lists.openwall.net: Open Source and information security mailing list archives
Date:   Wed, 28 Nov 2018 17:58:07 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     David Howells <dhowells@...hat.com>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, lkp@...org
Subject: [LKP] [NFS] 0b3e250a00: BUG:KASAN:null-ptr-deref_in_s

FYI, we noticed the following commit (built with gcc-6):

commit: 0b3e250a006eaf3665f7e14066db29c0af46b117 ("NFS: Add fs_context support.")
https://git.kernel.org/cgit/linux/kernel/git/viro/vfs.git Q12

in testcase: trinity
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------------------------------+------------+------------+
|                                                                     | 99521bd3b5 | 0b3e250a00 |
+---------------------------------------------------------------------+------------+------------+
| boot_successes                                                      | 0          | 0          |
| boot_failures                                                       | 32         | 32         |
| WARNING:suspicious_RCU_usage                                        | 32         | 32         |
| include/linux/xarray.h:#suspicious_rcu_dereference_check()usage     | 32         | 32         |
| include/linux/xarray.h:#suspicious_rcu_dereference_protected()usage | 32         | 32         |
| BUG:kernel_hang_in_boot_stage                                       | 5          |            |
| BUG:KASAN:null-ptr-deref_in_s                                       | 0          | 30         |
| BUG:unable_to_handle_kernel                                         | 0          | 30         |
| Oops:#[##]                                                          | 0          | 30         |
| RIP:security_sb_set_mnt_opts                                        | 0          | 30         |
| Kernel_panic-not_syncing:Fatal_exception                            | 0          | 30         |
| BUG:soft_lockup-CPU##stuck_for#s                                    | 0          | 2          |
| RIP:depot_save_stack                                                | 0          | 1          |
| Kernel_panic-not_syncing:softlockup:hung_tasks                      | 0          | 2          |
| RIP:lock_acquire                                                    | 0          | 1          |
+---------------------------------------------------------------------+------------+------------+



[  153.365696] BUG: KASAN: null-ptr-deref in security_sb_set_mnt_opts+0x1f/0x80
[  153.367082] Read of size 4 at addr 0000000000000010 by task mount.nfs/422
[  153.368348] 
[  153.368701] CPU: 0 PID: 422 Comm: mount.nfs Tainted: G                T 4.20.0-rc1-00052-g0b3e250 #1
[  153.370571] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  153.372276] Call Trace:
[  153.372824]  kasan_report+0x132/0x370
[  153.373620]  security_sb_set_mnt_opts+0x1f/0x80
[  153.374598]  nfs_set_sb_security+0xad/0x120
[  153.375508]  ? nfs_reconfigure+0x420/0x420
[  153.376420]  nfs_get_tree_common+0x186/0x5b0
[  153.377352]  nfs_try_get_tree+0x245/0x380
[  153.378225]  ? nfs_request_mount+0x2d0/0x2d0
[  153.379348]  ? lock_downgrade+0x2a0/0x2a0
[  153.380222]  ? do_raw_spin_unlock+0x86/0x120
[  153.381138]  ? _raw_spin_unlock+0x1f/0x30
[  153.381998]  ? find_nfs_version+0xa0/0xb0
[  153.382859]  ? get_nfs_version+0x1c/0x90
[  153.383701]  ? nfs_fs_context_validate+0x38d/0x5d0
[  153.384543]  vfs_get_tree+0xc1/0x290
[  153.385292]  do_mount+0x3e2/0xe40
[  153.386018]  ? mark_held_locks+0x1b/0xb0
[  153.386858]  ? copy_mount_string+0x20/0x20
[  153.387747]  ? kasan_unpoison_shadow+0x30/0x40
[  153.388706]  ? kasan_kmalloc+0xa3/0xc0
[  153.389513]  ? copy_mount_options+0x3c/0x1c0
[  153.390412]  ? kmem_cache_alloc_trace+0x177/0x2e0
[  153.391420]  ? copy_mount_options+0x12c/0x1c0
[  153.392352]  ksys_mount+0x81/0xc0
[  153.393072]  __x64_sys_mount+0x5d/0x70
[  153.393877]  do_syscall_64+0x66/0x210
[  153.394661]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  153.395721] RIP: 0033:0x7f106171e24a
[  153.396488] Code: 48 8b 0d 51 fc 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e fc 2a 00 f7 d8 64 89 01 48
[  153.400258] RSP: 002b:00007ffcb59bfe78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  153.401604] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f106171e24a
[  153.402826] RDX: 00005612d28dcf70 RSI: 00005612d28dcf50 RDI: 00005612d28db210
[  153.404292] RBP: 00007ffcb59c0070 R08: 00005612d28e8320 R09: 0000000000000060
[  153.405768] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f1062062410
[  153.407238] R13: 00007ffcb59c0070 R14: 00007ffcb59bff70 R15: 00005612d28e8300
[  153.408770] ==================================================================
[  153.410270] Disabling lock debugging due to kernel taint
[  153.411755] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[  153.413372] PGD 0 P4D 0 
[  153.413927] Oops: 0000 [#1] KASAN PTI
[  153.414709] CPU: 0 PID: 422 Comm: mount.nfs Tainted: G    B           T 4.20.0-rc1-00052-g0b3e250 #1
[  153.416552] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  153.418263] RIP: 0010:security_sb_set_mnt_opts+0x1f/0x80
[  153.419364] Code: c0 5b 5d 41 5c c3 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 41 54 49 89 fc 55 48 8d 7e 10 53 48 89 f5 49 89 d5 e8 91 b7 e5 ff <44> 8b 7d 10 48 8b 1d 0e 21 42 01 b8 a1 ff ff ff 45 85 ff 44 0f 45
[  153.423165] RSP: 0018:ffff880031d67ad0 EFLAGS: 00010286
[  153.424244] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffa42e79c1
[  153.425691] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffa62ba2a0
[  153.427160] RBP: 0000000000000000 R08: fffffbfff4c55e6e R09: dffffc0000000001
[  153.428627] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88005acbe848
[  153.430089] R13: 0000000000000000 R14: ffff880031d67b30 R15: ffffffffa54e11e0
[  153.431571] FS:  00007f1062062480(0000) GS:ffffffffa5c4a000(0000) knlGS:0000000000000000
[  153.433215] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  153.434410] CR2: 0000000000000010 CR3: 00000000465f2004 CR4: 00000000000606b0
[  153.435849] Call Trace:
[  153.436283]  nfs_set_sb_security+0xad/0x120
[  153.436998]  ? nfs_reconfigure+0x420/0x420
[  153.437712]  nfs_get_tree_common+0x186/0x5b0
[  153.438612]  nfs_try_get_tree+0x245/0x380
[  153.439462]  ? nfs_request_mount+0x2d0/0x2d0
[  153.440562]  ? lock_downgrade+0x2a0/0x2a0
[  153.441410]  ? do_raw_spin_unlock+0x86/0x120
[  153.442309]  ? _raw_spin_unlock+0x1f/0x30
[  153.443164]  ? find_nfs_version+0xa0/0xb0
[  153.444014]  ? get_nfs_version+0x1c/0x90
[  153.444859]  ? nfs_fs_context_validate+0x38d/0x5d0
[  153.445878]  vfs_get_tree+0xc1/0x290
[  153.446642]  do_mount+0x3e2/0xe40
[  153.447345]  ? mark_held_locks+0x1b/0xb0
[  153.448170]  ? copy_mount_string+0x20/0x20
[  153.449035]  ? kasan_unpoison_shadow+0x30/0x40
[  153.449968]  ? kasan_kmalloc+0xa3/0xc0
[  153.450765]  ? copy_mount_options+0x3c/0x1c0
[  153.451658]  ? kmem_cache_alloc_trace+0x177/0x2e0
[  153.452643]  ? copy_mount_options+0x12c/0x1c0
[  153.453559]  ksys_mount+0x81/0xc0
[  153.454263]  __x64_sys_mount+0x5d/0x70
[  153.455061]  do_syscall_64+0x66/0x210
[  153.455847]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  153.456904] RIP: 0033:0x7f106171e24a
[  153.457661] Code: 48 8b 0d 51 fc 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e fc 2a 00 f7 d8 64 89 01 48
[  153.461458] RSP: 002b:00007ffcb59bfe78 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  153.463007] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f106171e24a
[  153.464497] RDX: 00005612d28dcf70 RSI: 00005612d28dcf50 RDI: 00005612d28db210
[  153.465965] RBP: 00007ffcb59c0070 R08: 00005612d28e8320 R09: 0000000000000060
[  153.467422] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f1062062410
[  153.468856] R13: 00007ffcb59c0070 R14: 00007ffcb59bff70 R15: 00005612d28e8300
[  153.470050] Modules linked in: crct10dif_pclmul crct10dif_common input_leds crc32_pclmul parport_pc parport evbug sch_sfq
[  153.472176] CR2: 0000000000000010
[  153.472921] ---[ end trace 346e1028a377855a ]---


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen

Attachments:

        config-4.20.0-rc1-00052-g0b3e250  (text/plain, 129062 bytes)
        job-script                        (text/plain, 4164 bytes)
        dmesg.xz                          (application/x-xz, 15668 bytes)
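Triaging a report like this by hand means reading the same three things off the log every time: the KASAN class and the faulting function, the access (read or write, size, address) and the task that did it, and the innermost reliable frames down to the syscall that user space used to reach the bug. The Python below is an added example, not part of this report or of the lkp-tests tooling; it parses those lines from a sample constructed out of the dmesg excerpt above, drops the "? " frames that the unwinder marks unreliable, and flags a small fault address as NULL plus a struct-field offset (0x10 here, read through a pointer that was never set). The 4096-byte first-page threshold is an assumption about the x86-64 configuration used, not something the report states.

```python
"""Triage helper for KASAN reports of the shape shown in this mail.

Added example, not code from the report or from lkp-tests.  The SAMPLE text
is constructed from lines of the dmesg excerpt above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the KASAN header, the access line and the call trace
# from the report above, with the timestamps kept as dmesg prints them.
SAMPLE = """\
[  153.365696] BUG: KASAN: null-ptr-deref in security_sb_set_mnt_opts+0x1f/0x80
[  153.367082] Read of size 4 at addr 0000000000000010 by task mount.nfs/422
[  153.368348] 
[  153.372276] Call Trace:
[  153.372824]  kasan_report+0x132/0x370
[  153.373620]  security_sb_set_mnt_opts+0x1f/0x80
[  153.374598]  nfs_set_sb_security+0xad/0x120
[  153.375508]  ? nfs_reconfigure+0x420/0x420
[  153.376420]  nfs_get_tree_common+0x186/0x5b0
[  153.377352]  nfs_try_get_tree+0x245/0x380
[  153.384543]  vfs_get_tree+0xc1/0x290
[  153.385292]  do_mount+0x3e2/0xe40
[  153.392352]  ksys_mount+0x81/0xc0
[  153.393072]  __x64_sys_mount+0x5d/0x70
[  153.393877]  do_syscall_64+0x66/0x210
[  153.394661]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  153.395721] RIP: 0033:0x7f106171e24a
"""

# Assumption: the first page is never mapped in the kernel on this x86-64
# build, so any fault address below it is NULL plus a struct-field offset.
PAGE_SIZE = 4096

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(
    r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class KasanReport:
    kind: str          # e.g. "null-ptr-deref", "use-after-free", "slab-out-of-bounds"
    func: str          # function the bad access happened in
    rw: str            # "Read" or "Write"
    size: int          # bytes accessed
    addr: int          # faulting address
    task: str
    pid: int
    frames: List[str] = field(default_factory=list)      # reliable frames, innermost first
    unreliable: List[str] = field(default_factory=list)  # "? " frames, context only

    @property
    def null_field_offset(self) -> Optional[int]:
        """Offset into the struct if this is NULL + offset, else None."""
        return self.addr if self.addr < PAGE_SIZE else None

    @property
    def caller(self) -> Optional[str]:
        """Innermost reliable frame above the faulting function (who passed the pointer)."""
        if self.func not in self.frames:
            return None
        i = self.frames.index(self.func)
        return self.frames[i + 1] if i + 1 < len(self.frames) else None

    @property
    def syscall_entry(self) -> Optional[str]:
        """Frame just below do_syscall_64: the syscall user space used to get here."""
        for i, f in enumerate(self.frames):
            if f == "do_syscall_64" and i > 0:
                return self.frames[i - 1]
        return None


def parse_kasan(text: str) -> KasanReport:
    """Parse one KASAN report (header, access line, call trace) from dmesg text."""
    kind = func = rw = task = None
    size = addr = pid = 0
    in_trace = False
    frames: List[str] = []
    unreliable: List[str] = []
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:
            continue
        m = BUG_RE.search(line)
        if m and kind is None:
            kind, func = m["kind"], m["func"]
            continue
        m = ACCESS_RE.search(line)
        if m and rw is None:
            rw, size, task, pid = m["rw"], int(m["n"]), m["task"], int(m["pid"])
            addr = int(m["addr"], 16)
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if not m:
                break  # "RIP: 0033:..." marks the user-space return point; kernel trace is over
            (unreliable if m["unreliable"] else frames).append(m["func"])
    if kind is None or rw is None:
        raise ValueError("not a KASAN report: header or access line missing")
    return KasanReport(kind, func, rw, size, addr, task, pid, frames, unreliable)


def summarize(r: KasanReport) -> str:
    """One-line triage verdict suitable for a tracker title."""
    where = f"{r.func} (called from {r.caller})" if r.caller else r.func
    if r.null_field_offset is not None:
        cause = f"NULL pointer + 0x{r.null_field_offset:x}: a struct field read through an unset pointer"
    else:
        cause = f"{r.kind} at 0x{r.addr:x}"
    reach = f"reached via {r.syscall_entry}" if r.syscall_entry else "no syscall frame"
    return f"{r.rw} of {r.size} bytes in {where}; {cause}; task {r.task}/{r.pid}; {reach}"


if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

Run stand-alone it prints the verdict for the report above: a 4-byte read in security_sb_set_mnt_opts called from nfs_set_sb_security, NULL + 0x10, from mount.nfs via __x64_sys_mount. On a real dmesg the same parser is fed the text between the first "BUG: KASAN:" line and the "====" terminator; the second, non-KASAN "unable to handle kernel NULL pointer dereference" Oops that follows it is the same fault re-reported by the page-fault handler and does not need parsing separately.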
