kvm: use-after-free/GPF in kvm_irq_delivery_to_apic_fast

From: Dmitry Vyukov
Date: Sat Nov 12 2016 - 15:11:50 EST


Hello,

The following program triggers a use-after-free in kvm_irq_delivery_to_apic_fast:
https://gist.githubusercontent.com/dvyukov/68a25fb4f8f48807fb7cdf3ebbb84e58/raw/b7b85810a1070c93387ece6d2388da8dbe937452/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

==================================================================
BUG: KASAN: use-after-free in
kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003da49610
Read of size 8 by task a.out/2749
CPU: 1 PID: 2749 Comm: a.out Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88003be37740 ffffffff81c2e46b ffff88003e816d40 ffff88003da495f8
ffff88003da49788 0000000000000000 ffff88003be37768 ffffffff8165ab9c
ffffed0007b492c2 ffffed0007b492c2 ffff88003e816d40 ffff88003be377e8
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81c2e46b>] dump_stack+0xb3/0x118 lib/dump_stack.c:51
[<ffffffff8165ab9c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
[< inline >] print_address_description mm/kasan/report.c:194
[< inline >] kasan_report_error mm/kasan/report.c:283
[<ffffffff8165aed1>] kasan_report+0x231/0x500 mm/kasan/report.c:303
[<ffffffff8165b214>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:329
[<ffffffff8112092a>] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210
arch/x86/kvm/lapic.c:824
[<ffffffff8112e3f2>] kvm_irq_delivery_to_apic+0x132/0x9a0
arch/x86/kvm/irq_comm.c:72
[<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
[<ffffffff81070961>] kvm_send_userspace_msi+0x201/0x280
arch/x86/kvm/../../../virt/kvm/irqchip.c:74
[<ffffffff810668a5>] kvm_vm_ioctl+0xba5/0x1670
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
Object at ffff88003da495f8, in cache anon_vma_chain size: 80
Allocated:
PID = 2683
[ 140.731021] [<ffffffff811abb36>] save_stack_trace+0x16/0x20
[ 140.731021] [<ffffffff81659ee6>] save_stack+0x46/0xd0
[ 140.731021] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0
[ 140.731021] [<ffffffff8165a6c2>] kasan_slab_alloc+0x12/0x20
[ 140.731021] [<ffffffff816552ec>] kmem_cache_alloc+0xbc/0x260
[ 140.731021] [<ffffffff8160f746>] anon_vma_prepare+0xb6/0x530
[ 140.731021] [<ffffffff815ea4f4>] handle_mm_fault+0x17d4/0x1e70
[ 140.731021] [<ffffffff8120fbf8>] __do_page_fault+0x4f8/0xae0
[ 140.731021] [<ffffffff812102a3>] trace_do_page_fault+0x93/0x450
[ 140.731021] [<ffffffff81202ba4>] do_async_page_fault+0x14/0x70
[ 140.731021] [<ffffffff831f1f78>] async_page_fault+0x28/0x30
Freed:
PID = 2683
[ 140.731021] [<ffffffff811abb36>] save_stack_trace+0x16/0x20
[ 140.731021] [<ffffffff81659ee6>] save_stack+0x46/0xd0
[ 140.731021] [<ffffffff8165a741>] kasan_slab_free+0x71/0xb0
[ 140.731021] [<ffffffff816562a5>] kmem_cache_free+0xb5/0x2d0
[ 140.731021] [<ffffffff8160e4ac>] unlink_anon_vmas+0x12c/0x700
[ 140.731021] [<ffffffff815e1c1d>] free_pgtables+0x1bd/0x3b0
[ 140.731021] [<ffffffff815fe0c2>] exit_mmap+0x212/0x3d0
[ 140.731021] [<ffffffff812345c5>] mmput+0x95/0x300
[ 140.731021] [<ffffffff8124885d>] do_exit+0x71d/0x2bc0
[ 140.731021] [<ffffffff8124efa8>] do_group_exit+0x108/0x330
[ 140.731021] [<ffffffff8124f1ed>] SyS_exit_group+0x1d/0x20
[ 140.731021] [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Memory state around the buggy address:
ffff88003da49500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88003da49580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb
>ffff88003da49600: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
^
ffff88003da49680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88003da49700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================



Sometimes it also crashes with a slab-out-of-bounds report:

BUG: KASAN: slab-out-of-bounds in
kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
Read of size 8 by task syz-executor/22923
CPU: 0 PID: 22923 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff880067d8f740 ffffffff81c2e46b ffff88003e9fafc0 ffff88003d9ca5d8
ffff88003d9ca7a8 0000000000000000 ffff880067d8f768 ffffffff8165ab9c
ffffed0007b394ea ffffed0007b394ea ffff88003e9fafc0 ffff880067d8f7e8
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff81c2e46b>] dump_stack+0xb3/0x118 lib/dump_stack.c:51
[<ffffffff8165ab9c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
[< inline >] print_address_description mm/kasan/report.c:194
[< inline >] kasan_report_error mm/kasan/report.c:283
[<ffffffff8165aed1>] kasan_report+0x231/0x500 mm/kasan/report.c:303
[<ffffffff8165b214>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:329
[<ffffffff8112092a>] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210
arch/x86/kvm/lapic.c:824
[<ffffffff8112e3f2>] kvm_irq_delivery_to_apic+0x132/0x9a0
arch/x86/kvm/irq_comm.c:72
[<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
[<ffffffff81070961>] kvm_send_userspace_msi+0x201/0x280
arch/x86/kvm/../../../virt/kvm/irqchip.c:74
[<ffffffff810668a5>] kvm_vm_ioctl+0xba5/0x1670
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88003d9ca5d8, in cache kernfs_node_cache size: 152
Allocated:
PID = 1
[ 1582.592315] [<ffffffff811abb36>] save_stack_trace+0x16/0x20
arch/x86/kernel/stacktrace.c:57
[ 1582.592315] [<ffffffff81659ee6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[ 1582.592315] [< inline >] set_track mm/kasan/kasan.c:507
[ 1582.592315] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0
mm/kasan/kasan.c:598
[ 1582.592315] [<ffffffff8165a6c2>] kasan_slab_alloc+0x12/0x20
mm/kasan/kasan.c:537
[ 1582.592315] [< inline >] slab_post_alloc_hook mm/slab.h:417
[ 1582.592315] [< inline >] slab_alloc_node mm/slub.c:2708
[ 1582.592315] [< inline >] slab_alloc mm/slub.c:2716
[ 1582.592315] [<ffffffff816552ec>] kmem_cache_alloc+0xbc/0x260 mm/slub.c:2721
[ 1582.592315] [< inline >] kmem_cache_zalloc include/linux/slab.h:626
[ 1582.592315] [<ffffffff817f298c>] __kernfs_new_node+0x6c/0x2b0
fs/kernfs/dir.c:619
[ 1582.592315] [<ffffffff817f5ed0>] kernfs_new_node+0x80/0xe0
fs/kernfs/dir.c:651
[ 1582.592315] [<ffffffff817f680d>] kernfs_create_dir_ns+0x3d/0x130
fs/kernfs/dir.c:923
[ 1582.592315] [< inline >] kernfs_create_dir
include/linux/kernfs.h:467
[ 1582.592315] [<ffffffff817ff113>] internal_create_group+0x113/0x9b0
fs/sysfs/group.c:124
[ 1582.592315] [<ffffffff817ff9cf>] sysfs_create_group+0x1f/0x30
fs/sysfs/group.c:156
[ 1582.592315] [< inline >] kernel_add_sysfs_param kernel/params.c:851
[ 1582.592315] [< inline >] param_sysfs_builtin kernel/params.c:888
[ 1582.592315] [<ffffffff83f727d3>] param_sysfs_init+0x31d/0x38c
kernel/params.c:1009
[ 1582.592315] [<ffffffff81000560>] do_one_initcall+0xa0/0x230 init/main.c:778
[ 1582.592315] [< inline >] do_initcall_level init/main.c:844
[ 1582.592315] [< inline >] do_initcalls init/main.c:852
[ 1582.592315] [< inline >] do_basic_setup init/main.c:870
[ 1582.592315] [<ffffffff83f2fcac>] kernel_init_freeable+0x48d/0x546
init/main.c:1017
[ 1582.592315] [<ffffffff831dc9c3>] kernel_init+0x13/0x180 init/main.c:943
[ 1582.592315] [<ffffffff831f102a>] ret_from_fork+0x2a/0x40
arch/x86/entry/entry_64.S:433


I am also getting GPFs in this function:

general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 25060 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003ca02dc0 task.stack: ffff88003bd20000
RIP: 0010:[<ffffffff8111fb8b>] [< inline >] kvm_apic_set_irq
arch/x86/kvm/lapic.c:493
RIP: 0010:[<ffffffff8111fb8b>] [<ffffffff8111fb8b>]
kvm_irq_delivery_to_apic_fast+0x45b/0x1210 arch/x86/kvm/lapic.c:828
RSP: 0018:ffff88003bd27808 EFLAGS: 00010a07
RAX: 896f75003880d045 RBX: dffffc0000000000 RCX: ffffc90000b65000
RDX: 112deea007101a84 RSI: 0000000000000004 RDI: 896f75003880d425
RBP: ffff88003bd278e8 R08: 0000000000000023 R09: 0000000000000000
R10: ffffffff84da2600 R11: 1ffff100077a4ed2 R12: 0000000000000002
R13: ffff88003bd27978 R14: ffff88003bd27a70 R15: ffffffff81e5f63b
FS: 00007f4746517700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000003bc6d000 CR4: 00000000000026f0
DR0: 0000000000011000 DR1: 000000000000f000 DR2: 0000000000010000
DR3: 000000000000f000 DR6: 00000000ffff0ff3 DR7: 0000000000000400
Stack:
ffffffff8111f813 ffffffff813382ce ffff88003ec21580 1ffff100077a4f0c
ffffed00077a4f4f ffff88003bd27a7a ffff88003d780490 ffff88003bd27880
0000000000000000 ffff88003d7804a0 0000000000000000 0000000041b58ab3
Call Trace:
[<ffffffff8112e3f2>] kvm_irq_delivery_to_apic+0x132/0x9a0
arch/x86/kvm/irq_comm.c:72
[<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
[<ffffffff81070961>] kvm_send_userspace_msi+0x201/0x280
arch/x86/kvm/../../../virt/kvm/irqchip.c:74
[<ffffffff810668a5>] kvm_vm_ioctl+0xba5/0x1670
arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Code: bf 98 00 00 00 48 89 fa 48 c1 ea 03 80 3c 1a 00 0f 85 09 0d 00
00 49 8b 87 98 00 00 00 48 8d b8 e0 03 00 00 48 89 fa 48 c1 ea 03 <80>
3c 1a 00 0f 85 f4 0c 00 00 4c 8b 90 e0 03 00 00 48 8b 85 40
RIP [< inline >] kvm_apic_set_irq arch/x86/kvm/lapic.c:493
RIP [<ffffffff8111fb8b>] kvm_irq_delivery_to_apic_fast+0x45b/0x1210
arch/x86/kvm/lapic.c:828
RSP <ffff88003bd27808>
---[ end trace a99d569255e525d1 ]---
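The report above is the raw material a triager works from, so here is an added example (written for this page, not code from Dmitry's mail, syzkaller or the kernel tree) of a small Python helper that parses KASAN slab reports of exactly the shape printed above, including the mail-wrapped continuation lines and the "[ ts ]" prefixes on the alloc/free stacks. The two sample reports embedded in it are constructed abbreviations of the use-after-free and slab-out-of-bounds reports from this mail; every function and regex name is this example's own.

```python
"""Triage helper for KASAN slab reports. Added example, not code from this thread or the kernel."""
import re
from collections import namedtuple
from typing import List, Optional

# Constructed samples: the two reports in this mail, trimmed to the lines the parser reads.
# Mail-wrapped continuation lines and "[ ts ]" prefixes are kept on purpose.
SAMPLE_UAF = """\
BUG: KASAN: use-after-free in
kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003da49610
Read of size 8 by task a.out/2749
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff8165b214>] __asan_report_load8_noabort+0x14/0x20
mm/kasan/report.c:329
[<ffffffff8112092a>] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210
arch/x86/kvm/lapic.c:824
[<ffffffff8112ed71>] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
Object at ffff88003da495f8, in cache anon_vma_chain size: 80
Allocated:
PID = 2683
[ 140.731021] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0
[ 140.731021] [<ffffffff8160f746>] anon_vma_prepare+0xb6/0x530
Freed:
PID = 2683
[ 140.731021] [<ffffffff8165a741>] kasan_slab_free+0x71/0xb0
[ 140.731021] [<ffffffff8160e4ac>] unlink_anon_vmas+0x12c/0x700
Memory state around the buggy address:
"""
SAMPLE_OOB = """\
BUG: KASAN: slab-out-of-bounds in
kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
Read of size 8 by task syz-executor/22923
Call Trace:
[<ffffffff81c2e46b>] dump_stack+0xb3/0x118 lib/dump_stack.c:51
[<ffffffff8112092a>] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210
arch/x86/kvm/lapic.c:824
Object at ffff88003d9ca5d8, in cache kernfs_node_cache size: 152
Allocated:
PID = 1
[ 1582.592315] [<ffffffff817f298c>] __kernfs_new_node+0x6c/0x2b0
fs/kernfs/dir.c:619
"""

FRAME_RE = re.compile(r"\[<\s*(?:inline|[0-9a-f]+)\s*>\]\s+(?P<func>\S+)"
                      r"(?:\s+(?P<loc>\S+\.[A-Za-z]+:\d+))?")  # loc may sit on the next (wrapped) line
HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in\s+\S+\s+at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<comm>\S+)/(?P<pid>\d+)")
OBJECT_RE = re.compile(r"Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<osize>\d+)")
# Reporting machinery; the first frame not starting with one of these is the real access site.
INFRA = ("__dump_stack", "dump_stack", "kasan_", "__asan_", "print_address_description", "save_stack")
Frame = namedtuple("Frame", "func loc")

def first_non_infra(frames: List[Frame]) -> Optional[Frame]:
    return next((f for f in frames if not f.func.startswith(INFRA)), None)

def _frames(text: str) -> List[Frame]:
    return [Frame(m["func"], m["loc"]) for m in FRAME_RE.finditer(text)]

def _section(text: str, start: str, end: str) -> str:
    """Text between the first `start` marker and the following `end` marker (or EOF)."""
    i = text.find(start)
    if i < 0:
        return ""
    j = text.find(end, i + len(start))
    return text[i + len(start):j if j >= 0 else len(text)]

def _pid(section: str) -> Optional[int]:
    m = re.search(r"PID = (\d+)", section)
    return int(m[1]) if m else None

def parse_kasan_report(text: str) -> dict:
    """Facts a triager wants before opening the source, pulled from one KASAN slab report."""
    h, a, o = HEADER_RE.search(text), ACCESS_RE.search(text), OBJECT_RE.search(text)
    if not (h and a and o):
        raise ValueError("not a KASAN slab report")
    trace = _frames(_section(text, "Call Trace:", "Object at"))
    alloc = _section(text, "Allocated:", "Freed:")
    freed = _section(text, "Freed:", "Memory state")  # the OOB report has no Freed: section -> empty
    addr, obj, size = int(h["addr"], 16), int(o["obj"], 16), int(o["osize"])
    site, alloc_site, free_site = (first_non_infra(f) for f in (trace, _frames(alloc), _frames(freed)))
    alloc_pid, free_pid = _pid(alloc), _pid(freed)
    return {
        "kind": h["kind"], "task": f'{a["comm"]}/{a["pid"]}',
        "site": site.func if site else None, "source": site.loc if site else None,
        "op": a["op"], "access_size": int(a["size"]), "cache": o["cache"], "obj_size": size,
        "offset": addr - obj,                       # byte offset of the access inside the slab object
        "within_object": 0 <= addr - obj < size,    # a UAF lands inside the object, an OOB read outside it
        "alloc_by": alloc_site.func if alloc_site else None, "alloc_pid": alloc_pid,
        "freed_by": free_site.func if free_site else None, "free_pid": free_pid,
        "same_task_alloc_free": alloc_pid is not None and alloc_pid == free_pid,
    }

if __name__ == "__main__":
    for sample in (SAMPLE_UAF, SAMPLE_OOB):
        print(parse_kasan_report(sample))
```

Run stand-alone it prints one dict per report. Put side by side, the two outputs show the same access site (lapic.c:824) hitting an 80-byte anon_vma_chain object at offset 24 in one run and a 152-byte kernfs_node_cache object at offset 376 in the other, with allocation and free stacks that have nothing to do with KVM, which is the pattern to note when deciding whether the stale pointer lives in the KVM state rather than in the object KASAN happened to name.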