lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+agcezesdRUKtrho6sRmoRiCH6q4GU1J2QrTYqVkmJpKA@mail.gmail.com>
Date:   Thu, 5 Jan 2017 15:59:52 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzkaller <syzkaller@...glegroups.com>
Cc:     Andrey Konovalov <andreyknvl@...gle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        kasan-dev <kasan-dev@...glegroups.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>,
        Kostya Serebryany <kcc@...gle.com>
Subject: Re: x86: warning in unwind_get_return_address

On Thu, Jan 5, 2017 at 3:49 PM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
> On Tue, Dec 27, 2016 at 05:38:59PM +0100, Dmitry Vyukov wrote:
>> On Thu, Dec 22, 2016 at 6:17 AM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
>> > On Wed, Dec 21, 2016 at 01:46:36PM +0100, Andrey Konovalov wrote:
>> >> On Wed, Dec 21, 2016 at 12:36 AM, Josh Poimboeuf <jpoimboe@...hat.com> wrote:
>> >> >
>> >> > Thanks.  Looking at the stack trace, my guess is that an interrupt hit
>> >> > while running in generated BPF code, and the unwinder got confused
>> >> > because regs->ip points to the generated code.  I may need to disable
>> >> > that warning until we figure out a better solution.
>> >> >
>> >> > Can you share your .config file?
>> >>
>> >> Sure, attached.
>> >
>> > Ok, I was able to recreate with your config.  The culprit was generated
>> > code, as I suspected, though it wasn't BPF, it was a kprobe (created by
>> > dccpprobe_init()).
>> >
>> > I'll make a patch to disable the warning.
>>
>> Hi,
>>
>> I am also seeing the following warnings:
>>
>> [  281.889259] WARNING: kernel stack regs at ffff8801c29a7ea8 in
>> syz-executor8:1302 has bad 'bp' value ffff8801c29a7f28
>> [  833.994878] WARNING: kernel stack regs at ffff8801c4e77ea8 in
>> syz-executor1:13094 has bad 'bp' value ffff8801c4e77f28
>>
>> Can it also be caused by bpf/kprobe?
>
> This is a different warning.  I suspect it's due to unwinding the stack
> of another CPU while it's running, which is still possible in a few
> places.  I'm going to have to disable all these warnings for now.


I also have the following diff locally. These loads trigger episodic
KASAN warnings about stack-of-bounds reads on rcu stall warnings when
it does backtrace of all cpus.
If it looks correct to you, can you please also incorporate it into your patch?


diff --git a/arch/x86/include/asm/stacktrace.h
b/arch/x86/include/asm/stacktrace.h
index a3269c897ec5..d8d4fc66ffec 100644
--- a/arch/x86/include/asm/stacktrace.h
+++ b/arch/x86/include/asm/stacktrace.h
@@ -58,7 +58,7 @@ get_frame_pointer(struct task_struct *task, struct
pt_regs *regs)
        if (task == current)
                return __builtin_frame_address(0);

-       return (unsigned long *)((struct inactive_task_frame
*)task->thread.sp)->bp;
+       return (unsigned long *)READ_ONCE_NOCHECK(((struct
inactive_task_frame *)task->thread.sp)->bp);
 }
 #else
 static inline unsigned long *
diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c
index 4443e499f279..f3a225ffa231 100644
--- a/arch/x86/kernel/unwind_frame.c
+++ b/arch/x86/kernel/unwind_frame.c
@@ -162,7 +162,7 @@ bool unwind_next_frame(struct unwind_state *state)
        if (state->regs)
                next_bp = (unsigned long *)state->regs->bp;
        else
-               next_bp = (unsigned long *)*state->bp;
+               next_bp = (unsigned long *)READ_ONCE_NOCHECK(*state->bp);

        /* is the next frame pointer an encoded pointer to pt_regs? */
        regs = decode_frame_pointer(next_bp);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ