lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sat, 1 Dec 2018 18:22:04 +0800
From:   kernel test robot <lkp@...el.com>
To:     David Howells <dhowells@...hat.com>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, lkp@...org
Subject: [NFS]  b4e004cd5d: BUG:KASAN:null-ptr-deref_in_s


FYI, we noticed the following commit (built with gcc-6):

commit: b4e004cd5da022650322c64e5c829443e55cb7e2 ("NFS: Add fs_context support.")
https://git.kernel.org/cgit/linux/kernel/git/viro/vfs.git Q19

in testcase: trinity
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu IvyBridge -smp 2 -m 2G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+------------------------------------------+------------+------------+
|                                          | b51dcaefdc | b4e004cd5d |
+------------------------------------------+------------+------------+
| boot_successes                           | 10         | 0          |
| boot_failures                            | 0          | 8          |
| BUG:KASAN:null-ptr-deref_in_s            | 0          | 8          |
| BUG:unable_to_handle_kernel              | 0          | 8          |
| Oops:#[##]                               | 0          | 8          |
| RIP:security_sb_set_mnt_opts             | 0          | 8          |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 8          |
+------------------------------------------+------------+------------+



[   44.932165] BUG: KASAN: null-ptr-deref in security_sb_set_mnt_opts+0x30/0x9d
[   44.933385] Read of size 4 at addr 0000000000000010 by task mount.nfs/518
[   44.934545] 
[   44.934941] CPU: 0 PID: 518 Comm: mount.nfs Not tainted 4.20.0-rc1-00059-gb4e004c #2
[   44.936339] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   44.937787] Call Trace:
[   44.938354]  dump_stack+0x1e/0x20
[   44.939014]  kasan_report+0x239/0x26c
[   44.939722]  __asan_load4+0x81/0x83
[   44.940409]  security_sb_set_mnt_opts+0x30/0x9d
[   44.941279]  nfs_set_sb_security+0xbf/0x139
[   44.942073]  ? nfs_umount_begin+0xb6/0xb6
[   44.942834]  ? register_shrinker_prepared+0x89/0x92
[   44.943715]  ? nfs_initialise_sb+0x187/0x193
[   44.944521]  nfs_get_tree_common+0x669/0x6d9
[   44.945320]  nfs_try_get_tree+0x3d9/0x41c
[   44.946101]  ? nfs_request_mount+0x2eb/0x2eb
[   44.947057]  ? quarantine_reduce+0x56/0x1e0
[   44.947847]  ? kasan_poison_shadow+0x2f/0x31
[   44.948644]  ? kasan_unpoison_shadow+0x14/0x35
[   44.949470]  ? find_nfs_version+0x72/0x12e
[   44.950251]  ? kasan_check_read+0x11/0x13
[   44.951007]  ? ftrace_likely_update+0x2bf/0x2ce
[   44.951856]  ? ftrace_likely_update+0x2bf/0x2ce
[   44.952685]  nfs_get_tree+0x1f0/0x223
[   44.953405]  vfs_get_tree+0xfc/0x349
[   44.954102]  ? do_mount+0xdb5/0xf7e
[   44.954774]  do_mount+0xdbd/0xf7e
[   44.955440]  ? copy_mount_string+0x3d/0x3d
[   44.956246]  ? kasan_unpoison_shadow+0x14/0x35
[   44.957060]  ? kasan_kmalloc+0x7f/0x8b
[   44.957773]  ? ftrace_likely_update+0x2bf/0x2ce
[   44.958647]  ? copy_mount_options+0x51/0x2be
[   44.959448]  ? ftrace_likely_update+0x2bf/0x2ce
[   44.960298]  ksys_mount+0xfa/0x130
[   44.960962]  __x64_sys_mount+0x70/0x7c
[   44.961705]  do_syscall_64+0x3b6/0x682
[   44.962434]  ? syscall_return_slowpath+0x16d/0x16d
[   44.963316]  ? trace_hardirqs_off_caller+0xe5/0x128
[   44.964222]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.965083]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.966012] RIP: 0033:0x7f7faf19924a
[   44.966700] Code: 48 8b 0d 51 fc 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e fc 2a 00 f7 d8 64 89 01 48
[   44.969743] RSP: 002b:00007ffcb2d2fcb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   44.971085] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7faf19924a
[   44.972285] RDX: 00005618ebd44f70 RSI: 00005618ebd44f50 RDI: 00005618ebd43210
[   44.973483] RBP: 00007ffcb2d2feb0 R08: 00005618ebd50320 R09: 0000000000000060
[   44.974685] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f7fafadd410
[   44.975879] R13: 00007ffcb2d2feb0 R14: 00007ffcb2d2fdb0 R15: 00005618ebd50300
[   44.977083] ==================================================================
[   44.978367] Disabling lock debugging due to kernel taint
[   45.100307] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[   45.101798] PGD 0 P4D 0 
[   45.102340] Oops: 0000 [#1] PREEMPT KASAN
[   45.103100] CPU: 0 PID: 518 Comm: mount.nfs Tainted: G    B             4.20.0-rc1-00059-gb4e004c #2
[   45.104671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   45.106142] RIP: 0010:security_sb_set_mnt_opts+0x30/0x9d
[   45.107089] Code: 48 89 e5 41 57 41 56 41 55 41 54 49 89 f4 53 41 50 49 89 d6 49 89 cf 48 89 7d d0 e8 c8 42 b4 ff 49 8d 7c 24 10 e8 1b 10 c7 ff <45> 8b 6c 24 10 ba a1 ff ff ff 45 85 ed 44 0f 45 ea e8 a8 42 b4 ff
[   45.110149] RSP: 0000:ffff88004dee79a8 EFLAGS: 00010256
[   45.111085] RAX: 0000000000000296 RBX: 1ffff10009bdcf3d RCX: ffffffffaac220de
[   45.112295] RDX: 0000000000000000 RSI: ffff880051f63000 RDI: fffffffface090f8
[   45.113501] RBP: ffff88004dee79d8 R08: 0000000000000007 R09: fffffbfff59b72b5
[   45.114714] R10: 0000000000000000 R11: ffffffffacdb95ab R12: 0000000000000000
[   45.115928] R13: ffff88004faa9100 R14: 0000000000000000 R15: ffff88004dee7a08
[   45.117137] FS:  00007f7fafadd480(0000) GS:ffffffffac866000(0000) knlGS:0000000000000000
[   45.118562] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.119569] CR2: 0000000000000010 CR3: 000000005dfa8000 CR4: 00000000001406f0
[   45.120783] Call Trace:
[   45.121315]  nfs_set_sb_security+0xbf/0x139
[   45.122100]  ? nfs_umount_begin+0xb6/0xb6
[   45.122857]  ? register_shrinker_prepared+0x89/0x92
[   45.123738]  ? nfs_initialise_sb+0x187/0x193
[   45.124527]  nfs_get_tree_common+0x669/0x6d9
[   45.125325]  nfs_try_get_tree+0x3d9/0x41c
[   45.136058]  ? nfs_request_mount+0x2eb/0x2eb
[   45.137045]  ? quarantine_reduce+0x56/0x1e0
[   45.137832]  ? kasan_poison_shadow+0x2f/0x31
[   45.138628]  ? kasan_unpoison_shadow+0x14/0x35
[   45.139440]  ? find_nfs_version+0x72/0x12e
[   45.140206]  ? kasan_check_read+0x11/0x13
[   45.140963]  ? ftrace_likely_update+0x2bf/0x2ce
[   45.141795]  ? ftrace_likely_update+0x2bf/0x2ce
[   45.142628]  nfs_get_tree+0x1f0/0x223
[   45.143334]  vfs_get_tree+0xfc/0x349
[   45.144031]  ? do_mount+0xdb5/0xf7e
[   45.144710]  do_mount+0xdbd/0xf7e
[   45.145358]  ? copy_mount_string+0x3d/0x3d
[   45.146128]  ? kasan_unpoison_shadow+0x14/0x35
[   45.146944]  ? kasan_kmalloc+0x7f/0x8b
[   45.147659]  ? ftrace_likely_update+0x2bf/0x2ce
[   45.148490]  ? copy_mount_options+0x51/0x2be
[   45.149285]  ? ftrace_likely_update+0x2bf/0x2ce
[   45.150115]  ksys_mount+0xfa/0x130
[   45.150781]  __x64_sys_mount+0x70/0x7c
[   45.151500]  do_syscall_64+0x3b6/0x682
[   45.152222]  ? syscall_return_slowpath+0x16d/0x16d
[   45.153093]  ? trace_hardirqs_off_caller+0xe5/0x128
[   45.153982]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   45.154851]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   45.155762] RIP: 0033:0x7f7faf19924a
[   45.156452] Code: 48 8b 0d 51 fc 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1e fc 2a 00 f7 d8 64 89 01 48
[   45.159524] RSP: 002b:00007ffcb2d2fcb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[   45.160882] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7faf19924a
[   45.162092] RDX: 00005618ebd44f70 RSI: 00005618ebd44f50 RDI: 00005618ebd43210
[   45.163302] RBP: 00007ffcb2d2feb0 R08: 00005618ebd50320 R09: 0000000000000060
[   45.164513] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f7fafadd410
[   45.165723] R13: 00007ffcb2d2feb0 R14: 00007ffcb2d2fdb0 R15: 00005618ebd50300
[   45.166936] Modules linked in:
[   45.167549] CR2: 0000000000000010
[   45.323267] ---[ end trace 45130933037aaa1c ]---


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
lkp

View attachment "config-4.20.0-rc1-00059-gb4e004c" of type "text/plain" (118121 bytes)

View attachment "job-script" of type "text/plain" (4186 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (12936 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ