From: Peng Liu
Subject: [PATCH 1/3] kunit: fix UAF when run kfence test case test_gfpzero
Date: Wed, 9 Mar 2022 01:47:03 +0000
Message-ID: <20220309014705.1265861-2-liupeng256@huawei.com>
In-Reply-To: <20220309014705.1265861-1-liupeng256@huawei.com>
References: <20220309014705.1265861-1-liupeng256@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Kunit will create a new thread to run an actual test case, and the main
process will wait for the completion of the actual test thread until
overtime. The variable "struct kunit test" has local property in function
kunit_try_catch_run, and will be used in the test case thread. Task
kunit_try_catch_run will free "struct kunit test" when kunit runs overtime,
but the actual test case is still run and a UAF bug will be triggered.

The above problem has been observed both on a physical machine and a qemu
platform when running kfence kunit tests. The problem can be triggered
when setting CONFIG_KFENCE_DYNAMIC_OBJECTS = 65535. Under this setting, the
test case test_gfpzero will cost hours and kunit will run to overtime. The
following shows the panic log.

BUG: unable to handle page fault for address: ffffffff82d882e9
Call Trace:
 kunit_log_append+0x58/0xd0
 ...
 test_alloc.constprop.0.cold+0x6b/0x8a [kfence_test]
 test_gfpzero.cold+0x61/0x8ab [kfence_test]
 kunit_try_run_case+0x4c/0x70
 kunit_generic_run_threadfn_adapter+0x11/0x20
 kthread+0x166/0x190
 ret_from_fork+0x22/0x30
Kernel panic - not syncing: Fatal exception
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014

To solve this problem, the test case thread should be stopped when the
kunit frame runs overtime. The stop signal will be sent in function
kunit_try_catch_run, and test_gfpzero will handle it.

Signed-off-by: Peng Liu
---
 lib/kunit/try-catch.c   | 1 +
 mm/kfence/kfence_test.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c index be38a2c5ecc2..6b3d4db94077 100644 --- a/lib/kunit/try-catch.c +++ b/lib/kunit/try-catch.c @@ -78,6 +78,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context) if (time_remaining == 0) { kunit_err(test, "try timed out\n"); try_catch->try_result = -ETIMEDOUT; + kthread_stop(task_struct); } exit_code = try_catch->try_result; diff --git a/mm/kfence/kfence_test.c b/mm/kfence/kfence_test.c index 50dbb815a2a8..caed6b4eba94 100644 --- a/mm/kfence/kfence_test.c +++ b/mm/kfence/kfence_test.c @@ -623,7 +623,7 @@ static void test_gfpzero(struct kunit *test) break; test_free(buf2); - if (i == CONFIG_KFENCE_NUM_OBJECTS) { + if (kthread_should_stop() || (i == CONFIG_KFENCE_NUM_OBJECTS)) { kunit_warn(test, "giving up ... cannot get same object back\n"); return; } -- 2.18.0.huawei.25
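Review bot: the added `kthread_stop(task_struct);` in the `time_remaining == 0` branch of kunit_try_catch_run blocks until the test thread exits, so for any case that never polls kthread_should_stop() the timeout now hangs the runner instead of freeing `test` under it; that contract (long-running cases must poll kthread_should_stop()) belongs in the commit message and in a comment next to the call. The call also assumes the task_struct returned by kthread_run() is still valid, and nothing in this hunk shows a reference being held on it: if the thread exits between the timed-out wait and this call, the stop itself touches a released task. Suggest creating the thread with kthread_create(), taking get_task_struct() before waking it, and dropping the reference with put_task_struct() after the stop.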
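Review bot: on the `+ if (kthread_should_stop() || (i == CONFIG_KFENCE_NUM_OBJECTS))` line in test_gfpzero the stop path falls through to the existing `kunit_warn(test, "giving up ... cannot get same object back\n")`, which misattributes the exit to object exhaustion; split the condition so the stop case logs its own reason before returning. The poll also sits after `test_free(buf2)`, so a stop request is only honoured once the current allocation round has completed, and this is the only kfence case being made stoppable; checking kthread_should_stop() at the top of the loop would react sooner, and the commit message should say that the other long-running cases keep the original behaviour.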
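As an added illustration, not part of this patch or of the kernel's kunit code, the following user-space C model shows the ownership problem the commit message describes and the shape of the fix: the runner keeps the test context on its own stack, a worker thread borrows it, and when the wait times out the runner must ask the worker to stop and then wait for it to exit before the context goes out of scope. The names (struct run_ctx, run_case_with_timeout, slow_case, fast_case) and the pthread/atomic-flag mechanics are assumptions of this model, standing in for kthread_run(), kthread_stop() and kthread_should_stop(); the timeouts and the two sample bodies are constructed for the demonstration.

```c
/* Added example, not kernel code: a user-space model of the kunit
 * try-catch runner and the lifetime rule the patch enforces. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Model of the runner-owned "struct kunit test": it lives on the
 * runner's stack and is only borrowed by the worker thread. */
struct run_ctx {
    pthread_mutex_t lock;
    pthread_cond_t done_cv;
    bool done;                /* worker finished its body */
    atomic_bool should_stop;  /* stands in for kthread_should_stop() */
    atomic_int iterations;    /* work the body managed to do */
};

static void mark_done(struct run_ctx *ctx)
{
    pthread_mutex_lock(&ctx->lock);
    ctx->done = true;
    pthread_cond_signal(&ctx->done_cv);
    pthread_mutex_unlock(&ctx->lock);
}

/* Constructed body that would loop "for hours", like test_gfpzero with a
 * huge CONFIG_KFENCE_NUM_OBJECTS, but that polls the stop flag each round. */
static void *slow_case(void *arg)
{
    struct run_ctx *ctx = arg;
    const struct timespec one_ms = { .tv_sec = 0, .tv_nsec = 1000000L };

    while (!atomic_load(&ctx->should_stop)) {
        atomic_fetch_add(&ctx->iterations, 1);
        nanosleep(&one_ms, NULL);
    }
    mark_done(ctx);
    return NULL;
}

/* Constructed body that completes well within any timeout. */
static void *fast_case(void *arg)
{
    struct run_ctx *ctx = arg;
    atomic_fetch_add(&ctx->iterations, 1);
    mark_done(ctx);
    return NULL;
}

/* Runner with the fixed ordering: wait for the body with a timeout, and if
 * the wait expires request a stop; in every outcome the worker is joined
 * before ctx leaves this frame, so it can never touch a freed context.
 * Returns 0 on completion, -ETIMEDOUT if the body had to be stopped;
 * *iterations receives the body's work count for inspection. */
int run_case_with_timeout(void *(*body)(void *), unsigned timeout_ms,
                          int *iterations)
{
    struct run_ctx ctx = { .done = false };
    struct timespec deadline;
    pthread_t worker;
    int rc = 0;

    pthread_mutex_init(&ctx.lock, NULL);
    pthread_cond_init(&ctx.done_cv, NULL);
    atomic_init(&ctx.should_stop, false);
    atomic_init(&ctx.iterations, 0);

    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec += 1;
        deadline.tv_nsec -= 1000000000L;
    }

    if (pthread_create(&worker, NULL, body, &ctx) != 0)
        return -EAGAIN;

    pthread_mutex_lock(&ctx.lock);
    while (!ctx.done) {
        if (pthread_cond_timedwait(&ctx.done_cv, &ctx.lock, &deadline) == ETIMEDOUT) {
            rc = -ETIMEDOUT;
            break;
        }
    }
    pthread_mutex_unlock(&ctx.lock);

    /* The step the unpatched runner skipped: a timeout alone does not end
     * the worker.  Ask it to stop (kthread_stop() analogue) ... */
    if (rc == -ETIMEDOUT)
        atomic_store(&ctx.should_stop, true);
    /* ... and only then wait for it, before ctx goes out of scope. */
    pthread_join(worker, NULL);

    *iterations = atomic_load(&ctx.iterations);
    pthread_cond_destroy(&ctx.done_cv);
    pthread_mutex_destroy(&ctx.lock);
    return rc;
}

int main(void)
{
    int it;
    int rc = run_case_with_timeout(fast_case, 2000, &it);
    printf("fast case: rc=%d iterations=%d\n", rc, it);
    rc = run_case_with_timeout(slow_case, 50, &it);
    printf("slow case: rc=%d (-ETIMEDOUT=%d) iterations=%d\n", rc, -ETIMEDOUT, it);
    return 0;
}
```

The model carries the same caveat as the kernel change: the join only returns because slow_case polls the stop flag on every round. A body that never checks it would turn the timeout into an indefinite wait rather than a use-after-free, which is the trade the patch makes and which every long-running case has to honour.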