lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.21.1906211902060.5503@nanos.tec.linutronix.de>
Date:   Fri, 21 Jun 2019 19:04:24 +0200 (CEST)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Hillf Danton <hdanton@...a.com>
cc:     kernel test robot <rong.a.chen@...el.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        "H. Peter Anvin" <hpa@...or.com>, tipbuild@...or.com, lkp@...org
Subject: Re: [x86/hpet] 286b15db78: BUG:KASAN:wild-memory-access_in_t

On Thu, 20 Jun 2019, Hillf Danton wrote:
> > 
> > +------------------------------------------+------------+------------+
> > |                                          | dfd001e50c | 286b15db78 |
> > +------------------------------------------+------------+------------+
> > | boot_successes                           | 14         | 0          |
> > | boot_failures                            | 0          | 16         |
> > | BUG:KASAN:wild-memory-access_in_t        | 0          | 16         |
> > | general_protection_fault:#[##]           | 0          | 16         |
> > | RIP:try_module_get                       | 0          | 16         |
> > | Kernel_panic-not_syncing:Fatal_exception | 0          | 16         |
> > +------------------------------------------+------------+------------+
> > 
> > 
> > If you fix the issue, kindly add following tag
> > Reported-by: kernel test robot <rong.a.chen@...el.com>
> > 
> > 
> > [    2.801166] BUG: KASAN: wild-memory-access in try_module_get+0x78/0x1bf
> > [    2.803334] Read of size 4 at addr 6b6b6b6b6b6b6b6b by task swapper/0

Yuck.

> > 
> Try to pump up module after checking it is valid only if .owner = THIS_MODULE
> does not help in the case of hpet.

Errrm?

> Hillf
> ---
>  kernel/time/tick-common.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
> index 529143b..1b33215 100644
> --- a/kernel/time/tick-common.c
> +++ b/kernel/time/tick-common.c
> @@ -311,7 +311,7 @@ void tick_check_new_device(struct clock_event_device *newdev)
>  	if (!tick_check_preferred(curdev, newdev))
>  		goto out_bc;
>  
> -	if (!try_module_get(newdev->owner))
> +	if (newdev->owner && !try_module_get(newdev->owner))

How does that prevent the above? That's not about a NULL pointer. Its
simply uninitialized memory.

Aside that the check is pointless as try_module_get() has a NULL pointer
check inside already.

Thanks,

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ