lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+Yqa=BmamNsMBc1cVzE28MWAgJ-J4xPQuf5Mo+Y7zNBrg@mail.gmail.com>
Date:   Wed, 18 Oct 2017 18:40:46 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: orc unwinder: stack-out-of-bounds accesses

Hello,

I am seeing lots of KASAN-detected stack-out-of-bounds accesses in the
new ORC unwinder. Examples of reports below. linux-next on
a7dd40274d75326ca868479c62090b1198a357ad.
You can reproduce this by enabling CONFIG_KASAN with gcc7+ (which
supports stack instrumentation).


==================================================================
BUG: KASAN: stack-out-of-bounds in __read_once_size
include/linux/compiler.h:276 [inline]
BUG: KASAN: stack-out-of-bounds in deref_stack_reg+0x1b8/0x1d0
arch/x86/kernel/unwind_orc.c:282
Read of size 8 at addr ffff8801c6c3f210 by task syz-executor0/18988

CPU: 0 PID: 18988 Comm: syz-executor0 Not tainted 4.14.0-rc5-next-20171017+ #34
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x173/0x237 lib/dump_stack.c:52
 print_address_description+0x6e/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x251/0x340 mm/kasan/report.c:409
 __read_once_size include/linux/compiler.h:276 [inline]
 deref_stack_reg+0x1b8/0x1d0 arch/x86/kernel/unwind_orc.c:282
 unwind_next_frame+0xebc/0x1df0 arch/x86/kernel/unwind_orc.c:426
 __save_stack_trace+0x6e/0xd0 arch/x86/kernel/stacktrace.c:44
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3492 [inline]
 kfree+0xc8/0x250 mm/slab.c:3807
 security_cred_free+0x42/0x80 security/security.c:994
 put_cred_rcu+0xee/0x3c0 kernel/cred.c:117
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2676 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
 rcu_process_callbacks+0xcd4/0x1600 kernel/rcu/tree.c:2914
 __do_softirq+0x2ba/0xafb kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1c7/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:540 [inline]
 smp_apic_timer_interrupt+0x154/0x6b0 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0x96/0xa0 arch/x86/entry/entry_64.S:770
 </IRQ>
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:772 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/paravirt.h:794 [inline]
RIP: 0010:lock_is_held_type+0x84/0x200 kernel/locking/lockdep.c:4025
RSP: 0018:ffff8801c6c3f098 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
RAX: dffffc0000000000 RBX: ffff8801d588e480 RCX: 0000000000000000
RDX: 1ffffffff0ad8f50 RSI: 00000000ffffffff RDI: ffffffff856c7a80
RBP: ffff8801dac78680 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff85737c60
R13: ffffffff81941b12 R14: ffff8801c9d83b40 R15: ffff8801c9d83678
 anon_vma_chain_free mm/rmap.c:133 [inline]
 unlink_anon_vmas+0x1e2/0x900 mm/rmap.c:400

The buggy address belongs to the page:
page:ffffea00071b0fc0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c6c3f100: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
 ffff8801c6c3f180: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
>ffff8801c6c3f200: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
                         ^
 ffff8801c6c3f280: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
 ffff8801c6c3f300: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3
==================================================================


==================================================================
BUG: KASAN: stack-out-of-bounds in __read_once_size
include/linux/compiler.h:276 [inline]
BUG: KASAN: stack-out-of-bounds in deref_stack_reg+0x1b8/0x1d0
arch/x86/kernel/unwind_orc.c:282
Read of size 8 at addr ffff8801d4cdf340 by task syz-executor6/7070

CPU: 0 PID: 7070 Comm: syz-executor6 Not tainted 4.14.0-rc5-mm1+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x173/0x237 lib/dump_stack.c:52
 print_address_description+0x6e/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x251/0x340 mm/kasan/report.c:409
 __read_once_size include/linux/compiler.h:276 [inline]
 deref_stack_reg+0x1b8/0x1d0 arch/x86/kernel/unwind_orc.c:282
 unwind_next_frame+0xebc/0x1df0 arch/x86/kernel/unwind_orc.c:426
 __save_stack_trace+0x6e/0xd0 arch/x86/kernel/stacktrace.c:44
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3492 [inline]
 kmem_cache_free+0x72/0x280 mm/slab.c:3750
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2676 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
 rcu_process_callbacks+0xcd4/0x1600 kernel/rcu/tree.c:2914
 __do_softirq+0x2ba/0xafb kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1c7/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:540 [inline]
 smp_apic_timer_interrupt+0x154/0x6b0 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0x96/0xa0 arch/x86/entry/entry_64.S:770
 </IRQ>
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:772 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/paravirt.h:794 [inline]
RIP: 0010:lock_is_held_type+0x84/0x200 kernel/locking/lockdep.c:4025
RSP: 0000:ffff8801d4cdf220 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
RAX: dffffc0000000000 RBX: ffff8801ce78e3c0 RCX: 0000000000000000
RDX: 1ffffffff0ad8f48 RSI: 00000000ffffffff RDI: ffffffff856c7a40
RBP: 0000000000000030 R08: 0000000000000003 R09: 000000007f61a653
R10: 00000000cb829ad9 R11: 0000000000000000 R12: ffffffff85737ce0
R13: 0000000000000040 R14: 0000000001408040 R15: ffff8801c5f47000
 kmem_cache_zalloc include/linux/slab.h:681 [inline]
 jbd2_alloc_handle include/linux/jbd2.h:1316 [inline]
 new_handle fs/jbd2/transaction.c:403 [inline]
 jbd2__journal_start+0x1bf/0x980 fs/jbd2/transaction.c:428
 rcu_note_context_switch+0x6f0/0x6f0 include/linux/compiler.h:276

The buggy address belongs to the page:
page:ffffea00075337c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d4cdf200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d4cdf280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d4cdf300: 00 f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2
                                           ^
 ffff8801d4cdf380: f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d4cdf400: f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
==================================================================


==================================================================
BUG: KASAN: stack-out-of-bounds in __read_once_size
include/linux/compiler.h:276 [inline]
BUG: KASAN: stack-out-of-bounds in deref_stack_reg+0x1b8/0x1d0
arch/x86/kernel/unwind_orc.c:282
Read of size 8 at addr ffff8801c509fc20 by task blkid/6164

CPU: 0 PID: 6164 Comm: blkid Not tainted 4.14.0-rc5-mm1+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x173/0x237 lib/dump_stack.c:52
 print_address_description+0x6e/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x251/0x340 mm/kasan/report.c:409
 __read_once_size include/linux/compiler.h:276 [inline]
 deref_stack_reg+0x1b8/0x1d0 arch/x86/kernel/unwind_orc.c:282
 unwind_next_frame+0xebc/0x1df0 arch/x86/kernel/unwind_orc.c:426
 __save_stack_trace+0x6e/0xd0 arch/x86/kernel/stacktrace.c:44
 save_stack+0x32/0xb0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3492 [inline]
 kfree+0xc8/0x250 mm/slab.c:3807
 security_cred_free+0x42/0x80 security/security.c:994
 put_cred_rcu+0xee/0x3c0 kernel/cred.c:117
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2676 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
 rcu_process_callbacks+0xcd4/0x1600 kernel/rcu/tree.c:2914
 __do_softirq+0x2ba/0xafb kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1c7/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:540 [inline]
 smp_apic_timer_interrupt+0x154/0x6b0 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0x96/0xa0 arch/x86/entry/entry_64.S:770
 </IRQ>
RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:772 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/paravirt.h:794 [inline]
RIP: 0010:lock_is_held_type+0x84/0x200 kernel/locking/lockdep.c:4025
RSP: 0018:ffff8801c509fa50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
RAX: dffffc0000000000 RBX: ffff8801c56ba680 RCX: 0000000000000000
RDX: 1ffffffff0ad8f48 RSI: 00000000ffffffff RDI: ffffffff856c7a40
RBP: 00000000000000c8 R08: 0000000000000002 R09: 0000000038502891
R10: 00000000de5196b2 R11: 0000000000000000 R12: ffffffff85737ce0
R13: 0000000000000108 R14: 00000000014080c0 R15: ffff8801c6114880
 kmem_cache_zalloc include/linux/slab.h:681 [inline]
 mmap_region+0x749/0x1470 mm/mmap.c:1658

The buggy address belongs to the page:
page:ffffea00071427c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c509fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
 ffff8801c509fb80: f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2
>ffff8801c509fc00: f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3
                               ^
 ffff8801c509fc80: f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
 ffff8801c509fd00: f1 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00
==================================================================

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ