| Message ID | 1646297678-2141-1-git-send-email-xuyang2018.jy@fujitsu.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | syscalls/setsockopt09: Add another linux git | expand |
Hi All > On centos7.9ga, I still hit another crash problem because of use-after-free in > prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this Using free is incorrect, should modify as below: Since we still use the freed resource when timer expired Best Regards Yang Xu > case will crash after we print TPASS info. > > Signed-off-by: Yang Xu<xuyang2018.jy@fujitsu.com> > --- > testcases/kernel/syscalls/setsockopt/setsockopt09.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt09.c b/testcases/kernel/syscalls/setsockopt/setsockopt09.c > index 2fc66ebbc..62c6dea07 100644 > --- a/testcases/kernel/syscalls/setsockopt/setsockopt09.c > +++ b/testcases/kernel/syscalls/setsockopt/setsockopt09.c > @@ -19,6 +19,17 @@ > * > * net/packet: rx_owner_map depends on pg_vec > * > + * It also triggers another use-after-free problem in > + * prb_retire_rx_blk_timer_expired. > + * > + * Kernel crash fixed in: > + * > + * commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042 > + * Author: WANG Cong<xiyou.wangcong@gmail.com> > + * Date: Mon Jul 24 10:07:32 2017 -0700 > + * > + * packet: fix use-after-free in prb_retire_rx_blk_timer_expired() > + * > */ > > #define _GNU_SOURCE > @@ -110,6 +121,7 @@ static struct tst_test test = { > NULL, > }, > .tags = (const struct tst_tag[]) { > + {"linux-git", "c800aaf8d869"}, > {"linux-git", "ec6af094ea28"}, > {"CVE", "2021-22600"}, > {}
Hi Xu, > On centos7.9ga, I still hit another crash problem because of use-after-free in > prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this > case will crash after we print TPASS info. Reviewed-by: Petr Vorel <pvorel@suse.cz> LGTM. I tested two old kernels, the one with patch survives, the other got reboot. BTW funny enough the affected system manages to print "TPASS: Nothing bad happened, probably" before reboot :). Kind regards, Petr
Hi Petr > Hi Xu, > >> On centos7.9ga, I still hit another crash problem because of use-after-free in >> prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this >> case will crash after we print TPASS info. > > Reviewed-by: Petr Vorel<pvorel@suse.cz> > > LGTM. > I tested two old kernels, the one with patch survives, the other got reboot. > > BTW funny enough the affected system manages to print "TPASS: Nothing bad > happened, probably" before reboot :). Yes, it crash when timer expired, so it will print TPASS before reboot. Also, I try sleep 10ms, but it still print TPASS and reboot after serval seconds. I have wrote it in my commit message, so this should be friendly for user to know this situation. Best Regards Yang Xu > > Kind regards, > Petr
> Hi Petr > > Hi Xu, > >> On centos7.9ga, I still hit another crash problem because of use-after-free in > >> prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this > >> case will crash after we print TPASS info. > > Reviewed-by: Petr Vorel<pvorel@suse.cz> > > LGTM. > > I tested two old kernels, the one with patch survives, the other got reboot. > > BTW funny enough the affected system manages to print "TPASS: Nothing bad > > happened, probably" before reboot :). > Yes, it crash when timer expired, so it will print TPASS before reboot. > Also, I try sleep 10ms, but it still print TPASS and reboot after serval > seconds. > I have wrote it in my commit message, so this should be friendly for > user to know this situation. Sure, I didn't expect we would be able to fix this (I'm *not* voting for sleep 10+ s). It can just be a bit confusing when you read test logs if the framework does not clearly show that system got rebooted (I saw reset in dmesg but didn't believe it's caused by this test output due TPASS. Lesson learned :)). Kind regards, Petr > Best Regards > Yang Xu > > Kind regards, > > Petr
Hi Petr >> Hi Petr >>> Hi Xu, > >>>> On centos7.9ga, I still hit another crash problem because of use-after-free in >>>> prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this >>>> case will crash after we print TPASS info. > >>> Reviewed-by: Petr Vorel<pvorel@suse.cz> > >>> LGTM. >>> I tested two old kernels, the one with patch survives, the other got reboot. > >>> BTW funny enough the affected system manages to print "TPASS: Nothing bad >>> happened, probably" before reboot :). >> Yes, it crash when timer expired, so it will print TPASS before reboot. >> Also, I try sleep 10ms, but it still print TPASS and reboot after serval >> seconds. > >> I have wrote it in my commit message, so this should be friendly for >> user to know this situation. > > Sure, I didn't expect we would be able to fix this (I'm *not* voting for sleep > 10+ s). It can just be a bit confusing when you read test logs if the framework > does not clearly show that system got rebooted (I saw reset in dmesg but didn't > believe it's caused by this test output due TPASS. Lesson learned :)). Yes, it looks confused. So, how about testing 100 times in runtest/syscall and runtest/cve like "cve-2021-22555 setsockopt08 -i 100" does. ps: I tested it on old kernel and it works well. Best Regards Yang Xu > > Kind regards, > Petr > >> Best Regards >> Yang Xu > >>> Kind regards, >>> Petr
On 04. 03. 22 4:24, xuyang2018.jy@fujitsu.com wrote: > Hi Petr >> Hi Xu, >> >>> On centos7.9ga, I still hit another crash problem because of use-after-free in >>> prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this >>> case will crash after we print TPASS info. >> >> Reviewed-by: Petr Vorel<pvorel@suse.cz> >> >> LGTM. >> I tested two old kernels, the one with patch survives, the other got reboot. >> >> BTW funny enough the affected system manages to print "TPASS: Nothing bad >> happened, probably" before reboot :). > Yes, it crash when timer expired, so it will print TPASS before reboot. > Also, I try sleep 10ms, but it still print TPASS and reboot after serval > seconds. The timeout is controlled by req.tp_retire_blk_tov and the value is in milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough.
Hi Martin > On 04. 03. 22 4:24, xuyang2018.jy@fujitsu.com wrote: >> Hi Petr >>> Hi Xu, >>> >>>> On centos7.9ga, I still hit another crash problem because of use-after-free in >>>> prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this >>>> case will crash after we print TPASS info. >>> >>> Reviewed-by: Petr Vorel<pvorel@suse.cz> >>> >>> LGTM. >>> I tested two old kernels, the one with patch survives, the other got reboot. >>> >>> BTW funny enough the affected system manages to print "TPASS: Nothing bad >>> happened, probably" before reboot :). >> Yes, it crash when timer expired, so it will print TPASS before reboot. >> Also, I try sleep 10ms, but it still print TPASS and reboot after serval >> seconds. > > The timeout is controlled by req.tp_retire_blk_tov and the value is in > milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough. I tested this on my vm, it still can't ensure hit the old crash before print PASS log. Best Regards Yang Xu >
On 09. 03. 22 3:03, xuyang2018.jy@fujitsu.com wrote: > Hi Martin >> The timeout is controlled by req.tp_retire_blk_tov and the value is in >> milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough. > I tested this on my vm, it still can't ensure hit the old crash before > print PASS log. That is probably expected. You'll need make a taint check after the usleep() to detect failure. See setsockopt06 which tests for similar use-after-free in socket timer.
Hi Martin > On 09. 03. 22 3:03, xuyang2018.jy@fujitsu.com wrote: >> Hi Martin >>> The timeout is controlled by req.tp_retire_blk_tov and the value is in >>> milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough. >> I tested this on my vm, it still can't ensure hit the old crash before >> print PASS log. > > That is probably expected. You'll need make a taint check after the > usleep() to detect failure. See setsockopt06 which tests for similar > use-after-free in socket timer. I add a sleep ie setsockopt06, but it doesn't detect the kernel tainted state in time and doesn't report "Kernel is vulnerable". Best Regards Yang Xu >
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt09.c b/testcases/kernel/syscalls/setsockopt/setsockopt09.c index 2fc66ebbc..62c6dea07 100644 --- a/testcases/kernel/syscalls/setsockopt/setsockopt09.c +++ b/testcases/kernel/syscalls/setsockopt/setsockopt09.c @@ -19,6 +19,17 @@ * * net/packet: rx_owner_map depends on pg_vec * + * It also triggers another use-after-free problem in + * prb_retire_rx_blk_timer_expired. + * + * Kernel crash fixed in: + * + * commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042 + * Author: WANG Cong <xiyou.wangcong@gmail.com> + * Date: Mon Jul 24 10:07:32 2017 -0700 + * + * packet: fix use-after-free in prb_retire_rx_blk_timer_expired() + * */ #define _GNU_SOURCE @@ -110,6 +121,7 @@ static struct tst_test test = { NULL, }, .tags = (const struct tst_tag[]) { + {"linux-git", "c800aaf8d869"}, {"linux-git", "ec6af094ea28"}, {"CVE", "2021-22600"}, {}
On centos7.9ga, I still hit another crash problem because of use-after-free in prb_retire_rx_blk_timer_expired(). Since we free it when timer expired, so this case will crash after we print TPASS info. Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com> --- testcases/kernel/syscalls/setsockopt/setsockopt09.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)