Message-ID: <20190603023523.GN22325@shao2-debian>
Date:   Mon, 3 Jun 2019 10:35:23 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Tejun Heo <tj@...nel.org>
Cc:     Topi Miettinen <toiwoton@...il.com>,
        Oleg Nesterov <oleg@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>, Tejun Heo <tj@...nel.org>,
        cgroups@...r.kernel.org, lkp@...org
Subject: [cgroup] c03cd7738a: BUG:KASAN:slab-out-of-bounds_in_c

FYI, we noticed the following commit (built with gcc-7):

commit: c03cd7738a83b13739f00546166969342c8ff014 ("cgroup: Include dying leaders with live threads in PROCS iterations")
https://git.kernel.org/cgit/linux/kernel/git/tj/cgroup.git for-next

in testcase: trinity
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+----------------------------------------------------------+------------+------------+
|                                                          | b636fd38dc | c03cd7738a |
+----------------------------------------------------------+------------+------------+
| boot_successes                                           | 18         | 5          |
| boot_failures                                            | 1          | 9          |
| BUG:kernel_hang_in_boot-around-mounting-root_stage       | 1          |            |
| BUG:KASAN:slab-out-of-bounds_in_c                        | 0          | 7          |
| WARNING:at_lib/refcount.c:#refcount_inc_checked          | 0          | 8          |
| RIP:refcount_inc_checked                                 | 0          | 8          |
| WARNING:at_lib/refcount.c:#refcount_sub_and_test_checked | 0          | 8          |
| RIP:refcount_sub_and_test_checked                        | 0          | 8          |
| BUG:KASAN:use-after-free_in_c                            | 0          | 1          |
+----------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <rong.a.chen@...el.com>


[   18.337218] BUG: KASAN: slab-out-of-bounds in css_task_iter_advance+0x1bd/0x240
[   18.338974] Read of size 4 at addr ffff888050ff294c by task systemd/1
[   18.340408] 
[   18.340960] CPU: 1 PID: 1 Comm: systemd Not tainted 5.2.0-rc2-00013-gc03cd77 #1
[   18.342728] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   18.344685] Call Trace:
[   18.345424]  dump_stack+0x7d/0xb8
[   18.346304]  ? css_task_iter_advance+0x1bd/0x240
[   18.347420]  print_address_description+0xa1/0x330
[   18.348547]  ? css_task_iter_advance+0x1bd/0x240
[   18.349658]  ? css_task_iter_advance+0x1bd/0x240
[   18.350767]  ? css_task_iter_advance+0x1bd/0x240
[   18.351878]  __kasan_report+0x11d/0x163
[   18.352850]  ? css_task_iter_advance+0x1bd/0x240
[   18.353965]  kasan_report+0x2f/0x40
[   18.354873]  __asan_load4+0x6a/0x90
[   18.355780]  css_task_iter_advance+0x1bd/0x240
[   18.356857]  css_task_iter_start+0xd0/0x120
[   18.357889]  pidlist_array_load+0x107/0x540
[   18.358921]  ? cgroup_pidlist_find+0xa0/0xa0
[   18.359972]  cgroup_pidlist_start+0x24e/0x2b0
[   18.361037]  cgroup_seqfile_start+0x57/0x60
[   18.362065]  ? cgroup_file_release+0x60/0x60
[   18.363111]  kernfs_seq_start+0x86/0xd0
[   18.364080]  seq_read+0x16e/0x750
[   18.364960]  kernfs_fop_read+0x23c/0x2b0
[   18.365949]  ? security_file_permission+0x140/0x1c0
[   18.367106]  ? kernfs_fop_write+0x280/0x280
[   18.368149]  __vfs_read+0x59/0xb0
[   18.369024]  vfs_read+0xeb/0x1d0
[   18.369888]  ksys_read+0x134/0x1b0
[   18.370787]  ? kernel_write+0xa0/0xa0
[   18.371734]  ? __this_cpu_preempt_check+0x2f/0x150
[   18.372922]  __x64_sys_read+0x43/0x50
[   18.373876]  do_syscall_64+0xd3/0x3a0
[   18.374930]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   18.376117] RIP: 0033:0x7f02f62f56d0
[   18.377046] Code: b6 fe ff ff 48 8d 3d 17 be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d 39 30 2c 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 9b 01 00 48 89 04 24
[   18.381026] RSP: 002b:00007ffd6f7342b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   18.382834] RAX: ffffffffffffffda RBX: 000055f99ecc8110 RCX: 00007f02f62f56d0
[   18.384393] RDX: 0000000000001000 RSI: 000055f99ec82710 RDI: 0000000000000023
[   18.385954] RBP: 0000000000000d68 R08: 00007f02f65b41a8 R09: 0000000000001010
[   18.387509] R10: 0000000000000050 R11: 0000000000000246 R12: 00007f02f65b0440
[   18.389058] R13: 00007f02f65af900 R14: 00000000ffffffff R15: 0000000000000000
[   18.390621] 
[   18.391170] Allocated by task 1:
[   18.392034]  __kasan_kmalloc+0xe4/0x150
[   18.393199]  kasan_kmalloc+0x28/0x40
[   18.394119]  find_css_set+0x1ad/0x770
[   18.395058]  cgroup_migrate_prepare_dst+0x10d/0x3a0
[   18.396226]  cgroup_attach_task+0x1ee/0x290
[   18.397258]  __cgroup1_procs_write+0x17a/0x210
[   18.398523]  cgroup1_procs_write+0x2a/0x40
[   18.399539]  cgroup_file_write+0x190/0x330
[   18.400559]  kernfs_fop_write+0x1d9/0x280
[   18.401563]  __vfs_write+0x59/0xb0
[   18.402461]  vfs_write+0x13c/0x2d0
[   18.403354]  ksys_write+0x134/0x1b0
[   18.404262]  __x64_sys_write+0x43/0x50
[   18.405218]  do_syscall_64+0xd3/0x3a0
[   18.406163]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   18.407343] 
[   18.407888] Freed by task 0:
[   18.408678] (stack is not available)
[   18.409591] 
[   18.410139] The buggy address belongs to the object at ffff888050ff2728
[   18.410139]  which belongs to the cache kmalloc-256 of size 256
[   18.412811] The buggy address is located 292 bytes to the right of
[   18.412811]  256-byte region [ffff888050ff2728, ffff888050ff2828)
[   18.415451] The buggy address belongs to the page:
[   18.416597] page:ffff888078a3fc80 refcount:1 mapcount:0 mapping:ffff88800fc0f1c0 index:0x0 compound_mapcount: 0
[   18.418849] flags: 0x1480000010200(slab|head)
[   18.419917] raw: 0001480000010200 ffff888078c9c988 ffff88800fc00a70 ffff88800fc0f1c0
[   18.421754] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[   18.423586] page dumped because: kasan: bad access detected
[   18.424862] 
[   18.425412] Memory state around the buggy address:
[   18.426555]  ffff888050ff2800: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.428293]  ffff888050ff2880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.430029] >ffff888050ff2900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   18.431768]                                               ^
[   18.433044]  ffff888050ff2980: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   18.434789]  ffff888050ff2a00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[   18.436536] ==================================================================
[   18.438281] Disabling lock debugging due to kernel taint
[   18.440566] ------------[ cut here ]------------
[   18.441679] refcount_t: increment on 0; use-after-free.
[   18.442899] WARNING: CPU: 0 PID: 1 at lib/refcount.c:156 refcount_inc_checked+0x47/0x50
[   18.445013] Modules linked in: autofs4
[   18.445932] CPU: 0 PID: 1 Comm: systemd Tainted: G    B             5.2.0-rc2-00013-gc03cd77 #1
[   18.449756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   18.451638] RIP: 0010:refcount_inc_checked+0x47/0x50
[   18.452764] Code: ff 5b 5d c3 e8 8a 8e c4 ff 80 3d c0 3d 5f 01 00 75 ea e8 7c 8e c4 ff 48 c7 c7 20 d5 33 82 c6 05 ab 3d 5f 01 01 e8 79 37 b4 ff <0f> 0b eb ce 0f 1f 44 00 00 55 48 b8 00 00 00 00 00 fc ff df 48 89
[   18.456562] RSP: 0018:ffff88800fcd7ac0 EFLAGS: 00010086
[   18.457731] RAX: dffffc0000000008 RBX: ffff888050ff2948 RCX: ffffffff81146086
[   18.459227] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff82dfffa0
[   18.460731] RBP: ffff88800fcd7ac8 R08: ffffed100cd03e55 R09: ffffed100cd03e55
[   18.462236] R10: ffffed100a1fe52a R11: ffff88800fc00e50 R12: ffff888050ff2928
[   18.463732] R13: ffff88800fcd7ba8 R14: 0000000000000000 R15: ffff888056baeb01
[   18.465239] FS:  00007f02f7d25940(0000) GS:ffff888066800000(0000) knlGS:0000000000000000
[   18.467063] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   18.468325] CR2: 00007f70b9e8dab4 CR3: 00000000530be000 CR4: 00000000000406b0
[   18.469818] Call Trace:
[   18.470521]  css_task_iter_next+0x97/0xe0
[   18.471493]  pidlist_array_load+0x154/0x540
[   18.472486]  ? cgroup_pidlist_find+0xa0/0xa0
[   18.473496]  cgroup_pidlist_start+0x24e/0x2b0
[   18.474519]  cgroup_seqfile_start+0x57/0x60
[   18.475509]  ? cgroup_file_release+0x60/0x60
[   18.476519]  kernfs_seq_start+0x86/0xd0
[   18.477455]  seq_read+0x16e/0x750
[   18.478301]  kernfs_fop_read+0x23c/0x2b0
[   18.479250]  ? security_file_permission+0x140/0x1c0
[   18.480365]  ? kernfs_fop_write+0x280/0x280
[   18.481360]  __vfs_read+0x59/0xb0
[   18.482204]  vfs_read+0xeb/0x1d0
[   18.483029]  ksys_read+0x134/0x1b0
[   18.483889]  ? kernel_write+0xa0/0xa0
[   18.484792]  ? __this_cpu_preempt_check+0x2f/0x150
[   18.485963]  __x64_sys_read+0x43/0x50
[   18.486869]  do_syscall_64+0xd3/0x3a0
[   18.487779]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   18.488919] RIP: 0033:0x7f02f62f56d0
[   18.489811] Code: b6 fe ff ff 48 8d 3d 17 be 08 00 48 83 ec 08 e8 06 db 01 00 66 0f 1f 44 00 00 83 3d 39 30 2c 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 de 9b 01 00 48 89 04 24
[   18.493634] RSP: 002b:00007ffd6f7342b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   18.495371] RAX: ffffffffffffffda RBX: 000055f99ecc8110 RCX: 00007f02f62f56d0
[   18.496868] RDX: 0000000000001000 RSI: 000055f99ec82710 RDI: 0000000000000023
[   18.498371] RBP: 0000000000000d68 R08: 00007f02f65b41a8 R09: 0000000000001010
[   18.499864] R10: 0000000000000050 R11: 0000000000000246 R12: 00007f02f65b0440
[   18.501361] R13: 00007f02f65af900 R14: 00000000ffffffff R15: 0000000000000000
[   18.502853] ---[ end trace eb5d97e9d3945435 ]---


To reproduce:

        # build kernel
        cd linux
        cp config-5.2.0-rc2-00013-gc03cd77 .config
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.2.0-rc2-00013-gc03cd77" of type "text/plain" (115012 bytes)

View attachment "job-script" of type "text/plain" (4627 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (13284 bytes)
