Hi, I'm working on AddressSanitizer for the Linux kernel, a memory error detector (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel) which can detect use-after-free and buffer-overflow errors. Currently the tool is at a very early stage and may contain bugs.
I was running a system call fuzzer and got some reports:

[ 64.143848] =========================================================================
[ 64.144763] ERROR: AddressSanitizer: heap-use-after-free on address ffff88002a3dae60
[ 64.145945] Stack trace:
[ 64.146302]  [<ffffffff810dd1f5>] asan_report_error+0x85/0x2c0
[ 64.147112]  [<ffffffff810dc700>] asan_check_region+0x30/0x40
[ 64.147966]  [<ffffffff810dd4b3>] __tsan_read4+0x13/0x20
[ 64.148808]  [<ffffffffa00804d0>] e1000_clean+0x1d0/0x11b0 [e1000]
[ 64.149742]  [<ffffffff817f8e1a>] net_rx_action+0x1aa/0x380
[ 64.150574]  [<ffffffff810ee9d2>] __do_softirq+0x182/0x3a0
[ 64.151391]  [<ffffffff8192629c>] call_softirq+0x1c/0x30
[ 64.152179]  [<ffffffff8108040d>] do_softirq+0x5d/0xc0
[ 64.152926]  [<ffffffff810ed3d7>] local_bh_enable+0x127/0x130
[ 64.153717]  [<ffffffff8185d775>] ip_finish_output+0x365/0x640
[ 64.154653]  [<ffffffff8185fc79>] ip_output+0xb9/0x100
[ 64.155423]  [<ffffffff8185ed1c>] ip_local_out+0x4c/0x60
[ 64.156216]  [<ffffffff818611b3>] ip_send_skb+0x23/0x70
[ 64.156951]  [<ffffffff818a4bf4>] udp_send_skb+0x584/0x6e0
[ 64.157761]  [<ffffffff818a681c>] udp_sendmsg+0x4dc/0xfd0
[ 64.158581]  [<ffffffff818b93e8>] inet_sendmsg+0x108/0x160
[ 64.159401]  [<ffffffff817d0f43>] sock_sendmsg+0x133/0x170
[ 64.160143]  [<ffffffff817d1669>] SYSC_sendto+0x1e9/0x2d0
[ 64.160932]  [<ffffffff817d2329>] SyS_sendto+0x49/0x70
[ 64.161710]  [<ffffffff81826e55>] compat_sys_socketcall+0x305/0x530
[ 64.162634]  [<ffffffff81926335>] sysenter_dispatch+0x7/0x1a
[ 64.163471]  [<ffffffffffffffff>] 0xffffffffffffffff
[ 64.164213] Free stack trace:
[ 64.164660]  [<ffffffff810dc831>] asan_slab_free+0x61/0xb0
[ 64.165466]  [<ffffffff8127f955>] kmem_cache_free+0x55/0x2e0
[ 64.166261]  [<ffffffff817db68b>] kfree_skbmem+0x5b/0xd0
[ 64.167046]  [<ffffffff817e003c>] consume_skb+0x4c/0xd0
[ 64.167811]  [<ffffffff817f3f90>] dev_kfree_skb_any+0x60/0x70
[ 64.168710]  [<ffffffffa007c6ba>] e1000_unmap_and_free_tx_resource.isra.45+0xda/0x130 [e1000]
[ 64.169954]  [<ffffffffa00804e9>] e1000_clean+0x1e9/0x11b0 [e1000]
[ 64.170859]  [<ffffffff817f8e1a>] net_rx_action+0x1aa/0x380
[ 64.171685]  [<ffffffff810ee9d2>] __do_softirq+0x182/0x3a0
[ 64.172491]  [<ffffffff8192629c>] call_softirq+0x1c/0x30
[ 64.173276]  [<ffffffff8108040d>] do_softirq+0x5d/0xc0
[ 64.174041]  [<ffffffff810ed3d7>] local_bh_enable+0x127/0x130
[ 64.174868]  [<ffffffff8185d775>] ip_finish_output+0x365/0x640
[ 64.175734]  [<ffffffff8185fc79>] ip_output+0xb9/0x100
[ 64.176518]  [<ffffffff8185ed1c>] ip_local_out+0x4c/0x60
[ 64.177315]  [<ffffffff818611b3>] ip_send_skb+0x23/0x70
[ 64.178087]  [<ffffffff818a4bf4>] udp_send_skb+0x584/0x6e0
[ 64.178910]  [<ffffffff818a681c>] udp_sendmsg+0x4dc/0xfd0
[ 64.179713]  [<ffffffff818b93e8>] inet_sendmsg+0x108/0x160
[ 64.180524]  [<ffffffff817d0f43>] sock_sendmsg+0x133/0x170
[ 64.181332]  [<ffffffff817d1669>] SYSC_sendto+0x1e9/0x2d0
[ 64.182001]  [<ffffffff817d2329>] SyS_sendto+0x49/0x70
[ 64.182771]  [<ffffffff817d238b>] SyS_send+0x3b/0x50
[ 64.183508] Shadow bytes around the buggy address:
[ 64.184258]   ffff88003ba7b570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.185109]   ffff88003ba7b580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[ 64.186184]   ffff88003ba7b590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 64.187257]   ffff88003ba7b5a0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.188442]   ffff88003ba7b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.189520] =>ffff88003ba7b5c0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
[ 64.190600]   ffff88003ba7b5d0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
[ 64.191676]   ffff88003ba7b5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.192730]   ffff88003ba7b5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.193822]   ffff88003ba7b600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.194903]   ffff88003ba7b610: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 64.195954] Shadow byte legend (one shadow byte represents 8 application bytes):
[ 64.197039]   Addressable:           00
[ 64.197585]   Partially addressable: 01 02 03 04 05 06 07
[ 64.198407]   Heap redzone:          fa
[ 64.198955]   Freed heap region:     fd
[ 64.199519] =========================================================================
[ 64.200424] =========================================================================
[ 64.201539] ERROR: AddressSanitizer: heap-use-after-free on address ffff88002a3daedc
[ 64.202432] Stack trace:
[ 64.202814]  [<ffffffff810dd1f5>] asan_report_error+0x85/0x2c0
[ 64.203636]  [<ffffffff810dc700>] asan_check_region+0x30/0x40
[ 64.204481]  [<ffffffff810dd4b3>] __tsan_read4+0x13/0x20
[ 64.205267]  [<ffffffff817e001b>] consume_skb+0x2b/0xd0
[ 64.206066]  [<ffffffff817f3f90>] dev_kfree_skb_any+0x60/0x70
[ 64.206923]  [<ffffffffa007c6ba>] e1000_unmap_and_free_tx_resource.isra.45+0xda/0x130 [e1000]
[ 64.208144]  [<ffffffffa00804e9>] e1000_clean+0x1e9/0x11b0 [e1000]
[ 64.209067]  [<ffffffff817f8e1a>] net_rx_action+0x1aa/0x380
[ 64.209866]  [<ffffffff810ee9d2>] __do_softirq+0x182/0x3a0
[ 64.210671]  [<ffffffff8192629c>] call_softirq+0x1c/0x30
[ 64.211463]  [<ffffffff8108040d>] do_softirq+0x5d/0xc0
[ 64.212227]  [<ffffffff810ed3d7>] local_bh_enable+0x127/0x130
[ 64.213074]  [<ffffffff8185d775>] ip_finish_output+0x365/0x640
[ 64.213910]  [<ffffffff8185fc79>] ip_output+0xb9/0x100
[ 64.214661]  [<ffffffff8185ed1c>] ip_local_out+0x4c/0x60
[ 64.215451]  [<ffffffff818611b3>] ip_send_skb+0x23/0x70
[ 64.216249]  [<ffffffff818a4bf4>] udp_send_skb+0x584/0x6e0
[ 64.217064]  [<ffffffff818a681c>] udp_sendmsg+0x4dc/0xfd0
[ 64.217838]  [<ffffffff818b93e8>] inet_sendmsg+0x108/0x160
[ 64.218687]  [<ffffffff817d0f43>] sock_sendmsg+0x133/0x170
[ 64.219496]  [<ffffffff817d1669>] SYSC_sendto+0x1e9/0x2d0
[ 64.220297]  [<ffffffff817d2329>] SyS_sendto+0x49/0x70
[ 64.221069]  [<ffffffff81826e55>] compat_sys_socketcall+0x305/0x530
[ 64.222053]  [<ffffffff81926335>] sysenter_dispatch+0x7/0x1a
[ 64.222867]  [<ffffffffffffffff>] 0xffffffffffffffff
[ 64.223592] Free stack trace:
[ 64.224050]  [<ffffffff810dc831>] asan_slab_free+0x61/0xb0
[ 64.224841]  [<ffffffff8127f955>] kmem_cache_free+0x55/0x2e0
[ 64.225559]  [<ffffffff817db68b>] kfree_skbmem+0x5b/0xd0
[ 64.226342]  [<ffffffff817e003c>] consume_skb+0x4c/0xd0
[ 64.227121]  [<ffffffff817f3f90>] dev_kfree_skb_any+0x60/0x70
[ 64.227958]  [<ffffffffa007c6ba>] e1000_unmap_and_free_tx_resource.isra.45+0xda/0x130 [e1000]
[ 64.229240]  [<ffffffffa00804e9>] e1000_clean+0x1e9/0x11b0 [e1000]
[ 64.230149]  [<ffffffff817f8e1a>] net_rx_action+0x1aa/0x380
[ 64.230947]  [<ffffffff810ee9d2>] __do_softirq+0x182/0x3a0
[ 64.231706]  [<ffffffff8192629c>] call_softirq+0x1c/0x30
[ 64.232451]  [<ffffffff8108040d>] do_softirq+0x5d/0xc0
[ 64.233219]  [<ffffffff810ed3d7>] local_bh_enable+0x127/0x130
[ 64.234012]  [<ffffffff8185d775>] ip_finish_output+0x365/0x640
[ 64.234842]  [<ffffffff8185fc79>] ip_output+0xb9/0x100
[ 64.235621]  [<ffffffff8185ed1c>] ip_local_out+0x4c/0x60
[ 64.236431]  [<ffffffff818611b3>] ip_send_skb+0x23/0x70
[ 64.237221]  [<ffffffff818a4bf4>] udp_send_skb+0x584/0x6e0
[ 64.237991]  [<ffffffff818a681c>] udp_sendmsg+0x4dc/0xfd0
[ 64.238788]  [<ffffffff818b93e8>] inet_sendmsg+0x108/0x160
[ 64.239604]  [<ffffffff817d0f43>] sock_sendmsg+0x133/0x170
[ 64.240413]  [<ffffffff817d1669>] SYSC_sendto+0x1e9/0x2d0
[ 64.241213]  [<ffffffff817d2329>] SyS_sendto+0x49/0x70
[ 64.241954]  [<ffffffff817d238b>] SyS_send+0x3b/0x50
[ 64.242681] Shadow bytes around the buggy address:
[ 64.243422]   ffff88003ba7b580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[ 64.244534]   ffff88003ba7b590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 64.245615]   ffff88003ba7b5a0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.246691]   ffff88003ba7b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.247768]   ffff88003ba7b5c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[ 64.248886] =>ffff88003ba7b5d0: fd fd fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa
[ 64.250001]   ffff88003ba7b5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.251084]   ffff88003ba7b5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.252162]   ffff88003ba7b600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.253236]   ffff88003ba7b610: fa fa fa fa fa fa fa fa 00 00 00 00 fa fa fa fa
[ 64.254312]   ffff88003ba7b620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[ 64.255431] Shadow byte legend (one shadow byte represents 8 application bytes):
[ 64.256500]   Addressable:           00
[ 64.257083]   Partially addressable: 01 02 03 04 05 06 07
[ 64.257851]   Heap redzone:          fa
[ 64.258397]   Freed heap region:     fd
[ 64.258942] =========================================================================

There were more use-after-free reports after these two.

The first use-after-free was caused by accessing the 'len' field of 'buffer_info->skb' in 'e1000_clean_tx_irq' (line 3835). Our guess is that 'buffer_info->skb' had been freed in another thread (the bottom frames of the stack traces are different) by 'e1000_unmap_and_free_tx_resource' (line 1972) but had not been assigned 'NULL' yet (line 1973).

The kernel version is 3.11-rc4 (last commit: b7bc9e7d808ba55729bd263b0210cda36965be32).

e1000_clean_tx_irq: http://lxr.free-electrons.com/source/drivers/net/ethernet/intel/e1000/e1000_main.c#L3835
e1000_unmap_and_free_tx_resource: http://lxr.free-electrons.com/source/drivers/net/ethernet/intel/e1000/e1000_main.c#L1958

Since these reports were caused by a system call fuzzer, I don't know how to reproduce them. Could you confirm whether this is a real bug?

Thanks!

_______________________________________________
E1000-devel mailing list
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
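The two shadow dumps in the report above can be decoded mechanically rather than by eye. The following C program is an added example written for this page; it is not part of the original message, of the kernel AddressSanitizer tool, or of the e1000 driver. It assumes only the classic ASan mapping shadow = (addr >> 3) + OFFSET with an OFFSET that is at least 16-byte aligned, so that the column of an address inside a printed 16-byte shadow row is (addr >> 3) & 0xf (an assumption about the kernel port, not something the report states). The function names, the row parser and the freed-object scan are mine; the shadow rows and the two faulting addresses are copied from the reports above with the dmesg timestamps removed. The decoder cross-checks the bracketed byte in the "=>" row against the reported address, then measures the run of 0xfd granules the access landed in.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed mapping (classic ASan): shadow = (addr >> 3) + OFFSET, OFFSET at
 * least 16-byte aligned, so a dump-row column is (addr >> 3) & 0xf. */
#define GRANULE      8      /* application bytes per shadow byte */
#define ROW_GRANULES 16     /* shadow bytes per printed row */
#define MAX_ROWS     32
#define SHADOW_FREED 0xfd   /* "Freed heap region" in the report's legend */

struct shadow_row {
    uint64_t base;               /* shadow address of byte[0] */
    uint8_t  byte[ROW_GRANULES];
    int      bracket;            /* column printed as [xx] (the "=>" row), or -1 */
};
struct freed_object { uint64_t start, len; };

static int hexval(int c) { return !isxdigit(c) ? -1 : isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Parse one row such as "=>ffff88003ba7b5c0: fd fd ... fd[fd]fd fd fd". */
int parse_shadow_row(const char *line, struct shadow_row *row)
{
    const char *p = line;
    char *end;
    while (*p == ' ') p++;
    if (p[0] == '=' && p[1] == '>') p += 2;
    row->bracket = -1;
    row->base = strtoull(p, &end, 16);
    if (end == p || *end != ':') return -1;
    p = end + 1;
    for (int i = 0; i < ROW_GRANULES; i++) {
        while (*p == ' ' || *p == ']') p++;
        if (*p == '[') { row->bracket = i; p++; }
        int hi = hexval((unsigned char)p[0]), lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
        if (hi < 0 || lo < 0) return -1;     /* short or malformed row */
        row->byte[i] = (uint8_t)(hi << 4 | lo);
        p += 2;
    }
    return 0;
}

int shadow_column(uint64_t addr) { return (int)((addr >> 3) & (ROW_GRANULES - 1)); }

/* Measure the contiguous run of 0xfd granules around the one covering addr.
 * Returns 1 and fills *obj; 0 if that granule is not freed; -1 if the dump's
 * bracketed column disagrees with addr, i.e. the report is inconsistent. */
int freed_object_extent(const struct shadow_row *rows, int nrows,
                        uint64_t addr, struct freed_object *obj)
{
    int r = -1, c = shadow_column(addr);
    for (int i = 0; i < nrows; i++) if (rows[i].bracket >= 0) r = i;
    if (r < 0 || rows[r].bracket != c) return -1;
    if (rows[r].byte[c] != SHADOW_FREED) return 0;
    int idx = r * ROW_GRANULES + c, lo = idx, hi = idx, last = nrows * ROW_GRANULES - 1;
#define AT(k) rows[(k) / ROW_GRANULES].byte[(k) % ROW_GRANULES]
    while (lo > 0 && AT(lo - 1) == SHADOW_FREED) lo--;
    while (hi < last && AT(hi + 1) == SHADOW_FREED) hi++;
#undef AT
    obj->start = (addr & ~(uint64_t)(GRANULE - 1)) - (uint64_t)(idx - lo) * GRANULE;
    obj->len = (uint64_t)(hi - lo + 1) * GRANULE;
    return 1;
}

/* Parse a whole dump (rows in ascending, consecutive order) and decode it. */
int decode_report(const char *const *lines, int nlines, uint64_t addr,
                  struct freed_object *obj)
{
    struct shadow_row rows[MAX_ROWS];
    if (nlines < 1 || nlines > MAX_ROWS) return -1;
    for (int i = 0; i < nlines; i++) {
        if (parse_shadow_row(lines[i], &rows[i]) < 0) return -1;
        if (i && rows[i].base != rows[i - 1].base + ROW_GRANULES) return -1;
    }
    return freed_object_extent(rows, nlines, addr, obj);
}

/* Rows around the "=>" marker, copied from the two reports (timestamps stripped). */
const char *const report1_lines[] = {
    "ffff88003ba7b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    "=>ffff88003ba7b5c0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd",
    "ffff88003ba7b5d0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa",
};
const char *const report2_lines[] = {
    "ffff88003ba7b5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
    "ffff88003ba7b5c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd",
    "=>ffff88003ba7b5d0: fd fd fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa",
    "ffff88003ba7b5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa",
};
#define NROWS(a) ((int)(sizeof(a) / sizeof((a)[0])))
#define REPORT1_ADDR 0xffff88002a3dae60ULL   /* first report's faulting address */
#define REPORT2_ADDR 0xffff88002a3daedcULL   /* second report's faulting address */

int main(void)
{
    const char *const *dumps[] = { report1_lines, report2_lines };
    int nrows[] = { NROWS(report1_lines), NROWS(report2_lines) };
    uint64_t addrs[] = { REPORT1_ADDR, REPORT2_ADDR };
    for (int i = 0; i < 2; i++) {
        struct freed_object o;
        int rc = decode_report(dumps[i], nrows[i], addrs[i], &o);
        if (rc != 1) { printf("report %d: decode rc=%d\n", i + 1, rc); continue; }
        printf("report %d: %#llx is %#llx bytes into a freed %llu-byte object at %#llx\n", i + 1,
               (unsigned long long)addrs[i], (unsigned long long)(addrs[i] - o.start),
               (unsigned long long)o.len, (unsigned long long)o.start);
    }
    return 0;
}
```

Run on the two dumps, the decoder finds that both accesses fall inside the same 224-byte freed region starting at ffff88002a3dae00: the first at offset 0x60, the second (the read from consume_skb) at offset 0xdc. Read together with the stack traces, that is one object freed through e1000_unmap_and_free_tx_resource and then touched again, first by the e1000_clean path and then by consume_skb on the same free path, which is the picture one would expect if buffer_info->skb was still non-NULL after the first free; the second freed run visible in rows ffff88003ba7b580 to 5a0 is also 28 granules long, consistent with objects from one slab cache. Whether 0x60 is the offset of 'len' in this build's struct sk_buff is something to confirm with pahole against the vmlinux; the decoder itself claims nothing about the struct layout. The bracket cross-check is worth keeping for an early-stage tool: if the "=>" row's bracketed column ever disagrees with (addr >> 3) & 0xf, the report is internally inconsistent and the run-length measurement should not be trusted.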
