Date:	Tue, 28 Apr 2015 08:54:27 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Fenghua Yu <fenghua.yu@...el.com>
Cc:	fengguang.wu@...el.com, LKP <lkp@...org>,
	linux-kernel@...r.kernel.org
Subject: [x86/xsaves] BUG: KASan: out of bounds access in save_xstate_sig at
 addr ffff880000184208

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://github.com/fyu1/linux.git xsaves_fix_2

commit eb8d15e446f5b770ebe9654bf7ca0001e332ef9c
Author:     Fenghua Yu <fenghua.yu@...el.com>
AuthorDate: Tue Apr 14 10:34:07 2015 -0700
Commit:     Fenghua Yu <fenghua.yu@...el.com>
CommitDate: Sat Apr 18 10:13:04 2015 -0700

    x86/xsaves: Define and use user_xstate_size for xstate size in signal context
    
    If "xsaves" is enabled, kernel always uses compact format of xsave area.
    But user space still uses standard format of xsave area. Thus, xstate size
    in kernel's xsave area is smaller than xstate size in user's xsave area.
    xstate in signal frame should be in standard format for user's signal
    handler to access.
    
    In no "xsaves" case, xsave area in both user space and kernel space are in
    standard format. Therefore, user's and kernel's xstate sizes are equal.
    
    In "xsaves" case, xsave area in user space is in standard format while
    xsave area in kernel space is in compact format. Therefore, kernel's
    xstate size is less than user's xstate size.
    
    So here is the problem: currently kernel uses the kernel's xstate size
    for xstate size in signal frame. This is not a problem in no "xsaves" case.
    But it is an issue in "xsaves" case because kernel's xstate size is smaller
    than user's xstate size. When setting up signal math frame in
    alloc_mathframe(), the fpstate is in standard format; but a smaller size
    of fpstate buffer is allocated in signal frame for standard format
    xstate. Then kernel saves only part of xstate registers into this smaller
    user's fpstate buffer and user will see part of the xstate registers in
    signal context. Similar issue happens after returning from signal handler:
    kernel will only restore part of xstate registers from user's fpstate
    buffer in signal frame.
    
    This patch defines and uses user_xstate_size for xstate size in signal
    frame. It's read from returned value in ebx from CPUID leaf 0x0D subleaf
    0x0. This is maximum size required by enabled states in XCR0 and may be
    different from ecx when states at the end of the xsave area are not
    enabled. This value indicates the size required for XSAVE to save all
    supported user states in legacy/standard format.
    
    And in order to copy kernel's xsave area in compact format to user xsave
    area in standard format, we use copy_to_user_xstate().
    
    Signed-off-by: Fenghua Yu <fenghua.yu@...el.com>
    Reviewed-by: Dave Hansen <dave.hansen@...el.com>

+-----------------------------------------------------------+------------+------------+------------+
|                                                           | c77494ed7b | eb8d15e446 | 579c948348 |
+-----------------------------------------------------------+------------+------------+------------+
| boot_successes                                            | 108        | 8          | 10         |
| boot_failures                                             | 0          | 30         | 17         |
| BUG:KASan:out_of_bounds_access_in_save_xstate_sig_at_addr | 0          | 30         | 17         |
| BUG_task_xstate(Not_tainted):kasan:bad_access_detected    | 0          | 30         | 17         |
| INFO:Allocated_in_init_fpu_age=#cpu=#pid=                 | 0          | 30         | 17         |
| INFO:Slab#objects=#used=#fp=#flags=                       | 0          | 30         | 17         |
| INFO:Object#@...set=#fp=                                  | 0          | 30         | 17         |
| Kernel_panic-not_syncing:Attempted_to_kill_init!exitcode= | 0          | 28         | 12         |
| backtrace:init_fpu                                        | 0          | 30         | 17         |
| backtrace:do_group_exit                                   | 0          | 28         | 12         |
| backtrace:SyS_exit_group                                  | 0          | 28         | 12         |
| backtrace:irq_exit                                        | 0          | 1          |            |
| BUG_task_xstate(Tainted:G_B):kasan:bad_access_detected    | 0          | 2          | 4          |
| INFO:Freed_in_arch_release_task_struct_age=#cpu=#pid=     | 0          | 2          | 4          |
+-----------------------------------------------------------+------------+------------+------------+

[   13.557910] Freeing unused kernel memory: 180K (ffff880001fd3000 - ffff880002000000)
[   13.576155] random: init urandom read with 4 bits of entropy available
[   13.594839] ==================================================================
[   13.595511] BUG: KASan: out of bounds access in save_xstate_sig+0x1bf/0x470 at addr ffff880000184208
[   13.596280] Read of size 8 by task init/1
[   13.596628] =============================================================================
[   13.596682] BUG task_xstate (Not tainted): kasan: bad access detected
[   13.596682] -----------------------------------------------------------------------------
[   13.596682] 
[   13.596682] Disabling lock debugging due to kernel taint
[   13.596682] INFO: Allocated in init_fpu+0xdd/0x150 age=12 cpu=0 pid=1
[   13.599390] INFO: Slab 0xffffea0000006100 objects=18 used=5 fp=0xffff880000184a80 flags=0x4080
[   13.599390] INFO: Object 0xffff880000184000 @offset=0 fp=0xffff880000184380
[   13.599390] 
[   13.599390] Object ffff880000184000: 7f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.599390] Object ffff880000184010: 00 00 00 00 00 00 00 00 80 1f 00 00 ff ff 00 00  ................
[   13.604684] Object ffff880000184020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.607765] 99-trinity[116]: segfault at 0 ip           (null) sp 00007ffdec282910 error 14 in bash[400000+e0000]
[   13.608569] 99-trinity (116) used greatest stack depth: 29672 bytes left
[   13.609014] run-parts (115) used greatest stack depth: 29648 bytes left
[   13.609079] traps: rc.local[112] general protection ip:7f33f1cac708 sp:7ffe90950df8 error:0 in libc-2.15.so[7f33f1c76000+1b3000]
[   13.609929] rc.local (112) used greatest stack depth: 29200 bytes left
[   13.604684] Object ffff880000184060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001840a0: 00 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001840b0: 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25 25  %%%%%%%%%%%%%%%%
[   13.604684] Object ffff8800001840c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001840d0: 00 00 00 00 00 ff 00 00 00 00 00 00 00 ff 00 00  ................
[   13.604684] Object ffff8800001840e0: 00 00 00 00 00 00 00 00 71 00 00 00 00 00 00 00  ........q.......
[   13.604684] Object ffff8800001840f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff880000184190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001841a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001841b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001841c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001841d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001841e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Object ffff8800001841f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   13.604684] Redzone ffff880000184200: cc cc cc cc cc cc cc cc                          ........
[   13.604684] Padding ffff880000184340: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   13.604684] Padding ffff880000184350: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   13.604684] Padding ffff880000184360: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   13.604684] Padding ffff880000184370: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   13.604684] CPU: 0 PID: 1 Comm: init Tainted: G    B           4.0.0-08095-geb8d15e #13
[   13.604684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[   13.604684]  ffff880000184000 ffff88000dfcfbe8 ffffffff81b2a7db 000000000000005b
[   13.604684]  ffff88000de67180 ffff88000dfcfc18 ffffffff8127a018 ffff88000de67180
[   13.604684]  ffffea0000006100 ffff880000184000 ffff88000de67180 ffff88000dfcfc48
[   13.604684] Call Trace:
[   13.604684]  [<ffffffff81b2a7db>] dump_stack+0x4c/0x65
[   13.604684]  [<ffffffff8127a018>] print_trailer+0xf8/0x160
[   13.604684]  [<ffffffff81282545>] object_err+0x35/0x40
[   13.604684]  [<ffffffff81285619>] kasan_report_error+0x209/0x420
[   13.604684]  [<ffffffff8113c9a5>] ? lock_release_non_nested+0x2b5/0x420
[   13.604684]  [<ffffffff81135200>] ? check_chain_key+0xf0/0x2c0
[   13.604684]  [<ffffffff8101812f>] ? save_xstate_sig+0x1bf/0x470
[   13.604684]  [<ffffffff81285959>] kasan_report+0x79/0x90
[   13.604684]  [<ffffffff8101812f>] ? save_xstate_sig+0x1bf/0x470
[   13.604684]  [<ffffffff81284b39>] __asan_load8+0x69/0xa0
[   13.604684]  [<ffffffff81254055>] ? might_fault+0xe5/0xf0
[   13.604684]  [<ffffffff81253fe2>] ? might_fault+0x72/0xf0
[   13.604684]  [<ffffffff81654282>] ? __clear_user+0x12/0x60
[   13.604684]  [<ffffffff8101812f>] save_xstate_sig+0x1bf/0x470
[   13.604684]  [<ffffffff81005439>] do_signal+0x1089/0x12e0
[   13.604684]  [<ffffffff81139706>] ? mark_held_locks+0x36/0xc0
[   13.604684]  [<ffffffff811e3219>] ? ftrace_likely_update+0xf9/0x2c0
[   13.604684]  [<ffffffff81b36e5b>] ? int_very_careful+0x5/0x46
[   13.604684]  [<ffffffff81005780>] do_notify_resume+0xf0/0x100
[   13.604684]  [<ffffffff81b36eae>] int_signal+0x12/0x17
[   13.604684] Memory state around the buggy address:
[   13.604684]  ffff880000184100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   13.604684]  ffff880000184180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

git bisect start 579c948348cffef5819f4e30b648eb3898088387 39a8804455fb23f09157341d3ba7db6d7ae6ee76 --
git bisect  bad 1184ebc2a0dbda9a921482ce803bbac887654501  # 03:37      0-      8  Merge 'fenghua/xsaves_fix_2' into devel-athens-smoke-201504190253
git bisect good 2fd2cf178bce270a3eed71be018eaf6ec7256cca  # 04:52     36+      0  0day base guard for 'devel-athens-smoke-201504190253'
git bisect good f85c62d97ee827c52a35417164c347099772d185  # 05:57     36+      0  Merge 'iio/fixes-togreg' into devel-athens-smoke-201504190253
git bisect good c1c21f4e60ed4523292f1a89ff45a208bddd3849  # 09:19     36+      0  i2c: core: Export bus recovery functions
git bisect good e693d73c20ffdb06840c9378f367bad849ac0d5d  # 11:42     36+      0  parisc: remove use of seq_printf return value
git bisect good d19d5efd8c8840aa4f38a6dfbfe500d8cc27de46  # 14:16     36+      1  Merge tag 'powerpc-4.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
git bisect good 96d928ed75c4ba4253e82910a697ec7b06ace8b4  # 16:06     36+      2  Merge tag 'xtensa-20150416' of git://github.com/czankel/xtensa-linux
git bisect good e2fdae7e7c5a690b10b2d2891ec819e554dc033d  # 18:14     36+      0  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc
git bisect good 7505256626b0b3d11ea5a3ec1a89046d07c3c366  # 20:26     36+      0  Merge tag 'devicetree-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/glikely/linux
git bisect good 10027551ccf5459cc771c31ac8bc8e5cc8db45f8  # 23:39     36+      0  f2fs: pass checkpoint reason on roll-forward recovery
git bisect good 06a60deca87dba8e2c186ea7f12ea87d6785188e  # 01:34     36+      2  Merge tag 'for-f2fs-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs
git bisect good 396c9df2231865ef55aa031e3f5df9d99e036869  # 03:07     36+      0  Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 96b90f27bcf22f1d06cc16d9475cefa6ea4c4718  # 05:02     36+      0  Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 90d1c087861dcc3d1175993fc03492c137fd21bb  # 06:39     36+      0  Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 34a984f7b0cc6355a1e0c184251d0d4cc86f44d2  # 09:38     36+      0  Merge branch 'x86-pmem-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect  bad eb8d15e446f5b770ebe9654bf7ca0001e332ef9c  # 10:10      0-      3  x86/xsaves: Define and use user_xstate_size for xstate size in signal context
git bisect good c77494ed7b1f7a0c8b88e838bb5c4cf65c1f7f54  # 13:38     36+      0  x86/xsave.c: Fix xstate offsets and sizes enumeration
# first bad commit: [eb8d15e446f5b770ebe9654bf7ca0001e332ef9c] x86/xsaves: Define and use user_xstate_size for xstate size in signal context
git bisect good c77494ed7b1f7a0c8b88e838bb5c4cf65c1f7f54  # 23:59    108+      0  x86/xsave.c: Fix xstate offsets and sizes enumeration
# extra tests with DEBUG_INFO
git bisect good eb8d15e446f5b770ebe9654bf7ca0001e332ef9c  # 15:12    108+     81  x86/xsaves: Define and use user_xstate_size for xstate size in signal context
# extra tests on HEAD of linux-devel/devel-athens-smoke-201504190253
git bisect  bad 579c948348cffef5819f4e30b648eb3898088387  # 15:12      0-     17  0day head guard for 'devel-athens-smoke-201504190253'
# extra tests on tree/branch fenghua/xsaves_fix_2
git bisect  bad 581dbc6b9524c330d24ec92af077856daead0d82  # 15:42      0-      1  x86/xsave: Don't add new states in xsave_struct
# extra tests on tree/branch linus/master
git bisect good b787f68c36d49bb1d9236f403813641efa74a031  # 21:25    108+      0  Linux 4.1-rc1
# extra tests on tree/branch next/master
git bisect good b722a93ff1074b1c3f2273c669bd51368aeedf66  # 07:03    108+      2  Add linux-next specific files for 20150427


This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash

kernel=$1
initrd=quantal-core-x86_64.cgz

wget --no-clobber https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu kvm64
	-kernel $kernel
	-initrd $initrd
	-m 300
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null 
)

append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	rd.udev.log-priority=err
	systemd.log_target=journal
	systemd.log_level=warning
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

Thanks,
Fengguang
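The size mismatch the quoted commit message describes (kernel xsave area in compact format, signal frame in standard format) can be modelled in user space. The C program below is an added illustration written for this page; it is not part of the bug report, of the patch, or of the kernel. The component table holds constructed sample offsets and sizes (loosely modelled on what CPUID leaf 0x0D subleafs report on AVX-512 hardware), the compact format's optional per-component 64-byte alignment is left out, and the helper names are the example's own. It computes both sizes for an enabled-feature mask, expands a compact buffer into the standard layout with bounds checks on both sides, and shows that a frame sized from the compact layout is rejected rather than read past its end, which is the condition the KASan report above caught.

```c
/* Constructed model of standard vs. compact xsave layouts. Not kernel code;
 * component offsets and sizes are sample values chosen for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XSTATE_LEGACY_SIZE 576u   /* 512-byte FXSAVE area + 64-byte xsave header */
#define NFEATURES 6

struct xfeature {
    unsigned bit;    /* XCR0 / XCOMP_BV bit number */
    size_t offset;   /* offset in the standard (non-compacted) format */
    size_t size;     /* component size in bytes */
};

/* Sample component table (constructed; see lead-in). */
static const struct xfeature features[NFEATURES] = {
    { 2,  576,  256 },   /* AVX upper halves */
    { 3,  960,   64 },   /* MPX bound registers */
    { 4, 1024,   64 },   /* MPX bound config */
    { 5, 1088,   64 },   /* AVX-512 opmask */
    { 6, 1152,  512 },   /* ZMM_Hi256 */
    { 7, 1664, 1024 },   /* Hi16_ZMM */
};

/* Standard-format size for an enabled mask: highest enabled offset+size.
 * This is what CPUID.0D.0:EBX reports for the XCR0-enabled set; disabling
 * a component at the end of the area shrinks it. */
size_t standard_size(uint64_t mask)
{
    size_t n = XSTATE_LEGACY_SIZE;
    for (int i = 0; i < NFEATURES; i++) {
        size_t end = features[i].offset + features[i].size;
        if ((mask & (1ull << features[i].bit)) && end > n)
            n = end;
    }
    return n;
}

/* Compact-format size: legacy area followed by the enabled components
 * back to back, so gaps left by disabled components disappear. */
size_t compact_size(uint64_t mask)
{
    size_t n = XSTATE_LEGACY_SIZE;
    for (int i = 0; i < NFEATURES; i++)
        if (mask & (1ull << features[i].bit))
            n += features[i].size;
    return n;
}

/* Expand a compact buffer into a standard-format buffer. Every component
 * read and write is checked against its buffer length; returns 0 on success
 * and -1 if either buffer is too small for the layout it is supposed to hold. */
int copy_compact_to_standard(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_len, uint64_t mask)
{
    if (src_len < XSTATE_LEGACY_SIZE || dst_len < XSTATE_LEGACY_SIZE)
        return -1;
    memset(dst, 0, dst_len);                   /* disabled components read as zero */
    memcpy(dst, src, XSTATE_LEGACY_SIZE);      /* legacy area has the same place in both */
    size_t src_off = XSTATE_LEGACY_SIZE;
    for (int i = 0; i < NFEATURES; i++) {
        const struct xfeature *f = &features[i];
        if (!(mask & (1ull << f->bit)))
            continue;
        if (src_off + f->size > src_len || f->offset + f->size > dst_len)
            return -1;                         /* would read or write past a buffer */
        memcpy(dst + f->offset, src + src_off, f->size);
        src_off += f->size;
    }
    return 0;
}

/* Fill a compact buffer with one marker byte per component (0xA0 + bit
 * number; 0x01 for the legacy area) so the expansion can be checked. */
void fill_compact(uint8_t *buf, size_t len, uint64_t mask)
{
    memset(buf, 0, len);
    memset(buf, 0x01, XSTATE_LEGACY_SIZE);
    size_t off = XSTATE_LEGACY_SIZE;
    for (int i = 0; i < NFEATURES; i++)
        if (mask & (1ull << features[i].bit)) {
            memset(buf + off, 0xA0 + features[i].bit, features[i].size);
            off += features[i].size;
        }
}

int main(void)
{
    /* AVX and AVX-512 enabled, MPX disabled: leaves a 128-byte gap in standard format */
    uint64_t mask = (1ull << 2) | (1ull << 5) | (1ull << 6) | (1ull << 7);
    size_t ks = compact_size(mask), us = standard_size(mask);
    static uint8_t kbuf[4096], ubuf[4096];
    fill_compact(kbuf, ks, mask);
    printf("kernel (compact) size %zu, user (standard) size %zu\n", ks, us);
    printf("frame sized from kernel size: %s\n",
           copy_compact_to_standard(kbuf, ks, ubuf, ks, mask) ? "rejected" : "ok");
    printf("frame sized from user size:   %s\n",
           copy_compact_to_standard(kbuf, ks, ubuf, us, mask) ? "rejected" : "ok");
    return 0;
}
```

With the sample table the compact buffer is 2432 bytes while the standard frame needs 2688, so a frame allocated from the kernel's size cannot hold the last component; the checked copy reports that instead of reading or writing beyond either buffer.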

View attachment "dmesg-quantal-kbuild-4:20150425043034:x86_64-randconfig-a0-04190253:4.0.0-08095-geb8d15e:13" of type "text/plain" (85305 bytes)

View attachment "config-4.0.0-08095-geb8d15e" of type "text/plain" (105942 bytes)
