Message-ID: <20190325145032.GB21359@shao2-debian>
Date:   Mon, 25 Mar 2019 22:50:32 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Ondrej Mosnacek <omosnace@...hat.com>
Cc:     Paul Moore <paul@...l-moore.com>,
        Casey Schaufler <casey@...aufler-ca.com>,
        LKML <linux-kernel@...r.kernel.org>, selinux@...r.kernel.org,
        lkp@...org
Subject: [kernfs] e19dfdc83b: BUG:KASAN:global-out-of-bounds_in_s

FYI, we noticed the following commit (built with gcc-7):

commit: e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security of newly created nodes")
https://git.kernel.org/cgit/linux/kernel/git/pcmoore/selinux.git next

in testcase: locktorture
with following parameters:

	runtime: 300s
	test: default

test-description: This torture test consists of creating a number of kernel threads which acquire the lock and hold it for a specific amount of time, thus simulating different critical region behaviors.
test-url: https://www.kernel.org/doc/Documentation/locking/locktorture.txt


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+-------------------------------------------------+------------+------------+
|                                                 | ec882da5cd | e19dfdc83b |
+-------------------------------------------------+------------+------------+
| boot_successes                                  | 0          | 0          |
| boot_failures                                   | 8          | 8          |
| BUG:kernel_reboot-without-warning_in_test_stage | 8          |            |
| BUG:KASAN:global-out-of-bounds_in_s             | 0          | 8          |
+-------------------------------------------------+------------+------------+



[   27.938038] BUG: KASAN: global-out-of-bounds in strcmp+0x97/0xa0
[   27.940755] Read of size 1 at addr ffffffff946a83d7 by task systemd/1
[   27.943554] 
[   27.944603] CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc1-00010-ge19dfdc #1
[   27.948091] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   27.951946] Call Trace:
[   27.953353]  ? strcmp+0x97/0xa0
[   27.955026]  print_address_description+0x22/0x270
[   27.957203]  ? strcmp+0x97/0xa0
[   27.958841]  kasan_report+0x13b/0x1d0
[   27.960759]  ? strcmp+0x97/0xa0
[   27.962378]  ? strcmp+0x97/0xa0
[   27.963976]  strcmp+0x97/0xa0
[   27.965846]  simple_xattr_get+0x7b/0x120
[   27.967473]  selinux_kernfs_init_security+0x108/0x440
[   27.969360]  ? __radix_tree_replace+0x9a/0x230
[   27.971200]  ? selinux_secctx_to_secid+0x20/0x20
[   27.973011]  ? __fprop_inc_percpu_max+0x190/0x190
[   27.975563]  ? kvm_sched_clock_read+0x12/0x20
[   27.977907]  ? sched_clock+0x5/0x10
[   27.979867]  ? sched_clock_cpu+0x24/0xb0
[   27.982048]  ? idr_alloc_cyclic+0xcb/0x190
[   27.984229]  ? lock_downgrade+0x620/0x620
[   27.986388]  security_kernfs_init_security+0x3c/0x70
[   27.989012]  __kernfs_new_node+0x403/0x5e0
[   27.991195]  ? kernfs_dop_revalidate+0x330/0x330
[   27.993589]  ? css_next_child+0xec/0x260
[   27.995685]  ? css_next_descendant_pre+0x36/0x110
[   27.998115]  ? cgroup_propagate_control+0x2d6/0x460
[   28.000662]  kernfs_new_node+0x72/0x140
[   28.002818]  ? lockdep_hardirqs_on+0x379/0x560
[   28.005171]  ? cgroup_idr_replace+0x35/0x40
[   28.007417]  kernfs_create_dir_ns+0x26/0x130
[   28.009690]  cgroup_mkdir+0x3b9/0xef0
[   28.011764]  ? cgroup_destroy_locked+0x5e0/0x5e0
[   28.014196]  kernfs_iop_mkdir+0x12f/0x1b0
[   28.016396]  vfs_mkdir+0x2e6/0x510
[   28.018317]  do_mkdirat+0x19b/0x1f0
[   28.020284]  ? __x64_sys_mknod+0xb0/0xb0
[   28.022437]  do_syscall_64+0xe5/0x10d0
[   28.024408]  ? syscall_return_slowpath+0x790/0x790
[   28.026874]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   28.029504]  ? trace_hardirqs_off_caller+0x58/0x200
[   28.031993]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   28.034438]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   28.036748] RIP: 0033:0x7f38cab6f447
[   28.038825] Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 49 da 2b 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 21 da 2b 00 f7 d8 64 89 01 48
[   28.047736] RSP: 002b:00007ffeef143d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
[   28.051776] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f38cab6f447
[   28.055117] RDX: 00007ffeef143c30 RSI: 00000000000001ed RDI: 000055a7b0458560
[   28.058533] RBP: 0000000000000040 R08: 0000000000000000 R09: 2f73662f7379732f
[   28.062031] R10: 732f70756f726763 R11: 0000000000000246 R12: 000055a7b04b30a0
[   28.065528] R13: 0000000000000000 R14: 000055a7b046bb88 R15: 000055a7b046b540
[   28.068977] 
[   28.070240] The buggy address belongs to the variable:
[   28.072491]  securityfs_super_operations+0x4917/0x6220
[   28.075171] 
[   28.076286] Memory state around the buggy address:
[   28.078861]  ffffffff946a8280: fa fa fa fa 00 01 fa fa fa fa fa fa 00 02 fa fa
[   28.082610]  ffffffff946a8300: fa fa fa fa 00 02 fa fa fa fa fa fa 00 01 fa fa
[   28.086669] >ffffffff946a8380: fa fa fa fa 00 03 fa fa fa fa fa fa 00 fa fa fa
[   28.090587]                                                  ^
[   28.093576]  ffffffff946a8400: fa fa fa fa 00 00 00 00 00 00 05 fa fa fa fa fa
[   28.097599]  ffffffff946a8480: 00 00 01 fa fa fa fa fa 00 00 00 00 00 00 00 00
[   28.101453] ==================================================================
[   28.105478] Disabling lock debugging due to kernel taint

To reproduce:

        # build kernel
        cd linux
        cp config-5.1.0-rc1-00010-ge19dfdc .config
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage


        # run the job under qemu with the lkp-tests harness
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email




Thanks,
Rong Chen


View attachment "config-5.1.0-rc1-00010-ge19dfdc" of type "text/plain" (134187 bytes)

View attachment "job-script" of type "text/plain" (4595 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (15740 bytes)
