Hi, I'm working on a memory error detector AddressSanitizer for Linux kernel (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel), it can detect use-after-free and buffer-overflow errors. Currently the tool is in very early stage and it can contain bugs.
Here is one of the reports produced during testing: [ 196.951434] ERROR: AddressSanitizer: heap-use-after-free on address ffff880008a632c4 [ 196.952135] Stack trace: [ 196.952380] [<ffffffff810dd1f5>] asan_report_error+0x85/0x2c0 [ 196.952890] [<ffffffff810dc700>] asan_check_region+0x30/0x40 [ 196.953466] [<ffffffff810dd553>] __tsan_write4+0x13/0x20 [ 196.953987] [<ffffffff8110a76a>] ____call_usermodehelper+0x21a/0x240 [ 196.954651] [<ffffffff8110a7cc>] call_helper+0x3c/0x50 [ 196.955155] [<ffffffff81924b5c>] ret_from_fork+0x7c/0xb0 [ 196.955686] [<ffffffffffffffff>] 0xffffffffffffffff [ 196.956230] Free stack trace: [ 196.956532] [<ffffffff810dc831>] asan_slab_free+0x61/0xb0 [ 196.957052] [<ffffffff8128070a>] kfree+0x9a/0x240 [ 196.957558] [<ffffffff8110a165>] call_usermodehelper_freeinfo+0x35/0x40 [ 196.958308] [<ffffffff8110aabe>] call_usermodehelper_exec+0xae/0x1d0 [ 196.958920] [<ffffffff8110af81>] call_usermodehelper+0x61/0x90 [ 196.959490] [<ffffffff814d7e4e>] kobject_uevent_env+0x5be/0x5f0 [ 196.960161] [<ffffffff814d7ea3>] kobject_uevent+0x23/0x40 [ 196.960706] [<ffffffff814d63ad>] kobject_release+0xad/0xc0 [ 196.961274] [<ffffffff814d618a>] kobject_put+0x3a/0x80 [ 196.961889] [<ffffffff8181af6c>] net_rx_queue_update_kobjects+0x12c/0x170 [ 196.962701] [<ffffffff8181b1b2>] netdev_unregister_kobject+0x62/0xa0 [ 196.963475] [<ffffffff817f342b>] rollback_registered_many+0x27b/0x340 [ 196.964175] [<ffffffff817f35d5>] unregister_netdevice_many+0x35/0xe0 [ 196.964836] [<ffffffff817f43f7>] default_device_exit_batch+0x107/0x180 [ 196.965568] [<ffffffff817ebb1c>] ops_exit_list.isra.3+0x8c/0xa0 I've looked at the sources, but I can't say that I fully understand them. The report looks valid, though. I see several potential issues in the code. 1. When wait=UMH_WAIT_EXEC and do_execve() fails, ____call_usermodehelper() writes sub_info->retval=retval to freed memory. This is the use-after-free reported by the tool. 2. When wait=UMH_NO_WAIT, __call_usermodehelper() starts child thread and instantly frees subprocess_info. The child thread reads subprocess_info. Looks like another use-after-free. 3. UMH_WAIT_EXEC does not actually wait for exec, it only waits for starting the child thread that will do exec. I don't know whether it's a problem with the code or with the name. The kernel version is 3.11-rc4 (last commit: b7bc9e7d808ba55729bd263b0210cda36965be32). Please help to confirm these issues, and advice what to do next with them. TIA -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
