perf: use-after-free in perf_event_for_each
From: Dmitry Vyukov
Date: Mon Jan 23 2017 - 08:30:44 EST

Hello,

The following program triggers a use-after-free in perf_event_for_each:
https://gist.githubusercontent.com/dvyukov/f1c354a8356e42f4d0b3d912e1bec956/raw/31d7ecdf6dc2c7327b80ef8581a39c823bbe405d/gistfile1.txt

BUG: KASAN: use-after-free in perf_event_for_each_child+0x15f/0x180
kernel/events/core.c:4495 at addr ffff8800680ec248
Read of size 8 by task a.out/19370
CPU: 3 PID: 19370 Comm: a.out Not tainted 4.10.0-rc5+ #186
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:328
perf_event_for_each_child+0x15f/0x180 kernel/events/core.c:4495
perf_event_for_each kernel/events/core.c:4514 [inline]
_perf_ioctl kernel/events/core.c:4671 [inline]
perf_ioctl+0x9b5/0x1480 kernel/events/core.c:4685
vfs_ioctl fs/ioctl.c:43 [inline]
do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683
SYSC_ioctl fs/ioctl.c:698 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x44d289
RSP: 002b:00007fb128517cd8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044d289
RDX: 0000000000010001 RSI: 0000000000002400 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fb1285189c0 R15: 00007fb128518700
Object at ffff8800680ec040, in cache kmalloc-2048 size: 2048
Allocated:
PID = 19367
[<ffffffff81a0942b>] kmem_cache_alloc_trace+0x10b/0x670 mm/slab.c:3629
[<ffffffff818328e5>] kzalloc include/linux/slab.h:490 [inline]
[<ffffffff818328e5>] perf_event_alloc+0x1c5/0x1ef0 kernel/events/core.c:9134
[<ffffffff8184432d>] SYSC_perf_event_open+0xb8d/0x31b0 kernel/events/core.c:9692
[<ffffffff81850419>] SyS_perf_event_open+0x39/0x50 kernel/events/core.c:9586
[<ffffffff841c8c81>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 19372
[<ffffffff81a0b103>] __cache_free mm/slab.c:3505 [inline]
[<ffffffff81a0b103>] kfree+0xd3/0x250 mm/slab.c:3822
[<ffffffff81819b6c>] free_event_rcu+0x5c/0x70 kernel/events/core.c:3828
[<ffffffff81608600>] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
[<ffffffff81608600>] rcu_do_batch.isra.70+0x9e0/0xdf0 kernel/rcu/tree.c:2780
[<ffffffff81608e82>] invoke_rcu_callbacks kernel/rcu/tree.c:3043 [inline]
[<ffffffff81608e82>] __rcu_process_callbacks kernel/rcu/tree.c:3010 [inline]
[<ffffffff81608e82>] rcu_process_callbacks+0x472/0xc70 kernel/rcu/tree.c:3027
[<ffffffff841cbfbf>] __do_softirq+0x31f/0xbe7 kernel/softirq.c:284

On commit 095cbe66973771fecd8e8b1e8763181363ef703e (Jan 22).