Date:   Tue, 7 Nov 2017 17:32:44 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     x86@...nel.org
Cc:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>,
        linux-kernel@...r.kernel.org
Subject: [bzImage64_load] BUG: KASAN: stack-out-of-bounds in
 deref_stack_reg+0xb5/0x11a

Hello,

FYI this happens in v4.14-rc8 -- it's not necessarily a new bug.

[    1.234546] cryptomgr_test (23) used greatest stack depth: 30320 bytes left
[    2.273711] tsc: Refined TSC clocksource calibration: 2693.503 MHz
[    2.274425] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x26d3451f606, max_idle_ns: 440795333933 ns
[    7.795097] Kprobe smoke test: started
[    7.807563] ==================================================================
[    7.808007] BUG: KASAN: stack-out-of-bounds in deref_stack_reg+0xb5/0x11a
[    7.808007] Read of size 8 at addr ffff8800001c7cd8 by task swapper/1
[    7.808007] 
[    7.808007] CPU: 0 PID: 1 Comm: swapper Not tainted 4.14.0-rc8 #26
[    7.808007] Call Trace:
[    7.808007]  <#DB>
[    7.808007]  print_address_description+0x71/0x274
[    7.808007]  ? deref_stack_reg+0xb5/0x11a
[    7.808007]  kasan_report+0x243/0x269
[    7.808007]  deref_stack_reg+0xb5/0x11a
[    7.808007]  ? __read_once_size_nocheck+0xc/0xc
[    7.808007]  ? unwind_get_return_address_ptr+0x91/0x91
[    7.808007]  ? __read_once_size_nocheck+0xc/0xc
[    7.808007]  ? unwind_get_return_address_ptr+0x91/0x91
[    7.808007]  ? bzImage64_load+0xea4/0xea5
[    7.808007]  ? bzImage64_load+0xea5/0xea5
[    7.808007]  unwind_next_frame+0xa83/0x1452
[    7.808007]  ? unwind_get_return_address_ptr+0x91/0x91
[    7.808007]  ? kernel_text_address+0x16/0x5f
[    7.808007]  ? bzImage64_load+0xea5/0xea5
[    7.808007]  __save_stack_trace+0xaf/0xbe
[    7.808007]  ? bzImage64_load+0xea5/0xea5
[    7.808007]  save_trace+0xd9/0x1d3
[    7.808007]  mark_lock+0x5f7/0xdc3
[    7.808007]  __lock_acquire+0x6b4/0x38ef
[    7.808007]  ? kretprobe_table_lock+0x1a/0x42
[    7.808007]  ? debug_show_all_locks+0x222/0x222
[    7.808007]  ? get_usage_char+0x36/0x36
[    7.808007]  ? lock_acquire+0x1a1/0x2aa
[    7.808007]  lock_acquire+0x1a1/0x2aa
[    7.808007]  ? kretprobe_table_lock+0x1a/0x42
[    7.808007]  _raw_spin_lock_irqsave+0x46/0x55
[    7.808007]  ? kretprobe_table_lock+0x1a/0x42
[    7.808007]  kretprobe_table_lock+0x1a/0x42
[    7.808007]  pre_handler_kretprobe+0x3f5/0x521
[    7.808007]  ? __unregister_kprobe_bottom+0x1eb/0x1eb
[    7.808007]  ? rcu_nmi_exit+0x70/0x98
[    7.808007]  ? paranoid_exit_no_swapgs+0x10/0x10
[    7.808007]  ? kprobe_target+0x1/0x11
[    7.808007]  kprobe_int3_handler+0x19c/0x25f
[    7.808007]  do_int3+0x61/0x142
[    7.808007]  int3+0x30/0x60
[    7.808007] RIP: 0010:kprobe_target+0x1/0x11
[    7.808007] RSP: 0000:ffff8800001c7cd0 EFLAGS: 00000246
[    7.808007] RAX: 0000000000000000 RBX: 1ffff10000038f9b RCX: 0000000000000000
[    7.808007] RDX: ffffed0000038f6f RSI: 0000000000000000 RDI: 00000000bd9f051f
[    7.808007] RBP: ffff8800001c7cf8 R08: fffffbffffeaf26e R09: fffffbffffeaf26d
[    7.808007] R10: ffff8800001c7c80 R11: 0000000000000001 R12: ffffffff8208b990
[    7.808007] R13: ffffffff8208b980 R14: 0000000000000001 R15: dffffc0000000000
[    7.808007]  </#DB>
[    7.808007]  bzImage64_load+0xea5/0xea5
[    7.808007]  ? j_kprobe_target+0x33/0x33
[    7.808007]  ? up_write+0x1c/0x31
[    7.808007]  ? blocking_notifier_chain_register+0x97/0xa1
[    7.808007]  ? init_kprobes+0x410/0x43d
[    7.808007]  ? debugfs_kprobe_init+0x10c/0x10c
[    7.808007]  ? wait_for_completion_killable+0x2d/0x2d
[    7.808007]  ? gcov_persist_setup+0xb1/0xb1
[    7.808007]  ? debugfs_kprobe_init+0x10c/0x10c
[    7.808007]  ? do_one_initcall+0xfd/0x20d
[    7.808007]  ? initcall_blacklisted+0x149/0x149
[    7.808007]  ? lock_downgrade+0x4a5/0x4a5
[    7.808007]  ? kernel_init_freeable+0x252/0x2e6
[    7.808007]  ? rest_init+0x222/0x222
[    7.808007]  ? kernel_init+0xc/0xfe
[    7.808007]  ? rest_init+0x222/0x222
[    7.808007]  ? ret_from_fork+0x2a/0x40
[    7.808007] 
[    7.808007] The buggy address belongs to the page:
[    7.808007] page:ffffea00000071c0 count:0 mapcount:0 mapping:          (null) index:0x0
[    7.808007] flags: 0x0()
[    7.808007] raw: 0000000000000000 0000000000000000 0000000000000000 00000000ffffffff

Attached the full dmesg and kconfig.

Thanks,
Fengguang

