Re: perf: use-after-free in perf_event_for_each
From: Dmitry Vyukov
Date: Tue Jan 24 2017 - 08:29:45 EST
On Tue, Jan 24, 2017 at 2:17 PM, Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> On Mon, Jan 23, 2017 at 06:04:42PM +0100, Peter Zijlstra wrote:
>> On Mon, Jan 23, 2017 at 02:30:12PM +0100, Dmitry Vyukov wrote:
>> > Hello,
>> > The following program triggers use-after-free in perf_event_for_each:
>> > https://gist.githubusercontent.com/dvyukov/f1c354a8356e42f4d0b3d912e1bec956/raw/31d7ecdf6dc2c7327b80ef8581a39c823bbe405d/gistfile1.txt
> I've been running 60 concurrent instances of that thing for hours now,
> and have not been able to reproduce :-/
> I did enable CONFIG_KASAN but otherwise booted as normal, and the thing
> [ 0.000000] kasan: KernelAddressSanitizer initialized
> Is there anything else I should do?
Should be enough.
> I've run out of ideas and it would be very helpful if I could prod at
> something that fails...
Try to run more parallel processes at the same time.
This program will run 32 processes in a tight loop:
It triggered the UAF in several minutes for me. I have 4 CPUs in the
VM. If you have more, set number of processes to 8*CPU.
Just in case, this is my config:
$ grep "PERF" .config
# CONFIG_CGROUP_PERF is not set
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
# CONFIG_PERF_EVENTS_AMD_POWER is not set
# CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
# CONFIG_PCIEASPM_PERFORMANCE is not set
# CONFIG_RCU_PERF_TEST is not set
And here is how I start qemu:
qemu-system-x86_64 -hda wheezy.img \
  -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic \
  -kernel arch/x86/boot/bzImage \
  -append "kvm-intel.nested=1 kvm-intel.enable_apicv=1 console=ttyS0 root=/dev/sda earlyprintk=serial slub_debug=UZ vsyscall=native rodata=n oops=panic panic_on_warn=1 panic=86400" \
  -enable-kvm -pidfile vm_pid -m 2G -smp 4 -cpu host \
  -usb -usbdevice mouse -usbdevice tablet -soundhw all
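The "8 processes per CPU in a tight loop" stress described above, written out as a small harness (an added example, not the program from the thread). It assumes the reproducer is a compiled binary whose path is passed on the command line; the 8*CPU factor and the 32-worker default on 4 CPUs come from the mail, everything else is constructed here.

```c
// Parallel stress harness for reproducing a racy kernel bug: forks 8 workers
// per online CPU, each re-executing the given reproducer until a deadline.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <time.h>

/* Worker count recommended in the mail: 8 per CPU (32 on a 4-CPU VM). */
int worker_count(long ncpus) {
    if (ncpus < 1) ncpus = 1;
    return (int)(8 * ncpus);
}

/* Child body: exec the reproducer over and over until `seconds` elapse.
 * A missing or crashing reproducer just ends one iteration; the loop goes on. */
static void worker_loop(char *const argv[], int seconds) {
    time_t deadline = time(NULL) + seconds;
    while (time(NULL) < deadline) {
        pid_t pid = fork();
        if (pid == 0) { execv(argv[0], argv); _exit(127); }
        if (pid > 0) waitpid(pid, NULL, 0);
    }
    _exit(0);
}

/* Spawn worker_count(ncpus) workers and wait for all of them.
 * Returns 0 when every worker has exited, -1 if a fork failed. */
int run_stress(char *const argv[], long ncpus, int seconds) {
    int n = worker_count(ncpus);
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) worker_loop(argv, seconds);
    }
    while (wait(NULL) > 0) {}
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s ./reproducer [args...]\n", argv[0]);
        return 2;
    }
    long ncpus = sysconf(_SC_NPROCESSORS_ONLN);   /* e.g. 4 in the VM above */
    printf("running %d workers for 300s\n", worker_count(ncpus));
    return run_stress(&argv[1], ncpus, 300);
}
```

With KASAN enabled and panic_on_warn=1 as in the boot line above, the first hit stops the VM, so the harness needs no crash detection of its own.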