Message-ID: <20171107093921.ulnjqoaycig5qqoy@wfg-t540p.sh.intel.com>
Date: Tue, 7 Nov 2017 17:39:21 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: linux-kernel@...r.kernel.org
Cc: Petr Mladek <pmladek@...e.com>,
Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
Steven Rostedt <rostedt@...dmis.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Aleksey Makarov <aleksey.makarov@...aro.org>,
Ingo Molnar <mingo@...nel.org>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>
Subject: [devkmsg_write] BUG: KASAN: slab-out-of-bounds in copyin+0xea/0x170
Hello,
FYI this happens in v4.14-rc8 -- it's not necessarily a new bug.
[ 22.184920] Freeing unused kernel memory: 824K
[ 22.199198] Freeing unused kernel memory: 1436K
[ 22.228460] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 22.230474] rodata_test: all tests were successful
[ 22.254830] ==================================================================
[ 22.257125] BUG: KASAN: slab-out-of-bounds in copyin+0xea/0x170
[ 22.258648] Write of size 26 at addr ffff880013432540 by task init/1
[ 22.260272]
[ 22.260860] CPU: 0 PID: 1 Comm: init Not tainted 4.14.0-rc8 #14
[ 22.262379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 22.264441] Call Trace:
[ 22.265206] dump_stack+0x5d/0x81
[ 22.266147] print_address_description+0xa7/0x280
[ 22.267369] ? copyin+0xea/0x170
[ 22.268282] ? copyin+0xea/0x170
[ 22.268990] kasan_report+0xd3/0x150
[ 22.269551] ? quarantine_reduce+0x1/0x1a0
[ 22.270177] ? copyin+0xea/0x170
[ 22.270703] copyin+0xea/0x170
[ 22.271202] _copy_from_iter_full+0x14f/0x4f0
[ 22.271857] ? __kmalloc+0x1ad/0x2e0
[ 22.272420] devkmsg_write+0xb9/0x1a0
[ 22.272999] new_sync_write+0xd8/0x130
[ 22.273579] vfs_write+0x174/0x2b0
[ 22.274113] SyS_write+0x50/0xc0
[ 22.274611] do_int80_syscall_32+0x7a/0x1b0
[ 22.275216] entry_INT80_compat+0x2d/0x40
[ 22.275802]
[ 22.276103] Allocated by task 1:
[ 22.276597] kasan_kmalloc+0x61/0xf0
[ 22.277202] __kmalloc+0x1ad/0x2e0
[ 22.277720] devkmsg_write+0x76/0x1a0
[ 22.278268] new_sync_write+0xd8/0x130
[ 22.278826] vfs_write+0x174/0x2b0
[ 22.279342] SyS_write+0x50/0xc0
[ 22.279840] do_int80_syscall_32+0x7a/0x1b0
[ 22.280441] entry_INT80_compat+0x2d/0x40
[ 22.281025]
[ 22.281326] Freed by task 1:
[ 22.281788] kasan_slab_free+0xac/0x180
[ 22.282354] kfree+0x105/0x310
[ 22.282837] unpack_to_rootfs+0x260/0x2a1
[ 22.283420] populate_rootfs+0x5d/0x86
[ 22.283977] do_one_initcall+0x3b/0x180
[ 22.284544] do_basic_setup+0xb4/0xd0
[ 22.285091] kernel_init_freeable+0x7b/0xed
[ 22.285680] kernel_init+0xe/0x110
[ 22.286171] ret_from_fork+0x25/0x30
[ 22.286683]
[ 22.286967] The buggy address belongs to the object at ffff880013432540
[ 22.286967] which belongs to the cache kmalloc-32 of size 32
[ 22.288469] The buggy address is located 0 bytes inside of
[ 22.288469] 32-byte region [ffff880013432540, ffff880013432560)
Attached are the full dmesg and kconfig.
Thanks,
Fengguang
Attachments: "dmesg-vm-lkp-hsw01-openwrt-ia32-11:20171107070504:x86_64-randconfig-w0-11070616:4.14.0-rc8:14" (text/plain, 69841 bytes); ".config" (text/plain, 147793 bytes)