Message-ID: <20170314020705.f5dvvd5rlfgzrgpg@wfg-t540p.sh.intel.com>
Date: Tue, 14 Mar 2017 10:07:05 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Linux Memory Management List <linux-mm@...ck.org>,
linux-kernel@...r.kernel.org, LKP <lkp@...org>
Subject: [x86/kasan] 1771c6e1a5 BUG: KASAN: slab-out-of-bounds in memdup_user at addr ffff8800001f3940
Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
commit 1771c6e1a567ea0ba2cccc0a4ffe68a1419fd8ef
Author: Andrey Ryabinin <aryabinin@...tuozzo.com>
AuthorDate: Fri May 20 16:59:31 2016 -0700
Commit: Linus Torvalds <torvalds@...ux-foundation.org>
CommitDate: Fri May 20 17:58:30 2016 -0700
x86/kasan: instrument user memory access API
Exchange between user and kernel memory is coded in assembly language,
which means that such accesses won't be spotted by KASAN, as the compiler
instruments only C code.
Add explicit KASAN checks to the user memory access API to ensure that
userspace writes to (or reads from) valid kernel memory.
Note: unlike the others, strncpy_from_user() is written mostly in C and KASAN
sees memory accesses in it. However, it makes sense to add an explicit
check for all @count bytes that *potentially* could be written to the
kernel.
[aryabinin@...tuozzo.com: move kasan check under the condition]
Link: http://lkml.kernel.org/r/1462869209-21096-1-git-send-email-aryabinin@virtuozzo.com
Link: http://lkml.kernel.org/r/1462538722-1574-4-git-send-email-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Alexander Potapenko <glider@...gle.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Ingo Molnar <mingo@...e.hu>
Cc: "H. Peter Anvin" <hpa@...or.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
64f8ebaf11 mm/kasan: add API to check memory regions
1771c6e1a5 x86/kasan: instrument user memory access API
065f3e4951 Merge tag 'platform-drivers-x86-v4.11-2' of git://git.infradead.org/linux-platform-drivers-x86
5be4921c99 Add linux-next specific files for 20170310
+------------------------------------------------+------------+------------+------------+---------------+
|                                                | 64f8ebaf11 | 1771c6e1a5 | 065f3e4951 | next-20170310 |
+------------------------------------------------+------------+------------+------------+---------------+
| boot_successes                                 | 26         | 0          | 0          | 0             |
| boot_failures                                  | 18         | 11         | 11         | 25            |
| BUG:soft_lockup-CPU##stuck_for#s               | 18         |            |            |               |
| RIP:ptdump_walk_pgd_level_core                 | 9          |            |            |               |
| calltrace:mark_rodata_ro                       | 18         |            |            |               |
| Kernel_panic-not_syncing:softlockup:hung_tasks | 18         |            |            |               |
| RIP:note_page                                  | 9          |            |            |               |
| BUG:KASAN:slab-out-of-bounds                   | 0          | 11         | 11         | 25            |
| calltrace:SyS_mount                            | 0          | 11         |            |               |
| calltrace:devtmpfsd                            | 0          | 11         |            |               |
+------------------------------------------------+------------+------------+------------+---------------+
[ 0.385456] x86: Booted up 1 node, 1 CPUs
[ 0.386626] smpboot: Total of 1 processors activated (5387.01 BogoMIPS)
[ 0.391649] ==================================================================
[ 0.393756] BUG: KASAN: slab-out-of-bounds in memdup_user+0x46/0x7c at addr ffff8800001f3940
[ 0.396381] Write of size 9 by task kdevtmpfs/12
[ 0.397828] CPU: 0 PID: 12 Comm: kdevtmpfs Not tainted 4.6.0-06644-g1771c6e #1
[ 0.400059] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[ 0.402897]  0000000000000000 ffff8800188d7d18 ffffffff98de3224 ffff8800001f3940
[ 0.405982]  ffffed000003e729 ffff8800188d7da8 ffffffff98d2c370 ffff8800188d7d68
[ 0.408131]  ffff8800001f3960 00000000024000c0 0000000000000292 ffff880000098a00
[ 0.410372] Call Trace:
[ 0.411072]  [<ffffffff98de3224>] dump_stack+0x63/0x7f
[ 0.412528]  [<ffffffff98d2c370>] kasan_report+0x2d0/0x51c
[ 0.414082]  [<ffffffff98d296c1>] ? __kmalloc_track_caller+0xf8/0x111
[ 0.415889]  [<ffffffff98d2b77d>] check_memory_region+0x10b/0x10d
[ 0.417601]  [<ffffffff98d2b7b8>] kasan_check_write+0x14/0x16
[ 0.419230]  [<ffffffff98d04a37>] memdup_user+0x46/0x7c
[ 0.420784]  [<ffffffff98d04aa4>] strndup_user+0x37/0x4d
[ 0.422276]  [<ffffffff98d56da4>] copy_mount_string+0x15/0x17
[ 0.423890]  [<ffffffff98d57a1d>] SyS_mount+0x23/0xa1
[ 0.425323]  [<ffffffff98eaf072>] ? handle_create+0x1e0/0x1e0
[ 0.427107]  [<ffffffff98eaf0c9>] devtmpfsd+0x57/0x14a
[ 0.428567]  [<ffffffff98c8cd30>] kthread+0xab/0xb3
[ 0.429958]  [<ffffffff9904cc9f>] ret_from_fork+0x1f/0x40
[ 0.431528]  [<ffffffff98c8cc85>] ? kthread_parkme+0x1f/0x1f
[ 0.433125] Object at ffff8800001f3940, in cache kmalloc-32
[ 0.434675] Object allocated with size 9 bytes.
[ 0.435954] Allocation:
[ 0.436656] PID = 12
[ 0.437279]  [<ffffffff98c2048f>] save_stack_trace+0x27/0x44
[ 0.438894]  [<ffffffff98d2b863>] save_stack+0x37/0xb0
[ 0.440370]  [<ffffffff98d2ba2d>] kasan_kmalloc+0xb8/0xca
[ 0.442128]  [<ffffffff98d296c1>] __kmalloc_track_caller+0xf8/0x111
[ 0.444113]  [<ffffffff98d04a13>] memdup_user+0x22/0x7c
[ 0.445760]  [<ffffffff98d04aa4>] strndup_user+0x37/0x4d
[ 0.447446]  [<ffffffff98d56da4>] copy_mount_string+0x15/0x17
[ 0.449278]  [<ffffffff98d57a1d>] SyS_mount+0x23/0xa1
[ 0.450895]  [<ffffffff98eaf0c9>] devtmpfsd+0x57/0x14a
[ 0.452548]  [<ffffffff98c8cd30>] kthread+0xab/0xb3
[ 0.453943]  [<ffffffff9904cc9f>] ret_from_fork+0x1f/0x40
[ 0.455479] Memory state around the buggy address:
[ 0.456831]  ffff8800001f3800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 0.458861]  ffff8800001f3880: fc fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start v4.7 v4.6 --
git bisect bad 4340fa55298d17049e71c7a34e04647379c269f3 # 06:00 B 0 11 22 0 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
git bisect good 0eff4589c36edd03d50b835d0768b2c2ef3f20bd # 06:15 G 11 0 1 1 Merge tag 'clk-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
git bisect bad 0e77816e096c4ae27e98977fef56b6b9169f9017 # 06:23 B 0 4 15 0 Merge tag 'mmc-v4.7-rc1' of git://git.linaro.org/people/ulf.hansson/mmc
git bisect bad 36b150bbcc1125abaad89963420a37ff70686d5a # 06:35 B 0 11 22 0 Merge tag 'microblaze-4.7-rc1' of git://git.monstr.eu/linux-2.6-microblaze
git bisect bad bd28b14591b98f696bc9f94c5ba2e598ca487dfd # 06:45 B 0 8 20 1 x86: remove more uaccess_32.h complexity
git bisect bad 5469dc270cd44c451590d40c031e6a71c1f637e8 # 06:58 B 0 11 22 0 Merge branch 'akpm' (patches from Andrew)
git bisect good 5af2344013454640e0133bb62e8cf2e30190a472 # 07:06 G 11 0 11 11 Merge tag 'char-misc-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
git bisect good 3aa2fc1667acdd9cca816a2bc9529f494bd61b05 # 07:16 G 11 0 9 9 Merge tag 'driver-core-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
git bisect good 2f37dd131c5d3a2eac21cd5baf80658b1b02a8ac # 07:24 G 11 0 7 7 Merge tag 'staging-4.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
git bisect bad 42a0bb3f71383b457a7db362f1c69e7afb96732b # 07:35 B 0 5 16 0 printk/nmi: generic solution for safe printk in NMI
git bisect good 7b8da4c7f0777489f8690115b5fd7704ac0abb8f # 07:45 G 11 0 0 0 vmstat: get rid of the ugly cpu_stat_off variable
git bisect good 936bb4bbbb832f81055328b84e5afe1fc7246a8d # 07:57 G 11 0 0 0 mm/kasan: print name of mem[set,cpy,move]() caller in report
git bisect bad 200867af4dedfe7cb707f96773684de1d1fd21e6 # 08:05 B 0 5 16 0 mm/zswap: use workqueue to destroy pool
git bisect bad 830e4bc5baa9fda5d45257e9a3dbb3555c6c180e # 08:32 B 0 1 12 0 zsmalloc: clean up many BUG_ON
git bisect bad 1771c6e1a567ea0ba2cccc0a4ffe68a1419fd8ef # 08:46 B 0 2 13 0 x86/kasan: instrument user memory access API
git bisect good 64f8ebaf115bcddc4aaa902f981c57ba6506bc42 # 09:01 G 10 0 10 10 mm/kasan: add API to check memory regions
# first bad commit: [1771c6e1a567ea0ba2cccc0a4ffe68a1419fd8ef] x86/kasan: instrument user memory access API
git bisect good 64f8ebaf115bcddc4aaa902f981c57ba6506bc42 # 09:10 G 30 0 8 18 mm/kasan: add API to check memory regions
# extra tests with CONFIG_DEBUG_INFO_REDUCED
git bisect bad 1771c6e1a567ea0ba2cccc0a4ffe68a1419fd8ef # 09:17 B 0 1 12 0 x86/kasan: instrument user memory access API
# extra tests on HEAD of linux-devel/devel-catchup-201703140350
git bisect bad 702bbfb9a586a1f445aec794f66d4a625a19b6bf # 09:22 B 0 13 27 0 0day head guard for 'devel-catchup-201703140350'
# extra tests on tree/branch linus/master
git bisect bad 065f3e4951f11701729ad310ca0b610f61d91e2a # 09:33 B 0 1 12 0 Merge tag 'platform-drivers-x86-v4.11-2' of git://git.infradead.org/linux-platform-drivers-x86
# extra tests on tree/branch linux-next/master
git bisect bad 5be4921c9958ec02a67506bd6f7a52fce663c201 # 09:38 B 0 25 36 0 Add linux-next specific files for 20170310
---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                    Intel Corporation
Download attachment "dmesg-yocto-kbuild-51:20170314084603:x86_64-randconfig-in0-03140242:4.6.0-06644-g1771c6e:1.gz" of type "application/gzip" (12323 bytes)
Download attachment "dmesg-yocto-kbuild-18:20170314090101:x86_64-randconfig-in0-03140242:4.6.0-06643-g64f8eba:1.gz" of type "application/gzip" (12130 bytes)
View attachment "reproduce-yocto-kbuild-51:20170314084603:x86_64-randconfig-in0-03140242:4.6.0-06644-g1771c6e:1" of type "text/plain" (903 bytes)
View attachment "config-4.6.0-06644-g1771c6e" of type "text/plain" (102020 bytes)