2023-02-24 08:53:02

by Chen Zhongjin

Subject: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free

KASAN reported a UAF problem in profile_tick():

BUG: KASAN: use-after-free in profile_tick+0x5c/0x80
Read of size 8 at addr ffff888100928aa0 by task bash/1108

CPU: 2 PID: 1108 Comm: bash Not tainted 5.10.0+ #72
Call Trace:
<IRQ>
dump_stack+0x93/0xc5
print_address_description.constprop.0+0x1c/0x3c0
kasan_report.cold+0x37/0x74
check_memory_region+0x161/0x1c0
profile_tick+0x5c/0x80
tick_sched_timer+0xcd/0x100
__hrtimer_run_queues+0x23e/0x480
hrtimer_interrupt+0x1c2/0x440
asm_call_irq_on_stack+0xf/0x20
</IRQ>
...

It is because in profiling_store(), profile_init() may fail and free
prof_cpu_mask. However, prof_cpu_mask is not set to NULL, so
cpumask_available(prof_cpu_mask) will return true in profile_tick().
Then cpumask_test_cpu() will dereference prof_cpu_mask and trigger the
KASAN warning.

There is no interface to disable profile_tick() even though profile_init()
has already failed. So just set prof_cpu_mask to NULL when freeing it.
Then accesses to prof_cpu_mask can be rejected by prof_buffer or
cpumask_available().

Fixes: c309b917cab5 ("cpumask: convert kernel/profile.c")
Signed-off-by: Chen Zhongjin <[email protected]>
---
kernel/profile.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/profile.c b/kernel/profile.c
index 8a77769bc4b4..d60f9634fb2a 100644
--- a/kernel/profile.c
+++ b/kernel/profile.c
@@ -133,6 +133,7 @@ int __ref profile_init(void)
return 0;

free_cpumask_var(prof_cpu_mask);
+ prof_cpu_mask = NULL;
return -ENOMEM;
}
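Review bot: the assignment `prof_cpu_mask = NULL;` added after free_cpumask_var() only compiles when CONFIG_CPUMASK_OFFSTACK=y. With CONFIG_CPUMASK_OFFSTACK=n, cpumask_var_t is `struct cpumask[1]`, an array type that cannot be assigned (the 0-day reports further down this thread fail on exactly this line, kernel/profile.c:136), and in that configuration free_cpumask_var() is a no-op and cpumask_available() is unconditionally true, so clearing the pointer cannot help there in any case. Drop this line and rely on the prof_buffer test in the profile_tick() hunk, which works in both configurations; if the pointer should still be cleared in the offstack build, that needs an #ifdef CONFIG_CPUMASK_OFFSTACK guard rather than a bare assignment.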

@@ -334,7 +335,7 @@ void profile_tick(int type)
{
struct pt_regs *regs = get_irq_regs();

- if (!user_mode(regs) && cpumask_available(prof_cpu_mask) &&
+ if (!user_mode(regs) && prof_buffer && cpumask_available(prof_cpu_mask) &&
cpumask_test_cpu(smp_processor_id(), prof_cpu_mask))
profile_hit(type, (void *)profile_pc(regs));
}
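Review bot: the new `prof_buffer &&` test is the part of this change that actually closes the window, in both cpumask configurations: on the failure path of profile_init() every buffer allocation has already failed, so prof_buffer is still NULL at the moment free_cpumask_var() runs, and the short-circuit stops profile_tick() before prof_cpu_mask is read. Since profile_tick() runs from hrtimer interrupt context (the report shows it preempting the bash task that is inside profiling_store()), this load of prof_buffer and the stores in profile_init() are concurrent plain accesses to a global; a READ_ONCE(prof_buffer) here would document that and keep the compiler from re-loading it. The changelog should also say that after a failed profile_init() prof_on stays set (only the -EINVAL path clears it), so profile_tick() keeps being called for the lifetime of the system and this guard is the only thing protecting the freed mask.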
--
2.17.1



2023-02-24 09:26:26

by Chen Zhongjin

Subject: Re: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free

get_maintainer.pl gets a misspelled mail address
'[email protected]'.

It seems that Andrew left a wrong Reviewed-by in the last commit,
so I cc Andrew separately.

Sorry for bothering.


On 2023/2/24 16:49, Chen Zhongjin wrote:
> KASAN reported a UAF problem in profile_tick():
>
> BUG: KASAN: use-after-free in profile_tick+0x5c/0x80
> Read of size 8 at addr ffff888100928aa0 by task bash/1108
>
> CPU: 2 PID: 1108 Comm: bash Not tainted 5.10.0+ #72
> Call Trace:
> <IRQ>
> dump_stack+0x93/0xc5
> print_address_description.constprop.0+0x1c/0x3c0
> kasan_report.cold+0x37/0x74
> check_memory_region+0x161/0x1c0
> profile_tick+0x5c/0x80
> tick_sched_timer+0xcd/0x100
> __hrtimer_run_queues+0x23e/0x480
> hrtimer_interrupt+0x1c2/0x440
> asm_call_irq_on_stack+0xf/0x20
> </IRQ>
> ...
>
> It is because in profiling_store(), profile_init() may fail and free
> prof_cpu_mask. However, prof_cpu_mask is not set to NULL, so
> cpumask_available(prof_cpu_mask) will return true in profile_tick().
> Then cpumask_test_cpu() will dereference prof_cpu_mask and trigger the
> KASAN warning.
>
> There is no interface to disable profile_tick() even though profile_init()
> has already failed. So just set prof_cpu_mask to NULL when freeing it.
> Then accesses to prof_cpu_mask can be rejected by prof_buffer or
> cpumask_available().
>
> Fixes: c309b917cab5 ("cpumask: convert kernel/profile.c")
> Signed-off-by: Chen Zhongjin <[email protected]>
> ---
> kernel/profile.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/profile.c b/kernel/profile.c
> index 8a77769bc4b4..d60f9634fb2a 100644
> --- a/kernel/profile.c
> +++ b/kernel/profile.c
> @@ -133,6 +133,7 @@ int __ref profile_init(void)
> return 0;
>
> free_cpumask_var(prof_cpu_mask);
> + prof_cpu_mask = NULL;
> return -ENOMEM;
> }
>
> @@ -334,7 +335,7 @@ void profile_tick(int type)
> {
> struct pt_regs *regs = get_irq_regs();
>
> - if (!user_mode(regs) && cpumask_available(prof_cpu_mask) &&
> + if (!user_mode(regs) && prof_buffer && cpumask_available(prof_cpu_mask) &&
> cpumask_test_cpu(smp_processor_id(), prof_cpu_mask))
> profile_hit(type, (void *)profile_pc(regs));
> }

2023-02-24 16:27:55

by kernel test robot

Subject: Re: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free

Hi Chen,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on next-20230224]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Chen-Zhongjin/x86-profiling-Set-prof_cpu_mask-to-NULL-after-free/20230224-165419
patch link: https://lore.kernel.org/r/20230224084945.134038-1-chenzhongjin%40huawei.com
patch subject: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free
config: openrisc-randconfig-r012-20230222 (https://download.01.org/0day-ci/archive/20230225/[email protected]/config)
compiler: or1k-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/ed9b4879e816862f4f6210b1c429bcbebac6d317
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Chen-Zhongjin/x86-profiling-Set-prof_cpu_mask-to-NULL-after-free/20230224-165419
git checkout ed9b4879e816862f4f6210b1c429bcbebac6d317
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=openrisc olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=openrisc SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/

All errors (new ones prefixed by >>):

kernel/profile.c: In function 'profile_init':
>> kernel/profile.c:136:23: error: assignment to expression with array type
136 | prof_cpu_mask = NULL;
| ^


vim +136 kernel/profile.c

98
99
100 int __ref profile_init(void)
101 {
102 int buffer_bytes;
103 if (!prof_on)
104 return 0;
105
106 /* only text is profiled */
107 prof_len = (_etext - _stext) >> prof_shift;
108
109 if (!prof_len) {
110 pr_warn("profiling shift: %u too large\n", prof_shift);
111 prof_on = 0;
112 return -EINVAL;
113 }
114
115 buffer_bytes = prof_len*sizeof(atomic_t);
116
117 if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL))
118 return -ENOMEM;
119
120 cpumask_copy(prof_cpu_mask, cpu_possible_mask);
121
122 prof_buffer = kzalloc(buffer_bytes, GFP_KERNEL|__GFP_NOWARN);
123 if (prof_buffer)
124 return 0;
125
126 prof_buffer = alloc_pages_exact(buffer_bytes,
127 GFP_KERNEL|__GFP_ZERO|__GFP_NOWARN);
128 if (prof_buffer)
129 return 0;
130
131 prof_buffer = vzalloc(buffer_bytes);
132 if (prof_buffer)
133 return 0;
134
135 free_cpumask_var(prof_cpu_mask);
> 136 prof_cpu_mask = NULL;
137 return -ENOMEM;
138 }
139

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

2023-02-24 22:17:18

by kernel test robot

Subject: Re: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free

Hi Chen,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.2 next-20230224]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Chen-Zhongjin/x86-profiling-Set-prof_cpu_mask-to-NULL-after-free/20230224-165419
patch link: https://lore.kernel.org/r/20230224084945.134038-1-chenzhongjin%40huawei.com
patch subject: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free
config: arm-randconfig-r004-20230222 (https://download.01.org/0day-ci/archive/20230225/[email protected]/config)
compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project db89896bbbd2251fff457699635acbbedeead27f)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://github.com/intel-lab-lkp/linux/commit/ed9b4879e816862f4f6210b1c429bcbebac6d317
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Chen-Zhongjin/x86-profiling-Set-prof_cpu_mask-to-NULL-after-free/20230224-165419
git checkout ed9b4879e816862f4f6210b1c429bcbebac6d317
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm olddefconfig
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/

All errors (new ones prefixed by >>):

>> kernel/profile.c:136:16: error: array type 'cpumask_var_t' (aka 'struct cpumask[1]') is not assignable
prof_cpu_mask = NULL;
~~~~~~~~~~~~~ ^
1 error generated.


vim +136 kernel/profile.c

98
99
100 int __ref profile_init(void)
101 {
102 int buffer_bytes;
103 if (!prof_on)
104 return 0;
105
106 /* only text is profiled */
107 prof_len = (_etext - _stext) >> prof_shift;
108
109 if (!prof_len) {
110 pr_warn("profiling shift: %u too large\n", prof_shift);
111 prof_on = 0;
112 return -EINVAL;
113 }
114
115 buffer_bytes = prof_len*sizeof(atomic_t);
116
117 if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL))
118 return -ENOMEM;
119
120 cpumask_copy(prof_cpu_mask, cpu_possible_mask);
121
122 prof_buffer = kzalloc(buffer_bytes, GFP_KERNEL|__GFP_NOWARN);
123 if (prof_buffer)
124 return 0;
125
126 prof_buffer = alloc_pages_exact(buffer_bytes,
127 GFP_KERNEL|__GFP_ZERO|__GFP_NOWARN);
128 if (prof_buffer)
129 return 0;
130
131 prof_buffer = vzalloc(buffer_bytes);
132 if (prof_buffer)
133 return 0;
134
135 free_cpumask_var(prof_cpu_mask);
> 136 prof_cpu_mask = NULL;
137 return -ENOMEM;
138 }
139

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

2023-02-25 09:43:47

by Chen Zhongjin

Subject: Re: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free

prof_cpu_mask can't be set to NULL when CONFIG_CPUMASK_OFFSTACK=n,
because it is an array.

But checking prof_buffer can still prevent prof_cpu_mask from being used in
profile_tick() and fix this problem.

Will push another version for this.


On 2023/2/25 6:16, kernel test robot wrote:
> Hi Chen,
>
> Thank you for the patch! Yet something to improve:
>
> [auto build test ERROR on linus/master]
> [also build test ERROR on v6.2 next-20230224]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Chen-Zhongjin/x86-profiling-Set-prof_cpu_mask-to-NULL-after-free/20230224-165419
> patch link: https://lore.kernel.org/r/20230224084945.134038-1-chenzhongjin%40huawei.com
> patch subject: [PATCH] x86: profiling: Set prof_cpu_mask to NULL after free
> config: arm-randconfig-r004-20230222 (https://download.01.org/0day-ci/archive/20230225/[email protected]/config)
> compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project db89896bbbd2251fff457699635acbbedeead27f)
> reproduce (this is a W=1 build):
> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # install arm cross compiling tool for clang build
> # apt-get install binutils-arm-linux-gnueabi
> # https://github.com/intel-lab-lkp/linux/commit/ed9b4879e816862f4f6210b1c429bcbebac6d317
> git remote add linux-review https://github.com/intel-lab-lkp/linux
> git fetch --no-tags linux-review Chen-Zhongjin/x86-profiling-Set-prof_cpu_mask-to-NULL-after-free/20230224-165419
> git checkout ed9b4879e816862f4f6210b1c429bcbebac6d317
> # save the config file
> mkdir build_dir && cp config build_dir/.config
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm olddefconfig
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash
>
> If you fix the issue, kindly add following tag where applicable
> | Reported-by: kernel test robot <[email protected]>
> | Link: https://lore.kernel.org/oe-kbuild-all/[email protected]/
>
> All errors (new ones prefixed by >>):
>
>>> kernel/profile.c:136:16: error: array type 'cpumask_var_t' (aka 'struct cpumask[1]') is not assignable
> prof_cpu_mask = NULL;
> ~~~~~~~~~~~~~ ^
> 1 error generated.
>
>
> vim +136 kernel/profile.c
>
> 98
> 99
> 100 int __ref profile_init(void)
> 101 {
> 102 int buffer_bytes;
> 103 if (!prof_on)
> 104 return 0;
> 105
> 106 /* only text is profiled */
> 107 prof_len = (_etext - _stext) >> prof_shift;
> 108
> 109 if (!prof_len) {
> 110 pr_warn("profiling shift: %u too large\n", prof_shift);
> 111 prof_on = 0;
> 112 return -EINVAL;
> 113 }
> 114
> 115 buffer_bytes = prof_len*sizeof(atomic_t);
> 116
> 117 if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL))
> 118 return -ENOMEM;
> 119
> 120 cpumask_copy(prof_cpu_mask, cpu_possible_mask);
> 121
> 122 prof_buffer = kzalloc(buffer_bytes, GFP_KERNEL|__GFP_NOWARN);
> 123 if (prof_buffer)
> 124 return 0;
> 125
> 126 prof_buffer = alloc_pages_exact(buffer_bytes,
> 127 GFP_KERNEL|__GFP_ZERO|__GFP_NOWARN);
> 128 if (prof_buffer)
> 129 return 0;
> 130
> 131 prof_buffer = vzalloc(buffer_bytes);
> 132 if (prof_buffer)
> 133 return 0;
> 134
> 135 free_cpumask_var(prof_cpu_mask);
> > 136 prof_cpu_mask = NULL;
> 137 return -ENOMEM;
> 138 }
> 139
>
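As an added illustration of the failure mode described in the commit message at the top of the thread and of the CONFIG_CPUMASK_OFFSTACK point made in this reply, the following is a constructed userspace model, not kernel code: the `prof_state` structs, the `fail_buffer_alloc` fault-injection knob and the one-slot quarantine are assumptions of the model, chosen so that the dangling pointer can be compared rather than dereferenced.

```c
/* Userspace model of the profile_tick() use-after-free discussed in the
 * thread. Constructed example: the types, state structs and fault-injection
 * knob are stand-ins for kernel/profile.c, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define NR_CPUS 8

struct cpumask { unsigned long bits; };

/* One-slot quarantine standing in for KASAN: a "freed" mask is parked here
 * instead of being handed back to the allocator, so a later use of the
 * dangling pointer can be detected by comparison instead of performed. */
static struct cpumask *quarantined_mask;

static void free_cpumask_var(struct cpumask *m)
{
    free(quarantined_mask);
    quarantined_mask = m;
}

/* Globals of kernel/profile.c, modelled for CONFIG_CPUMASK_OFFSTACK=y,
 * where cpumask_var_t is a pointer and cpumask_available() is a NULL test. */
struct prof_state {
    struct cpumask *prof_cpu_mask;
    int *prof_buffer;
    bool fail_buffer_alloc;   /* constructed knob: make every buffer allocation fail */
};

/* Mirrors the unpatched failure path: the mask is freed, the pointer is
 * left dangling, and prof_buffer stays NULL. */
static int profile_init(struct prof_state *s)
{
    s->prof_cpu_mask = calloc(1, sizeof *s->prof_cpu_mask);
    if (!s->prof_cpu_mask)
        return -ENOMEM;
    s->prof_cpu_mask->bits = (1UL << NR_CPUS) - 1;   /* cpumask_copy(cpu_possible_mask) */

    s->prof_buffer = s->fail_buffer_alloc ? NULL : calloc(64, sizeof *s->prof_buffer);
    if (s->prof_buffer)
        return 0;

    free_cpumask_var(s->prof_cpu_mask);   /* pointer left dangling, as before the patch */
    return -ENOMEM;
}

enum tick_result { TICK_SKIPPED, TICK_HIT, TICK_USE_AFTER_FREE };

/* Unpatched profile_tick(): cpumask_available() is true for the dangling
 * pointer, so cpumask_test_cpu() would read freed memory (the KASAN report). */
static enum tick_result profile_tick_unpatched(const struct prof_state *s, int cpu)
{
    if (!s->prof_cpu_mask)                      /* cpumask_available() */
        return TICK_SKIPPED;
    if (s->prof_cpu_mask == quarantined_mask)   /* the access KASAN flagged */
        return TICK_USE_AFTER_FREE;
    return (s->prof_cpu_mask->bits & (1UL << cpu)) ? TICK_HIT : TICK_SKIPPED;
}

/* Patched profile_tick(): prof_buffer is tested first. On the failure path
 * it is still NULL when the mask is freed, so the mask is never touched. */
static enum tick_result profile_tick_patched(const struct prof_state *s, int cpu)
{
    if (!s->prof_buffer)
        return TICK_SKIPPED;
    return profile_tick_unpatched(s, cpu);
}

/* CONFIG_CPUMASK_OFFSTACK=n: cpumask_var_t is struct cpumask[1], embedded in
 * the state. "prof_cpu_mask = NULL" does not compile (the robot's error),
 * free_cpumask_var() is a no-op and cpumask_available() is always true, so
 * the prof_buffer test is the only guard that can work in this build. */
struct prof_state_onstack {
    struct cpumask prof_cpu_mask[1];
    int *prof_buffer;
};

static enum tick_result profile_tick_patched_onstack(const struct prof_state_onstack *s, int cpu)
{
    if (!s->prof_buffer)
        return TICK_SKIPPED;
    return (s->prof_cpu_mask[0].bits & (1UL << cpu)) ? TICK_HIT : TICK_SKIPPED;
}

/* Drives the scenarios; returns 0 when the model behaves as the thread describes. */
static int run_model(void)
{
    struct prof_state s = { .fail_buffer_alloc = true };
    if (profile_init(&s) != -ENOMEM)
        return 1;
    if (profile_tick_unpatched(&s, 2) != TICK_USE_AFTER_FREE)
        return 2;
    if (profile_tick_patched(&s, 2) != TICK_SKIPPED)
        return 3;

    struct prof_state ok = { .fail_buffer_alloc = false };
    if (profile_init(&ok) != 0 || profile_tick_patched(&ok, 2) != TICK_HIT)
        return 4;
    free(ok.prof_buffer);
    free(ok.prof_cpu_mask);

    struct prof_state_onstack on = { .prof_buffer = NULL };
    on.prof_cpu_mask[0].bits = (1UL << NR_CPUS) - 1;
    if (profile_tick_patched_onstack(&on, 2) != TICK_SKIPPED)
        return 5;
    return 0;
}
```

The model makes the ordering argument explicit: on the failure path `prof_buffer` is already NULL when the mask is freed, so testing it first is sufficient under both configurations, whereas the NULL assignment only has a type to assign to in the offstack build.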