lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180829134620.GD7369@quack2.suse.cz>
Date:   Wed, 29 Aug 2018 15:46:20 +0200
From:   Jan Kara <jack@...e.cz>
To:     syzbot <syzbot+45a34334c61a8ecf661d@...kaller.appspotmail.com>
Cc:     jack@...e.com, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        tytso@....edu
Subject: Re: KASAN: stack-out-of-bounds Read in __schedule

On Tue 28-08-18 08:30:02, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    5b394b2ddf03 Linux 4.19-rc1
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14f4d8e1400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=49927b422dcf0b29
> dashboard link: https://syzkaller.appspot.com/bug?extid=45a34334c61a8ecf661d
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13127e5a400000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+45a34334c61a8ecf661d@...kaller.appspotmail.com
> 
> IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in schedule_debug kernel/sched/core.c:3285
> [inline]
> BUG: KASAN: stack-out-of-bounds in __schedule+0x1977/0x1df0
> kernel/sched/core.c:3395
> Read of size 8 at addr ffff8801ad090000 by task syz-executor0/4718

Weird, can you please help me decipher this? So here KASAN complains about
wrong memory access in the scheduler. However the stacktrace below shows a
problem in find_stack() function called by KASAN? And this does not seem to
be fs related at all? Also the reproducer has no sign of any filesystem
related activity...

								Honza

> CPU: 0 PID: 4718 Comm: syz-executor0 Not tainted 4.19.0-rc1+ #211
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> 
> The buggy address belongs to the page:
> page:ffffea0006b42400 count:1 mapcount:-512 mapping:0000000000000000
> index:0x0
> flags: 0x2fffc0000000000()
> raw: 02fffc0000000000 dead000000000100 dead000000000200 0000000000000000
> raw: 0000000000000000 0000000000000000 00000001fffffdff ffff8801d29544c0
> page dumped because: kasan: bad access detected
> page->mem_cgroup:ffff8801d29544c0
> 
> Memory state around the buggy address:
>  ffff8801ad08ff00: f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00
>  ffff8801ad08ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
> > ffff8801ad090000: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2
>                    ^
>  ffff8801ad090080: f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00
>  ffff8801ad090100: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> ==================================================================
> Kernel panic - not syncing: panic_on_warn set ...
> 
> BUG: unable to handle kernel paging request at 0000000100000007
> PGD 1b34a2067 P4D 1b34a2067 PUD 0
> Oops: 0000 [#1] SMP KASAN
> CPU: 1 PID: 4325 Comm: rs:main Q:Reg Tainted: G    B             4.19.0-rc1+
> #211
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:find_stack lib/stackdepot.c:188 [inline]
> RIP: 0010:depot_save_stack+0x120/0x470 lib/stackdepot.c:238
> Code: 0f 00 4e 8b 24 f5 e0 db ae 89 4d 85 e4 0f 84 d4 00 00 00 44 8d 47 ff
> 49 c1 e0 03 eb 0d 4d 8b 24 24 4d 85 e4 0f 84 bd 00 00 00 <41> 39 5c 24 08 75
> ec 41 3b 7c 24 0c 75 e5 48 8b 01 49 39 44 24 18
> RSP: 0018:ffff8801b2636f40 EFLAGS: 00010006
> RAX: 0000000084727a0d RBX: 00000000222ca320 RCX: ffff8801b2636fa0
> RDX: 000000004e510a9d RSI: 0000000000400000 RDI: 0000000000000012
> RBP: ffff8801b2636f78 R08: 0000000000000088 R09: 00000000dcf06c78
> R10: 00000000ecfd654a R11: ffff8801db1236f3 R12: 00000000ffffffff
> R13: ffff8801b2636f88 R14: 00000000000ca320 R15: ffff8801b2a72680
> FS:  00007ff2eb061700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000100000007 CR3: 00000001b4fdd000 CR4: 00000000001406e0
> Call Trace:
>  save_stack+0xa9/0xd0 mm/kasan/kasan.c:454
>  set_track mm/kasan/kasan.c:460 [inline]
>  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>  __cache_free mm/slab.c:3498 [inline]
>  kmem_cache_free+0x86/0x280 mm/slab.c:3756
>  jbd2_free_handle include/linux/jbd2.h:1426 [inline]
>  jbd2_journal_stop+0x443/0x1600 fs/jbd2/transaction.c:1787
>  __ext4_journal_stop+0xde/0x1f0 fs/ext4/ext4_jbd2.c:103
>  ext4_dirty_inode+0xab/0xc0 fs/ext4/inode.c:6027
>  __mark_inode_dirty+0x760/0x1300 fs/fs-writeback.c:2129
>  generic_update_time+0x26a/0x450 fs/inode.c:1651
>  update_time fs/inode.c:1667 [inline]
>  file_update_time+0x390/0x640 fs/inode.c:1877
>  __generic_file_write_iter+0x1dc/0x630 mm/filemap.c:3214
>  ext4_file_write_iter+0x390/0x1450 fs/ext4/file.c:266
>  call_write_iter include/linux/fs.h:1807 [inline]
>  new_sync_write fs/read_write.c:474 [inline]
>  __vfs_write+0x6af/0x9d0 fs/read_write.c:487
>  vfs_write+0x1fc/0x560 fs/read_write.c:549
>  ksys_write+0x101/0x260 fs/read_write.c:598
>  __do_sys_write fs/read_write.c:610 [inline]
>  __se_sys_write fs/read_write.c:607 [inline]
>  __x64_sys_write+0x73/0xb0 fs/read_write.c:607
>  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x7ff2ecabf19d
> Code: d1 20 00 00 75 10 b8 01 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48
> 83 ec 08 e8 be fa ff ff 48 89 04 24 b8 01 00 00 00 0f 05 <48> 8b 3c 24 48 89
> c2 e8 07 fb ff ff 48 89 d0 48 83 c4 08 48 3d 01
> RSP: 002b:00007ff2eb05ff90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000400 RCX: 00007ff2ecabf19d
> RDX: 0000000000000400 RSI: 0000000002089a90 RDI: 0000000000000005
> RBP: 0000000002089a90 R08: 00000000020d9e00 R09: 656c6c616b7a7973
> R10: 6c656e72656b2072 R11: 0000000000000293 R12: 0000000000000000
> R13: 00007ff2eb060410 R14: 00000000020d9e00 R15: 0000000002089890
> Modules linked in:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> CR2: 0000000100000007
> ---[ end trace fbf1ba842de6c894 ]---
> RIP: 0010:find_stack lib/stackdepot.c:188 [inline]
> RIP: 0010:depot_save_stack+0x120/0x470 lib/stackdepot.c:238
> Code: 0f 00 4e 8b 24 f5 e0 db ae 89 4d 85 e4 0f 84 d4 00 00 00 44 8d 47 ff
> 49 c1 e0 03 eb 0d 4d 8b 24 24 4d 85 e4 0f 84 bd 00 00 00 <41> 39 5c 24 08 75
> ec 41 3b 7c 24 0c 75 e5 48 8b 01 49 39 44 24 18
> RSP: 0018:ffff8801b2636f40 EFLAGS: 00010006
> RAX: 0000000084727a0d RBX: 00000000222ca320 RCX: ffff8801b2636fa0
> RDX: 000000004e510a9d RSI: 0000000000400000 RDI: 0000000000000012
> RBP: ffff8801b2636f78 R08: 0000000000000088 R09: 00000000dcf06c78
> R10: 00000000ecfd654a R11: ffff8801db1236f3 R12: 00000000ffffffff
> R13: ffff8801b2636f88 R14: 00000000000ca320 R15: ffff8801b2a72680
> FS:  00007ff2eb061700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000100000007 CR3: 00000001b4fdd000 CR4: 00000000001406e0
> Shutting down cpus with NMI
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ