lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171107101023.qst2jkbm7tih5po3@wfg-t540p.sh.intel.com>
Date:   Tue, 7 Nov 2017 18:10:23 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     linux-kernel@...r.kernel.org
Cc:     Andrew Lunn <andrew@...n.ch>,
        Florian Fainelli <f.fainelli@...il.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        "David S. Miller" <davem@...emloft.net>,
        Roger Quadros <rogerq@...com>,
        Sergei Shtylyov <sergei.shtylyov@...entembedded.com>,
        Russell King <rmk+kernel@...linux.org.uk>,
        Uwe Kleine-König <uwe@...ine-koenig.org>,
        Jon Mason <jon.mason@...adcom.com>,
        Fabio Estevam <fabio.estevam@....com>, netdev@...r.kernel.org
Subject: [mdiobus_free] BUG: KASAN: slab-out-of-bounds in
 _copy_from_user+0x5d/0x8f

Hello,

FYI this happens in v4.14-rc8 -- it's not necessarily a new bug.

[  387.634056] rc (229) used greatest stack depth: 29472 bytes left
[  387.694912] mount (235) used greatest stack depth: 28864 bytes left
Starting udev
[  388.211887] udevd[246]: starting version 3.1.5
[  388.688553] ==================================================================
[  388.699408] BUG: KASAN: slab-out-of-bounds in _copy_from_user+0x5d/0x8f
[  388.709223] Write of size 3 at addr ffff8800002c6270 by task udevadm/249
[  388.719049] 
[  388.721371] CPU: 0 PID: 249 Comm: udevadm Not tainted 4.14.0-rc8 #6
[  388.730678] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  388.742827] Call Trace:
[  388.746654]  dump_stack+0x19/0x1b
[  388.751779]  print_address_description+0x71/0x246
[  388.759095]  ? _copy_from_user+0x5d/0x8f
[  388.765154]  kasan_report+0x22e/0x25c
[  388.770888]  check_memory_region+0x10b/0x10d
[  388.777372]  kasan_check_write+0x14/0x16
[  388.783534]  _copy_from_user+0x5d/0x8f
[  388.789268]  kernfs_fop_write+0xa1/0x165
[  388.795520]  ? file_start_write+0x2a/0x2c
[  388.801739]  __vfs_write+0x23/0xa1
[  388.806955]  ? __sb_start_write+0x143/0x164
[  388.813183]  ? file_start_write+0x2a/0x2c
[  388.819308]  ? kmem_cache_free+0x54/0x120
[  388.825499]  vfs_write+0xb3/0xda
[  388.830427]  SyS_write+0x57/0x83
[  388.835544]  ? lockdep_sys_exit_thunk+0x16/0x27
[  388.842515]  entry_SYSCALL_64_fastpath+0x1e/0xad
[  388.849571] RIP: 0033:0x7fd496e36950
[  388.855112] RSP: 002b:00007fff4d46a1a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  388.866746] RAX: ffffffffffffffda RBX: 00007fd4970f7b78 RCX: 00007fd496e36950
[  388.877411] RDX: 0000000000000003 RSI: 00007fff4d46cc58 RDI: 0000000000000003
[  388.888262] RBP: 0000000000002710 R08: 000000000000fefe R09: 726f772f6c617574
[  388.899064] R10: 000000000000086f R11: 0000000000000246 R12: 00007fd4970f7b78
[  388.909881] R13: 0000000000000040 R14: 0000000000650fd0 R15: 00007fd4970f7b20
[  388.920774] 
[  388.923199] Allocated by task 249:
[  388.928450]  save_stack_trace+0x15/0x17
[  388.934512]  save_stack+0x37/0xb0
[  388.939693]  kasan_kmalloc+0x9a/0xac
[  388.945201]  __kmalloc+0x164/0x176
[  388.950354]  kernfs_fop_write+0x80/0x165
[  388.956447]  __vfs_write+0x23/0xa1
[  388.961700]  vfs_write+0xb3/0xda
[  388.966751]  SyS_write+0x57/0x83
[  388.971718]  entry_SYSCALL_64_fastpath+0x1e/0xad
[  388.978782] 
[  388.981214] Freed by task 11:
[  388.985908]  save_stack_trace+0x15/0x17
[  388.991805]  save_stack+0x37/0xb0
[  388.996860]  kasan_slab_free+0x74/0x99
[  389.002568]  slab_free_freelist_hook+0x79/0x96
[  389.009401]  kfree+0xd9/0x151
[  389.013974]  kfree_const+0x1b/0x1d
[  389.019301]  kobject_put+0x82/0x8a
[  389.024617]  put_device+0x12/0x14
[  389.029899]  mdiobus_free+0x33/0x35
[  389.035339]  _devm_mdiobus_free+0xc/0xe
[  389.041335]  release_nodes+0x14d/0x173
[  389.047235]  devres_release_all+0x41/0x46
[  389.053398]  driver_probe_device+0x187/0x335
[  389.060000]  __device_attach_driver+0x7f/0x88
[  389.066645]  bus_for_each_drv+0x57/0x8d
[  389.072448]  __device_attach+0x9e/0xff
[  389.078154]  device_initial_probe+0xe/0x10
[  389.084508]  bus_probe_device+0x30/0x9c
[  389.090427]  deferred_probe_work_func+0xf2/0x12f
[  389.097589]  process_one_work+0x204/0x3a7
[  389.103785]  worker_thread+0x20c/0x283
[  389.109551]  kthread+0xfe/0x106
[  389.114570]  ret_from_fork+0x25/0x30
[  389.120021] 
[  389.122579] The buggy address belongs to the object at ffff8800002c6270
[  389.122579]  which belongs to the cache kmalloc-8 of size 8
[  389.140803] The buggy address is located 0 bytes inside of
[  389.140803]  8-byte region [ffff8800002c6270, ffff8800002c6278)

Attached the full dmesg and kconfig.

Thanks,
Fengguang

View attachment "dmesg-vm-lkp-wsx03-yocto-x86_64-10:20171107051201:x86_64-randconfig-in0-11070110:4.14.0-rc8:6" of type "text/plain" (305538 bytes)

View attachment ".config" of type "text/plain" (128872 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ