copy_fpstate_to_sigframe() use-after-free

From: Qian Cai
Date: Tue Apr 30 2019 - 16:58:36 EST


The commit eeec00d73be2 ("x86/fpu: Fault-in user stack if
copy_fpstate_to_sigframe() fails") causes a use-after-free when running the LTP
signal06 test case. Reverting this commit fixed the issue.

[ 6150.581746] LTP: starting signal06
[ 6151.099635] ==================================================================
[ 6151.137893] BUG: KASAN: use-after-free in follow_page_mask+0x32/0x3e0
[ 6151.169683] Read of size 8 at addr ffff8884ac424048 by task signal06/45144
[ 6151.201832]
[ 6151.208652] CPU: 45 PID: 45144 Comm: signal06 Kdump: loaded Not tainted 5.1.0-rc7-next-20190430+ #8
[ 6151.251025] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS U19 12/27/2015
[ 6151.289642] Call Trace:
[ 6151.300966]  dump_stack+0x62/0x9a
[ 6151.316552]  print_address_description.cold.2+0x9/0x28b
[ 6151.340859]  __kasan_report.cold.3+0x7a/0xb5
[ 6151.360819]  ? follow_page_mask+0x32/0x3e0
[ 6151.380970]  kasan_report+0xc/0x10
[ 6151.396922]  __asan_load8+0x71/0xa0
[ 6151.413474]  follow_page_mask+0x32/0x3e0
[ 6151.431870]  __get_user_pages+0x3cc/0x7c0
[ 6151.450644]  ? follow_page_mask+0x3e0/0x3e0
[ 6151.470058]  ? lock_downgrade+0x300/0x300
[ 6151.488677]  ? __bad_area_nosemaphore+0x66/0x230
[ 6151.510560]  ? do_raw_spin_unlock+0xa8/0x140
[ 6151.530468]  __gup_longterm_locked+0x32c/0xa90
[ 6151.551432]  ? do_page_fault+0x4c/0x260
[ 6151.569327]  ? get_user_pages_unlocked+0x2b0/0x2b0
[ 6151.591874]  get_user_pages+0x60/0x70
[ 6151.609098]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6151.631612]  ? __fpu__restore_sig+0x7a0/0x7a0
[ 6151.652869]  do_signal+0x40c/0x9d0
[ 6151.669822]  ? do_send_specific+0x87/0xe0
[ 6151.690250]  ? setup_sigcontext+0x280/0x280
[ 6151.710151]  ? check_kill_permission+0x8e/0x1c0
[ 6151.731618]  ? do_send_specific+0xa6/0xe0
[ 6151.750539]  ? do_tkill+0x125/0x160
[ 6151.766493]  ? signal_fault+0x160/0x160
[ 6151.783820]  exit_to_usermode_loop+0x9d/0xc0
[ 6151.803040]  do_syscall_64+0x470/0x5d8
[ 6151.819575]  ? syscall_return_slowpath+0xf0/0xf0
[ 6151.840392]  ? __do_page_fault+0x44d/0x5b0
[ 6151.858886]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6151.882493] RIP: 0033:0x40377e
[ 6151.896645] Code: b4 00 00 00 0f 85 ae 00 00 00 89 c7 31 db ba c8 00 00 00 be 01 00 00 00 eb 0c 66 90 75 1d 81 fb 30 75 00 00 74 65 89 d0 0f 05 <f2> 0f 10 05 7a b8 21 00 83 c3 01 66 0f 2e c1 7b e1 31 c0 41 89 d8
[ 6151.984032] RSP: 002b:00007fff1fa13190 EFLAGS: 00000287 ORIG_RAX: 00000000000000c8
[ 6152.018779] RAX: 0000000000000000 RBX: 0000000000001e12 RCX: 000000000040377e
[ 6152.052252] RDX: 00000000000000c8 RSI: 0000000000000001 RDI: 000000000000b058
[ 6152.085621] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f8104e48700
[ 6152.119275] R10: fffffffffffff7a8 R11: 0000000000000287 R12: 00007f81056466c0
[ 6152.155037] R13: 00007fff1fa13360 R14: 0000000000000000 R15: 0000000000000000
[ 6152.190814]
[ 6152.197777] Allocated by task 45145:
[ 6152.214655]  __kasan_kmalloc.part.0+0x44/0xc0
[ 6152.235078]  __kasan_kmalloc.constprop.1+0xac/0xc0
[ 6152.257665]  kasan_slab_alloc+0x11/0x20
[ 6152.275711]  kmem_cache_alloc+0x131/0x360
[ 6152.294272]  vm_area_dup+0x20/0x80
[ 6152.310227]  __split_vma+0x68/0x270
[ 6152.326595]  split_vma+0x51/0x70
[ 6152.341817]  mprotect_fixup+0x469/0x540
[ 6152.359402]  do_mprotect_pkey+0x2a8/0x480
[ 6152.378313]  __x64_sys_mprotect+0x48/0x60
[ 6152.397014]  do_syscall_64+0xc8/0x5d8
[ 6152.414015]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6152.437731]
[ 6152.444797] Freed by task 45145:
[ 6152.459202]  __kasan_slab_free+0x134/0x200
[ 6152.477692]  kasan_slab_free+0xe/0x10
[ 6152.494044]  kmem_cache_free+0xa0/0x300
[ 6152.512009]  vm_area_free+0x18/0x20
[ 6152.528295]  __vma_adjust+0x2f8/0xca0
[ 6152.545417]  vma_merge+0x619/0x6d0
[ 6152.561416]  mprotect_fixup+0x2bf/0x540
[ 6152.579336]  do_mprotect_pkey+0x2a8/0x480
[ 6152.597772]  __x64_sys_mprotect+0x48/0x60
[ 6152.616119]  do_syscall_64+0xc8/0x5d8
[ 6152.633298]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6152.657665]
[ 6152.665119] The buggy address belongs to the object at ffff8884ac424008
[ 6152.665119]  which belongs to the cache vm_area_struct(96:user.slice) of size 200
[ 6152.734268] The buggy address is located 64 bytes inside of
[ 6152.734268]  200-byte region [ffff8884ac424008, ffff8884ac4240d0)
[ 6152.788643] The buggy address belongs to the page:
[ 6152.810991] page:ffffea0012b10900 count:1 mapcount:0 mapping:ffff88829c7383c0 index:0x0
[ 6152.848361] flags: 0x15fffe000000200(slab)
[ 6152.867558] raw: 015fffe000000200 ffffea00171b6c08 ffff8885928109a0 ffff88829c7383c0
[ 6152.903840] raw: 0000000000000000 0000000000070007 00000001ffffffff ffff8884da644008
[ 6152.940077] page dumped because: kasan: bad access detected
[ 6152.966181] page->mem_cgroup:ffff8884da644008
[ 6152.986737] page allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
[ 6153.036670]  prep_new_page+0x29d/0x2c0
[ 6153.054207]  get_page_from_freelist+0x95b/0x2050
[ 6153.076165]  __alloc_pages_nodemask+0x2ff/0x1b50
[ 6153.097886]  alloc_pages_current+0x9c/0x110
[ 6153.117199]  allocate_slab+0x3a7/0x850
[ 6153.134763]  new_slab+0x46/0x70
[ 6153.149507]  ___slab_alloc+0x5d3/0x9c0
[ 6153.167080]  __slab_alloc+0x12/0x20
[ 6153.184301]  kmem_cache_alloc+0x30a/0x360
[ 6153.203847]  vm_area_dup+0x20/0x80
[ 6153.221785]  __split_vma+0x68/0x270
[ 6153.238130]  split_vma+0x51/0x70
[ 6153.253442]  mprotect_fixup+0x4be/0x540
[ 6153.271351]  do_mprotect_pkey+0x2a8/0x480
[ 6153.290282]  __x64_sys_mprotect+0x48/0x60
[ 6153.308993]  do_syscall_64+0xc8/0x5d8
[ 6153.326146]
[ 6153.333065] Memory state around the buggy address:
[ 6153.355172]  ffff8884ac423f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6153.388572]  ffff8884ac423f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6153.422389] >ffff8884ac424000: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6153.456232]                                               ^
[ 6153.482324]  ffff8884ac424080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 6153.516323]  ffff8884ac424100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6153.549993] ==================================================================
[ 6153.583892] Disabling lock debugging due to kernel taint
[ 6190.482570] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 6190.519596] CPU: 0 PID: 45144 Comm: signal06 Kdump: loaded Tainted: G    B             5.1.0-rc7-next-20190430+ #8
[ 6190.568280] Hardware name: HP ProLiant XL420 Gen9/ProLiant XL420 Gen9, BIOS U19 12/27/2015
[ 6190.605290] RIP: 0010:hugetlb_fault+0x46/0x920
[ 6190.625151] Code: 41 54 53 48 83 ec 48 48 89 7d c8 4c 89 ef 89 4d c4 48 89 55 a0 e8 aa 36 02 00 49 8b 9e a0 00 00 00 48 8d 7b 20 e8 9a 36 02 00 <48> 8b 5b 20 48 8d 7b 28 e8 8d 36 02 00 48 8b 5b 28 48 8d bb 40 06
[ 6190.711533] RSP: 0018:ffff8887c7bcf820 EFLAGS: 00010282
[ 6190.734963] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: ffffffff8c33a376
[ 6190.767109] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 6b6b6b6b6b6b6b8b
[ 6190.799329] RBP: ffff8887c7bcf890 R08: fffffbfff1b05102 R09: fffffbfff1b05101
[ 6190.831304] R10: fffffbfff1b05101 R11: ffffffff8d82880b R12: 0000000000000001
[ 6190.863311] R13: ffff8884ac4240a8 R14: ffff8884ac424008 R15: 0000000000629c80
[ 6190.895367] FS:  00007f8105646740(0000) GS:ffff888453400000(0000) knlGS:0000000000000000
[ 6190.931839] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6190.957598] CR2: 00007ff1a60018c0 CR3: 0000000834bd8002 CR4: 00000000001606b0
[ 6190.989654] Call Trace:
[ 6191.000738]  ? kasan_check_read+0x11/0x20
[ 6191.019852]  handle_mm_fault+0x313/0x360
[ 6191.040562]  __get_user_pages+0x448/0x7c0
[ 6191.059723]  ? follow_page_mask+0x3e0/0x3e0
[ 6191.078545]  ? lock_downgrade+0x300/0x300
[ 6191.096551]  ? __bad_area_nosemaphore+0x66/0x230
[ 6191.117323]  ? do_raw_spin_unlock+0xa8/0x140
[ 6191.136813]  __gup_longterm_locked+0x32c/0xa90
[ 6191.156738]  ? do_page_fault+0x4c/0x260
[ 6191.174016]  ? get_user_pages_unlocked+0x2b0/0x2b0
[ 6191.195529]  get_user_pages+0x60/0x70
[ 6191.212026]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6191.233252]  ? __fpu__restore_sig+0x7a0/0x7a0
[ 6191.252704]  do_signal+0x40c/0x9d0
[ 6191.267912]  ? do_send_specific+0x87/0xe0
[ 6191.285864]  ? setup_sigcontext+0x280/0x280
[ 6191.304675]  ? check_kill_permission+0x8e/0x1c0
[ 6191.325007]  ? do_send_specific+0xa6/0xe0
[ 6191.343005]  ? do_tkill+0x125/0x160
[ 6191.358809]  ? signal_fault+0x160/0x160
[ 6191.376088]  exit_to_usermode_loop+0x9d/0xc0
[ 6191.395176]  do_syscall_64+0x470/0x5d8
[ 6191.412299]  ? syscall_return_slowpath+0xf0/0xf0
[ 6191.433590]  ? __do_page_fault+0x44d/0x5b0
[ 6191.452211]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6191.474981] RIP: 0033:0x40377e
[ 6191.488761] Code: b4 00 00 00 0f 85 ae 00 00 00 89 c7 31 db ba c8 00 00 00 be 01 00 00 00 eb 0c 66 90 75 1d 81 fb 30 75 00 00 74 65 89 d0 0f 05 <f2> 0f 10 05 7a b8 21 00 83 c3 01 66 0f 2e c1 7b e1 31 c0 41 89 d8
[ 6191.578915] RSP: 002b:00007fff1fa13190 EFLAGS: 00000287 ORIG_RAX: 00000000000000c8
[ 6191.613071] RAX: 0000000000000000 RBX: 0000000000001e12 RCX: 000000000040377e
[ 6191.645339] RDX: 00000000000000c8 RSI: 0000000000000001 RDI: 000000000000b058
[ 6191.677764] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f8104e48700
[ 6191.709916] R10: fffffffffffff7a8 R11: 0000000000000287 R12: 00007f81056466c0
[ 6191.741996] R13: 00007fff1fa13360 R14: 0000000000000000 R15: 0000000000000000
[ 6191.774072] Modules linked in: brd vfat fat ext4 crc16 mbcache jbd2 overlay loop kvm_intel kvm dax_pmem irqbypass dax_pmem_core ip_tables x_tables xfs sd_mod igb i2c_algo_bit hpsa i2c_core scsi_transport_sas dm_mirror dm_region_hash dm_log dm_mod
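The following triage helper is an added example; it is not part of Qian Cai's report or of the kernel tree. It parses the KASAN report quoted above (the sample below is a subset of those lines with the mailer's wrapping undone) and pulls out what a reviewer checks first: that the 8-byte read lands 64 bytes into a 200-byte vm_area_struct, that the shadow byte for that address is 0xfb (a freed slab object; 0xfc marks a slab redzone, 0x00 an accessible granule), which non-instrumentation frame allocated, freed and touched the object, and that the freeing task (45145) is not the faulting task (45144). The list of KASAN/slab frames to skip is this example's own heuristic, not something the report format defines.

```python
import re

# Subset of the KASAN report from the mail above, one record per line.
KASAN_REPORT = """\
[ 6151.137893] BUG: KASAN: use-after-free in follow_page_mask+0x32/0x3e0
[ 6151.169683] Read of size 8 at addr ffff8884ac424048 by task signal06/45144
[ 6151.289642] Call Trace:
[ 6151.300966]  dump_stack+0x62/0x9a
[ 6151.316552]  print_address_description.cold.2+0x9/0x28b
[ 6151.340859]  __kasan_report.cold.3+0x7a/0xb5
[ 6151.360819]  ? follow_page_mask+0x32/0x3e0
[ 6151.380970]  kasan_report+0xc/0x10
[ 6151.396922]  __asan_load8+0x71/0xa0
[ 6151.413474]  follow_page_mask+0x32/0x3e0
[ 6151.431870]  __get_user_pages+0x3cc/0x7c0
[ 6151.609098]  copy_fpstate_to_sigframe+0x31a/0x670
[ 6152.197777] Allocated by task 45145:
[ 6152.214655]  __kasan_kmalloc.part.0+0x44/0xc0
[ 6152.275711]  kmem_cache_alloc+0x131/0x360
[ 6152.294272]  vm_area_dup+0x20/0x80
[ 6152.310227]  __split_vma+0x68/0x270
[ 6152.444797] Freed by task 45145:
[ 6152.459202]  __kasan_slab_free+0x134/0x200
[ 6152.494044]  kmem_cache_free+0xa0/0x300
[ 6152.512009]  vm_area_free+0x18/0x20
[ 6152.528295]  __vma_adjust+0x2f8/0xca0
[ 6152.665119] The buggy address belongs to the object at ffff8884ac424008
[ 6152.665119]  which belongs to the cache vm_area_struct(96:user.slice) of size 200
[ 6153.333065] Memory state around the buggy address:
[ 6153.388572]  ffff8884ac423f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6153.422389] >ffff8884ac424000: fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6153.482324]  ffff8884ac424080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                       # "[ 6151.137893] " prefix
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")
# Generic KASAN/slab plumbing frames to skip when looking for the real owner
# of an access, allocation or free (heuristic chosen for this example).
INSTRUMENTATION = ("dump_stack", "print_address_description", "__kasan_",
                   "kasan_", "__asan_", "kmem_cache_", "__kmalloc", "kmalloc", "kfree")
SHADOW_MEANING = {0xfb: "freed slab object", 0xfc: "slab redzone", 0x00: "accessible"}


def first_owner_frame(frames):
    """Return the first frame that is not KASAN or allocator plumbing."""
    return next((f for f in frames if not f.startswith(INSTRUMENTATION)), None)


def shadow_byte_for(shadow_rows, addr):
    """One shadow byte covers 8 bytes of memory; a report row prints 16 of them."""
    for base, row in shadow_rows.items():
        if base <= addr < base + 8 * len(row):
            return row[(addr - base) // 8]
    return None


def parse_kasan_report(text):
    info, stacks, shadow, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := re.match(r"BUG: KASAN: (\S+) in ", line):
            info["bug"] = m.group(1)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task_pid"] = int(m.group(3), 16), int(m.group(4))
        elif line.startswith("Call Trace:"):
            current = "access"; stacks[current] = []
        elif m := re.match(r"Allocated by task (\d+):", line):
            info["alloc_pid"] = int(m.group(1)); current = "alloc"; stacks[current] = []
        elif m := re.match(r"Freed by task (\d+):", line):
            info["free_pid"] = int(m.group(1)); current = "free"; stacks[current] = []
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            info["object_start"] = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\w+).* of size (\d+)", line):
            info["cache"], info["object_size"] = m.group(1), int(m.group(2))
        elif m := SHADOW_ROW.match(line):
            shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif m := FRAME.match(line):
            if current and not m.group(1):          # "? frame" entries are unreliable
                stacks[current].append(m.group(2))
        else:
            current = None                          # any other line ends a stack
    info["offset"] = info["addr"] - info["object_start"]
    info["inside_object"] = 0 <= info["offset"] and info["offset"] + info["size"] <= info["object_size"]
    info["shadow_byte"] = shadow_byte_for(shadow, info["addr"])
    info["shadow_meaning"] = SHADOW_MEANING.get(info["shadow_byte"], "partially accessible/other")
    for key in ("access", "alloc", "free"):
        info[f"{key}_site"] = first_owner_frame(stacks.get(key, []))
    # A free from a task other than the one dereferencing the object points
    # at a lifetime race between the two rather than a local logic slip.
    info["freed_by_other_task"] = info.get("free_pid") not in (None, info["task_pid"])
    return info


def summarize(info):
    return (f"{info['bug']}: {info['access']} of {info['size']} bytes at offset {info['offset']} "
            f"inside a {info['object_size']}-byte {info['cache']} ({info['shadow_meaning']}); "
            f"allocated in {info['alloc_site']}, freed in {info['free_site']} by task "
            f"{info['free_pid']}, touched from {info['access_site']} by task {info['task_pid']}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(KASAN_REPORT)))
```

Run as-is it prints a one-line verdict for the quoted report; pointing `parse_kasan_report` at a full dmesg capture works the same way, since anything that is not a recognised record simply terminates the stack being collected.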