens at least with kernels 4.12 and 5.0.x.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c1
--- Comment #1 from Jiri Slaby
Allocated by task 1:
 __kasan_kmalloc.constprop.13+0xc1/0xd0
 __list_lru_init+0x3cd/0x5e0
 sget_userns+0x65c/0xba0
 kernfs_mount_ns+0x120/0x7f0
 cgroup_do_mount+0x93/0x2e0
 cgroup1_mount+0x335/0x925
 cgroup_mount+0x14a/0x7b0
 mount_fs+0xce/0x304
 vfs_kern_mount.part.33+0x58/0x370
 do_mount+0x390/0x2540
 ksys_mount+0xb6/0xd0
 __x64_sys_mount+0xba/0x150
 do_syscall_64+0xa5/0x290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 1:
 __kasan_slab_free+0x125/0x170
 kfree+0x90/0x1a0
 acpi_ds_terminate_control_method+0x5a2/0x5c9
 acpi_ps_parse_aml+0x927/0xc32
 acpi_ps_execute_method+0x65f/0x7cd
 acpi_ns_evaluate+0xa83/0xf6f
 acpi_evaluate_object+0x38c/0x924
 acpi_evaluate_integer+0xb5/0x250
 acpi_bus_get_status+0x144/0x3f0
 acpi_add_single_object+0xbc4/0x16d0
 acpi_bus_check_add+0x1a0/0x450
 acpi_ns_walk_namespace+0x1cb/0x383
 acpi_walk_namespace+0xf3/0x13b
 acpi_bus_scan+0xd0/0xe0
 acpi_scan_init+0x220/0x56a
 acpi_init+0x572/0x600
 do_one_initcall+0x92/0x301
 kernel_init_freeable+0x4fe/0x5d1
 kernel_init+0xc/0x111
 ret_from_fork+0x3a/0x50

The buggy address belongs to the object at ffff8880d69a2e68
 which belongs to the cache kmalloc-16 of size 16
The buggy address is located 8 bytes to the right of
 16-byte region [ffff8880d69a2e68, ffff8880d69a2e78)
The buggy address belongs to the page:
page:ffffea00035a6880 count:1 mapcount:0 mapping:ffff88800fc0f940 index:0x0 compound_mapcount: 0
flags: 0x9ffff800010200(slab|head)
raw: 009ffff800010200 ffffea00035a6208 ffffea00035a7188 ffff88800fc0f940
raw: 0000000000000000 0000000000160016 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880d69a2d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880d69a2e00: fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00 fc
 ffff8880d69a2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8880d69a2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880d69a2f80: fc fc fc fc fc fc fc fc fc fc fc 00 00 fc fc fc
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c2
--- Comment #2 from Michal Koutný
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c3
--- Comment #3 from Jiri Slaby
__list_lru_init+0x3cd/0x5e0

This is kvmalloc in memcg_init_list_lru_node:

    memcg_lrus = kvmalloc(sizeof(*memcg_lrus) + size * sizeof(void *), GFP_KERNEL);

The buggy address belongs to the object at ffff8880d69a2e68 which belongs to the cache kmalloc-16 of size 16

Oh, wait, size 16? memcg_lrus is struct list_lru_memcg which is:

    struct rcu_head rcu;
    /* array of per cgroup lists, indexed by memcg_cache_id */
    struct list_lru_one *lru[0];

struct rcu_head is of size 16. So it must mean that size is 0 in memcg_init_list_lru_node. That cannot be correct.
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c4
--- Comment #4 from Jiri Slaby
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c5
--- Comment #5 from Jiri Slaby
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c6
--- Comment #6 from Jiri Slaby
Makes it indeed boot. memcg has very wrong assumptions on memcg_nr_cache_ids. It does not assume it can change later... This is something for upstream.
memcg_update_all_list_lrus should handle that, but list_lru_memcg_aware is broken on this machine, as there is no node 0 according to the attached dmesg.
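To make the sizing arithmetic from comment #3 and the resizing obligation from comment #6 concrete, here is an added userspace model in C. It is an illustration written for this page, not code from the kernel or from this bug: the struct layout and the allocation-size expression follow the lines quoted in comment #3, while the rcu_head and list_lru_one stand-ins, the node wrapper with its nr_ids count, and the names table_new, node_grow, node_lookup, node_destroy and grow_then_lookup_ok are assumptions of the model.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model, not kernel code. rcu_head stand-in: two pointers, the 16
 * bytes comment #3 quotes for struct rcu_head; list_lru_one stand-in: a count. */
struct rcu_head_model { struct rcu_head_model *next; void (*func)(struct rcu_head_model *); };
struct list_lru_one_model { long nr_items; };

/* Same shape as struct list_lru_memcg: a 16-byte header followed by a flexible
 * array of per-memcg list pointers indexed by memcg_cache_id. */
struct list_lru_memcg_model {
	struct rcu_head_model rcu;
	struct list_lru_one_model *lru[];
};

/* Assumed per-node wrapper that records how many slots were actually allocated
 * (the kernel derives this from the global memcg_nr_cache_ids instead). */
struct list_lru_node_model { struct list_lru_memcg_model *memcg_lrus; size_t nr_ids; };

/* Bytes the kvmalloc() in memcg_init_list_lru_node requests for `size` ids:
 * 16 for size 0, which is exactly what lands in kmalloc-16. */
size_t list_lru_memcg_alloc_size(size_t size)
{
	return sizeof(struct list_lru_memcg_model) + size * sizeof(void *);
}

/* Byte offset of lru[idx] from the start of the object. */
size_t lru_slot_offset(size_t idx)
{
	return offsetof(struct list_lru_memcg_model, lru) + idx * sizeof(void *);
}

/* Allocate a table with nr_ids slots, carrying over old_n pointers from old
 * and creating fresh lists for the new slots. */
static struct list_lru_memcg_model *table_new(size_t nr_ids,
		const struct list_lru_memcg_model *old, size_t old_n)
{
	struct list_lru_memcg_model *t = calloc(1, list_lru_memcg_alloc_size(nr_ids));
	if (!t)
		return NULL;
	if (old_n)
		memcpy(t->lru, old->lru, old_n * sizeof(void *));
	for (size_t i = old_n; i < nr_ids; i++) {
		t->lru[i] = calloc(1, sizeof(*t->lru[i]));
		if (!t->lru[i]) {
			while (i > old_n)
				free(t->lru[--i]);
			free(t);
			return NULL;
		}
	}
	return t;
}

/* What memcg_update_all_list_lrus must do when memcg_nr_cache_ids grows: swap
 * in a larger table before any lookup can index past the old one. Also serves
 * as the initial allocation when called on a zeroed node. */
int node_grow(struct list_lru_node_model *nlru, size_t new_nr_ids)
{
	if (nlru->memcg_lrus && new_nr_ids <= nlru->nr_ids)
		return 0;
	struct list_lru_memcg_model *t = table_new(new_nr_ids, nlru->memcg_lrus, nlru->nr_ids);
	if (!t)
		return -1;
	free(nlru->memcg_lrus); /* the kernel defers this through the rcu header */
	nlru->memcg_lrus = t;
	nlru->nr_ids = new_nr_ids;
	return 0;
}

/* Lookup that refuses an id beyond the allocated slots instead of reading past
 * the object, which is the out-of-bounds read KASAN flagged in list_lru_add. */
struct list_lru_one_model *node_lookup(const struct list_lru_node_model *nlru, size_t memcg_id)
{
	if (!nlru->memcg_lrus || memcg_id >= nlru->nr_ids)
		return NULL;
	return nlru->memcg_lrus->lru[memcg_id];
}

void node_destroy(struct list_lru_node_model *nlru)
{
	for (size_t i = 0; nlru->memcg_lrus && i < nlru->nr_ids; i++)
		free(nlru->memcg_lrus->lru[i]);
	free(nlru->memcg_lrus);
	nlru->memcg_lrus = NULL;
	nlru->nr_ids = 0;
}

/* Start with a table sized for 0 ids, as comment #3 infers: id 1 is refused;
 * after growing to 2 ids it resolves and id 2 is still refused. Returns 1 if so. */
int grow_then_lookup_ok(void)
{
	struct list_lru_node_model n = { NULL, 0 };
	int ok = node_grow(&n, 0) == 0 && node_lookup(&n, 1) == NULL &&
		 node_grow(&n, 2) == 0 && node_lookup(&n, 1) != NULL &&
		 node_lookup(&n, 2) == NULL;
	node_destroy(&n);
	return ok;
}
```

Both KASAN reports flag an address 24 bytes past the start of the object (ffff8880c42f0a18 against ffff8880c42f0a00 in the first; 8 bytes beyond the 16-byte region ending at ffff8880d69a2e78 in the second), and 24 is lru_slot_offset(1): a read of the id-1 slot in a table allocated for fewer ids. The bounds check in node_lookup only turns that read into a NULL result; the fix the thread points at is the resizing path modelled by node_grow, which must run whenever memcg_nr_cache_ids changes.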
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c7
--- Comment #7 from Jiri Slaby
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c8
--- Comment #8 from Jiri Slaby
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c18
--- Comment #18 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c19
--- Comment #19 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c20
--- Comment #20 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c21
--- Comment #21 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c22
--- Comment #22 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c23
--- Comment #23 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c24
--- Comment #24 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c25
--- Comment #25 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c26
--- Comment #26 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c27
--- Comment #27 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c28
--- Comment #28 from Swamp Workflow Management
http://bugzilla.suse.com/show_bug.cgi?id=1133616#c32
--- Comment #32 from Swamp Workflow Management