Message-ID: <20201106020930.GA18349@xsang-OptiPlex-9020>
Date:   Fri, 6 Nov 2020 10:09:31 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Daniel Xu <dxu@...uu.xyz>
Cc:     bpf@...r.kernel.org, linux-kernel@...r.kernel.org, ast@...nel.org,
        Daniel Xu <dxu@...uu.xyz>, kernel-team@...com,
        0day robot <lkp@...el.com>, lkp@...ts.01.org
Subject: [lib/strncpy_from_user.c]  00a4ef91e8: BUG:KASAN:slab-out-of-bounds_in_s

Greetings,

FYI, we noticed the following commit (built with clang-12):

commit: 00a4ef91e8f5af6edceb9bd4bceed2305f038796 ("[PATCH bpf-next] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator")
url: https://github.com/0day-ci/linux/commits/Daniel-Xu/lib-strncpy_from_user-c-Don-t-overcopy-bytes-after-NUL-terminator/20201104-103306
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master

in testcase: trinity
version: trinity-x86_64-af355e9-1_2019-12-03
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+----------------------------------------------------------------------------+------------+------------+
|                                                                            | f4c3881edb | 00a4ef91e8 |
+----------------------------------------------------------------------------+------------+------------+
| boot_successes                                                             | 8          | 4          |
| boot_failures                                                              | 14         | 15         |
| Initramfs_unpacking_failed                                                 | 13         | 7          |
| Kernel_panic-not_syncing:VFS:Unable_to_mount_root_fs_on_unknown-block(#,#) | 13         | 9          |
| BUG:kernel_hang_in_boot_stage                                              | 1          |            |
| BUG:KASAN:slab-out-of-bounds_in_s                                          | 0          | 3          |
| BUG:KASAN:slab-out-of-bounds_in_l                                          | 0          | 3          |
+----------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[  324.803835] BUG: KASAN: slab-out-of-bounds in strlen+0x53/0x5d
[  324.808932] Read of size 1 at addr ffff88813be5f380 by task trinity-c0/7148
[  324.809979] 
[  324.810240] CPU: 1 PID: 7148 Comm: trinity-c0 Not tainted 5.9.0-13430-g00a4ef91e8f5 #1
[  324.811397] Call Trace:
[  324.811797]  dump_stack+0x156/0x194
[  324.812387]  ? wake_up_klogd+0x49/0x5e
[  324.813118]  ? vprintk_emit+0x297/0x307
[  324.813680]  print_address_description+0x25/0x4b7
[  324.814354]  ? printk+0x54/0x5d
[  324.814877]  ? kasan_report+0xad/0x187
[  324.815531]  kasan_report+0x140/0x187
[  324.816187]  ? strlen+0x53/0x5d
[  324.820931] [child7:7142] Tried 16 32-bit syscalls unsuccessfully. Disabling all 32-bit syscalls.
[  324.828848]  strlen+0x53/0x5d
[  324.828864]  getname_kernel+0x19/0x257
[  324.828874]  kern_path+0x19/0x32
[  324.828887]  lookup_bdev+0x52/0x182
[  324.828908]  __x64_sys_quotactl+0x1fe/0x4e97
[  324.833228]  ? kvm_sched_clock_read+0x14/0x28
[  324.837181]  ? sched_clock+0x5/0x8
[  324.837748]  ? sched_clock_cpu+0x18/0x151
[  324.838396]  ? up_write+0xd7/0x399
[  324.838944]  ? security_file_mprotect+0x93/0xb0
[  324.839686]  ? __x64_sys_mprotect+0x31a/0x6a9
[  324.840405]  ? fpregs_assert_state_consistent+0xae/0xd3
[  324.841253]  do_syscall_64+0x34/0x6c
[  324.841808]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  324.842540] RIP: 0033:0x7f77ba3311c9
[  324.843079] Code: 01 00 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 dc 2c 00 f7 d8 64 89 01 48
[  324.845838] RSP: 002b:00007ffe42abbe58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
[  324.846978] RAX: ffffffffffffffda RBX: 00000000000000b3 RCX: 00007f77ba3311c9
[  324.848039] RDX: 0000000004000000 RSI: 00007f77b8719000 RDI: 0000000012121000
[  324.849923] RBP: 00007f77baa1d000 R08: ffffffffffffffff R09: 0000000000000000
[  324.850961] R10: 00007f77b8719000 R11: 0000000000000246 R12: 00007f77baa1d058
[  324.852032] R13: 00007f77baa246b0 R14: 0000000000000000 R15: 00007f77baa1d000
[  324.853117] 
[  324.853292] 
[  324.853372] Allocated by task 7148:
[  324.854203]  kasan_save_stack+0x27/0x47
[  324.854779]  __kasan_kmalloc+0xed/0x104
[  324.855365]  kmem_cache_alloc+0xcb/0x135
[  324.855971]  getname_flags+0x51/0x3a2
[  324.856536]  __x64_sys_quotactl+0x1c1/0x4e97
[  324.857205]  do_syscall_64+0x34/0x6c
[  324.857749]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  324.858495] 
[  324.858656] [child2:7150] Tried 16 32-bit syscalls unsuccessfully. Disabling all 32-bit syscalls.
[  324.858746] The buggy address belongs to the object at ffff88813be5e380
[  324.858746]  which belongs to the cache names_cache of size 4096
[  324.858764] The buggy address is located 0 bytes to the right of
[  324.858764]  4096-byte region [ffff88813be5e380, ffff88813be5f380)
[  324.860587] 
[  324.862729] The buggy address belongs to the page:
[  324.862755] page:000000009f9037ac refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813be5ffff pfn:0x13be5e
[  324.867328] head:000000009f9037ac order:1 compound_mapcount:0
[  324.868165] flags: 0x8000000000010200(slab|head)
[  324.868875] raw: 8000000000010200 ffffea0005a88688 ffffea000459f288 ffff888100252300
[  324.870009] raw: ffff88813be5ffff ffff88813be5e380 0000000100000001 0000000000000000
[  324.871126] page dumped because: kasan: bad access detected
[  324.871945] 
[  324.872192] Memory state around the buggy address:
[  324.872947]  ffff88813be5f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  324.873980]  ffff88813be5f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  324.875009] >ffff88813be5f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  324.876036]                    ^
[  324.876538]  ffff88813be5f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  324.877588]  ffff88813be5f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  324.878621] ==================================================================
[  324.879657] Disabling lock debugging due to kernel taint
[  324.882776] [child2:7152] Tried 16 32-bit syscalls unsuccessfully. Disabling all 32-bit syscalls.
[  324.882801] 
[  324.933069] [main] kernel became tainted! (32/0) Last seed was 2498072066
[  324.933099] 
[  324.969750] trinity: Detected kernel tainting. Last seed was 2498072066
[  324.969776] 
[  324.976192] [main] exit_reason=7, but 7 children still running.
[  324.976217] 
[  326.978916] [main] Bailing main loop because kernel became tainted..
[  326.978943] 
[  327.015587] [main] Ran 32788 syscalls. Successes: 10983  Failures: 20991
[  327.015610] 

Kboot worker: lkp-worker04
Elapsed time: 360

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu SandyBridge
	-kernel $kernel
	-initrd initrd-vm-snb-72.cgz
	-m 8192
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0,hostfwd=tcp::32032-:22
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-watchdog-action debug
	-rtc base=localtime
)


To reproduce:

	# build kernel
	cd linux
	cp config-5.9.0-13430-g00a4ef91e8f5 .config
	make HOSTCC=clang-12 CC=clang-12 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.9.0-13430-g00a4ef91e8f5" of type "text/plain" (152432 bytes)

View attachment "job-script" of type "text/plain" (4243 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (30480 bytes)
