lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+bgouQquwTa23WdorASC9K2HWzsSrnZBMjY3p+cP3i5Hw@mail.gmail.com>
Date:   Fri, 4 Jan 2019 17:37:12 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+d959075ee873314ffb9c@...kaller.appspotmail.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Stefano Brivio <sbrivio@...hat.com>
Subject: Re: KASAN: stack-out-of-bounds in update_curr

On Fri, Jan 4, 2019 at 4:51 PM syzbot
<syzbot+d959075ee873314ffb9c@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    645ff1e8e704 Merge branch 'for-linus' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b8c59b400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=20271e14bc1c87f0
> dashboard link: https://syzkaller.appspot.com/bug?extid=d959075ee873314ffb9c
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15b32430c00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+d959075ee873314ffb9c@...kaller.appspotmail.com


Presumably a random manifestation of the stack overflow/corruption:

#syz dup: kernel panic: stack is corrupted in udp4_lib_lookup2

See https://groups.google.com/forum/#!msg/syzkaller-bugs/vr87kmG5qRI/31nOcuVsFgAJ




> IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
> 8021q: adding VLAN 0 to HW filter on device batadv0
> ==================================================================
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> BUG: KASAN: stack-out-of-bounds in calc_delta_fair kernel/sched/fair.c:629
> [inline]
> BUG: KASAN: stack-out-of-bounds in update_curr+0x99d/0xbc0
> kernel/sched/fair.c:823
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> Read of size 8 at addr ffff8880a94be4c0 by task syz-executor2/8264
> CPU: 1 PID: -2015332728 Comm: e  Not tainted 4.20.0+ #7
>
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> CPU: 0 PID: 8264 Comm: syz-executor2 Not tainted 4.20.0+ #7
> RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
> RIP: 0010:debug_object_deactivate lib/debugobjects.c:542 [inline]
> RIP: 0010:debug_object_deactivate+0x16c/0x4b0 lib/debugobjects.c:529
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Code: c1 ea 03 42 80 3c 2a 00 0f 85 49 02 00 00 4d 8b 24 24 4d 85 e4 0f 84
> d1 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00
> 0f 85 fa 01 00 00 49 3b 4c 24 18 75 c0 49 8d 7c 24
> Call Trace:
> RSP: 0018:ffff8880ae707b80 EFLAGS: 00010002
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
> RAX: 1ffffffff16d5674 RBX: 0000000000000003 RCX: ffff8880ae726620
> RDX: 000000000000000b RSI: 0000000000000004 RDI: 0000000000000058
> RBP: ffff8880ae707c70 R08: 1ffff11015ce0f5c R09: ffffffff899ad160
> R10: 0000000000000086 R11: 0000000000000003 R12: 0000000000000040
> R13: dffffc0000000000 R14: 1ffff11015ce0f74 R15: ffffffff8b6ab3a8
> FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000068 CR3: 000000007f479000 CR4: 00000000001406e0
>   print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <IRQ>
>   kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
>   __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
>   calc_delta_fair kernel/sched/fair.c:629 [inline]
>   update_curr+0x99d/0xbc0 kernel/sched/fair.c:823
>   debug_hrtimer_deactivate kernel/time/hrtimer.c:412 [inline]
>   debug_deactivate kernel/time/hrtimer.c:462 [inline]
>   __run_hrtimer kernel/time/hrtimer.c:1359 [inline]
>   __hrtimer_run_queues+0x225/0x1050 kernel/time/hrtimer.c:1451
>   enqueue_entity+0x3e5/0x20b0 kernel/sched/fair.c:3880
>   hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
>   local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
>   smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
>   enqueue_task_fair+0x237/0x10c0 kernel/sched/fair.c:5133
>   apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
>   enqueue_task kernel/sched/core.c:730 [inline]
>   activate_task+0x11d/0x470 kernel/sched/core.c:751
>   </IRQ>
>   ttwu_activate kernel/sched/core.c:1643 [inline]
>   ttwu_do_activate+0xd4/0x1f0 kernel/sched/core.c:1702
> Modules linked in:
>   ttwu_queue kernel/sched/core.c:1847 [inline]
>   try_to_wake_up+0x997/0x1480 kernel/sched/core.c:2057
> ---[ end trace 5a5c098e51171999 ]---
> RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
> RIP: 0010:debug_object_deactivate lib/debugobjects.c:542 [inline]
> RIP: 0010:debug_object_deactivate+0x16c/0x4b0 lib/debugobjects.c:529
> Code: c1 ea 03 42 80 3c 2a 00 0f 85 49 02 00 00 4d 8b 24 24 4d 85 e4 0f 84
> d1 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00
> 0f 85 fa 01 00 00 49 3b 4c 24 18 75 c0 49 8d 7c 24
> RSP: 0018:ffff8880ae707b80 EFLAGS: 00010002
> RAX: 1ffffffff16d5674 RBX: 0000000000000003 RCX: ffff8880ae726620
> RDX: 000000000000000b RSI: 0000000000000004 RDI: 0000000000000058
>   default_wake_function+0x30/0x50 kernel/sched/core.c:3710
> RBP: ffff8880ae707c70 R08: 1ffff11015ce0f5c R09: ffffffff899ad160
> R10: 0000000000000086 R11: 0000000000000003 R12: 0000000000000040
>   __wake_up_common+0x1d3/0x7d0 kernel/sched/wait.c:92
> R13: dffffc0000000000 R14: 1ffff11015ce0f74 R15: ffffffff8b6ab3a8
> FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000068 CR3: 000000007f479000 CR4: 00000000001406e0
>   __wake_up_locked+0x11/0x20 kernel/sched/wait.c:154
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   ep_poll_callback+0x3c5/0x10a0 fs/eventpoll.c:1200
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000af6ec7057ea3d8df%40google.com.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ