GrapheneOS / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.freenode.net ##linux-hardened. Currently maintained at https://github.com/anthraxx/linux-hardened.
https://grapheneos.org/

refcount_t: saturated; leaking memory #63

Closed michabuntu closed 6 years ago

michabuntu commented 6 years ago

This happens on 4.13.8 on Arch Linux (also .6 and .5). It does not happen with the stock 4.13.7 kernel! From the kernel.log:

```text
Oct 21 12:42:03 archtux kernel: [15293.331713] refcount_t: saturated; leaking memory.
Oct 21 12:42:03 archtux kernel: [15293.331726] ------------[ cut here ]------------
Oct 21 12:42:03 archtux kernel: [15293.331734] WARNING: CPU: 3 PID: 7502 at lib/refcount.c:77 refcount_add_not_zero+0x65/0x70
Oct 21 12:42:03 archtux kernel: [15293.331735] Modules linked in: wp512 tgr192 rmd320 rmd256 rmd128 algif_hash af_alg nfnetlink_queue nfnetlink fuse msr nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp iptable_filter ip_tables xt_iprange xt_state nf_conntrack libcrc32c crc32c_generic xt_mark xt_NFQUEUE x_tables tun loop nct6775 hwmon_vid sg eeepc_wmi asus_wmi sparse_keymap wmi_bmof rfkill mxm_wmi intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd intel_cstate intel_rapl_perf evdev input_leds led_class joydev mousedev mac_hid i2c_i801 nvidia_drm(PO) nvidia_modeset(PO) nvidia(PO) thermal fan drm_kms_helper battery drm snd_ice1712 snd_cs8427 snd_i2c snd_ice17xx_ak4xxx
Oct 21 12:42:03 archtux kernel: [15293.331784] syscopyarea snd_ak4xxx_adda sysfillrect sysimgblt fb_sys_fops button wmi snd_ac97_codec video snd_mpu401_uart snd_rawmidi snd_seq_device snd_pcm snd_timer snd soundcore mei_me ac97_bus mei e1000e e1000 vboxnetadp(O) vboxnetflt(O) ptp pps_core ie31200_edac shpchp vboxdrv(O) speedstep_lib ext4 crc16 mbcache jbd2 fscrypto sr_mod cdrom hid_generic usbhid hid sd_mod serio ehci_pci ehci_hcd ahci libahci libata scsi_mod xhci_pci xhci_hcd usbcore usb_common
Oct 21 12:42:03 archtux kernel: [15293.331818] CPU: 3 PID: 7502 Comm: openvpn Tainted: P O 4.13.8-1-hardened #1
Oct 21 12:42:03 archtux kernel: [15293.331820] Hardware name: System manufacturer System Product Name/P8Z77-V PRO, BIOS 1805 12/19/2012
Oct 21 12:42:03 archtux kernel: [15293.331821] task: ffff9f6f39955b80 task.stack: ffffb8050a904000
Oct 21 12:42:03 archtux kernel: [15293.331824] RIP: 0010:refcount_add_not_zero+0x65/0x70
Oct 21 12:42:03 archtux kernel: [15293.331825] RSP: 0018:ffffb8050a9074a0 EFLAGS: 00010286
Oct 21 12:42:03 archtux kernel: [15293.331826] RAX: 0000000000000026 RBX: ffff9f6ee5599801 RCX: 0000000000000000
Oct 21 12:42:03 archtux kernel: [15293.331828] RDX: 0000000000000000 RSI: ffff9f6fded8dc78 RDI: ffff9f6fded8dc78
Oct 21 12:42:03 archtux kernel: [15293.331829] RBP: ffffb8050a9074a8 R08: 000000000000034e R09: 0000000000000004
Oct 21 12:42:03 archtux kernel: [15293.331830] R10: 000000008ea3b01a R11: 0000000000000001 R12: ffff9f6f3ee50400
Oct 21 12:42:03 archtux kernel: [15293.331831] R13: 000000008ea3b518 R14: ffff9f6ee55998e8 R15: ffff9f6f3ee50700
Oct 21 12:42:03 archtux kernel: [15293.331832] FS: 0000606e3bbd7740(0000) GS:ffff9f6fded80000(0000) knlGS:0000000000000000
Oct 21 12:42:03 archtux kernel: [15293.331834] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 21 12:42:03 archtux kernel: [15293.331835] CR2: 00007f3666e71730 CR3: 00000003783cd000 CR4: 00000000001426e0
Oct 21 12:42:03 archtux kernel: [15293.331836] Call Trace:
Oct 21 12:42:03 archtux kernel: [15293.331841] refcount_add+0x9/0x30
Oct 21 12:42:03 archtux kernel: [15293.331845] tcp_gso_segment+0x472/0x4f0
Oct 21 12:42:03 archtux kernel: [15293.331848] tcp4_gso_segment+0x3e/0xa0
Oct 21 12:42:03 archtux kernel: [15293.331851] inet_gso_segment+0x168/0x3c0
Oct 21 12:42:03 archtux kernel: [15293.331854] ? __kmalloc_reserve.isra.38+0x31/0x90
Oct 21 12:42:03 archtux kernel: [15293.331857] skb_mac_gso_segment+0xb5/0x130
Oct 21 12:42:03 archtux kernel: [15293.331858] __skb_gso_segment+0xc7/0x190
Oct 21 12:42:03 archtux kernel: [15293.331860] validate_xmit_skb+0x154/0x290
Oct 21 12:42:03 archtux kernel: [15293.331862] validate_xmit_skb_list+0x43/0x70
Oct 21 12:42:03 archtux kernel: [15293.331865] sch_direct_xmit+0x131/0x1c0
Oct 21 12:42:03 archtux kernel: [15293.331867] __dev_queue_xmit+0x4ec/0x690
Oct 21 12:42:03 archtux kernel: [15293.331873] ? __nf_conntrack_find_get+0x227/0x350 [nf_conntrack]
Oct 21 12:42:03 archtux kernel: [15293.331875] dev_queue_xmit+0x10/0x20
Oct 21 12:42:03 archtux kernel: [15293.331877] ? dev_queue_xmit+0x10/0x20
Oct 21 12:42:03 archtux kernel: [15293.331880] neigh_direct_output+0x11/0x20
Oct 21 12:42:03 archtux kernel: [15293.331883] ip_finish_output2+0x15e/0x3a0
Oct 21 12:42:03 archtux kernel: [15293.331886] ip_finish_output+0x190/0x250
Oct 21 12:42:03 archtux kernel: [15293.331889] ? ip_finish_output+0x190/0x250
Oct 21 12:42:03 archtux kernel: [15293.331892] ip_output+0x72/0x100
Oct 21 12:42:03 archtux kernel: [15293.331895] ? ip_fragment.constprop.47+0x80/0x80
Oct 21 12:42:03 archtux kernel: [15293.331898] ip_local_out+0x35/0x40
Oct 21 12:42:03 archtux kernel: [15293.331901] ip_queue_xmit+0x166/0x400
Oct 21 12:42:03 archtux kernel: [15293.331904] tcp_transmit_skb+0x53d/0x9e0
Oct 21 12:42:03 archtux kernel: [15293.331908] tcp_write_xmit+0x1ae/0xed0
Oct 21 12:42:03 archtux kernel: [15293.331911] __tcp_push_pending_frames+0x35/0xd0
Oct 21 12:42:03 archtux kernel: [15293.331913] tcp_rcv_established+0x46a/0x770
Oct 21 12:42:03 archtux kernel: [15293.331916] tcp_v4_do_rcv+0x90/0x1e0
Oct 21 12:42:03 archtux kernel: [15293.331917] tcp_v4_rcv+0x93e/0x9e0
Oct 21 12:42:03 archtux kernel: [15293.331921] ip_local_deliver_finish+0x6a/0x220
Oct 21 12:42:03 archtux kernel: [15293.331923] ip_local_deliver+0xf8/0x110
Oct 21 12:42:03 archtux kernel: [15293.331926] ? ip_rcv_finish+0x410/0x410
Oct 21 12:42:03 archtux kernel: [15293.331929] ip_rcv_finish+0x120/0x410
Oct 21 12:42:03 archtux kernel: [15293.331931] ip_rcv+0x28c/0x3b0
Oct 21 12:42:03 archtux kernel: [15293.331934] ? inet_del_offload+0x40/0x40
Oct 21 12:42:03 archtux kernel: [15293.331937] __netif_receive_skb_core+0x3f2/0xae0
Oct 21 12:42:03 archtux kernel: [15293.331940] ? skb_splice_bits+0xc6/0xf0
Oct 21 12:42:03 archtux kernel: [15293.331943] __netif_receive_skb+0x18/0x60
Oct 21 12:42:03 archtux kernel: [15293.331946] ? __netif_receive_skb+0x18/0x60
Oct 21 12:42:03 archtux kernel: [15293.331948] netif_receive_skb_internal+0x96/0x470
Oct 21 12:42:03 archtux kernel: [15293.331951] ? skb_probe_transport_header.constprop.54+0x7a/0xc0 [tun]
Oct 21 12:42:03 archtux kernel: [15293.331953] netif_receive_skb+0x1c/0x70
Oct 21 12:42:03 archtux kernel: [15293.331955] tun_get_user+0x564/0xa10 [tun]
Oct 21 12:42:03 archtux kernel: [15293.331959] ? _copy_to_user+0x2a/0x40
Oct 21 12:42:03 archtux kernel: [15293.331962] ? move_addr_to_user+0xc0/0xe0
Oct 21 12:42:03 archtux kernel: [15293.331964] tun_chr_write_iter+0x4a/0x70 [tun]
Oct 21 12:42:03 archtux kernel: [15293.331968] __vfs_write+0xf4/0x150
Oct 21 12:42:03 archtux kernel: [15293.331971] vfs_write+0xb1/0x1c0
Oct 21 12:42:03 archtux kernel: [15293.331974] SyS_write+0x55/0xc0
Oct 21 12:42:03 archtux kernel: [15293.331978] entry_SYSCALL_64_fastpath+0x1a/0xa5
Oct 21 12:42:03 archtux kernel: [15293.331979] RIP: 0033:0x606e3b3bb884
Oct 21 12:42:03 archtux kernel: [15293.331980] RSP: 002b:00007e2de974daf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
Oct 21 12:42:03 archtux kernel: [15293.331982] RAX: ffffffffffffffda RBX: 000000003c7c3610 RCX: 0000606e3b3bb884
Oct 21 12:42:03 archtux kernel: [15293.331983] RDX: 0000000000000028 RSI: 000000003c7a5d81 RDI: 0000000000000004
Oct 21 12:42:03 archtux kernel: [15293.331984] RBP: 000000003c7c3628 R08: 0000000000000028 R09: 0000000000000000
Oct 21 12:42:03 archtux kernel: [15293.331985] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
Oct 21 12:42:03 archtux kernel: [15293.331986] R13: 0000000000000000 R14: 00007e2de974da50 R15: 0000000000000000
Oct 21 12:42:03 archtux kernel: [15293.331988] Code: 89 c2 eb e0 85 c0 74 27 83 f8 ff 75 cf eb e3 80 3d 96 46 97 00 00 75 da 48 c7 c7 68 96 96 95 c6 05 86 46 97 00 01 e8 8c 20 d6 ff <0f> ff eb c8 31 db eb c4 0f 1f 00 55 48 89 e5 e8 87 ff ff ff 84
```

thestinger commented 6 years ago

The Arch Linux linux-hardened package sets CONFIG_REFCOUNT_FULL=y while the linux package does not, which is why the bug is detected with one and not the other. However, this isn't a linux-hardened feature. You should enable that configuration option for the linux package, replicate the issue and report it upstream. It's not occurring due to any of the patches here but rather a difference in upstream configuration options between those distribution packages.
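For readers who want to see what the "refcount_t: saturated; leaking memory." line in the log actually means, the following is an added user-space model; it is not code from this issue, from linux-hardened or from the kernel tree. It follows the logic of `refcount_add_not_zero()` and `refcount_sub_and_test()` in 4.13's `lib/refcount.c` as built with CONFIG_REFCOUNT_FULL=y, with two simplifying assumptions: a plain `unsigned int` stands in for the `atomic_t`, and the cmpxchg retry loop is dropped because the model is single-threaded. The type name `model_refcount_t`, the `model_*` helpers and the starting value in `demo_saturation()` are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's refcount_t (assumption: plain unsigned
 * instead of atomic_t; single-threaded, so no cmpxchg retry loop). */
typedef struct { unsigned int refs; } model_refcount_t;

/* Counters standing in for WARN_ONCE(): each message is printed only once. */
static int model_warned_saturated;
static int model_warned_underflow;

/* Follows refcount_add_not_zero() from 4.13 lib/refcount.c with
 * CONFIG_REFCOUNT_FULL=y: never increment a zero count (the object is gone),
 * leave a saturated count alone, and pin an add that would wrap at UINT_MAX
 * while emitting the same warning that appears in the issue's log. */
static bool model_refcount_add_not_zero(unsigned int i, model_refcount_t *r)
{
    unsigned int val = r->refs;
    unsigned int new;

    if (val == 0)
        return false;               /* already freed: refuse to resurrect */
    if (val == UINT_MAX)
        return true;                /* already saturated: stays pinned */

    new = val + i;
    if (new < val)                  /* unsigned wrap would have occurred */
        new = UINT_MAX;
    r->refs = new;

    if (new == UINT_MAX && !model_warned_saturated++)
        fprintf(stderr, "refcount_t: saturated; leaking memory.\n");
    return true;
}

/* Follows refcount_sub_and_test(): a saturated count is never decremented, so
 * the object is never freed (that is the "leaking memory"), and an underflow
 * is refused instead of wrapping to a huge value. Returns true only when the
 * caller dropped the last reference and must free the object. */
static bool model_refcount_sub_and_test(unsigned int i, model_refcount_t *r)
{
    unsigned int val = r->refs;
    unsigned int new;

    if (val == UINT_MAX)
        return false;

    new = val - i;
    if (new > val) {                /* would go below zero */
        if (!model_warned_underflow++)
            fprintf(stderr, "refcount_t: underflow; use-after-free.\n");
        return false;
    }
    r->refs = new;
    return new == 0;
}

/* Contrast: a plain unsigned counter with none of these checks wraps from
 * UINT_MAX to 0, and release code that reads 0 frees a still-referenced
 * object. The full refcount_t trades that use-after-free for a leak. */
static bool plain_counter_wraps_to_zero(void)
{
    unsigned int refs = UINT_MAX;
    refs += 1;
    return refs == 0;
}

/* Worked scenario: a constructed reference leak keeps taking references until
 * the count saturates. Returns the count after a later release attempt; it
 * stays at UINT_MAX because the object can no longer reach zero. */
static unsigned int demo_saturation(bool *freed_out)
{
    model_refcount_t r = { UINT_MAX - 2 };   /* constructed starting value */

    model_refcount_add_not_zero(1, &r);      /* UINT_MAX - 1 */
    model_refcount_add_not_zero(1, &r);      /* UINT_MAX: warning fires once */
    model_refcount_add_not_zero(7, &r);      /* still UINT_MAX, no second warning */
    *freed_out = model_refcount_sub_and_test(1, &r);
    return r.refs;
}

int main(void)
{
    bool freed;
    unsigned int refs = demo_saturation(&freed);
    printf("final count 0x%x, freed=%d, plain counter wrapped=%d\n",
           refs, freed, plain_counter_wraps_to_zero());
    return 0;
}
```

The point of the model is the trade-off thestinger's reply hinges on: with the full checks enabled, an over-incremented counter is pinned and the object leaks, and the kernel tells you so in the log, whereas the same bug with the checks disabled stays silent and can wrap the counter into a premature free. That is why the warning appears on the hardened configuration and not on the stock one, and why the underlying bug belongs upstream rather than in this patch set.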