Bug 196145

Summary: BUG: KASAN: use-after-free in find_cpio_data
Product: Platform Specific/Hardware
Reporter: Johannes Hirte (johannes.hirte)
Component: x86-64
Assignee: platform_x86_64 (platform_x86_64)
Status: NEW
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.12.0-rc6
Subsystem:
Regression: No
Bisected commit-id:

Description Johannes Hirte 2017-06-21 11:24:11 UTC
With "CPU microcode loading support" enabled, I get this use-after-free:

[39364.873907] x86: Booting SMP configuration:
[39364.873911] smpboot: Booting Node 0 Processor 1 APIC 0x11
[39364.874059] ==================================================================
[39364.874075] BUG: KASAN: use-after-free in find_cpio_data+0x867/0x9d0
[39364.874078] Read of size 1 at addr ffff88003731d000 by task swapper/1/0

[39364.874085] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc6-00018-g9705596d08ac #228
[39364.874087] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.07 11/01/2016
[39364.874089] Call Trace:
[39364.874097]  dump_stack+0x9e/0x125
[39364.874099]  ? _atomic_dec_and_lock+0x15b/0x15b
[39364.874104]  ? load_image_and_restore+0xf6/0xf6
[39364.874106]  ? find_cpio_data+0x867/0x9d0
[39364.874111]  print_address_description+0x73/0x280
[39364.874113]  ? find_cpio_data+0x867/0x9d0
[39364.874115]  kasan_report+0x24e/0x340
[39364.874117]  __asan_report_load1_noabort+0x14/0x20
[39364.874119]  find_cpio_data+0x867/0x9d0
[39364.874121]  ? vsnprintf+0x280/0x14d0
[39364.874123]  ? dump_stack+0x125/0x125
[39364.874125]  ? pointer+0x9f0/0x9f0
[39364.874127]  ? snprintf+0x8f/0xc0
[39364.874128]  ? vsprintf+0x20/0x20
[39364.874132]  find_microcode_in_initrd+0x20b/0x390
[39364.874134]  ? get_builtin_firmware+0x5f/0x120
[39364.874136]  __load_ucode_amd+0x307/0x3b0
[39364.874138]  ? apply_microcode_amd+0x3e0/0x3e0
[39364.874142]  ? debug_smp_processor_id+0x17/0x20
[39364.874147]  ? rcu_note_context_switch+0x189/0x1810
[39364.874150]  ? ktime_get+0xbc/0x160
[39364.874152]  ? rcu_gp_kthread+0x1b80/0x1b80
[39364.874155]  ? switch_mm_irqs_off+0xde/0xfe0
[39364.874157]  load_ucode_amd_ap+0x9c/0x170
[39364.874159]  ? load_ucode_amd_ap+0x9c/0x170
[39364.874161]  ? __load_ucode_amd+0x3b0/0x3b0
[39364.874164]  ? pick_next_task_fair+0x88c/0x1270
[39364.874170]  ? _raw_spin_unlock_irq+0x110/0x110
[39364.874172]  load_ucode_ap+0x7f/0x90
[39364.874175]  cpu_init+0xd7c/0x15a0
[39364.874178]  ? default_send_IPI_single+0x77/0xa0
[39364.874180]  ? native_send_call_func_single_ipi+0x5b/0x70
[39364.874182]  ? syscall_init+0x140/0x140
[39364.874185]  ? flush_smp_call_function_queue+0x430/0x430
[39364.874187]  ? sched_clock_cpu+0x1b/0x1e0
[39364.874188]  ? sched_clock_cpu+0x1b/0x1e0
[39364.874191]  ? preempt_notifier_dec+0x20/0x20
[39364.874194]  ? cpuhp_create+0x90/0x90
[39364.874196]  ? smp_call_function_single+0x245/0x6d0
[39364.874198]  ? debug_smp_processor_id+0x17/0x20
[39364.874200]  ? cpu_report_death+0x73/0x320
[39364.874202]  ? _raw_spin_unlock_irqrestore+0xb8/0x120
[39364.874204]  ? _raw_spin_unlock_irq+0x110/0x110
[39364.874206]  ? cpu_wait_death+0x7f0/0x7f0
[39364.874208]  ? debug_smp_processor_id+0x17/0x20
[39364.874210]  ? native_play_dead+0xf2/0x120
[39364.874213]  ? arch_cpu_idle_dead+0x28/0x40
[39364.874215]  ? do_idle+0x206/0x2b0
[39364.874217]  start_secondary+0x12/0x2c0
[39364.874219]  ? start_secondary+0x12/0x2c0
[39364.874222]  secondary_startup_64+0x9f/0x9f

[39364.874225] The buggy address belongs to the page:
[39364.874230] page:ffffea0000dcc740 count:0 mapcount:0 mapping:          (null) index:0x1
[39364.874233] flags: 0x1000000000000000()
[39364.874237] raw: 1000000000000000 0000000000000000 0000000000000001 00000000ffffffff
[39364.874239] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[39364.874240] page dumped because: kasan: bad access detected

[39364.874242] Memory state around the buggy address:
[39364.874244]  ffff88003731cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874245]  ffff88003731cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874247] >ffff88003731d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874248]                    ^
[39364.874250]  ffff88003731d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874251]  ffff88003731d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874251] ==================================================================
[39364.874253] Disabling lock debugging due to kernel taint


I've seen this with an initramfs without any CPU microcode added after S3 resume.
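The function that faulted in the trace above, find_cpio_data, walks the initrd (a "newc" cpio archive) looking for one entry by name; for AMD the microcode loader asks for "kernel/x86/microcode/AuthenticAMD.bin". The block below is an added example and not the kernel's code: a newc scan in which every header field, name and data offset is checked against the buffer length before it is read, exercised on a constructed in-memory archive. The names cpio_find, cpio_append and build_demo_archive, and the archive contents, are this example's own. Note what such checks do and do not cover: they stop a truncated or corrupt archive from driving the scan past the end of the buffer, but the report above shows a read of a page that KASAN marks as freed (memory state ff, page count:0), and no length check inside the buffer can tell that the buffer itself is gone. That case is caught only by a tool like KASAN or by a rule about when the initrd may still be scanned.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* newc cpio: 110-byte ASCII header ("070701" + 13 fields of 8 hex digits),
   NUL-terminated name, pad to 4, file data, pad to 4. The archive ends with
   an entry named "TRAILER!!!". */
#define NEWC_MAGIC   "070701"
#define NEWC_HDR_LEN 110
#define FIELD(k)     (6 + 8 * (k))   /* byte offset of hex field k (0-based) */

struct cpio_hit {
    const unsigned char *data;       /* points into the caller's archive buffer */
    size_t size;
};

static size_t align4(size_t x) { return (x + 3) & ~(size_t)3; }

/* Decode n ASCII hex digits at p into *out; returns 0 on a non-hex byte. */
static int parse_hex(const unsigned char *p, size_t n, uint32_t *out)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        uint32_t d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = (v << 4) | d;
    }
    *out = v;
    return 1;
}

/* Scan buf[0..len) for the entry named path. Every offset is checked against
   len before it is dereferenced, so a truncated or corrupt archive stops the
   scan instead of running past the buffer. Returns 1 and fills *hit on
   success, 0 if the entry is absent or the archive is malformed. */
int cpio_find(const unsigned char *buf, size_t len, const char *path,
              struct cpio_hit *hit)
{
    size_t off = 0, want = strlen(path);

    while (off <= len && len - off >= NEWC_HDR_LEN) {
        const unsigned char *h = buf + off;
        uint32_t filesize, namesize;

        if (memcmp(h, NEWC_MAGIC, 6) != 0)
            return 0;
        if (!parse_hex(h + FIELD(6), 8, &filesize) ||   /* c_filesize */
            !parse_hex(h + FIELD(11), 8, &namesize))    /* c_namesize */
            return 0;
        if (namesize == 0 || namesize > len - off - NEWC_HDR_LEN)
            return 0;

        const unsigned char *name = h + NEWC_HDR_LEN;
        size_t data_off = align4(off + NEWC_HDR_LEN + namesize);
        if (data_off > len || filesize > len - data_off)
            return 0;

        if (namesize == 11 && memcmp(name, "TRAILER!!!", 11) == 0)
            return 0;                                   /* end of archive */
        if (namesize == want + 1 && memcmp(name, path, want) == 0 &&
            name[want] == '\0') {
            hit->data = buf + data_off;
            hit->size = filesize;
            return 1;
        }
        off = align4(data_off + filesize);
    }
    return 0;
}

/* Append one newc entry to out at byte offset off; returns the new offset.
   The caller guarantees out has enough room. */
size_t cpio_append(unsigned char *out, size_t off, const char *name,
                   const unsigned char *data, size_t size)
{
    size_t namesize = strlen(name) + 1;
    char hdr[NEWC_HDR_LEN + 1];

    /* ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
       rdevmajor, rdevminor, namesize, check */
    snprintf(hdr, sizeof hdr,
             "070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x",
             1u, 0100644u, 0u, 0u, 1u, 0u, (unsigned)size,
             0u, 0u, 0u, 0u, (unsigned)namesize, 0u);
    memcpy(out + off, hdr, NEWC_HDR_LEN);
    off += NEWC_HDR_LEN;
    memcpy(out + off, name, namesize);
    off += namesize;
    memset(out + off, 0, align4(off) - off);   /* pad name to 4 bytes */
    off = align4(off);
    if (size)
        memcpy(out + off, data, size);
    off += size;
    memset(out + off, 0, align4(off) - off);   /* pad data to 4 bytes */
    return align4(off);
}

/* Constructed archive (not a real initrd): two files plus the trailer. */
size_t build_demo_archive(unsigned char *out)
{
    size_t off = 0;
    off = cpio_append(out, off, "kernel/x86/microcode/AuthenticAMD.bin",
                      (const unsigned char *)"AMD-UCODE", 9);
    off = cpio_append(out, off, "etc/hostname",
                      (const unsigned char *)"probook\n", 8);
    off = cpio_append(out, off, "TRAILER!!!", NULL, 0);
    return off;
}

int main(void)
{
    unsigned char archive[512];
    struct cpio_hit hit;
    size_t len = build_demo_archive(archive);

    if (cpio_find(archive, len, "kernel/x86/microcode/AuthenticAMD.bin", &hit))
        printf("found microcode blob: %zu bytes\n", hit.size);
    /* Hand the scanner a truncated length: it must stop without touching
       bytes past len, even though they are physically present here. */
    printf("truncated archive: %s\n",
           cpio_find(archive, 290, "etc/hostname", &hit) ? "found" : "not found");
    return 0;
}
```

The scanner takes the archive length as an explicit parameter and never trusts a header field to extend past it; the truncated-length call in main is the case a corrupt initrd would exercise. It cannot, and is not meant to, detect the situation in this report, where the length and pointer are stale because the pages they describe were freed.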