[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+bCUwcMDbhuu3WSoFy+2YaFmSUd15M1wnGG8hZ6DhVvZw@mail.gmail.com>
Date: Wed, 20 Jun 2018 09:50:54 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzbot <syzbot+3ae3575e398ca1d88e5d@...kaller.appspotmail.com>
Cc: "H. Peter Anvin" <hpa@...or.com>,
Josh Poimboeuf <jpoimboe@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Ingo Molnar <mingo@...hat.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Thomas Gleixner <tglx@...utronix.de>,
"the arch/x86 maintainers" <x86@...nel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Radim Krčmář <rkrcmar@...hat.com>,
KVM list <kvm@...r.kernel.org>
Subject: Re: KASAN: stack-out-of-bounds Read in unwind_next_frame
On Wed, Jun 20, 2018 at 8:04 AM, syzbot
<syzbot+3ae3575e398ca1d88e5d@...kaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: ba4dbdedd3ed Merge tag 'jfs-4.18' of git://github.com/klei..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17fe8bd8400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=f390986c4f7cd566
> dashboard link: https://syzkaller.appspot.com/bug?extid=3ae3575e398ca1d88e5d
> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+3ae3575e398ca1d88e5d@...kaller.appspotmail.com
Not sure what's with the unwind here, but it looks like the culprit is
msr_write_intercepted. So +KVM maintainers and:
#syz dup: KASAN: use-after-free Read in do_general_protection
> kvm: pic: single mode not supported
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in __read_once_size
> include/linux/compiler.h:188 [inline]
> BUG: KASAN: stack-out-of-bounds in unwind_next_frame.part.7+0x801/0x9e0
> arch/x86/kernel/unwind_frame.c:326
> Read of size 8 at addr ffff88017c386c78 by task syz-executor0/22016
>
> CPU: 1 PID: 22016 Comm: syz-executor0 Not tainted 4.18.0-rc1+ #109
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
> print_address_description+0x6c/0x20b mm/kasan/report.c:256
> kasan_report_error mm/kasan/report.c:354 [inline]
> kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
> __read_once_size include/linux/compiler.h:188 [inline]
> unwind_next_frame.part.7+0x801/0x9e0 arch/x86/kernel/unwind_frame.c:326
> unwind_next_frame+0x3e/0x50 arch/x86/kernel/unwind_frame.c:287
> __save_stack_trace+0x7d/0xf0 arch/x86/kernel/stacktrace.c:44
> save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
> save_trace+0xe0/0x290 kernel/locking/lockdep.c:404
> check_prev_add kernel/locking/lockdep.c:1915 [inline]
> check_prevs_add kernel/locking/lockdep.c:1980 [inline]
> validate_chain kernel/locking/lockdep.c:2421 [inline]
> __lock_acquire+0x39a8/0x5020 kernel/locking/lockdep.c:3435
> lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
> __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
> _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144
> vprintk_emit+0x191/0xdf0 kernel/printk/printk.c:1848
> vprintk_default+0x28/0x30 kernel/printk/printk.c:1948
> vprintk_func+0x7a/0xe7 kernel/printk/printk_safe.c:382
> printk+0xa7/0xcf kernel/printk/printk.c:1981
> kasan_die_handler.cold.22+0x11/0x30 arch/x86/mm/kasan_init_64.c:251
> notifier_call_chain+0x180/0x390 kernel/notifier.c:93
> __atomic_notifier_call_chain kernel/notifier.c:183 [inline]
> atomic_notifier_call_chain+0x98/0x190 kernel/notifier.c:193
> notify_die+0x1be/0x2e0 kernel/notifier.c:549
> do_general_protection+0x248/0x2f0 arch/x86/kernel/traps.c:559
> general_protection+0x1e/0x30 arch/x86/entry/entry_64.S:1159
> RIP: 0010:msr_write_intercepted arch/x86/kvm/vmx.c:2327 [inline]
> RIP: 0010:vmx_vcpu_run+0x131a/0x2600 arch/x86/kvm/vmx.c:10149
> Code: 00 00 10 89 de e8 36 65 5c 00 85 db 0f 84 91 00 00 00 e8 19 64 5c 00
> 48 8b 54 24 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85
> 8c 10 00 00 48 8b 04 24 48 8b 98 40 57 00 00 48
> RSP: 0018:ffff88017c387370 EFLAGS: 00010002
> RAX: dffffc0000000000 RBX: 0000000010000000 RCX: ffffffff811f467a
> RDX: 000000000000045b RSI: ffffffff811f4687 RDI: 0000000000000005
> RBP: ffff88017c3873a8 R08: ffff8801b0e4a080 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>
> The buggy address belongs to the page:
> page:ffffea0005f0e180 count:0 mapcount:0 mapping:0000000000000000
> index:0xffff88017c386940
> flags: 0x2fffc0000000000()
> raw: 02fffc0000000000 0000000000000000 dead000000000200 0000000000000000
> raw: ffff88017c386940 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88017c386b00: f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
> ffff88017c386b80: f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
>>
>> ffff88017c386c00: f2 f2 f8 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2
>
> ^
> ffff88017c386c80: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f1 f1 f1 f1 00 f2
> ffff88017c386d00: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 00 00 00 00
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
Powered by blists - more mailing lists