lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20180419014235.r6ykoznj6sgyb3m4@wfg-t540p.sh.intel.com>
Date:   Thu, 19 Apr 2018 09:42:35 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     kernel-hardening@...ts.openwall.com, linux-kbuild@...r.kernel.org,
        linux-kernel@...r.kernel.org, lkp@...org
Subject: BUG: KASAN: use-after-scope in ep_poll+0x1177/0x131b

Hi Kees,

FYI this happens in mainline kernel 4.17.0-rc1.
It at least dates back to v4.15-rc1 .

I just sent you a bisect report for c61f13eaa1 ("gcc-plugins: Add
structleak for more stack initialization") possibly related to this
error.

[   30.565138] init: Console is alive
[   30.574301] kmodloader (149) used greatest stack depth: 22824 bytes left
[   31.573627] init: - preinit -
[   31.628946] procd: - early -
[   31.715094] ==================================================================
[   31.716334] BUG: KASAN: use-after-scope in ep_poll+0x1177/0x131b:
						ep_poll at fs/eventpoll.c:1832
[   31.717242] Write of size 24 at addr ffff880000307b80 by task procd/1
[   31.718361]
[   31.718653] CPU: 0 PID: 1 Comm: procd Tainted: G                T 4.17.0-rc1 #1
[   31.719799] Call Trace:
[   31.720289]  print_address_description+0x69/0x24d:
						print_address_description at mm/kasan/report.c:257
[   31.721257]  ? ep_poll+0x1177/0x131b:
						ep_poll at fs/eventpoll.c:1832
[   31.721910]  kasan_report+0x219/0x34e:
						kasan_report_error at mm/kasan/report.c:355
						 (inlined by) kasan_report at mm/kasan/report.c:412
[   31.722589]  ep_poll+0x1177/0x131b:
						ep_poll at fs/eventpoll.c:1832
[   31.723218]  ? ep_send_events_proc+0x979/0x979:
						ep_poll at fs/eventpoll.c:1741
[   31.724120]  ? sched_clock_cpu+0xa9/0x14a:
						sched_clock_cpu at kernel/sched/clock.c:351
[   31.724861]  ? pvclock_read_flags+0x136/0x136:
						pvclock_clocksource_read at arch/x86/kernel/pvclock.c:79
[   31.725633]  ? print_lockdep_off+0x27/0x27:
						match_held_lock at kernel/locking/lockdep.c:3491
[   31.726387]  ? kvm_sched_clock_read+0x12/0x20:
						__preempt_count_sub at arch/x86/include/asm/preempt.h:81
						 (inlined by) kvm_clock_read at arch/x86/kernel/kvmclock.c:90
						 (inlined by) kvm_sched_clock_read at arch/x86/kernel/kvmclock.c:101
[   31.727184]  ? sched_clock+0x34/0x37:
						paravirt_sched_clock at arch/x86/include/asm/paravirt.h:175
						 (inlined by) sched_clock at arch/x86/kernel/tsc.c:228
[   31.727920]  ? __context_tracking_exit+0xb5/0x22b:
						atomic_read at include/asm-generic/atomic-instrumented.h:21
						 (inlined by) static_key_count at include/linux/jump_label.h:194
						 (inlined by) static_key_false at include/linux/jump_label.h:206
						 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48
						 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158
[   31.728750]  ? kvm_sched_clock_read+0x12/0x20:
						__preempt_count_sub at arch/x86/include/asm/preempt.h:81
						 (inlined by) kvm_clock_read at arch/x86/kernel/kvmclock.c:90
						 (inlined by) kvm_sched_clock_read at arch/x86/kernel/kvmclock.c:101
[   31.729508]  ? sched_clock+0x34/0x37:
						paravirt_sched_clock at arch/x86/include/asm/paravirt.h:175
						 (inlined by) sched_clock at arch/x86/kernel/tsc.c:228
[   31.730138]  ? sched_clock_cpu+0xa9/0x14a:
						sched_clock_cpu at kernel/sched/clock.c:351
[   31.730913]  ? clear_sched_clock_stable+0x115/0x115:
						sched_clock_cpu at kernel/sched/clock.c:346
[   31.731763]  ? find_held_lock+0x39/0x18d:
						find_held_lock at kernel/locking/lockdep.c:3536
[   31.732494]  ? lock_downgrade+0x730/0x730:
						lock_release at kernel/locking/lockdep.c:3929
[   31.733221]  ? lock_release+0xe6b/0xe6b:
						lock_acquire at kernel/locking/lockdep.c:3909
[   31.733917]  ? get_vtime_delta+0x19f/0x239:
						steal_account_process_time at kernel/sched/cputime.c:243
						 (inlined by) account_other_time at kernel/sched/cputime.c:260
						 (inlined by) get_vtime_delta at kernel/sched/cputime.c:706
[   31.734777]  ? in_sched_functions+0x35/0x35:
						___might_sleep at kernel/sched/core.c:6146
[   31.735513]  ? account_steal_time+0x35/0x35:
						get_vtime_delta at kernel/sched/cputime.c:695
[   31.736313]  ? mntput_no_expire+0x73/0x6fe:
						rcu_lock_acquire at include/linux/rcupdate.h:246
						 (inlined by) rcu_read_lock at include/linux/rcupdate.h:632
						 (inlined by) mntput_no_expire at fs/namespace.c:1196
[   31.737082]  ? syscall_slow_exit_work+0x5c2/0x5c2:
						syscall_trace_enter at arch/x86/entry/common.c:68
[   31.737969]  ? __fget_light+0xb3/0x305:
						__read_once_size at include/linux/compiler.h:188
						 (inlined by) arch_atomic_read at arch/x86/include/asm/atomic.h:31
						 (inlined by) atomic_read at include/asm-generic/atomic-instrumented.h:22
						 (inlined by) __fget_light at fs/file.c:735
[   31.738658]  ? __fget+0x366/0x366:
						__fget_light at fs/file.c:731
[   31.739231]  ? vtime_user_exit+0x134/0x16b:
						raw_write_seqcount_end at include/linux/seqlock.h:235
						 (inlined by) write_seqcount_end at include/linux/seqlock.h:388
						 (inlined by) vtime_user_exit at kernel/sched/cputime.c:770
[   31.739878]  ? __context_tracking_exit+0xb5/0x22b:
						atomic_read at include/asm-generic/atomic-instrumented.h:21
						 (inlined by) static_key_count at include/linux/jump_label.h:194
						 (inlined by) static_key_false at include/linux/jump_label.h:206
						 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48
						 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158
[   31.740811]  ? __context_tracking_exit+0xc6/0x22b:
						__read_once_size at include/linux/compiler.h:188
						 (inlined by) arch_atomic_read at arch/x86/include/asm/atomic.h:31
						 (inlined by) atomic_read at include/asm-generic/atomic-instrumented.h:22
						 (inlined by) static_key_count at include/linux/jump_label.h:194
						 (inlined by) static_key_false at include/linux/jump_label.h:206
						 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48
						 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158
[   31.741616]  ? do_sched_yield+0x2b7/0x2b7:
						default_wake_function at kernel/sched/core.c:3742
[   31.742351]  ? trace_raw_output_preemptirq_template+0xf9/0xf9:
						trace_hardirqs_on at kernel/trace/trace_irqsoff.c:787
[   31.743380]  do_epoll_wait+0x112/0x148:
						fdput at include/linux/file.h:39
						 (inlined by) do_epoll_wait at fs/eventpoll.c:2194
[   31.744126]  __ia32_sys_epoll_wait+0xd8/0xe0:
						__do_sys_epoll_wait at fs/eventpoll.c:2201
						 (inlined by) __se_sys_epoll_wait at fs/eventpoll.c:2198
						 (inlined by) __ia32_sys_epoll_wait at fs/eventpoll.c:2198
[   31.744915]  do_int80_syscall_32+0x436/0x8b6:
						do_syscall_32_irqs_on at arch/x86/entry/common.c:323
						 (inlined by) do_int80_syscall_32 at arch/x86/entry/common.c:346
[   31.745672]  ? do_syscall_64+0x84b/0x84b:
						do_int80_syscall_32 at arch/x86/entry/common.c:343
[   31.746268]  ? vtime_user_enter+0xba/0xef:
						raw_write_seqcount_end at include/linux/seqlock.h:235
						 (inlined by) write_seqcount_end at include/linux/seqlock.h:388
						 (inlined by) vtime_user_enter at kernel/sched/cputime.c:756
[   31.746951]  ? __context_tracking_enter+0x21d/0x266:
						__context_tracking_enter at kernel/context_tracking.c:97
[   31.747929]  ? __context_tracking_enter+0x21d/0x266:
						__context_tracking_enter at kernel/context_tracking.c:97
[   31.748817]  ? context_tracking_recursion_enter+0x4a/0x4a:
						__context_tracking_enter at kernel/context_tracking.c:62
[   31.749791]  ? trace_raw_output_sys_exit+0xc6/0xc6:
						exit_to_usermode_loop at arch/x86/entry/common.c:139
[   31.750662]  ? trace_hardirqs_on_caller+0x1b3/0x1b3:
						trace_hardirqs_off_caller at kernel/trace/trace_irqsoff.c:823
[   31.751532]  ? prepare_exit_to_usermode+0x230/0x262:
						prepare_exit_to_usermode at arch/x86/entry/common.c:184
[   31.752287]  ? trace_hardirqs_off_thunk+0x1a/0x1c:
						trace_hardirqs_off_thunk at arch/x86/entry/thunk_64.S:43
[   31.753106]  entry_INT80_compat+0x84/0x90:
						entry_INT80_compat at arch/x86/entry/entry_64_compat.S:410
[   31.753715]
[   31.753966] The buggy address belongs to the page:
[   31.754784] page:ffffea000000c1c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   31.756053] flags: 0x0()

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang

View attachment "dmesg-vm-lkp-nhm-dp1-openwrt-ia32-9:20180416214450:x86_64-randconfig-s5-04161820:4.17.0-rc1:1" of type "text/plain" (56645 bytes)

View attachment ".config" of type "text/plain" (115199 bytes)

View attachment "job-script" of type "text/plain" (3788 bytes)

View attachment "reproduce-vm-lkp-nhm-dp1-openwrt-ia32-9:20180416214450:x86_64-randconfig-s5-04161820:4.17.0-rc1:1" of type "text/plain" (1937 bytes)

Powered by blists - more mailing lists