x86/microcode: use-after-free after cpu offline/online

From: Andrey Ryabinin
Date: Wed Jan 25 2017 - 11:57:58 EST


On 4.10-rc5
# echo 0 > /sys/devices/system/cpu/cpu1/online
# echo 1 > /sys/devices/system/cpu/cpu1/online

triggers a use-after-free (probably caused by 06b8534cb72 "x86/microcode: Rework microcode loading").

__load_ucode_intel() accesses initrd which is obviously gone at this point:

[ 62.347662] ==================================================================
[ 62.347670] BUG: KASAN: use-after-free in find_cpio_data+0x779/0x850 at addr ffff880036e75000
[ 62.347672] Read of size 1 by task swapper/1/0
[ 62.347675] page:ffffea0000db9d40 count:0 mapcount:0 mapping: (null) index:0x1
[ 62.347677] flags: 0x100000000000000()
[ 62.347680] raw: 0100000000000000 0000000000000000 0000000000000001 00000000ffffffff
[ 62.347682] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[ 62.347682] page dumped because: kasan: bad access detected
[ 62.347685] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G W 4.10.0-rc5-debug-00075-g2dbde22 #3
[ 62.347686] Hardware name: Dell Inc. XPS 13 9360/0839Y6, BIOS 1.2.3 12/01/2016
[ 62.347687] Call Trace:
[ 62.347690] dump_stack+0xb1/0x10c
[ 62.347693] ? _atomic_dec_and_lock+0xc4/0xc4
[ 62.347696] ? __dump_page+0x529/0x760
[ 62.347699] kasan_report_error+0x5ba/0x8b0
[ 62.347702] ? pointer+0xe70/0xe70
[ 62.347704] ? find_cpio_data+0x779/0x850
[ 62.347706] __asan_report_load1_noabort+0x59/0x80
[ 62.347708] ? find_cpio_data+0x779/0x850
[ 62.347711] find_cpio_data+0x779/0x850
[ 62.347713] ? vsprintf+0x20/0x20
[ 62.347716] ? dump_stack+0x10c/0x10c
[ 62.347718] ? get_ucode_user+0x50/0x50
[ 62.347721] ? print_usage_bug+0x6e0/0x6e0
[ 62.347724] find_microcode_in_initrd+0x25f/0x330
[ 62.347726] __load_ucode_intel+0xde/0x120
[ 62.347728] ? collect_cpu_info_early+0x360/0x360
[ 62.347731] ? debug_check_no_locks_freed+0x330/0x330
[ 62.347733] load_ucode_intel_ap+0x8b/0xc0
[ 62.347735] ? collect_cpu_info+0x4e0/0x4e0
[ 62.347737] ? trace_hardirqs_on+0xd/0x10
[ 62.347740] ? flat_send_IPI_mask_allbutself+0xf0/0xf0
[ 62.347741] load_ucode_ap+0x15d/0x180
[ 62.347743] ? get_builtin_firmware+0x160/0x160
[ 62.347746] ? flush_tlb_func+0x690/0x690
[ 62.347749] ? do_raw_spin_trylock+0x110/0x110
[ 62.347752] ? cpumask_weight+0x50/0x50
[ 62.347754] cpu_init+0x7b7/0x1580
[ 62.347756] ? trace_hardirqs_off+0xd/0x10
[ 62.347758] ? play_dead_common+0x30/0x40
[ 62.347760] ? native_play_dead+0x76/0x1c0
[ 62.347762] ? hlt_play_dead+0x40/0x40
[ 62.347764] ? syscall_init+0x140/0x140
[ 62.347766] ? arch_cpu_idle_dead+0x2d/0x40
[ 62.347769] ? do_idle+0x1da/0x2f0
[ 62.347771] start_secondary+0x14/0x370
[ 62.347774] start_cpu+0x14/0x14
[ 62.347776] Memory state around the buggy address:
[ 62.347778] ffff880036e74f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.347780] ffff880036e74f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.347782] >ffff880036e75000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.347783] ^
[ 62.347785] ffff880036e75080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.347786] ffff880036e75100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 62.347787] ==================================================================
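The failure mode reported above is a lifetime bug: a boot-time buffer (the initrd) is released once init finishes, but a code path that runs again later (the AP microcode load on cpu online) still scans it. The following is an added, constructed user-space model of that lifecycle, not kernel code and not the upstream fix; every name in it (`initrd_gone`, `saved_patch`, `load_ucode_bsp`, `load_ucode_ap`, `replay_offline_online`) is an assumption of this example. It shows two defensive patterns that avoid the stale access: the scanner refuses to touch the buffer once it has been marked released, and the boot-time path caches what later CPUs need while the buffer is still valid.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: a heap buffer stands in for the initrd mapping.
 * It is released after "boot" exactly like initrd memory is, and the
 * pointer is deliberately left stale (as a physical address would be). */
#define INITRD_SIZE 64
#define PATCH_MAGIC "UCODE-PATCH-v1"
#define PATCH_LEN   (sizeof(PATCH_MAGIC))   /* includes the NUL */

static unsigned char *initrd_start;   /* model of the initrd start address */
static size_t initrd_size;
static bool initrd_gone;              /* assumption: set when initrd is freed */

/* Copy of the patch taken while the initrd was still valid (assumption). */
static unsigned char saved_patch[PATCH_LEN];
static bool have_saved_patch;

enum load_result { LOAD_NONE = 0, LOAD_FROM_INITRD = 1, LOAD_FROM_CACHE = 2 };

/* Build a model initrd with one patch blob at a fixed offset. */
void boot_populate_initrd(void)
{
    initrd_start = malloc(INITRD_SIZE);
    initrd_size = INITRD_SIZE;
    memset(initrd_start, 0, INITRD_SIZE);
    memcpy(initrd_start + 32, PATCH_MAGIC, PATCH_LEN);
    initrd_gone = false;
    have_saved_patch = false;
}

/* Model of freeing initrd memory after init: the buffer is gone, the
 * address is not cleared, only the flag records the state change. */
void free_initrd_mem(void)
{
    free(initrd_start);
    initrd_gone = true;
}

/* Scan the initrd for the patch. Returns a pointer into the initrd or
 * NULL. The guard is the point: once the initrd has been released the
 * scan bails out instead of reading freed memory. */
const unsigned char *find_microcode_in_initrd(void)
{
    if (initrd_gone || !initrd_start)
        return NULL;
    for (size_t off = 0; off + PATCH_LEN <= initrd_size; off++)
        if (memcmp(initrd_start + off, PATCH_MAGIC, PATCH_LEN) == 0)
            return initrd_start + off;
    return NULL;
}

/* Boot CPU path: runs while the initrd is valid, so cache the patch. */
enum load_result load_ucode_bsp(void)
{
    const unsigned char *p = find_microcode_in_initrd();
    if (!p)
        return LOAD_NONE;
    memcpy(saved_patch, p, PATCH_LEN);
    have_saved_patch = true;
    return LOAD_FROM_INITRD;
}

/* Secondary CPU path: may run long after boot (offline/online), so
 * prefer the cached copy and fall back to the guarded scan. */
enum load_result load_ucode_ap(void)
{
    if (have_saved_patch)
        return LOAD_FROM_CACHE;
    return find_microcode_in_initrd() ? LOAD_FROM_INITRD : LOAD_NONE;
}

/* Replay the reporter's sequence: boot, free initrd, re-online a CPU. */
enum load_result replay_offline_online(void)
{
    boot_populate_initrd();
    load_ucode_bsp();        /* BSP load, patch cached */
    load_ucode_ap();         /* AP load during boot, initrd still valid */
    free_initrd_mem();       /* init finished */
    return load_ucode_ap();  /* cpu1 offline -> online: served from cache */
}

/* Same sequence without a cache: the scan must refuse, not read freed memory. */
enum load_result replay_without_cache(void)
{
    boot_populate_initrd();
    free_initrd_mem();
    return load_ucode_ap();  /* LOAD_NONE, initrd never dereferenced */
}

int main(void)
{
    printf("late AP load: %d (2 = from cache)\n", replay_offline_online());
    printf("late AP load, no cache: %d (0 = refused)\n", replay_without_cache());
    return 0;
}
```

The model runs the same code path twice, once while the buffer is alive and once after it has been released; a sanitizer-style check like KASAN would flag only the second run in the unguarded version, which is why a flag set at the release point (or a copy taken before it) is the natural place to close this kind of bug.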