Bug 196145 - BUG: KASAN: use-after-free in find_cpio_data
Summary: BUG: KASAN: use-after-free in find_cpio_data
Status: NEW
Alias: None
Product: Platform Specific/Hardware
Classification: Unclassified
Component: x86-64
Hardware: All Linux
Importance: P1 normal
Assignee: platform_x86_64@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-21 11:24 UTC by Johannes Hirte
Modified: 2017-06-21 11:24 UTC
CC List: 0 users

See Also:
Kernel Version: 4.12.0-rc6
Subsystem:
Regression: No
Bisected commit-id:

Description Johannes Hirte 2017-06-21 11:24:11 UTC
With "CPU microcode loading support" enabled I get this use-after-free:

[39364.873907] x86: Booting SMP configuration:
[39364.873911] smpboot: Booting Node 0 Processor 1 APIC 0x11
[39364.874059] ==================================================================
[39364.874075] BUG: KASAN: use-after-free in find_cpio_data+0x867/0x9d0
[39364.874078] Read of size 1 at addr ffff88003731d000 by task swapper/1/0

[39364.874085] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc6-00018-g9705596d08ac #228
[39364.874087] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.07 11/01/2016
[39364.874089] Call Trace:
[39364.874097]  dump_stack+0x9e/0x125
[39364.874099]  ? _atomic_dec_and_lock+0x15b/0x15b
[39364.874104]  ? load_image_and_restore+0xf6/0xf6
[39364.874106]  ? find_cpio_data+0x867/0x9d0
[39364.874111]  print_address_description+0x73/0x280
[39364.874113]  ? find_cpio_data+0x867/0x9d0
[39364.874115]  kasan_report+0x24e/0x340
[39364.874117]  __asan_report_load1_noabort+0x14/0x20
[39364.874119]  find_cpio_data+0x867/0x9d0
[39364.874121]  ? vsnprintf+0x280/0x14d0
[39364.874123]  ? dump_stack+0x125/0x125
[39364.874125]  ? pointer+0x9f0/0x9f0
[39364.874127]  ? snprintf+0x8f/0xc0
[39364.874128]  ? vsprintf+0x20/0x20
[39364.874132]  find_microcode_in_initrd+0x20b/0x390
[39364.874134]  ? get_builtin_firmware+0x5f/0x120
[39364.874136]  __load_ucode_amd+0x307/0x3b0
[39364.874138]  ? apply_microcode_amd+0x3e0/0x3e0
[39364.874142]  ? debug_smp_processor_id+0x17/0x20
[39364.874147]  ? rcu_note_context_switch+0x189/0x1810
[39364.874150]  ? ktime_get+0xbc/0x160
[39364.874152]  ? rcu_gp_kthread+0x1b80/0x1b80
[39364.874155]  ? switch_mm_irqs_off+0xde/0xfe0
[39364.874157]  load_ucode_amd_ap+0x9c/0x170
[39364.874159]  ? load_ucode_amd_ap+0x9c/0x170
[39364.874161]  ? __load_ucode_amd+0x3b0/0x3b0
[39364.874164]  ? pick_next_task_fair+0x88c/0x1270
[39364.874170]  ? _raw_spin_unlock_irq+0x110/0x110
[39364.874172]  load_ucode_ap+0x7f/0x90
[39364.874175]  cpu_init+0xd7c/0x15a0
[39364.874178]  ? default_send_IPI_single+0x77/0xa0
[39364.874180]  ? native_send_call_func_single_ipi+0x5b/0x70
[39364.874182]  ? syscall_init+0x140/0x140
[39364.874185]  ? flush_smp_call_function_queue+0x430/0x430
[39364.874187]  ? sched_clock_cpu+0x1b/0x1e0
[39364.874188]  ? sched_clock_cpu+0x1b/0x1e0
[39364.874191]  ? preempt_notifier_dec+0x20/0x20
[39364.874194]  ? cpuhp_create+0x90/0x90
[39364.874196]  ? smp_call_function_single+0x245/0x6d0
[39364.874198]  ? debug_smp_processor_id+0x17/0x20
[39364.874200]  ? cpu_report_death+0x73/0x320
[39364.874202]  ? _raw_spin_unlock_irqrestore+0xb8/0x120
[39364.874204]  ? _raw_spin_unlock_irq+0x110/0x110
[39364.874206]  ? cpu_wait_death+0x7f0/0x7f0
[39364.874208]  ? debug_smp_processor_id+0x17/0x20
[39364.874210]  ? native_play_dead+0xf2/0x120
[39364.874213]  ? arch_cpu_idle_dead+0x28/0x40
[39364.874215]  ? do_idle+0x206/0x2b0
[39364.874217]  start_secondary+0x12/0x2c0
[39364.874219]  ? start_secondary+0x12/0x2c0
[39364.874222]  secondary_startup_64+0x9f/0x9f

[39364.874225] The buggy address belongs to the page:
[39364.874230] page:ffffea0000dcc740 count:0 mapcount:0 mapping:          (null) index:0x1
[39364.874233] flags: 0x1000000000000000()
[39364.874237] raw: 1000000000000000 0000000000000000 0000000000000001 00000000ffffffff
[39364.874239] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[39364.874240] page dumped because: kasan: bad access detected

[39364.874242] Memory state around the buggy address:
[39364.874244]  ffff88003731cf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874245]  ffff88003731cf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874247] >ffff88003731d000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874248]                    ^
[39364.874250]  ffff88003731d080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874251]  ffff88003731d100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[39364.874251] ==================================================================
[39364.874253] Disabling lock debugging due to kernel taint


I've seen this with an initramfs without any CPU microcode added after S3 resume.
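
The trace reports a 1-byte read by find_cpio_data from a page whose KASAN shadow bytes are all ff, the marker for a page already returned to the allocator (the page dump's count:0 says the same), reached from load_ucode_amd_ap -> find_microcode_in_initrd while an AP is brought up after resume. As an added example that is not part of this bug report and not the kernel's own lib/earlycpio.c, the C program below re-implements the newc cpio walk that find_cpio_data performs (simplified to an exact-path match instead of the kernel's directory-prefix match), builds a constructed in-memory initrd, and looks up the AMD microcode path. The file names, the placeholder microcode bytes, the buffer size and the helper names cpio_find, cpio_append and build_sample_initrd are assumptions made for the example. What it shows is that a hit is only a view into the archive buffer: using that view, or repeating the walk, after the buffer has been freed is the access class KASAN flags above, and a walk over an archive that is truncated or corrupt has to stop on its own bounds checks rather than run off the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEWC_HDR_LEN 110        /* ASCII header: "070701" + 13 x 8 hex digits */
#define S_IFMT_NEWC  0170000u
#define S_IFREG_NEWC 0100000u

/* A hit is a borrowed view into the archive buffer. It owns nothing and is
 * invalid the moment that buffer (in the kernel: the initrd) is freed. */
struct cpio_entry {
    const unsigned char *data;
    size_t size;
    char name[64];
};

static int parse_hex8(const unsigned char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        unsigned c = p[i];
        v <<= 4;
        if (c >= '0' && c <= '9') v |= c - '0';
        else if (c >= 'a' && c <= 'f') v |= c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v |= c - 'A' + 10;
        else return -1;         /* not a hex digit: header is corrupt */
    }
    *out = v;
    return 0;
}

/* newc pads both the name and the file data to 4-byte boundaries. */
static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Walk an uncompressed newc archive and return the regular file whose name
 * is exactly `path`. Returns 0 on a hit, -1 on a miss or on a malformed or
 * truncated archive. Every dereference is checked against `len` first. */
int cpio_find(const unsigned char *archive, size_t len, const char *path,
              struct cpio_entry *out)
{
    size_t off = 0, pathlen = strlen(path);

    while (off + NEWC_HDR_LEN <= len) {
        const unsigned char *hdr = archive + off;
        uint32_t mode, filesize, namesize;

        if (memcmp(hdr, "070701", 6) != 0) return -1;              /* magic    */
        if (parse_hex8(hdr + 6 + 1 * 8, &mode) < 0) return -1;     /* mode     */
        if (parse_hex8(hdr + 6 + 6 * 8, &filesize) < 0) return -1; /* filesize */
        if (parse_hex8(hdr + 6 + 11 * 8, &namesize) < 0) return -1;/* namesize */

        const unsigned char *name = hdr + NEWC_HDR_LEN;
        if (namesize == 0 || namesize > len - off - NEWC_HDR_LEN) return -1;
        if (name[namesize - 1] != '\0') return -1;   /* name must be NUL-terminated */

        size_t data_off = align4(off + NEWC_HDR_LEN + namesize);
        if (data_off > len || filesize > len - data_off) return -1; /* truncated */

        if (strcmp((const char *)name, "TRAILER!!!") == 0) return -1; /* end mark */

        if ((mode & S_IFMT_NEWC) == S_IFREG_NEWC &&
            namesize - 1 == pathlen && memcmp(name, path, pathlen) == 0) {
            out->data = archive + data_off;   /* points INTO the archive */
            out->size = filesize;
            snprintf(out->name, sizeof out->name, "%s", (const char *)name);
            return 0;
        }
        off = align4(data_off + filesize);    /* next header */
    }
    return -1;
}

/* Append one regular-file entry to buf; returns the new archive length, or 0
 * if buf is too small. Fields other than mode, filesize and namesize are 0. */
size_t cpio_append(unsigned char *buf, size_t cap, size_t off, const char *name,
                   const void *data, size_t datalen)
{
    size_t namesize = strlen(name) + 1;
    size_t data_off = align4(off + NEWC_HDR_LEN + namesize);
    size_t end = align4(data_off + datalen);
    char hdr[NEWC_HDR_LEN + 1];

    if (end > cap) return 0;
    snprintf(hdr, sizeof hdr,
             "070701%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X%08X",
             0u, S_IFREG_NEWC | 0644u, 0u, 0u, 1u, 0u, (unsigned)datalen,
             0u, 0u, 0u, 0u, (unsigned)namesize, 0u);
    memset(buf + off, 0, end - off);          /* zero the padding bytes */
    memcpy(buf + off, hdr, NEWC_HDR_LEN);
    memcpy(buf + off + NEWC_HDR_LEN, name, namesize);
    memcpy(buf + data_off, data, datalen);
    return end;
}

/* Constructed sample initrd: one config file plus an AMD microcode entry whose
 * bytes are a placeholder, not real microcode (assumption for this example). */
#define UCODE_PATH "kernel/x86/microcode/AuthenticAMD.bin"
static const unsigned char sample_ucode[] = { 0x44, 0x4d, 0x41, 0x00, 0x01, 0x02, 0x03 };

size_t build_sample_initrd(unsigned char *buf, size_t cap)
{
    size_t n = cpio_append(buf, cap, 0, "etc/hostname", "probook\n", 8);
    if (n) n = cpio_append(buf, cap, n, UCODE_PATH, sample_ucode, sizeof sample_ucode);
    if (n) n = cpio_append(buf, cap, n, "TRAILER!!!", "", 0);
    return n;
}

int main(void)
{
    unsigned char initrd[512];
    size_t len = build_sample_initrd(initrd, sizeof initrd);
    struct cpio_entry e;

    if (cpio_find(initrd, len, UCODE_PATH, &e) == 0)
        printf("found %s: %zu bytes at archive offset %td\n",
               e.name, e.size, e.data - initrd);
    /* e.data lives inside initrd. Once the buffer is released (the kernel's
     * free_initrd_mem), neither e.data nor a fresh cpio_find over the stale
     * pointer may be touched; that is the use-after-free pattern above. */
    return 0;
}
```

The kernel walker additionally treats `path` as a directory prefix and returns the first regular file directly under it; that is left out here so the bounds checks stay in view. The checks that matter for a hostile or truncated initrd are the three `return -1` lines before the trailer test: a name without its NUL, a name that runs past `len`, or a file body that runs past `len` each ends the walk instead of being dereferenced.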
