Re: Invalid credentials ( __validate_creds()) due to cred->magic =="DeaD" from sys_clone() (2.6.39 PREEMPT SMP SELinux kernel)
From: Robert Święcki
Date: Tue Jun 07 2011 - 10:27:04 EST
Another BUG(), a quite obvious use-after-free - still trying to create
a reproducible testcase.
=== KDB ===
Stack traceback for pid 28120
0xffff8800cba32ee0 28120 15501 1 1 R 0xffff8800cba33360 *iknowthis
<c> ffff8800cba3dea8<c> 0000000000000018<c> ffffffff810b6f16<c>
ffff880000000104<c>
<c> ffffffff8267436f<c> ffff88010367bf00<c> ffff88010367bf00<c>
ffff8800cba3def8<c>
<c> ffffffff810b6f48<c> ffff880000000104<c> ffffffff8267436f<c>
ffff8800cba3def8<c>
Call Trace:
[<ffffffff810b6f16>] ? __invalid_creds+0x53/0x55
[<ffffffff810b6f48>] ? __validate_creds+0x30/0x37
[<ffffffff810b6fa2>] ? put_cred+0x22/0x3a
[<ffffffff810b7463>] ? commit_creds+0x1d3/0x1de
[<ffffffff810a8ea4>] ? sys_setgid+0x75/0x8d
[<ffffffff81edab82>] ? system_call_fastpath+0x16/0x1b
[1]kdb> summary
sysname Linux
release 2.6.39
version #3 SMP PREEMPT Fri May 27 15:27:03 CEST 2011
machine x86_64
nodename ise-test
domainname (none)
ccversion CCVERSION
date 2011-06-07 01:56:05 tz_minuteswest -120
uptime 13:11
load avg 14.40 14.63 16.68
MemTotal: 993059 kB
MemFree: 485955 kB
Buffers: 20849 kB
DMESG:
<3>[47480.305640] CRED: Invalid credentials
<3>[47480.315628] CRED: At include/linux/cred.h:260
<3>[47480.320595] CRED: Specified credentials: ffff88010367bf00
<3>[47480.326668] CRED: ->magic=6b6b6b6b, put_addr=6b6b6b6b6b6b6b6b
<3>[47480.333593] CRED: ->usage=1802201963, subscr=1802201963
<3>[47480.339812] CRED: ->*uid = { 1802201963,1802201963,1802201963,1802201963 }
<3>[47480.347490] CRED: ->*gid = { 1802201963,1802201963,1802201963,1802201963 }
<3>[47480.354947] CRED: ->security is 6b6b6b6b6b6b6b6b
=== KGDB ===
(gdb) bt
#0 __invalid_creds (cred=0xffff88010367bf00, file=<value optimized out>, line=<value optimized out>) at kernel/cred.c:812
#1 0xffffffff810b6f48 in __validate_creds (cred=0xffff88010367bf00, file=<value optimized out>, line=<value optimized out>) at include/linux/cred.h:186
#2 0xffffffff810b6fa2 in put_cred (_cred=<value optimized out>) at include/linux/cred.h:260
#3 0xffffffff810b7463 in commit_creds (new=0xffff88011aeda200) at kernel/cred.c:540
#4 0xffffffff810a8ea4 in sys_setgid (gid=65534) at kernel/sys.c:577
#5 <signal handler called>
#6 0x00007ff2b4b78649 in __brk_reservation_fn_dmi_alloc__ ()
#7 0xffff880118cd1770 in __brk_reservation_fn_dmi_alloc__ ()
#8 0xffffffff82a1bed0 in ?? ()
#9 0x0000000200020000 in __brk_reservation_fn_dmi_alloc__ ()
#10 0x0000000300000000 in __brk_reservation_fn_dmi_alloc__ ()
#11 0x00007ffffffff000 in __brk_reservation_fn_dmi_alloc__ ()
#12 0xffffffff810a7406 in sys_restart_syscall () at kernel/signal.c:2085
#13 0x0000000000000000 in ?? ()
[4 frames up]
#4 0xffffffff810a8ea4 in sys_setgid (gid=65534) at kernel/sys.c:577
577 return commit_creds(new);
(gdb) p *old
$1 = {usage = {counter = 1802201963}, subscribers = {counter = 1802201963}, put_addr = 0x6b6b6b6b6b6b6b6b,
  magic = 1802201963, uid = 1802201963, gid = 1802201963, suid = 1802201963, sgid = 1802201963, euid = 1802201963,
  egid = 1802201963, fsuid = 1802201963, fsgid = 1802201963, securebits = 1802201963,
  cap_inheritable = {cap = {1802201963, 1802201963}}, cap_permitted = {cap = {1802201963, 1802201963}},
  cap_effective = {cap = {1802201963, 1802201963}}, cap_bset = {cap = {1802201963, 1802201963}}, jit_keyring = 107 'k',
  thread_keyring = 0x6b6b6b6b6b6b6b6b, request_key_auth = 0x6b6b6b6b6b6b6b6b, tgcred = 0x6b6b6b6b6b6b6b6b,
  security = 0x6b6b6b6b6b6b6b6b, user = 0x6b6b6b6b6b6b6b6b, user_ns = 0x6b6b6b6b6b6b6b6b,
  group_info = 0x6b6b6b6b6b6b6b6b, rcu = {next = 0x6b6b6b6b6b6b6b6b, func = 0xa56b6b6b6b6b6b6b}}
(gdb) p *new
$2 = {usage = {counter = 2}, subscribers = {counter = 2}, put_addr = 0x0, magic = 1131636068, uid = 65534,
  gid = 65534, suid = 65534, sgid = 65534, euid = 65534, egid = 65534, fsuid = 65534, fsgid = 65534, securebits = 0,
  cap_inheritable = {cap = {0, 0}}, cap_permitted = {cap = {0, 0}}, cap_effective = {cap = {0, 0}},
  cap_bset = {cap = {4294967295, 4294967295}}, jit_keyring = 0 '\000', thread_keyring = 0x0, request_key_auth = 0x0,
  tgcred = 0xffff880101adce58, security = 0xffff8801146fb340, user = 0xffff88011fcc7240, user_ns = 0xffffffff82a21a80,
  group_info = 0xffff8800cb9fa000, rcu = {next = 0x0, func = 0}}
--
Robert Święcki
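The numbers in the CRED: report and in the gdb dump above can be decoded mechanically: every 0x6b byte is the slab free poison, the trailing 0xa5 in rcu.func is the poison end marker, and 1131636068 is the live-cred magic. The decoder below is an added example, not part of this mail or of the kernel tree; it assumes the 2.6.39 values of POISON_FREE, POISON_END, CRED_MAGIC and CRED_MAGIC_DEAD from include/linux/poison.h and include/linux/cred.h, and the CRED: lines it parses are a constructed sample mirroring the report.

```python
import re
# Constants taken from the 2.6.39 headers (include/linux/poison.h, include/linux/cred.h).
POISON_FREE = 0x6b            # byte written over a slab object when it is freed
POISON_END = 0xa5             # byte written at the last position of a poisoned object
CRED_MAGIC = 0x43736564       # "Csed": a live struct cred
CRED_MAGIC_DEAD = 0x44656144  # "DeaD": a cred that already went through put_cred()

# Constructed sample mirroring the report, with the dmesg timestamp prefix stripped.
SAMPLE_DMESG = """\
CRED: Specified credentials: ffff88010367bf00
CRED: ->magic=6b6b6b6b, put_addr=6b6b6b6b6b6b6b6b
CRED: ->usage=1802201963, subscr=1802201963
CRED: ->security is 6b6b6b6b6b6b6b6b
"""

def describe_word(value, width):
    """Name the byte pattern a field holds (width in bytes, little-endian x86_64)."""
    raw = value.to_bytes(width, "little")
    if value == CRED_MAGIC:
        return "CRED_MAGIC (live cred)"
    if value == CRED_MAGIC_DEAD:
        return "CRED_MAGIC_DEAD (cred already put)"
    if all(b == POISON_FREE for b in raw):
        return "POISON_FREE (freed slab memory)"
    if raw[-1] == POISON_END and all(b == POISON_FREE for b in raw[:-1]):
        return "POISON_FREE + POISON_END (last word of a freed object)"
    return "no known pattern"

def parse_cred_dmesg(text):
    """Pull the numeric fields of the kernel's CRED: report into a dict."""
    fields = {}
    # magic, put_addr and security are printed with %x / %p, so parse as hex
    for name, val in re.findall(r"\b(magic|put_addr|security)(?:=| is )([0-9a-f]+)", text):
        fields[name] = int(val, 16)
    # usage and subscr are printed with %d, so parse as decimal
    for name, val in re.findall(r"\b(usage|subscr)=(-?\d+)", text):
        fields[name] = int(val)
    return fields

def diagnose(fields):
    """Classify the rejected cred from its magic word; returns a short verdict."""
    magic = fields.get("magic", 0)  # missing magic falls through to "corrupted"
    if magic == CRED_MAGIC:
        return "live cred (magic intact)"
    if magic == CRED_MAGIC_DEAD:
        return "double put (cred was already released)"
    if describe_word(magic, 4).startswith("POISON_FREE"):
        return "use-after-free (object already freed and poisoned)"
    return "corrupted (unknown magic)"
```

Run against the sample it reports a use-after-free, matching the gdb view of *old, where every field except rcu.func is pure poison.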