@kamatam9
Created January 13, 2023 00:03
PSI use-after-free
[ec2-user@ip-10-0-26-185 ~]$
[ec2-user@ip-10-0-26-185 ~]$ cat psi-uaf.c
#include <fcntl.h>
#include <sys/epoll.h>
#include <unistd.h>

int main(void)
{
    /* PSI trigger: "some" stall of 100000us (100ms) within a 1000000us (1s) window */
    const char trigger_str[] = "some 100000 1000000";
    int fd, epfd;
    struct epoll_event event;
    struct epoll_event events[1];

    /* writing the trigger string registers a psi_trigger on this open file */
    fd = open("/cgroup2/test/cpu.pressure", O_RDWR);
    write(fd, trigger_str, sizeof(trigger_str));

    /* epoll adds a wait-queue entry on the trigger's event_wait queue */
    epfd = epoll_create(1);
    event.events = EPOLLPRI | EPOLLET;
    event.data.fd = fd;
    epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
    epoll_wait(epfd, events, 1, -1);

    /* keep the process, and so its epoll instance, alive until it is killed */
    pause();
    return 0;
}
[ec2-user@ip-10-0-26-185 ~]$ gcc psi-uaf.c
[ec2-user@ip-10-0-26-185 ~]$
[ec2-user@ip-10-0-26-185 ~]$ sudo mount -t cgroup2 none /cgroup2/
[ec2-user@ip-10-0-26-185 ~]$ sudo mkdir /cgroup2/test
[ec2-user@ip-10-0-26-185 ~]$ sudo ./a.out &
[1] 2384
[ec2-user@ip-10-0-26-185 ~]$ sudo rmdir /cgroup2/test
[ec2-user@ip-10-0-26-185 ~]$ sudo killall a.out
[ec2-user@ip-10-0-26-185 ~]$
[1]+ Terminated sudo ./a.out
[ec2-user@ip-10-0-26-185 ~]$ dmesg
...
[ 102.806193] ==================================================================
[ 102.813207] BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x76/0x130
[ 102.816011] Write of size 4 at addr ffff888003324928 by task a.out/2385
[ 102.834487] CPU: 0 PID: 2385 Comm: a.out Not tainted 6.2.0-rc3 #28
[ 102.836744] Hardware name: Amazon EC2 t3.micro/, BIOS 1.0 10/16/2017
[ 102.839159] Call Trace:
[ 102.840179] <TASK>
[ 102.841141] dump_stack_lvl+0x8f/0xc0
[ 102.842611] print_report+0x16c/0x4e0
[ 102.844140] ? _raw_spin_lock_irqsave+0x76/0x130
[ 102.845863] kasan_report+0xc3/0xf0
[ 102.847312] ? mt_destroy_walk+0xa0a/0xa90
[ 102.848856] ? _raw_spin_lock_irqsave+0x76/0x130
[ 102.850560] kasan_check_range+0x2d2/0x310
[ 102.852214] _raw_spin_lock_irqsave+0x76/0x130
[ 102.854020] remove_wait_queue+0x25/0x130
[ 102.855540] ep_free+0x12d/0x220
[ 102.856906] ep_eventpoll_release+0x3c/0x40
[ 102.858463] __fput+0x32b/0x700
[ 102.862403] task_work_run+0x1db/0x230
[ 102.865666] do_exit+0x750/0x2090
[ 102.868718] do_group_exit+0x221/0x230
[ 102.871898] get_signal+0x1768/0x1810
[ 102.874963] ? __schedule+0xf60/0x16e0
[ 102.878203] arch_do_signal_or_restart+0x2e/0x4d0
[ 102.881651] exit_to_user_mode_prepare+0x94/0x100
[ 102.885056] syscall_exit_to_user_mode+0x20/0x40
[ 102.888419] do_syscall_64+0x52/0x90
[ 102.891412] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 102.894952] RIP: 0033:0x7f20be0bfb91
[ 102.898040] Code: Unable to access opcode bytes at 0x7f20be0bfb67.
[ 102.903104] RSP: 002b:00007ffe8f20f418 EFLAGS: 00000246 ORIG_RAX: 0000000000000022
[ 102.909299] RAX: fffffffffffffdfe RBX: 0000000000000000 RCX: 00007f20be0bfb91
[ 102.913767] RDX: 0000000000000001 RSI: 00007ffe8f20f428 RDI: 0000000000000004
[ 102.917980] RBP: 00007ffe8f20f460 R08: 0000000000400780 R09: 00007f20be40f240
[ 102.922173] R10: 00000000000003df R11: 0000000000000246 R12: 00000000004005a0
[ 102.927445] R13: 00007ffe8f20f540 R14: 0000000000000000 R15: 0000000000000000
[ 102.931674] </TASK>
[ 102.936679] Allocated by task 2385:
[ 102.939681] kasan_set_track+0x3d/0x60
[ 102.942802] __kasan_kmalloc+0x85/0x90
[ 102.945878] psi_trigger_create+0x155/0x850
[ 102.949189] pressure_write+0x200/0x510
[ 102.954214] cgroup_file_write+0x1de/0x3e0
[ 102.957528] kernfs_fop_write_iter+0x27d/0x380
[ 102.960842] vfs_write+0x7d7/0xaa0
[ 102.963878] ksys_write+0xd7/0x1a0
[ 102.967736] do_syscall_64+0x43/0x90
[ 102.970956] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 102.976903] Freed by task 2391:
[ 102.979839] kasan_set_track+0x3d/0x60
[ 102.982905] kasan_save_free_info+0x27/0x40
[ 102.986143] ____kasan_slab_free+0x11d/0x170
[ 102.989412] slab_free_freelist_hook+0x87/0x150
[ 102.992823] __kmem_cache_free+0xcb/0x180
[ 102.996070] psi_trigger_destroy+0x458/0x550
[ 102.999359] cgroup_file_release+0x96/0x110
[ 103.002633] kernfs_drain_open_files+0x238/0x420
[ 103.005985] kernfs_drain+0x191/0x2a0
[ 103.009015] __kernfs_remove+0x3a6/0x600
[ 103.012157] kernfs_remove_by_name_ns+0xc2/0x120
[ 103.017230] cgroup_addrm_files+0x90f/0xcf0
[ 103.020743] cgroup_destroy_locked+0x48a/0x730
[ 103.024209] cgroup_rmdir+0x2b/0x130
[ 103.028249] kernfs_iop_rmdir+0x17a/0x230
[ 103.032415] vfs_rmdir+0x196/0x410
[ 103.035508] do_rmdir+0x1c7/0x3f0
[ 103.038586] __x64_sys_rmdir+0x45/0x50
[ 103.041748] do_syscall_64+0x43/0x90
[ 103.044859] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 103.050836] The buggy address belongs to the object at ffff888003324900
which belongs to the cache kmalloc-128 of size 128
[ 103.058548] The buggy address is located 40 bytes inside of
128-byte region [ffff888003324900, ffff888003324980)
[ 103.068277] The buggy address belongs to the physical page:
[ 103.071930] page:00000000b4928b2a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3324
[ 103.078482] flags: 0x1fffff80000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
[ 103.082682] raw: 001fffff80000200 ffff8880010418c0 ffffea0000063f00 dead000000000004
[ 103.088748] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 103.094786] page dumped because: kasan: bad access detected
[ 103.100769] Memory state around the buggy address:
[ 103.104191] ffff888003324800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.110891] ffff888003324880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 103.116871] >ffff888003324900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.122768] ^
[ 103.126145] ffff888003324980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 103.132261] ffff888003324a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.138220] ==================================================================
[ 103.144469] Disabling lock debugging due to kernel taint
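The allocation and free stacks above describe a lifetime mismatch: the trigger is allocated in psi_trigger_create, freed by the rmdir path through psi_trigger_destroy while the epoll entry still points at its wait queue, and then touched again when ep_free runs remove_wait_queue. The following user-space C model is an added illustration, not code from the gist or the kernel; the function names mirror the kernel ones but are simplified stand-ins, objects carry an `alive` flag instead of being really freed so the dangling access is reported rather than crashing, and the hardened destroy follows the kernel's POLLFREE pattern (wake_up_pollfree()), which is the approach the upstream fix for this report took.

```c
#include <stddef.h>

#define POLLFREE 0x4000           /* assumed: stands in for the kernel's POLLFREE bit */

struct wait_head;
struct wait_entry {               /* models epoll's wait_queue_entry inside an eppoll_entry */
    struct wait_head *whead;      /* head the entry is linked on; NULL once unhooked */
    struct wait_entry *next;
};
struct wait_head { struct wait_entry *first; int alive; };
struct psi_trigger { struct wait_head event_wait; };  /* models struct psi_trigger */

/* poll_wait(): epoll links its entry onto the trigger's wait queue */
static void add_wait_queue(struct wait_head *h, struct wait_entry *e)
{ e->whead = h; e->next = h->first; h->first = e; }

/* ep_poll_callback(): on POLLFREE epoll forgets the head it was linked on */
static void ep_poll_callback(struct wait_entry *e, int flags)
{ if (flags & POLLFREE) e->whead = NULL; }

/* wake_up_pollfree(): wake every waiter with POLLFREE and empty the list */
static void wake_up_pollfree(struct wait_head *h)
{
    for (struct wait_entry *e = h->first; e; e = e->next)
        ep_poll_callback(e, POLLFREE);
    h->first = NULL;
}

/* ep_remove_wait_queue(): returns 1 if it would lock a freed head (the KASAN hit above) */
static int ep_remove_wait_queue(struct wait_entry *e)
{
    if (!e->whead) return 0;         /* already unhooked by POLLFREE: nothing to touch */
    if (!e->whead->alive) return 1;  /* _raw_spin_lock_irqsave on freed memory */
    e->whead = NULL; return 0;
}

/* buggy destroy: plain wake-up, then free while epoll still points at the head */
static void psi_trigger_destroy_buggy(struct psi_trigger *t) { t->event_wait.alive = 0; }
/* fixed destroy: wake with POLLFREE so epoll drops its reference before the free */
static void psi_trigger_destroy_fixed(struct psi_trigger *t)
{ wake_up_pollfree(&t->event_wait); t->event_wait.alive = 0; }

/* the gist's sequence: trigger created, epoll registered, rmdir destroys the trigger,
 * then the process exits and ep_free tears down the epoll entry */
int scenario(int use_fix)
{
    struct psi_trigger t = { { NULL, 1 } };
    struct wait_entry epoll_entry = { NULL, NULL };
    add_wait_queue(&t.event_wait, &epoll_entry);
    if (use_fix) psi_trigger_destroy_fixed(&t); else psi_trigger_destroy_buggy(&t);
    return ep_remove_wait_queue(&epoll_entry);
}
```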