Date:   Wed, 5 Aug 2020 08:20:15 +0800
From:   kernel test robot <lkp@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, LKP <lkp@...ts.01.org>
Subject: ed66f991bb ("module: Refactor section attr into bin attribute"): [
   70.645135] BUG: KASAN: slab-out-of-bounds in vsnprintf

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit ed66f991bb19d94cae5d38f77de81f96aac7813f
Author:     Kees Cook <keescook@...omium.org>
AuthorDate: Thu Jul 2 13:47:20 2020 -0700
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Wed Jul 8 16:00:17 2020 -0700

    module: Refactor section attr into bin attribute
    
    In order to gain access to the open file's f_cred for kallsym visibility
    permission checks, refactor the module section attributes to use the
    bin_attribute instead of attribute interface. Additionally removes the
    redundant "name" struct member.
    
    Cc: stable@...r.kernel.org
    Reviewed-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
    Tested-by: Jessica Yu <jeyu@...nel.org>
    Acked-by: Jessica Yu <jeyu@...nel.org>
    Signed-off-by: Kees Cook <keescook@...omium.org>

160251842c  kallsyms: Refactor kallsyms_show_value() to take cred
ed66f991bb  module: Refactor section attr into bin attribute
c0842fbc1b  random32: move the pseudo-random 32-bit definitions to prandom.h
+-----------------------------------+------------+------------+------------+
|                                   | 160251842c | ed66f991bb | c0842fbc1b |
+-----------------------------------+------------+------------+------------+
| boot_successes                    | 642        | 200        | 30         |
| boot_failures                     | 9          | 20         | 2          |
| BUG:kernel_hang_in_test_stage     | 2          |            |            |
| BUG:kernel_hang_in_boot_stage     | 7          | 1          |            |
| BUG:KASAN:slab-out-of-bounds_in_n | 0          | 5          | 1          |
| BUG:KASAN:slab-out-of-bounds_in_v | 0          | 14         | 1          |
+-----------------------------------+------------+------------+------------+

If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <lkp@...el.com>

[   64.103075] trinity-c0 (1011): attempted to duplicate a private mapping with mremap.  This is not supported.
[   64.300797] Lockdown: trinity-c0: unsafe use of perf is restricted; see man kernel_lockdown.7
[   65.342888] Unable to find swap-space signature
[main] 10730 iterations. [F:7458 S:3194 HI:3556]
[   70.643757] ==================================================================
[   70.645135] BUG: KASAN: slab-out-of-bounds in vsnprintf+0xa75/0x1e70
[   70.646293] Write of size 2 at addr ffff888358c37e80 by task trinity-c2/1318
[   70.647661] 
[   70.647974] CPU: 0 PID: 1318 Comm: trinity-c2 Not tainted 5.8.0-rc2-00002-ged66f991bb19d #1
[   70.649549] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   70.651118] Call Trace:
[   70.651761]  dump_stack+0x35/0x50
[   70.652419]  print_address_description+0x2f/0x360
[   70.653490]  ? stack_trace_save+0x96/0xd0
[   70.654239]  ? stack_trace_snprint+0x120/0x120
[   70.655066]  ? vsnprintf+0xa75/0x1e70
[   70.687351]  kasan_report.cold+0xba/0x17e
[   70.688142]  ? vsnprintf+0xa75/0x1e70
[   70.688855]  check_memory_region+0x2b2/0x300
[   70.689687]  memcpy+0x5c/0xa0
[   70.690287]  vsnprintf+0xa75/0x1e70
[   70.690959]  ? pointer+0x8b0/0x8b0
[   70.691736]  sprintf+0xb6/0xf0
[   70.692329]  ? va_format+0x1b0/0x1b0
[   70.693117]  ? prep_new_page+0xa1/0x450
[   70.693836]  ? __might_sleep+0xab/0x1e0
[   70.694586]  module_sect_read+0x64/0xc0
[   70.695324]  sysfs_kf_bin_read+0x15a/0x310
[   70.696093]  kernfs_file_direct_read+0x213/0x4e0
[   70.696935]  kernfs_fop_read+0xd9/0x180
[   70.697650]  do_loop_readv_writev+0xda/0x320
[   70.698440]  do_iter_read+0x2af/0x3a0
[   70.699147]  vfs_readv+0xe1/0x160
[   70.699848]  ? compat_rw_copy_check_uvector+0x550/0x550
[   70.700810]  ? push_pipe+0x283/0x7a0
[   70.701457]  ? iov_iter_get_pages_alloc+0xc82/0x16a0
[   70.702364]  ? iov_iter_pipe+0x300/0x300
[   70.703092]  ? find_get_entry+0x18c/0x3a0
[   70.703850]  ? __lock_page_or_retry+0x360/0x360
[   70.704686]  default_file_splice_read+0x532/0x9f0
[   70.705653]  ? iter_file_splice_write+0xca0/0xca0
[   70.706514]  ? __kasan_check_read+0x21/0x30
[   70.707304]  ? __module_text_address+0x1b/0x1a0
[   70.708156]  ? __kasan_check_read+0x21/0x30
[   70.708929]  ? __fsnotify_update_child_dentry_flags+0x2e0/0x2e0
[   70.710004]  ? __kasan_check_write+0x24/0x30
[   70.710806]  ? __fsnotify_inode_delete+0x30/0x30
[   70.711682]  ? security_file_permission+0x1fb/0x530
[   70.712586]  ? rw_verify_area+0xc8/0x350
[   70.713316]  do_splice_to+0x126/0x1a0
[   70.714009]  splice_direct_to_actor+0x2d7/0xa00
[   70.714830]  ? __generic_file_write_iter+0x363/0x610
[   70.715771]  ? do_splice_from+0x140/0x140
[   70.716522]  ? do_splice_to+0x1a0/0x1a0
[   70.717242]  ? rw_verify_area+0xc8/0x350
[   70.717952]  do_splice_direct+0x16e/0x2e0
[   70.718708]  ? new_sync_write+0x3a4/0x6f0
[   70.723643]  ? splice_direct_to_actor+0xa00/0xa00
[   70.724557]  ? __might_sleep+0xab/0x1e0
[   70.725304]  ? rw_verify_area+0xc8/0x350
[   70.726071]  do_sendfile+0x478/0xe30
[   70.726771]  ? __x64_sys_copy_file_range+0x560/0x560
[   70.727824]  ? __might_sleep+0xab/0x1e0
[   70.728667]  ? __kasan_check_write+0x24/0x30
[   70.729631]  __x64_sys_sendfile64+0x145/0x250
[   70.730560]  ? __x32_compat_sys_sendfile+0x250/0x250
[   70.731694]  ? __prepare_exit_to_usermode+0xa8/0x2d0
[   70.732919]  do_syscall_64+0x6d/0x290
[   70.733856]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.735137] RIP: 0033:0x457729
[   70.735882] Code: Bad RIP value.
[   70.736662] RSP: 002b:00007ffd0e5de6c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   70.738494] RAX: ffffffffffffffda RBX: 0000000000000028 RCX: 0000000000457729
[   70.740255] RDX: 0000000000000001 RSI: 000000000000003d RDI: 000000000000011c
[   70.742031] RBP: 00007ffd0e5de770 R08: 00000000000000dd R09: 000000000000ff47
[   70.743729] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000002
[   70.745081] R13: 00007fb7e7ab4058 R14: 0000000001057830 R15: 00007fb7e7ab4000
[   70.746414] 
[   70.746746] Allocated by task 1318:
[   70.747461]  save_stack+0x2b/0x70
[   70.748126]  __kasan_kmalloc+0x111/0x120
[   70.749086]  kasan_kmalloc+0x11/0x20
[   70.749796]  __kmalloc+0x196/0x300
[   70.750470]  kernfs_file_direct_read+0x368/0x4e0
[   70.755459]  kernfs_fop_read+0xd9/0x180
[   70.756218]  do_loop_readv_writev+0xda/0x320
[   70.757045]  do_iter_read+0x2af/0x3a0
[   70.757760]  vfs_readv+0xe1/0x160
[   70.758417]  default_file_splice_read+0x532/0x9f0
[   70.759441]  do_splice_to+0x126/0x1a0
[   70.760165]  splice_direct_to_actor+0x2d7/0xa00
[   70.761060]  do_splice_direct+0x16e/0x2e0
[   70.761812]  do_sendfile+0x478/0xe30
[   70.762511]  __x64_sys_sendfile64+0x145/0x250
[   70.763372]  do_syscall_64+0x6d/0x290
[   70.764092]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.765050] 
[   70.765375] Freed by task 0:
[   70.765918] (stack is not available)
[   70.766610] 

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start d9ad7006330c4d6ce3d7369ed85f9404a6629dba v5.7 --
git bisect good 44ebe016df3aad96e3be8f95ec52397728dd7701  # 13:58  G    212     0    1   1  Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
git bisect good 2cfa46dadd203eef88cc70131df7a81ebc34b8ff  # 15:42  G    212     0    1   1  Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
git bisect  bad cb24c61b53c3f47d4ba596fe37076202f7189676  # 16:02  B      0     1   17   0  Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
git bisect good 9bc0b029a8889f2c67c988760aba66a8d7b22af5  # 16:32  G    212     0    0   0  Merge tag 'powerpc-5.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
git bisect good a6bc851ffe0b246ab4f8aa0d01620fbc08d0441f  # 17:52  G    213     0    1   1  Merge tag 'tpmdd-next-v5.8-rc5' of git://git.infradead.org/users/jjs/linux-tpmdd
git bisect good 0bddd227f3dc55975e2b8dfa7fc6f959b062a2c7  # 18:28  G    216     0    1   1  Documentation: update for gcc 4.9 requirement
git bisect  bad 355a3587d4ca09f2b1014778a7c8908351a91468  # 18:52  B     13     1    1   1  kbuild: Move -Wtype-limits to W=2
git bisect  bad ce69fb3b392fbfd6c255aeb0ee371652478c716f  # 19:23  B     11     2    1   1  Merge tag 'kallsyms_show_value-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect  bad b25a7c5af9051850d4f3d93ca500056ab6ec724b  # 19:47  B      3     2    0   0  module: Do not expose section addresses to non-CAP_SYSLOG
git bisect  bad ed66f991bb19d94cae5d38f77de81f96aac7813f  # 20:15  B     15     1    0   0  module: Refactor section attr into bin attribute
git bisect good 160251842cd35a75edfb0a1d76afa3eb674ff40a  # 22:02  G    211     0    2   2  kallsyms: Refactor kallsyms_show_value() to take cred
# first bad commit: [ed66f991bb19d94cae5d38f77de81f96aac7813f] module: Refactor section attr into bin attribute
git bisect good 160251842cd35a75edfb0a1d76afa3eb674ff40a  # 23:22  G    632     0    7   9  kallsyms: Refactor kallsyms_show_value() to take cred
# extra tests with debug options
git bisect  bad ed66f991bb19d94cae5d38f77de81f96aac7813f  # 23:56  B     34     1    0   0  module: Refactor section attr into bin attribute
# extra tests on head commit of linus/master
git bisect  bad c0842fbc1b18c7a044e6ff3e8fa78bfa822c7d1a  # 01:15  B     30     1    1   1  random32: move the pseudo-random 32-bit definitions to prandom.h
# bad: [c0842fbc1b18c7a044e6ff3e8fa78bfa822c7d1a] random32: move the pseudo-random 32-bit definitions to prandom.h
# extra tests on linus/master
# duplicated: [c0842fbc1b18c7a044e6ff3e8fa78bfa822c7d1a] random32: move the pseudo-random 32-bit definitions to prandom.h
# extra tests on linux-next/master
# 119: [1cfc1dba44c2b62b2856bf23624116eea9cd5627] Add linux-next specific files for 20200804

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/lkp@lists.01.org

Download attachment "dmesg-yocto-vm-yocto-41:20200804201519:x86_64-randconfig-a004-20200730:5.8.0-rc2-00002-ged66f991bb19d:1.gz" of type "application/gzip" (24159 bytes)

Download attachment "dmesg-yocto-vm-yocto-22:20200804224700:x86_64-randconfig-a004-20200730:5.8.0-rc2-00001-g160251842cd35:1.gz" of type "application/gzip" (19900 bytes)

View attachment "reproduce-yocto-vm-yocto-41:20200804201519:x86_64-randconfig-a004-20200730:5.8.0-rc2-00002-ged66f991bb19d:1" of type "text/plain" (1191 bytes)

Download attachment "3eeb076bed98a9c2f180dd8c9adc82e2efd41f5a:gcc-9:x86_64-randconfig-a004-20200730:BUG:KASAN:slab-out-of-bounds_in_v.xz" of type "application/x-xz" (13828 bytes)

View attachment "config-5.8.0-rc2-00002-ged66f991bb19d" of type "text/plain" (137381 bytes)
