Open Source and information security mailing list archives
Message-ID: <20180930031145.GE15893@shao2-debian>
Date:   Sun, 30 Sep 2018 11:11:45 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Dmitry Safonov <dima@...sta.com>
Cc:     linux-kernel@...r.kernel.org,
        Dmitry Safonov <0x7f454c46@...il.com>,
        Andrei Vagin <avagin@...il.com>,
        Dmitry Safonov <dima@...sta.com>,
        Adrian Reber <adrian@...as.de>,
        Andrei Vagin <avagin@...nvz.org>,
        Andy Lutomirski <luto@...nel.org>,
        Christian Brauner <christian.brauner@...ntu.com>,
        Cyrill Gorcunov <gorcunov@...nvz.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        "H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
        Jeff Dike <jdike@...toit.com>, Oleg Nesterov <oleg@...hat.com>,
        Pavel Emelyanov <xemul@...tuozzo.com>,
        Shuah Khan <shuah@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        containers@...ts.linux-foundation.org, criu@...nvz.org,
        linux-api@...r.kernel.org, x86@...nel.org, lkp@...org
Subject: [LKP] [posix] 25217c6e39: BUG:KASAN:null-ptr-deref_in_c

FYI, we noticed the following commit (built with gcc-4.9):

commit: 25217c6e39560eeadb338e0140ee215410200b67 ("[RFC 13/20] posix-timers/timens: Take into account clock offsets")
url: https://github.com/0day-ci/linux/commits/Dmitry-Safonov/ns-Introduce-Time-Namespace/20180920-194322


in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu qemu64,+ssse3 -smp 4 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------------------+------------+------------+
|                                                         | fb1111e1a5 | 25217c6e39 |
+---------------------------------------------------------+------------+------------+
| boot_successes                                          | 0          | 0          |
| boot_failures                                           | 27         | 16         |
| BUG:KASAN:null-ptr-deref_in_p                           | 21         |            |
| BUG:unable_to_handle_kernel                             | 21         | 8          |
| Oops:#[##]                                              | 21         | 8          |
| RIP:posix_get_boottime                                  | 21         |            |
| Kernel_panic-not_syncing:Fatal_exception                | 21         | 8          |
| invoked_oom-killer:gfp_mask=0x                          | 6          | 6          |
| Mem-Info                                                | 6          | 6          |
| Out_of_memory_and_no_killable_processes                 | 6          | 6          |
| Kernel_panic-not_syncing:System_is_deadlocked_on_memory | 6          | 6          |
| BUG:KASAN:null-ptr-deref_in_c                           | 0          | 8          |
| RIP:common_timens_adjust                                | 0          | 8          |
| BUG:kernel_hang_in_boot_stage                           | 0          | 2          |
+---------------------------------------------------------+------------+------------+



[  546.918732] BUG: KASAN: null-ptr-deref in common_timens_adjust+0x4e/0x270
[  546.919884] Read of size 8 at addr 0000000000000030 by task systemd/1
[  546.920963] 
[  546.921249] CPU: 1 PID: 1 Comm: systemd Not tainted 4.19.0-rc4-00108-g25217c6 #1
[  546.922492] Call Trace:
[  546.922944]  dump_stack+0x138/0x1d8
[  546.923554]  ? common_timens_adjust+0x4e/0x270
[  546.924310]  kasan_report+0x26e/0x390
[  546.924959]  __asan_load8+0x54/0x90
[  546.925569]  common_timens_adjust+0x4e/0x270
[  546.926311]  __x64_sys_clock_gettime+0x10b/0x140
[  546.927114]  do_syscall_64+0x1c3/0x280
[  546.927779]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  546.928648] RIP: 0033:0x7ffc593a1a28
[  546.929269] Code: 2d 00 ca 9a 3b 83 c2 01 48 3d ff c9 9a 3b 77 ef 48 01 16 45 85 c0 48 89 46 08 0f 85 4b ff ff ff 48 63 ff b8 e4 00 00 00 0f 05 <5b> 5d c3 85 ff 75 ef 44 8b 0d 4a c6 ff ff 41 f6 c1 01 0f 85 e6 01
[  546.932344] RSP: 002b:00007ffc5935d878 EFLAGS: 00000202 ORIG_RAX: 00000000000000e4
[  546.933619] RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007ffc593a1a28
[  546.934818] RDX: ffffffffffffffff RSI: 00007ffc5935d8b0 RDI: 0000000000000007
[  546.936012] RBP: 00007ffc5935d880 R08: 0000000000000002 R09: 000000000003b1e6
[  546.937205] R10: 0014e3686b800000 R11: 0000000000000202 R12: 00007ffc5935d8f0
[  546.938401] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
[  546.939622] ==================================================================
[  546.940817] Disabling lock debugging due to kernel taint
[  546.942018] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[  546.943328] PGD 0 P4D 0 
[  546.943791] Oops: 0000 [#1] SMP KASAN PTI
[  546.944486] CPU: 1 PID: 1 Comm: systemd Tainted: G    B             4.19.0-rc4-00108-g25217c6 #1
[  546.945962] RIP: 0010:common_timens_adjust+0x4e/0x270
[  546.946819] Code: 00 06 00 00 48 83 ec 18 e8 ef 48 20 00 48 8b 9b 00 06 00 00 48 8d 7b 30 e8 df 48 20 00 48 8b 5b 30 48 8d 7b 30 e8 d2 48 20 00 <4c> 8b 6b 30 be 08 00 00 00 4d 85 ed 41 0f 94 c6 4c 89 f3 83 e3 01
[  546.949841] RSP: 0018:ffff8801f5987e90 EFLAGS: 00010286
[  546.950722] RAX: ffff8801f597e100 RBX: 0000000000000000 RCX: ffffffff812f2e5a
[  546.951906] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000246
[  546.953094] RBP: ffff8801f5987ed0 R08: fffffbfff066a22a R09: fffffbfff066a22a
[  546.954275] R10: 0000000000000001 R11: fffffbfff066a229 R12: ffff8801f5987ee0
[  546.955460] R13: 0000000000000007 R14: 00007ffc5935d8b0 R15: 0000000000000007
[  546.956653] FS:  00007f1603e4d940(0000) GS:ffff8801f7000000(0000) knlGS:0000000000000000
[  546.957994] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  546.958955] CR2: 0000000000000030 CR3: 00000001ddcfa000 CR4: 00000000000006a0
[  546.960133] Call Trace:
[  546.960577]  __x64_sys_clock_gettime+0x10b/0x140
[  546.961363]  do_syscall_64+0x1c3/0x280
[  546.962015]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  546.962862] RIP: 0033:0x7ffc593a1a28
[  546.963472] Code: 2d 00 ca 9a 3b 83 c2 01 48 3d ff c9 9a 3b 77 ef 48 01 16 45 85 c0 48 89 46 08 0f 85 4b ff ff ff 48 63 ff b8 e4 00 00 00 0f 05 <5b> 5d c3 85 ff 75 ef 44 8b 0d 4a c6 ff ff 41 f6 c1 01 0f 85 e6 01
[  546.966532] RSP: 002b:00007ffc5935d878 EFLAGS: 00000202 ORIG_RAX: 00000000000000e4
[  546.967796] RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007ffc593a1a28
[  546.968990] RDX: ffffffffffffffff RSI: 00007ffc5935d8b0 RDI: 0000000000000007
[  546.970168] RBP: 00007ffc5935d880 R08: 0000000000000002 R09: 000000000003b1e6
[  546.971337] R10: 0014e3686b800000 R11: 0000000000000202 R12: 00007ffc5935d8f0
[  546.972516] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
[  546.973708] Modules linked in: autofs4
[  546.974354] CR2: 0000000000000030
[  546.974960] ---[ end trace f820e59e021274ff ]---


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen

View attachment "config-4.19.0-rc4-00108-g25217c6" of type "text/plain" (102881 bytes)

View attachment "job-script" of type "text/plain" (4493 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (12764 bytes)
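The two register dumps above already contain what a triager needs, but reading them takes a few lookups: ORIG_RAX in the user-mode frame is the syscall number, RDI/RSI/RDX/R10/R8/R9 carry its arguments on x86-64, and a fault address smaller than one page is a struct field read through a NULL pointer. The script below, an added example that is not part of the LKP report or the kernel tree, performs those lookups over the report text. The syscall-number and clockid tables are the real x86-64 and uapi values; the sample input is an excerpt of the dmesg above; the function names triage and summarize are chosen here.

```python
import re

# Subset of x86-64 syscall numbers (arch/x86/entry/syscalls/syscall_64.tbl).
SYSCALLS_X86_64 = {0xe3: "clock_settime", 0xe4: "clock_gettime",
                   0xe5: "clock_getres", 0xe6: "clock_nanosleep"}
# POSIX clock IDs (include/uapi/linux/time.h); clock_gettime's first argument.
CLOCK_IDS = {0: "CLOCK_REALTIME", 1: "CLOCK_MONOTONIC", 2: "CLOCK_PROCESS_CPUTIME_ID",
             3: "CLOCK_THREAD_CPUTIME_ID", 4: "CLOCK_MONOTONIC_RAW",
             5: "CLOCK_REALTIME_COARSE", 6: "CLOCK_MONOTONIC_COARSE",
             7: "CLOCK_BOOTTIME", 8: "CLOCK_REALTIME_ALARM",
             9: "CLOCK_BOOTTIME_ALARM", 11: "CLOCK_TAI"}
# x86-64 syscall argument registers in order, spelled as dmesg prints them.
SYSCALL_ARG_REGS = ("RDI", "RSI", "RDX", "R10", "R08", "R09")
PAGE_SIZE = 4096  # a fault address below this is a field read through a NULL pointer

KASAN_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x(?P<off>[0-9a-f]+)/")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
ORIG_RAX_RE = re.compile(r"ORIG_RAX: (?P<nr>[0-9a-f]{16})")
REG_RE = re.compile(r"\b(?P<name>R[A-Z0-9]{2}): (?P<val>[0-9a-f]{16})")
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[  546.918732] " prefix


def triage(log_text):
    """Summarise the first KASAN report in a dmesg excerpt as a dict.

    Only the user-mode register frame (the one carrying ORIG_RAX) is used for
    the syscall and its arguments; the kernel-mode frame has no ORIG_RAX.
    """
    lines = [TS_RE.sub("", ln) for ln in log_text.splitlines()]
    r = {}
    for i, line in enumerate(lines):
        m = KASAN_RE.search(line)
        if m and "func" not in r:
            r.update(kasan_kind=m.group("kind"), func=m.group("func"),
                     func_offset=int(m.group("off"), 16))
            continue
        m = ACCESS_RE.search(line)
        if m and "addr" not in r:
            addr = int(m.group("addr"), 16)
            r.update(rw=m.group("rw"), size=int(m.group("n")), addr=addr,
                     comm=m.group("comm"), pid=int(m.group("pid")),
                     null_base=addr < PAGE_SIZE)
            continue
        m = ORIG_RAX_RE.search(line)
        if m and "syscall" not in r:
            nr = int(m.group("nr"), 16)
            r.update(syscall_nr=nr, syscall=SYSCALLS_X86_64.get(nr, "sys_%d" % nr))
            regs = {}
            for later in lines[i + 1:i + 5]:  # the four register lines of the same dump
                regs.update((g.group("name"), int(g.group("val"), 16))
                            for g in REG_RE.finditer(later))
            r["args"] = [regs.get(name) for name in SYSCALL_ARG_REGS]
            if r["syscall"] == "clock_gettime" and r["args"][0] is not None:
                r["clockid"] = CLOCK_IDS.get(r["args"][0], "clockid %d" % r["args"][0])
    return r


def summarize(r):
    """One-line reviewer summary of a triage() result."""
    if not r:
        return "no KASAN report found"
    access = "%s of %d bytes at 0x%x" % (r["rw"], r["size"], r["addr"])
    if r["null_base"]:
        access += " (field at offset 0x%x of a NULL struct pointer)" % r["addr"]
    call = r.get("syscall", "an unknown syscall")
    if "clockid" in r:
        call += "(%s, 0x%x)" % (r["clockid"], r["args"][1])
    return "%s in %s+0x%x; task %s/%d was in %s" % (
        access, r["func"], r["func_offset"], r["comm"], r["pid"], call)


# Excerpt of the report above (constructed sample input for this example).
SAMPLE_REPORT = """\
[  546.918732] BUG: KASAN: null-ptr-deref in common_timens_adjust+0x4e/0x270
[  546.919884] Read of size 8 at addr 0000000000000030 by task systemd/1
[  546.921249] CPU: 1 PID: 1 Comm: systemd Not tainted 4.19.0-rc4-00108-g25217c6 #1
[  546.925569]  common_timens_adjust+0x4e/0x270
[  546.926311]  __x64_sys_clock_gettime+0x10b/0x140
[  546.927779]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  546.928648] RIP: 0033:0x7ffc593a1a28
[  546.932344] RSP: 002b:00007ffc5935d878 EFLAGS: 00000202 ORIG_RAX: 00000000000000e4
[  546.933619] RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 00007ffc593a1a28
[  546.934818] RDX: ffffffffffffffff RSI: 00007ffc5935d8b0 RDI: 0000000000000007
[  546.936012] RBP: 00007ffc5935d880 R08: 0000000000000002 R09: 000000000003b1e6
[  546.937205] R10: 0014e3686b800000 R11: 0000000000000202 R12: 00007ffc5935d8f0
"""

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_REPORT)))
```

On the excerpt this reports an 8-byte read at offset 0x30 of a NULL struct pointer in common_timens_adjust, reached from PID 1 (systemd) calling clock_gettime(CLOCK_BOOTTIME, ...) during boot. The Oops section agrees: the marked bytes in its Code: line, <4c 8b 6b 30>, decode to mov r13,[rbx+0x30]; the instructions just before them load rbx from [rbx+0x600] and then from [rbx+0x30] (each followed by a KASAN check call); and the kernel-mode register dump shows RBX = 0 with CR2 = 0x30. So the function follows a chain of embedded pointers and the second link in that chain is NULL for init at this point in boot.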
