lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+YioGPyPokfHvtjOw4ZVPfj=X4tKVfucN_rUivv41Rs1g@mail.gmail.com>
Date:   Mon, 14 Jan 2019 18:27:10 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+af057431e1ebbdadd4d1@...kaller.appspotmail.com>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: KASAN: stack-out-of-bounds Read in swake_up_one

On Mon, Jan 14, 2019 at 6:23 PM syzbot
<syzbot+af057431e1ebbdadd4d1@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    de6629eb262e Merge tag 'pci-v5.0-fixes-1' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10dd2fab400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=edf1c3031097c304
> dashboard link: https://syzkaller.appspot.com/bug?extid=af057431e1ebbdadd4d1
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10bd0237400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+af057431e1ebbdadd4d1@...kaller.appspotmail.com

#syz dup: kernel panic: stack is corrupted in udp4_lib_lookup2

> IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
> IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
> IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
> 8021q: adding VLAN 0 to HW filter on device batadv0
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in swake_up_locked kernel/sched/swait.c:30
> [inline]
> BUG: KASAN: stack-out-of-bounds in swake_up_locked kernel/sched/swait.c:22
> [inline]
> BUG: KASAN: stack-out-of-bounds in swake_up_one+0x2bf/0x3c0
> kernel/sched/swait.c:40
> kasan: CONFIG_KASAN_INLINE enabled
> Read of size 8 at addr ffff8880a9487a88 by task syz-executor5/8368
> kasan: GPF could be caused by NULL-ptr deref or user memory access
>
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 8368 Comm: syz-executor5 Not tainted 5.0.0-rc1+ #20
> CPU: 1 PID: 64 Comm: ksoftirq��1 Not tainted 5.0.0-rc1+ #20
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
> RIP: 0010:debug_object_deactivate lib/debugobjects.c:542 [inline]
> RIP: 0010:debug_object_deactivate+0x16c/0x4b0 lib/debugobjects.c:529
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
> Code: c1 ea 03 42 80 3c 2a 00 0f 85 49 02 00 00 4d 8b 24 24 4d 85 e4 0f 84
> d1 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00
> 0f 85 fa 01 00 00 49 3b 4c 24 18 75 c0 49 8d 7c 24
> RSP: 0018:ffff8880ae707b80 EFLAGS: 00010003
> RAX: 1ffffffff16d60bc RBX: 0000000000000004 RCX: ffff8880ae726620
>   print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
> RDX: 000000000000019d RSI: 0000000000000004 RDI: 0000000000000ced
> RBP: ffff8880ae707c70 R08: 1ffff11015ce0f5c R09: ffffffff899b13e0
> R10: 0000000000000086 R11: 0000000000000003 R12: 0000000000000cd5
> R13: dffffc0000000000 R14: 1ffff11015ce0f74 R15: ffffffff8b6b05e8
>   kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
> FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000068 CR3: 0000000096ff7000 CR4: 00000000001406e0
>   __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>   swake_up_locked kernel/sched/swait.c:30 [inline]
>   swake_up_locked kernel/sched/swait.c:22 [inline]
>   swake_up_one+0x2bf/0x3c0 kernel/sched/swait.c:40
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <IRQ>
>   rcu_gp_kthread_wake+0xc3/0x100 kernel/rcu/tree.c:1571
>   debug_hrtimer_deactivate kernel/time/hrtimer.c:412 [inline]
>   debug_deactivate kernel/time/hrtimer.c:462 [inline]
>   __run_hrtimer kernel/time/hrtimer.c:1359 [inline]
>   __hrtimer_run_queues+0x225/0x1050 kernel/time/hrtimer.c:1451
>   rcu_report_qs_rsp+0x177/0x220 kernel/rcu/tree.c:2131
>   rcu_report_unblock_qs_rnp kernel/rcu/tree.c:2235 [inline]
>   rcu_preempt_deferred_qs_irqrestore+0xc03/0xfd0 kernel/rcu/tree_plugin.h:574
>   hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
>   local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
>   smp_apic_timer_interrupt+0x18d/0x760 arch/x86/kernel/apic/apic.c:1060
>   rcu_read_unlock_special+0x1cd/0x380 kernel/rcu/tree_plugin.h:665
>   apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
>   __rcu_read_unlock+0x204/0x210 kernel/rcu/tree_plugin.h:437
>   </IRQ>
> Modules linked in:
> ---[ end trace d4ad3f10efc73e81 ]---
> RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
> RIP: 0010:debug_object_deactivate lib/debugobjects.c:542 [inline]
> RIP: 0010:debug_object_deactivate+0x16c/0x4b0 lib/debugobjects.c:529
>   rcu_read_unlock include/linux/rcupdate.h:660 [inline]
>   is_bpf_text_address+0xb6/0x170 kernel/bpf/core.c:668
> Code: c1 ea 03 42 80 3c 2a 00 0f 85 49 02 00 00 4d 8b 24 24 4d 85 e4 0f 84
> d1 00 00 00 49 8d 7c 24 18 83 c3 01 48 89 fa 48 c1 ea 03 <42> 80 3c 2a 00
> 0f 85 fa 01 00 00 49 3b 4c 24 18 75 c0 49 8d 7c 24
>   kernel_text_address+0x73/0xf0 kernel/extable.c:152
> RSP: 0018:ffff8880ae707b80 EFLAGS: 00010003
>   __kernel_text_address+0xd/0x40 kernel/extable.c:107
> RAX: 1ffffffff16d60bc RBX: 0000000000000004 RCX: ffff8880ae726620
>   unwind_get_return_address arch/x86/kernel/unwind_frame.c:18 [inline]
>   unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:13
> RDX: 000000000000019d RSI: 0000000000000004 RDI: 0000000000000ced
>   __save_stack_trace+0x8a/0xf0 arch/x86/kernel/stacktrace.c:45
> RBP: ffff8880ae707c70 R08: 1ffff11015ce0f5c R09: ffffffff899b13e0
>   save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60
> R10: 0000000000000086 R11: 0000000000000003 R12: 0000000000000cd5
> R13: dffffc0000000000 R14: 1ffff11015ce0f74 R15: ffffffff8b6b05e8
>   save_stack+0x45/0xd0 mm/kasan/common.c:73
> FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000068 CR3: 0000000096ff7000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000002a3bfb057f6e4c96%40google.com.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ