** Description changed:
- kernel: [284190.877125]
==================================================================
- kernel: [284190.898773] BUG: KASan: use after free in
task_numa_find_cpu+0x64c/0x890 at addr ffff880dd393ecd8
- kernel: [284190.920765] Read of size 8 by task qemu-system-x86/3998900
- kernel: [284190.931678]
=============================================================================
- kernel: [284190.953554] BUG kmalloc-128 (Tainted: G B ): kasan: bad
access detected
- kernel: [284190.975502]
-----------------------------------------------------------------------------
- kernel: [284190.975502]
- kernel: [284191.007763] INFO: Allocated in task_numa_fault+0xc1b/0xed0
age=41980 cpu=18 pid=3998890
- kernel: [284191.029051] __slab_alloc+0x4f8/0x560
- kernel: [284191.039625] __kmalloc+0x1eb/0x280
- kernel: [284191.049891] task_numa_fault+0xc1b/0xed0
- kernel: [284191.060127] do_numa_page+0x192/0x200
- kernel: [284191.070242] handle_mm_fault+0x808/0x1160
- kernel: [284191.080157] __do_page_fault+0x218/0x750
- kernel: [284191.090082] do_page_fault+0x1a/0x70
- kernel: [284191.099481] page_fault+0x28/0x30
- kernel: [284191.108724] SyS_poll+0x66/0x1a0
- kernel: [284191.117928] system_call_fastpath+0x1a/0x1f
- kernel: [284191.127199] INFO: Freed in task_numa_free+0x1d2/0x200 age=62
cpu=18 pid=0
- kernel: [284191.136694] __slab_free+0x2ab/0x3f0
- kernel: [284191.145806] kfree+0x161/0x170
- kernel: [284191.154839] task_numa_free+0x1d2/0x200
- kernel: [284191.163491] finish_task_switch+0x1d2/0x210
- kernel: [284191.171969] __schedule+0x5d4/0xc60
- kernel: [284191.180216] schedule_preempt_disabled+0x40/0xc0
- kernel: [284191.188395] cpu_startup_entry+0x2da/0x340
- kernel: [284191.196148] start_secondary+0x28f/0x360
- kernel: [284191.203870] INFO: Slab 0xffffea00374e4f00 objects=37 used=17
fp=0xffff880dd393ecb0 flags=0x6ffff0000004080
- kernel: [284191.219348] INFO: Object 0xffff880dd393ecb0 @offset=11440
fp=0xffff880dd393f700
- kernel: [284191.219348]
- kernel: [284191.241998] Bytes b4 ffff880dd393eca0: 0c 00 00 00 18 00 00 00 af
63 3a 04 01 00 00 00 .........c:.....
- kernel: [284191.256760] Object ffff880dd393ecb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.272018] Object ffff880dd393ecc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.287142] Object ffff880dd393ecd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.302631] Object ffff880dd393ece0: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.319383] Object ffff880dd393ecf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.337471] Object ffff880dd393ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.355802] Object ffff880dd393ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
- kernel: [284191.375335] Object ffff880dd393ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
- kernel: [284191.394619] CPU: 61 PID: 3998900 Comm: qemu-system-x86 Tainted: G
B 3.13.0-65-generic #105
- kernel: [284191.394624] Hardware name: Supermicro X8QB6/X8QB6, BIOS 2.0c
06/11/2
- kernel: [284191.394628] ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35
ffff88045f00f500
- kernel: [284191.394657] ffff8816c572b450 ffffffff81244aed ffff88045f00f500
ffffea00374e4f00
- kernel: [284191.394674] ffff880dd393ecb0 0000000000000012 ffff8816c572b478
ffffffff8124ac36
- kernel: [284191.394690] Call Trace:
- kernel: [284191.394704] [<ffffffff81a6ce35>] dump_stack+0x45/0x56
- kernel: [284191.394716] [<ffffffff81244aed>] print_trailer+0xfd/0x170
- kernel: [284191.394727] [<ffffffff8124ac36>] object_err+0x36/0x40
- kernel: [284191.394740] [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
- kernel: [284191.394750] [<ffffffff8124d260>] kasan_report+0x40/0x50
- kernel: [284191.394761] [<ffffffff810dda7c>] ? task_numa_find_cpu+0x64c/0x890
- kernel: [284191.394771] [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
- kernel: [284191.394784] [<ffffffff814f5c38>] ? find_next_bit+0xd8/0x120
- kernel: [284191.394794] [<ffffffff810dda7c>] task_numa_find_cpu+0x64c/0x890
- kernel: [284191.394805] [<ffffffff810de16c>] task_numa_migrate+0x4ac/0x7b0
- kernel: [284191.394816] [<ffffffff810de523>] numa_migrate_preferred+0xb3/0xc0
- kernel: [284191.394827] [<ffffffff810e0b88>] task_numa_fault+0xb88/0xed0
- kernel: [284191.394837] [<ffffffff8120ef02>] do_numa_page+0x192/0x200
- kernel: [284191.394848] [<ffffffff81211038>] handle_mm_fault+0x808/0x1160
- kernel: [284191.394858] [<ffffffff810d7dbd>] ? sched_clock_cpu+0x10d/0x160
- kernel: [284191.394873] [<ffffffff81068c52>] ? native_load_tls+0x82/0xa0
- kernel: [284191.394884] [<ffffffff81a7bd68>] __do_page_fault+0x218/0x750
- kernel: [284191.394899] [<ffffffff810c2186>] ?
hrtimer_try_to_cancel+0x76/0x160
- kernel: [284191.394912] [<ffffffff81a6f5e7>] ?
schedule_hrtimeout_range_clock.part.24+0xf7/0x1c0
- kernel: [284191.394923] [<ffffffff81a7c2ba>] do_page_fault+0x1a/0x70
- kernel: [284191.394932] [<ffffffff81a772e8>] page_fault+0x28/0x30
- kernel: [284191.394942] [<ffffffff8128cbd4>] ? do_sys_poll+0x1c4/0x6d0
- kernel: [284191.394954] [<ffffffff810e64f6>] ? enqueue_task_fair+0x4b6/0xaa0
- kernel: [284191.394969] [<ffffffff810233c9>] ? sched_clock+0x9/0x10
- kernel: [284191.394980] [<ffffffff810cf70a>] ? resched_task+0x7a/0xc0
- kernel: [284191.394992] [<ffffffff810d0663>] ? check_preempt_curr+0xb3/0x130
- kernel: [284191.395002] [<ffffffff8128b5c0>] ?
poll_select_copy_remaining+0x170/0x170
- kernel: [284191.395014] [<ffffffff810d3bc0>] ? wake_up_state+0x10/0x20
- kernel: [284191.395030] [<ffffffff8112a28f>] ?
drop_futex_key_refs.isra.14+0x1f/0x90
- kernel: [284191.395041] [<ffffffff8112d40e>] ? futex_requeue+0x3de/0xba0
- kernel: [284191.395051] [<ffffffff8112e49e>] ? do_futex+0xbe/0x8f0
- kernel: [284191.395061] [<ffffffff81022c89>] ? read_tsc+0x9/0x20
- kernel: [284191.395075] [<ffffffff8111bd9d>] ? ktime_get_ts+0x12d/0x170
- kernel: [284191.395091] [<ffffffff8108f699>] ? timespec_add_safe+0x59/0xe0
- kernel: [284191.395101] [<ffffffff8128d1f6>] SyS_poll+0x66/0x1a0
- kernel: [284191.395113] [<ffffffff81a830dd>] system_call_fastpath+0x1a/0x1f
- kernel: [284191.395116] Memory state around the buggy address:
- kernel: [284191.404972] ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc fc
- kernel: [284191.425658] ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc fc
- kernel: [284191.446199] >ffff880dd393ec80: fc fc fc fc fc fc fb fb fb fb fb
fb fb fb fb fb
- kernel: [284191.467308] ^
- kernel: [284191.477664] ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc
fc fc fc fc fc
- kernel: [284191.497868] ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc fc
- kernel: [284191.518622]
==================================================================
+ ==================================================================
+ BUG: KASan: use after free in task_numa_find_cpu+0x64c/0x890 at addr
ffff880dd393ecd8
+ Read of size 8 by task qemu-system-x86/3998900
+ =============================================================================
+ BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
+ -----------------------------------------------------------------------------
- $ addr2line 0xffffffff810dda7c -e
usr/lib/debug/boot/vmlinux-3.13.0-65-generic -f -itask_numa_compare
- /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1084
- task_numa_find_cpu
- /home/gavin/os/ubuntu-trusty-amd64/kernel/sched/fair.c:1170
+ INFO: Allocated in task_numa_fault+0xc1b/0xed0 age=41980 cpu=18 pid=3998890
+ __slab_alloc+0x4f8/0x560
+ __kmalloc+0x1eb/0x280
+ task_numa_fault+0xc1b/0xed0
+ do_numa_page+0x192/0x200
+ handle_mm_fault+0x808/0x1160
+ __do_page_fault+0x218/0x750
+ do_page_fault+0x1a/0x70
+ page_fault+0x28/0x30
+ SyS_poll+0x66/0x1a0
+ system_call_fastpath+0x1a/0x1f
+ INFO: Freed in task_numa_free+0x1d2/0x200 age=62 cpu=18 pid=0
+ __slab_free+0x2ab/0x3f0
+ kfree+0x161/0x170
+ task_numa_free+0x1d2/0x200
+ finish_task_switch+0x1d2/0x210
+ __schedule+0x5d4/0xc60
+ schedule_preempt_disabled+0x40/0xc0
+ cpu_startup_entry+0x2da/0x340
+ start_secondary+0x28f/0x360
+ INFO: Slab 0xffffea00374e4f00 objects=37 used=17 fp=0xffff880dd393ecb0
flags=0x6ffff0000004080
+ INFO: Object 0xffff880dd393ecb0 @offset=11440 fp=0xffff880dd393f700
- 1083 if (cur->numa_group == env->p->numa_group) {
- 1084 imp = taskimp + task_weight(cur, env->src_nid) -
- 1085 task_weight(cur, env->dst_nid);
-
- -------------------------8<-------------------------
-
- In short, this is the use-after-free bug which happens when the process
- is exiting and the numa_faults is freed in the task_numa_free() called
- by the finish_task_switch. While the numa balance mechanism which
- triggers the do_numa_page is calculating to determine to migrate the
- current process to another CPU, it will also need to to read the
- task_struct->numa_faults, which triggers the use-after-free bug.
-
- The Bug was found by the Ubuntu-3.13.0-65 with Kasan backported.
- Binary package: http://kernel.ubuntu.com/~gavinguo/kasan/Ubuntu-3.13.0-65.105/
- Source code:
http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=Ubuntu-3.13.0-65-kasan
+ Bytes b4 ffff880dd393eca0: 0c 00 00 00 18 00 00 00 af 63 3a 04 01 00 00 00
.........c:.....
+ Object ffff880dd393ecb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ecc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ecd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ece0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ecf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
kkkkkkkkkkkkkkkk
+ Object ffff880dd393ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5
kkkkkkkkkkkkkkk.
+ CPU: 61 PID: 3998900 Comm: qemu-system-x86 Tainted: G B
3.13.0-65-generic #105
+ Hardware name: Supermicro X8QB6/X8QB6, BIOS 2.0c 06/11/2
+ ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35 ffff88045f00f500
+ ffff8816c572b450 ffffffff81244aed ffff88045f00f500 ffffea00374e4f00
+ ffff880dd393ecb0 0000000000000012 ffff8816c572b478 ffffffff8124ac36
+ Call Trace:
+ [<ffffffff81a6ce35>] dump_stack+0x45/0x56
+ [<ffffffff81244aed>] print_trailer+0xfd/0x170
+ [<ffffffff8124ac36>] object_err+0x36/0x40
+ [<ffffffff8124cbf9>] kasan_report_error+0x1e9/0x3a0
+ [<ffffffff8124d260>] kasan_report+0x40/0x50
+ [<ffffffff810dda7c>] ? task_numa_find_cpu+0x64c/0x890
+ [<ffffffff8124bee9>] __asan_load8+0x69/0xa0
+ [<ffffffff814f5c38>] ? find_next_bit+0xd8/0x120
+ [<ffffffff810dda7c>] task_numa_find_cpu+0x64c/0x890
+ [<ffffffff810de16c>] task_numa_migrate+0x4ac/0x7b0
+ [<ffffffff810de523>] numa_migrate_preferred+0xb3/0xc0
+ [<ffffffff810e0b88>] task_numa_fault+0xb88/0xed0
+ [<ffffffff8120ef02>] do_numa_page+0x192/0x200
+ [<ffffffff81211038>] handle_mm_fault+0x808/0x1160
+ [<ffffffff810d7dbd>] ? sched_clock_cpu+0x10d/0x160
+ [<ffffffff81068c52>] ? native_load_tls+0x82/0xa0
+ [<ffffffff81a7bd68>] __do_page_fault+0x218/0x750
+ [<ffffffff810c2186>] ? hrtimer_try_to_cancel+0x76/0x160
+ [<ffffffff81a6f5e7>] ? schedule_hrtimeout_range_clock.part.24+0xf7/0x1c0
+ [<ffffffff81a7c2ba>] do_page_fault+0x1a/0x70
+ [<ffffffff81a772e8>] page_fault+0x28/0x30
+ [<ffffffff8128cbd4>] ? do_sys_poll+0x1c4/0x6d0
+ [<ffffffff810e64f6>] ? enqueue_task_fair+0x4b6/0xaa0
+ [<ffffffff810233c9>] ? sched_clock+0x9/0x10
+ [<ffffffff810cf70a>] ? resched_task+0x7a/0xc0
+ [<ffffffff810d0663>] ? check_preempt_curr+0xb3/0x130
+ [<ffffffff8128b5c0>] ? poll_select_copy_remaining+0x170/0x170
+ [<ffffffff810d3bc0>] ? wake_up_state+0x10/0x20
+ [<ffffffff8112a28f>] ? drop_futex_key_refs.isra.14+0x1f/0x90
+ [<ffffffff8112d40e>] ? futex_requeue+0x3de/0xba0
+ [<ffffffff8112e49e>] ? do_futex+0xbe/0x8f0
+ [<ffffffff81022c89>] ? read_tsc+0x9/0x20
+ [<ffffffff8111bd9d>] ? ktime_get_ts+0x12d/0x170
+ [<ffffffff8108f699>] ? timespec_add_safe+0x59/0xe0
+ [<ffffffff8128d1f6>] SyS_poll+0x66/0x1a0
+ [<ffffffff81a830dd>] system_call_fastpath+0x1a/0x1f
+ Memory state around the buggy address:
+ ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ >ffff880dd393ec80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
+ ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ==================================================================
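Review bot: the new description drops the parts that actually explain and localize the bug, and I would keep them alongside the cleaned-up KASan report rather than remove them: the addr2line resolution of ffffffff810dda7c (task_numa_compare at kernel/sched/fair.c:1084, inlined into task_numa_find_cpu at fair.c:1170), the three quoted source lines 1083-1085 showing the read of `cur->numa_group` and `task_weight(cur, env->src_nid)`, and the "In short" root-cause summary (numa_faults freed by task_numa_free() from finish_task_switch() on the exiting task while task_numa_find_cpu() on another CPU still reads task_struct->numa_faults). The report alone only shows that the 8-byte read at ffff880dd393ecd8 lands inside the kmalloc-128 object freed 62 ticks earlier (shadow bytes fb around the marked address); without the source mapping and summary a reader cannot tell which field was read or why the free races the read. The links to the KASan-enabled 3.13.0-65 binary package and source branch are the only reproduction pointers in the description and should also stay; stripping the `kernel: [284191.xxx]` prefixes and unwrapping the lines is fine as a presentation change on its own.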
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1527643
Title:
use after free of task_struct->numa_faults in task_numa_find_cpu
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1527643/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs