cgroup user-after-free
Lixiong Liu (刘利雄)
Lixiong.Liu at mediatek.com
Thu Jan 12 01:48:55 PST 2023
Hi,
We meet cgroup use-after-free happened in T SW version with
kernel-5.15.
Root cause:
cgroup_migrate_finish free cset’s cgroup,
but cgroup_sk_alloc use the freed cgroup,
then use-after-free happened.
Detail:
[name:report&]BUG: KASAN: use-after-free in cgroup_sk_alloc
[name:report&]Read of size 8 at addr ffffff80d6d2a048 by task
ChromiumNet/5259
Call trace:
dump_backtrace
show_stack
dump_stack_lvl
print_address_description
__kasan_report
kasan_report
__asan_report_load8_noabort
cgroup_sk_alloc
sk_alloc
unix_create1
unix_create
__sock_create
__sys_socket
__arm64_sys_socket
invoke_syscall
el0_svc_common
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
[name:report&]Allocated by task 1380:
____kasan_kmalloc
__kasan_kmalloc
kmem_cache_alloc_trace
find_css_set
cgroup_migrate_prepare_dst
cgroup_attach_task
__cgroup1_procs_write
cgroup1_procs_write
cgroup_file_write
kernfs_fop_write_iter
vfs_write
ksys_write
__arm64_sys_write
invoke_syscall
el0_svc_common
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
[name:report&]Freed by task 4530:
kasan_set_track
kasan_set_free_info
____kasan_slab_free
__kasan_slab_free
slab_free_freelist_hook
kmem_cache_free_bulk
kfree_rcu_work
process_one_work
worker_thread
kthread
ret_from_fork
[name:report&]Last potentially related work creation:
kasan_save_stack
__kasan_record_aux_stack
kasan_record_aux_stack_noalloc
kvfree_call_rcu
put_css_set_locked
cgroup_migrate_finish
cgroup_attach_task
__cgroup1_procs_write
cgroup1_procs_write
cgroup_file_write
kernfs_fop_write_iter
vfs_write
ksys_write
__arm64_sys_write
invoke_syscall
el0_svc_common
do_el0_svc
el0_svc
el0t_64_sync_handle
el0t_64_sync
[name:report&]The buggy address belongs to the object at
ffffff80d6d2a000 which belongs to the cache kmalloc-512 of size 512
[name:report&]The buggy address is located 72 bytes inside of
512-byte region
[name:debug&]page dumped because: kasan: bad access detected
"cgroup_sk_alloc", kernel-5.15/kernel/cgroup/cgroup.c"
cset = task_css_set(current);
if (likely(cgroup_tryget(cset->dfl_cgrp))) {
cgroup = cset->dfl_cgrp;
}
(gdb) p/x &((struct css_set *)0)->dfl_cgrp
$2 = 0x48
Do you have any suggestion for this issue?
Can we workaround this issue just by hold
css_set_lock before access cset->dfl_cgrp
in cgroup_sk_alloc?
Thanks!
Best regards,
Lixiong Liu
More information about the linux-arm-kernel
mailing list