Message-ID: <20190325145032.GB21359@shao2-debian>
Date: Mon, 25 Mar 2019 22:50:32 +0800
From: kernel test robot <rong.a.chen@...el.com>
To: Ondrej Mosnacek <omosnace@...hat.com>
Cc: Paul Moore <paul@...l-moore.com>,
Casey Schaufler <casey@...aufler-ca.com>,
LKML <linux-kernel@...r.kernel.org>, selinux@...r.kernel.org,
lkp@...org
Subject: [kernfs] e19dfdc83b: BUG:KASAN:global-out-of-bounds_in_s
FYI, we noticed the following commit (built with gcc-7):
commit: e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security of newly created nodes")
https://git.kernel.org/cgit/linux/kernel/git/pcmoore/selinux.git next
in testcase: locktorture
with the following parameters:
runtime: 300s
test: default
test-description: This torture test consists of creating a number of kernel threads which acquire the lock and hold it for a specific amount of time, thus simulating different critical region behaviors.
test-url: https://www.kernel.org/doc/Documentation/locking/locktorture.txt
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
caused the following changes (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+-------------------------------------------------+------------+------------+
|                                                 | ec882da5cd | e19dfdc83b |
+-------------------------------------------------+------------+------------+
| boot_successes                                  | 0          | 0          |
| boot_failures                                   | 8          | 8          |
| BUG:kernel_reboot-without-warning_in_test_stage | 8          |            |
| BUG:KASAN:global-out-of-bounds_in_s             | 0          | 8          |
+-------------------------------------------------+------------+------------+
[ 27.938038] BUG: KASAN: global-out-of-bounds in strcmp+0x97/0xa0
[ 27.940755] Read of size 1 at addr ffffffff946a83d7 by task systemd/1
[ 27.943554]
[ 27.944603] CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc1-00010-ge19dfdc #1
[ 27.948091] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 27.951946] Call Trace:
[ 27.953353] ? strcmp+0x97/0xa0
[ 27.955026] print_address_description+0x22/0x270
[ 27.957203] ? strcmp+0x97/0xa0
[ 27.958841] kasan_report+0x13b/0x1d0
[ 27.960759] ? strcmp+0x97/0xa0
[ 27.962378] ? strcmp+0x97/0xa0
[ 27.963976] strcmp+0x97/0xa0
[ 27.965846] simple_xattr_get+0x7b/0x120
[ 27.967473] selinux_kernfs_init_security+0x108/0x440
[ 27.969360] ? __radix_tree_replace+0x9a/0x230
[ 27.971200] ? selinux_secctx_to_secid+0x20/0x20
[ 27.973011] ? __fprop_inc_percpu_max+0x190/0x190
[ 27.975563] ? kvm_sched_clock_read+0x12/0x20
[ 27.977907] ? sched_clock+0x5/0x10
[ 27.979867] ? sched_clock_cpu+0x24/0xb0
[ 27.982048] ? idr_alloc_cyclic+0xcb/0x190
[ 27.984229] ? lock_downgrade+0x620/0x620
[ 27.986388] security_kernfs_init_security+0x3c/0x70
[ 27.989012] __kernfs_new_node+0x403/0x5e0
[ 27.991195] ? kernfs_dop_revalidate+0x330/0x330
[ 27.993589] ? css_next_child+0xec/0x260
[ 27.995685] ? css_next_descendant_pre+0x36/0x110
[ 27.998115] ? cgroup_propagate_control+0x2d6/0x460
[ 28.000662] kernfs_new_node+0x72/0x140
[ 28.002818] ? lockdep_hardirqs_on+0x379/0x560
[ 28.005171] ? cgroup_idr_replace+0x35/0x40
[ 28.007417] kernfs_create_dir_ns+0x26/0x130
[ 28.009690] cgroup_mkdir+0x3b9/0xef0
[ 28.011764] ? cgroup_destroy_locked+0x5e0/0x5e0
[ 28.014196] kernfs_iop_mkdir+0x12f/0x1b0
[ 28.016396] vfs_mkdir+0x2e6/0x510
[ 28.018317] do_mkdirat+0x19b/0x1f0
[ 28.020284] ? __x64_sys_mknod+0xb0/0xb0
[ 28.022437] do_syscall_64+0xe5/0x10d0
[ 28.024408] ? syscall_return_slowpath+0x790/0x790
[ 28.026874] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 28.029504] ? trace_hardirqs_off_caller+0x58/0x200
[ 28.031993] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 28.034438] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 28.036748] RIP: 0033:0x7f38cab6f447
[ 28.038825] Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 49 da 2b 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 21 da 2b 00 f7 d8 64 89 01 48
[ 28.047736] RSP: 002b:00007ffeef143d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
[ 28.051776] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f38cab6f447
[ 28.055117] RDX: 00007ffeef143c30 RSI: 00000000000001ed RDI: 000055a7b0458560
[ 28.058533] RBP: 0000000000000040 R08: 0000000000000000 R09: 2f73662f7379732f
[ 28.062031] R10: 732f70756f726763 R11: 0000000000000246 R12: 000055a7b04b30a0
[ 28.065528] R13: 0000000000000000 R14: 000055a7b046bb88 R15: 000055a7b046b540
[ 28.068977]
[ 28.070240] The buggy address belongs to the variable:
[ 28.072491] securityfs_super_operations+0x4917/0x6220
[ 28.075171]
[ 28.076286] Memory state around the buggy address:
[ 28.078861] ffffffff946a8280: fa fa fa fa 00 01 fa fa fa fa fa fa 00 02 fa fa
[ 28.082610] ffffffff946a8300: fa fa fa fa 00 02 fa fa fa fa fa fa 00 01 fa fa
[ 28.086669] >ffffffff946a8380: fa fa fa fa 00 03 fa fa fa fa fa fa 00 fa fa fa
[ 28.090587] ^
[ 28.093576] ffffffff946a8400: fa fa fa fa 00 00 00 00 00 00 05 fa fa fa fa fa
[ 28.097599] ffffffff946a8480: 00 00 01 fa fa fa fa fa 00 00 00 00 00 00 00 00
[ 28.101453] ==================================================================
[ 28.105478] Disabling lock debugging due to kernel taint
Starting Load Kernel Modules...
Mounting Debug File System...
] Listening on RPCbind Server Activation Socket.
Starting Remount Root and Kernel File Systems...
Starting Journal Service...
Mounting RPC Pipe File System...
[ 28.508319] _warn_unseeded_randomness: 131 callbacks suppressed
[ 28.508335] random: get_random_u64 called from copy_process+0x596/0x6450 with crng_init=1
Starting Create Static Device Nodes in /dev...
[ 28.552988] random: get_random_u64 called from arch_pick_mmap_layout+0x4a1/0x600 with crng_init=1
[ 28.556785] random: get_random_u64 called from arch_pick_mmap_layout+0x446/0x600 with crng_init=1
Starting Load/Save Random Seed...
Starting udev Coldplug all Devices...
Mounting FUSE Control File System...
Starting Apply Kernel Variables...
Mounting Configuration File System...
Starting Raise network interfaces...
Starting Preprocess NFS configuration...
Starting udev Kernel Device Manager...
Starting Flush Journal to Persistent Storage...
Starting Create Volatile Files and Directories...
[ 29.523554] random: get_random_u64 called from arch_pick_mmap_layout+0x446/0x600 with crng_init=1
[ 29.527262] random: get_random_u64 called from load_elf_binary+0x1281/0x2f30 with crng_init=1
Starting RPC bind portmap service...
Starting Network Time Synchronization...
Starting Update UTMP about System Boot/Shutdown...
[ 30.574449] _warn_unseeded_randomness: 154 callbacks suppressed
[ 30.574479] random: get_random_u32 called from bucket_table_alloc+0x149/0x370 with crng_init=1
[ 32.628754] random: get_random_u64 called from arch_pick_mmap_layout+0x4a1/0x600 with crng_init=1
[ 32.632973] random: get_random_u64 called from arch_pick_mmap_layout+0x446/0x600 with crng_init=1
[ 32.637364] random: get_random_u64 called from load_elf_binary+0x1281/0x2f30 with crng_init=1
Starting Login Service...
Starting LSB: Start and stop bmc-watchdog...
Starting LSB: Execute the kexec -e command to reboot system...
To reproduce:
# build kernel
cd linux
cp config-5.1.0-rc1-00010-ge19dfdc .config
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
Thanks,
Rong Chen
View attachment "config-5.1.0-rc1-00010-ge19dfdc" of type "text/plain" (134187 bytes)
View attachment "job-script" of type "text/plain" (4595 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (15740 bytes)