use after free of task_struct->numa_faults in task_numa_find_cpu
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Tim Gardner | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Vivid | Fix Released | Undecided | Unassigned | |
| Wily | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | Medium | Tim Gardner | |
Bug Description
[Impact]
This use-after-free (an invalid read), which only occurs in a rare corner case, lets NUMA balancing base its decision to migrate the exiting process on numa_faults data that has already been freed.
The bug was found on the Ubuntu 3.13.0-65 kernel with KASan backported.
binary package:
http://
source code:
http://
=======
BUG: KASan: use after free in task_numa_
Read of size 8 by task qemu-system-
=======
BUG kmalloc-128 (Tainted: G B ): kasan: bad access detected
-------
INFO: Allocated in task_numa_
INFO: Freed in task_numa_
INFO: Slab 0xffffea00374e4f00 objects=37 used=17 fp=0xffff880dd3
INFO: Object 0xffff880dd393ecb0 @offset=11440 fp=0xffff880dd3
Bytes b4 ffff880dd393eca0: 0c 00 00 00 18 00 00 00 af 63 3a 04 01 00 00 00 .........c:.....
Object ffff880dd393ecb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ecc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ecd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ece0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ecf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ed00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ed10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object ffff880dd393ed20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
CPU: 61 PID: 3998900 Comm: qemu-system-x86 Tainted: G B 3.13.0-65-generic #105
Hardware name: Supermicro X8QB6/X8QB6, BIOS 2.0c 06/11/2
ffffea00374e4f00 ffff8816c572b420 ffffffff81a6ce35 ffff88045f00f500
ffff8816c572b450 ffffffff81244aed ffff88045f00f500 ffffea00374e4f00
ffff880dd393ecb0 0000000000000012 ffff8816c572b478 ffffffff8124ac36
Call Trace:
Memory state around the buggy address:
ffff880dd393eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880dd393ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880dd393ec80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb
ffff880dd393ed00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
ffff880dd393ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
=======
-------
$ addr2line 0xffffffff810dda7c -e usr/lib/
task_numa_compare
/home/gavin/
task_numa_find_cpu
/home/gavin/
1083 if (cur->numa_group == env->p->numa_group) {
1084 imp = taskimp + task_weight(cur, env->src_nid) -
1085 task_weight(cur, env->dst_nid);
In short, this is the use-after-free bug happening on the
task_struct-
[Fix]
There are 3 patches (renamed to A, B, and C) related to the backport.
However, not every distribution needs all of them, as some are already present in newer kernel versions.
A: 156654f491dd ("sched/numa: Move task_numa_free() to
__put_
Reason: This patch is included because task_numa_free() must be called from inside __put_task_struct(), since Fix C relies on
get_task_struct() to keep task_numa_free() from running while the reference is held.
B: 1effd9f19324 ("sched/numa: Fix unsafe get_task_struct() in
task_numa_
Reason: Adds a check of the PF_EXITING flag to ensure the task has not already been freed.
C: 1dff76b92f69 ("sched/numa: Fix use-after-free bug in the
task_numa_
Reason: However, as the commit message in B said "rcu_read_lock()
can't save us from the final put_task_struct() in
finish_
For v3.13 Trusty there are 3 patches needed:
- A, B, and C.
For v3.16 Utopic there are 2 patches needed:
- B and C.
For v3.19 Vivid/v4.2 Wily there is 1 patch needed:
- C. <-- clean cherry-pick.
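To make the ordering argument behind patches A, B and C concrete, here is an added user-space model of the race (constructed for this page; it is not the kernel's code and not part of the bug report). The names new_task, compare_faults, do_exit_pre_a and do_exit_post_a are assumptions of the model; compare_faults runs the victim's exit path in the window between the PF_EXITING check and the numa_faults read, which is the interleaving the KASan report caught.

```c
#include <stdlib.h>

/* Constructed user-space model (not kernel code) of the race the report
 * describes: a scheduler path reads another task's numa_faults while that
 * task may be exiting and freeing the array. */
#define PF_EXITING 0x00000004

struct task {
    unsigned long flags;
    int usage;                  /* reference count (task_struct.usage) */
    unsigned long *numa_faults;
    int faults_freed;           /* model-only: array released, reads are UAF */
};

static struct task *new_task(unsigned long faults)
{
    struct task *p = calloc(1, sizeof *p);
    p->usage = 1;
    p->numa_faults = malloc(sizeof *p->numa_faults);
    p->numa_faults[0] = faults;
    return p;
}

static void task_numa_free(struct task *p)
{
    free(p->numa_faults);   /* free(NULL) is a no-op on a second call */
    p->numa_faults = NULL;
    p->faults_freed = 1;
}

/* Patch A: numa_faults is released only when the last reference drops. */
static void put_task_struct(struct task *p) { if (--p->usage == 0) task_numa_free(p); }

/* Exit path of the victim task before and after patch A. */
static void do_exit_pre_a(struct task *p)  { p->flags |= PF_EXITING; task_numa_free(p); p->usage--; }
static void do_exit_post_a(struct task *p) { p->flags |= PF_EXITING; put_task_struct(p); }

/* Model of task_numa_compare(): exit_fn runs in the window between the
 * PF_EXITING check and the numa_faults read.  Returns the value read,
 * -2 if the task was skipped as exiting (patch B), -1 if the read would
 * have touched freed memory (the use-after-free KASan reported). */
static long compare_faults(struct task *cur, int guarded, void (*exit_fn)(struct task *))
{
    if (guarded && (cur->flags & PF_EXITING))
        return -2;
    if (guarded)
        cur->usage++;               /* get_task_struct(), patch C */
    exit_fn(cur);                   /* victim exits concurrently */
    long w = cur->faults_freed ? -1 : (long)cur->numa_faults[0];
    if (guarded)
        put_task_struct(cur);
    return w;
}
```

With B and C but without A the exiting task still frees the array underneath the held reference, which is why the Trusty backport needs all three.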
[Test Case]
Running the reproducer for about 4 weeks on the Trusty kernel with the backported patches produced no KASan error messages in dmesg.
Reproducer:
https:/
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: Triaged → Fix Committed
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu Vivid):
status: New → Fix Committed
Changed in linux (Ubuntu Wily):
status: New → Fix Committed
tags:
added: verification-done-trusty verification-done-vivid verification-done-wily
removed: verification-needed-trusty verification-needed-vivid verification-needed-wily
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1527643
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.