Date:   Tue, 18 Dec 2018 13:15:59 +0800
From:   kernel test robot <lkp@...el.com>
To:     Alexander Popov <alex.popov@...ux.com>
Cc:     LKP <lkp@...org>, kernel-hardening@...ts.openwall.com,
        linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org,
        Kees Cook <keescook@...omium.org>
Subject: 10e9ae9fab ("gcc-plugins: Add STACKLEAK plugin for tracking .."):  WARNING: can't dereference registers at           (null) for ip entry_SYSCALL_64_after_hwframe

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit 10e9ae9fabaf96c8e5227c1cd4827d58b3aa406d
Author:     Alexander Popov <alex.popov@...ux.com>
AuthorDate: Fri Aug 17 01:16:59 2018 +0300
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Tue Sep 4 10:35:47 2018 -0700

    gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
    
    The STACKLEAK feature erases the kernel stack before returning from
    syscalls. That reduces the information which kernel stack leak bugs can
    reveal and blocks some uninitialized stack variable attacks.
    
    This commit introduces the STACKLEAK gcc plugin. It is needed for
    tracking the lowest border of the kernel stack, which is important
    for the code erasing the used part of the kernel stack at the end
    of syscalls (comes in a separate commit).
    
    The STACKLEAK feature is ported from grsecurity/PaX. More information at:
      https://grsecurity.net/
      https://pax.grsecurity.net/
    
    This code is modified from Brad Spengler/PaX Team's code in the last
    public patch of grsecurity/PaX based on our understanding of the code.
    Changes or omissions from the original code are ours and don't reflect
    the original grsecurity/PaX code.
    
    Signed-off-by: Alexander Popov <alex.popov@...ux.com>
    Tested-by: Laura Abbott <labbott@...hat.com>
    Signed-off-by: Kees Cook <keescook@...omium.org>

afaef01c00  x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
10e9ae9fab  gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
1a9430db28  ima: cleanup the match_token policy code
6648e120dd  Add linux-next specific files for 20181217
+---------------------------------------------------------------+------------+------------+------------+---------------+
|                                                               | afaef01c00 | 10e9ae9fab | 1a9430db28 | next-20181217 |
+---------------------------------------------------------------+------------+------------+------------+---------------+
| boot_successes                                                | 386        | 141        | 134        | 135           |
| boot_failures                                                 | 68         | 9          | 16         | 8             |
| RIP:trace                                                     | 37         |            |            |               |
| WARNING:stack_recursion                                       | 36         |            |            |               |
| WARNING:at(____ptrval____)for_ip_syscall_return_via_sysret/0x | 37         |            |            |               |
| Kernel_panic-not_syncing:Machine_halted                       | 37         |            |            |               |
| PANIC:double_fault                                            | 27         |            |            |               |
| Mem-Info                                                      | 2          | 0          | 1          |               |
| invoked_oom-killer:gfp_mask=0x                                | 1          | 0          | 1          |               |
| RIP:__put_user_4                                              | 1          |            |            |               |
| BUG:KASAN:stack-out-of-bounds_in_u                            | 25         | 8          | 12         | 7             |
| RIP:__x86_indirect_thunk_rdx                                  | 26         | 9          | 12         | 7             |
| INFO:rcu_preempt_detected_stalls_on_CPUs/tasks                | 3          | 0          | 3          |               |
| RIP:arch_local_irq_enable                                     | 1          |            |            |               |
| RIP:mntput_no_expire                                          | 1          |            |            |               |
| RIP:arch_local_irq_restore                                    | 1          |            |            |               |
| RIP:compound_head                                             | 1          |            |            |               |
| RIP:rcu_read_lock                                             | 1          |            |            |               |
| RIP:check_kill_permission                                     | 1          |            |            |               |
| RIP:radix_tree_load_root                                      | 1          |            |            |               |
| WARNING:at(null)for_ip_entry_SYSCALL_64_after_hwframe/0x      | 0          | 7          | 11         | 7             |
| WARNING:at(null)for_ip_async_page_fault/0x                    | 0          | 1          | 1          |               |
| WARNING:at_kernel/locking/lockdep.c:#lock_downgrade           | 0          | 0          | 2          |               |
| RIP:lock_downgrade                                            | 0          | 0          | 2          |               |
| RIP:xa_is_node                                                | 0          | 0          | 1          |               |
| BUG:kernel_reboot-without-warning_in_test_stage               | 0          | 0          | 0          | 1             |
+---------------------------------------------------------------+------------+------------+------------+---------------+

[   90.421639] process 196 (init) attempted a POSIX timer syscall while CONFIG_POSIX_TIMERS is not set
/etc/rcS.d/S00fbsetup: line 3: /sbin/modprobe: not found

Please wait: booting...
Starting udev
[   96.410769] WARNING: can't dereference registers at           (null) for ip entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.410801] ==================================================================
[   96.447940] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0xa47/0x10df
[   96.462780] Read of size 8 at addr ffff88001518f748 by task udevadm/217
[   96.476720] 
[   96.480186] CPU: 1 PID: 217 Comm: udevadm Not tainted 4.19.0-rc2-00002-g10e9ae9 #1
[   96.495352] Call Trace:
[   96.500542]  <IRQ>
[   96.505206]  dump_stack+0x96/0xdd
[   96.512787]  print_address_description+0x6e/0x241
[   96.522060]  ? unwind_next_frame+0xa47/0x10df
[   96.531230]  kasan_report+0x237/0x25d
[   96.539225]  unwind_next_frame+0xa47/0x10df
[   96.547786]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.558545]  ? unwind_get_return_address_ptr+0x9a/0x9a
[   96.569466]  ? check_chain_key+0x192/0x25a
[   96.579245]  ? kernel_text_address+0x15/0x35
[   96.588120]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.599178]  __save_stack_trace+0x8c/0xc9
[   96.607498]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.617973]  save_stack+0x37/0xa8
[   96.625100]  ? __kasan_slab_free+0x102/0x124
[   96.634236]  ? slab_free_freelist_hook+0x95/0xe6
[   96.643315]  ? kmem_cache_free+0x6a/0x1a0
[   96.651931]  ? __rcu_reclaim+0x302/0x32b
[   96.660325]  ? rcu_process_callbacks+0xd51/0x1402
[   96.668878]  ? __do_softirq+0x339/0x6a4
[   96.675722]  ? irq_exit+0xac/0x1a0
[   96.682067]  ? smp_apic_timer_interrupt+0x2eb/0x2fa
[   96.691109]  ? apic_timer_interrupt+0xf/0x20
[   96.698752]  ? __x86_indirect_thunk_rcx+0x20/0x20
[   96.707314]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   96.717095]  ? lock_downgrade+0x48e/0x48e
[   96.725170]  ? check_chain_key+0x192/0x25a
[   96.734536]  ? __accumulate_pelt_segments+0x29/0x3a
[   96.742929]  ? __lock_is_held+0x55/0xcd
[   96.749445]  ? check_chain_key+0x192/0x25a
[   96.757026]  ? lock_release+0x577/0x5a1
[   96.763961]  ? __lock_is_held+0x55/0xcd
[   96.770864]  ? check_chain_key+0x192/0x25a
[   96.778698]  ? arch_local_irq_save+0x5/0x13
[   96.786382]  ? debug_check_no_locks_freed+0x60/0x21d
[   96.795527]  __kasan_slab_free+0x102/0x124
[   96.804366]  slab_free_freelist_hook+0x95/0xe6
[   96.814157]  ? atomic_long_dec_and_test+0x1a/0x1a
[   96.824134]  kmem_cache_free+0x6a/0x1a0
[   96.831755]  ? __rcu_reclaim+0x302/0x32b
[   96.840394]  ? atomic_long_dec_and_test+0x1a/0x1a
[   96.850362]  __rcu_reclaim+0x302/0x32b
[   96.857776]  rcu_process_callbacks+0xd51/0x1402
[   96.867516]  ? rcu_nocb_kthread+0x1001/0x1001
[   96.876974]  ? sched_clock_cpu+0x1c/0x162
[   96.885599]  __do_softirq+0x339/0x6a4
[   96.893531]  irq_exit+0xac/0x1a0
[   96.900501]  smp_apic_timer_interrupt+0x2eb/0x2fa
[   96.909774]  apic_timer_interrupt+0xf/0x20
[   96.917711]  </IRQ>
[   96.922152] RIP: 0010:__x86_indirect_thunk_rdx+0x0/0x20
[   96.934528] Code: 66 2e 0f 1f 84 00 00 00 00 00 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 0c 24 c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 <e8> 07 00 00 00 f3 90 0f ae e8 eb f9 48 89 14 24 c3 0f 1f 44 00 00
[   96.971567] RSP: 0018:ffff88001518f6c0 EFLAGS: 00000297 ORIG_RAX: ffffffffffffff13
[   96.986580] RAX: dffffc0000000000 RBX: ffff88001518f788 RCX: ffffffff82c00001
[   97.001912] RDX: ffffffff8108269e RSI: 0000000000000005 RDI: 0000000000000002
[   97.016167] RBP: ffffffff8467c338 R08: 0000000000074727 R09: ffff88001518f788
[   97.030553] R10: 0000000000000001 R11: ffff88001518f7df R12: ffff88001518f7bd
[   97.044840] R13: ffff88001518f7d8 R14: ffffffff8467c33c R15: 000000000001c000
[   97.059105]  ? native_usergs_sysret64+0x1/0x10
[   97.067495]  ? unwind_next_frame+0x455/0x10df
[   97.076633]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.085929] RIP: 1518f818:entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.096817] Code: 53 31 db 55 31 ed 41 54 45 31 e4 41 55 45 31 ed 41 56 45 31 f6 41 57 45 31 ff e8 1a 24 40 fe 48 89 c7 48 89 e6 e8 b8 3a 40 fe <0f> ba a4 24 90 00 00 00 09 73 05 e8 e3 23 40 fe 48 8b 4c 24 58 4c
[   97.130460] RSP: 6000c0:0000000000000000 EFLAGS: ffff88001518f808 ORIG_RAX: ffffffff8117ca53
[   97.146211] RAX: ffffffff8123052c RBX: 0000000041b58ab3 RCX: ffffffff8117ca5e
[   97.159529] RDX: 00007f16086539a0 RSI: ffffffff8117c99a RDI: 0000000000000001
[   97.171743] RBP: ffff88001a722a03 R08: ffff88001518ff58 R09: 0000000000000000
[   97.183904] R10: ffffffff81082249 R11: ffffffff83770b1f R12: ffff88001518ff58
[   97.197515] R13: ffff88001518ff58 R14: 1ffff10002a31ede R15: 0000000102a31ef8
[   97.211866]  ? unwind_get_return_address_ptr+0x9a/0x9a
[   97.221358]  ? rcu_is_watching+0xc/0x1e
[   97.228071]  ? kernel_text_address+0x20/0x35
[   97.235584]  ? init_kernel_text+0x5/0x20
[   97.242325]  ? kernel_text_address+0x15/0x35
[   97.249850]  ? __save_stack_trace+0x8c/0xc9
[   97.257886]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.267925]  ? save_stack+0x37/0xa8
[   97.274836]  ? kasan_kmalloc+0x8a/0x98
[   97.282153]  ? slab_post_alloc_hook+0x2e/0x3c
[   97.290809]  ? kmem_cache_alloc_trace+0xec/0x12f
[   97.299944]  ? kernfs_fop_open+0x769/0x8c7
[   97.308920]  ? do_dentry_open+0x40c/0x7c1
[   97.316473]  ? path_openat+0xc93/0xfe6
[   97.323663]  ? do_filp_open+0xdb/0x148
[   97.330989]  ? do_sys_open+0xc2/0x1c5
[   97.338314]  ? do_syscall_64+0xad/0xe0
[   97.345866]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.355395]  ? __lock_acquire+0xb3e/0xc45
[   97.363947]  ? kernfs_fop_open+0x5de/0x8c7
[   97.371371]  ? lock_acquire+0x1ec/0x250
[   97.379954]  ? __mutex_trylock_or_owner+0x10f/0x133
[   97.391399]  ? tracer_preempt_on+0x20/0x56
[   97.398791]  ? trace_preempt_on+0x1aa/0x1bc
[   97.408930]  ? check_chain_key+0x192/0x25a
[   97.420307]  ? check_chain_key+0x192/0x25a
[   97.431132]  ? check_chain_key+0x192/0x25a
[   97.442080]  ? lock_release+0x577/0x5a1
[   97.451865]  ? __fs_reclaim_release+0x5/0x1d
[   97.462856]  ? kasan_kmalloc+0x8a/0x98
[   97.472868]  ? slab_post_alloc_hook+0x2e/0x3c
[   97.484256]  ? kernfs_fop_open+0x769/0x8c7
[   97.495109]  ? kmem_cache_alloc_trace+0xec/0x12f
[   97.506548]  ? kernfs_fop_open+0x769/0x8c7
[   97.514224]  ? kernfs_put_open_node+0x17f/0x17f
[   97.524565]  ? do_dentry_open+0x40c/0x7c1
[   97.532699]  ? path_openat+0xc93/0xfe6
[   97.540674]  ? vfs_tmpfile+0x1d6/0x1d6
[   97.548349]  ? check_chain_key+0x192/0x25a
[   97.556616]  ? find_held_lock+0x2d/0xf9
[   97.564331]  ? lock_release+0x577/0x5a1
[   97.572141]  ? ___slab_alloc+0x228/0x324
[   97.582378]  ? tracer_preempt_on+0x20/0x56
[   97.590675]  ? trace_preempt_on+0x1aa/0x1bc
[   97.599132]  ? do_filp_open+0xdb/0x148
[   97.606661]  ? path_openat+0xfe6/0xfe6
[   97.614311]  ? tracer_preempt_on+0x20/0x56
[   97.622638]  ? trace_preempt_on+0x1aa/0x1bc
[   97.631100]  ? preempt_count_sub+0x12e/0x138
[   97.639778]  ? do_sys_open+0xc2/0x1c5
[   97.646490]  ? do_sys_open+0xc2/0x1c5
[   97.654293]  ? file_open_root+0xc8/0xc8
[   97.661953]  ? do_syscall_64+0xad/0xe0
[   97.669925]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.680032] 
[   97.683436] The buggy address belongs to the page:
[   97.692794] page:ffffea00005463c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   97.708487] flags: 0x4000000000000000()

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 40e020c129cfc991e8ab4736d2665351ffd1468d v4.19 --
git bisect  bad e9ebc2151f88600e726e51e5f7ca9c33ad53b35f  # 07:40  B     10     1    1   1  Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 71f4d95b23654ec2b347bd15b1260d68ca9ea5ea  # 08:05  G     80     0    6   6  Merge tag 'for-4.20/dm-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
git bisect good 343a9f35409b68b6de66ecd0db90a277aee90ec2  # 08:30  G     83     0   11  11  Merge tag 'trace-v4.20' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
git bisect  bad b5b1de3537e2cd8f52971224a1be24bb3ce34a65  # 08:55  B     21     2    0   0  Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
git bisect good adb6b2b2b59f7872322f255206583b4c3ce661a3  # 09:25  G     78     0    5   5  Merge tag 'for-linus' of git://linux-c6x.org/git/projects/linux-c6x-upstreaming
git bisect good ffb845db50012eb3704a270efdf9b98be4e3454a  # 09:49  G     79     0   12  12  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc
git bisect good 7c6c54b505b8aea1782ce6a6e8f3b8297d179937  # 10:16  G     83     0   10  10  Merge branch 'i2c/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
git bisect  bad 2d6bb6adb714b133db92ccd4bfc9c20f75f71f3f  # 10:35  B     25     5    0   0  Merge tag 'stackleak-v4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect  bad c8d126275a5fa59394fe17109bdb9812fed296b8  # 11:00  B     23     1    0   0  fs/proc: Show STACKLEAK metrics in the /proc file system
git bisect  bad 10e9ae9fabaf96c8e5227c1cd4827d58b3aa406d  # 11:27  B     29     3    0   0  gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
git bisect good afaef01c001537fa97a25092d7f54d764dc7d8c1  # 11:54  G    140     0   20  20  x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
# first bad commit: [10e9ae9fabaf96c8e5227c1cd4827d58b3aa406d] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
git bisect good afaef01c001537fa97a25092d7f54d764dc7d8c1  # 12:04  G    422     0   46  66  x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls
# extra tests with debug options
git bisect  bad 10e9ae9fabaf96c8e5227c1cd4827d58b3aa406d  # 12:27  B     33     4    1   1  gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack
# extra tests on HEAD of linux-devel/devel-hourly-2018121517
git bisect  bad 5552a5433cdc6dce76cdbb2e3d8891d741176177  # 12:27  B    323    27    0   4  0day head guard for 'devel-hourly-2018121517'
# extra tests on tree/branch linus/master
git bisect  bad 1a9430db2835c0c00acc87d915b573496998c1bf  # 12:47  B      0     1   15   0  ima: cleanup the match_token policy code
# extra tests on tree/branch linux-next/master
git bisect  bad 6648e120dd1a7a1d6eedea1b7dbe21108a189947  # 13:09  B     36     1    1   1  Add linux-next specific files for 20181217

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-yocto-vm-yocto-415:20181218112749:x86_64-randconfig-ws0-12151914:4.19.0-rc2-00002-g10e9ae9:1.gz" of type "application/gzip" (17777 bytes)

Download attachment "dmesg-yocto-vm-yocto-101:20181218115318:x86_64-randconfig-ws0-12151914:4.19.0-rc2-00001-gafaef01:1.gz" of type "application/gzip" (16105 bytes)

View attachment "reproduce-yocto-vm-yocto-415:20181218112749:x86_64-randconfig-ws0-12151914:4.19.0-rc2-00002-g10e9ae9:1" of type "text/plain" (922 bytes)

View attachment "config-4.19.0-rc2-00002-g10e9ae9" of type "text/plain" (101333 bytes)
