Message-ID: <20201207024315.GA27740@xsang-OptiPlex-9020>
Date: Mon, 7 Dec 2020 10:43:15 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Björn Töpel <bjorn.topel@...el.com>
Cc: Daniel Borkmann <daniel@...earbox.net>,
Magnus Karlsson <magnus.karlsson@...el.com>,
LKML <linux-kernel@...r.kernel.org>,
Linux Memory Management List <linux-mm@...ck.org>,
lkp@...ts.01.org, lkp@...el.com
Subject: [xsk] 45a8668184: BUG:KASAN:null-ptr-deref_in_xsk_recvmsg
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 45a86681844e375bef6f6add272ccc309bb6a08d ("xsk: Add support for recvmsg()")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+---------------------------------------------+------------+------------+
|                                             | 7c951cafc0 | 45a8668184 |
+---------------------------------------------+------------+------------+
| boot_failures                               | 0          | 3          |
| BUG:KASAN:null-ptr-deref_in_xsk_recvmsg     | 0          | 3          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 3          |
| Oops:#[##]                                  | 0          | 3          |
| RIP:xsk_recvmsg                             | 0          | 3          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 3          |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 145.239948] BUG: KASAN: null-ptr-deref in xsk_recvmsg+0x36/0x11c
[ 145.240502] Read of size 4 at addr 0000000000000208 by task trinity-c4/1071
[ 145.241071]
[ 145.241265] CPU: 0 PID: 1071 Comm: trinity-c4 Not tainted 5.10.0-rc3-00857-g45a86681844e #1
[ 145.241946] Call Trace:
[ 145.242196] ? dump_stack+0x116/0x179
[ 145.242563] ? xsk_recvmsg+0x36/0x11c
[ 145.242916] ? kasan_report+0x1e5/0x21d
[ 145.243305] ? xsk_recvmsg+0x36/0x11c
[ 145.243651] ? __asan_load4+0x4e/0x102
[ 145.243981] ? xsk_recvmsg+0x36/0x11c
[ 145.244336] ? xsk_wakeup+0x10a/0x10a
[ 145.244685] ? sock_recvmsg_nosec+0x50/0x5e
[ 145.245098] ? sock_recvmsg+0x4f/0x5c
[ 145.245469] ? ____sys_recvmsg+0x16d/0x2bb
[ 145.245892] ? sock_recvmsg+0x5c/0x5c
[ 145.246267] ? copy_msghdr_from_user+0xb5/0x108
[ 145.246806] ? __copy_msghdr_from_user+0x256/0x256
[ 145.247269] ? timekeeping_get_ns+0x25/0x137
[ 145.247672] ? rcu_read_lock_sched_held+0x85/0xf3
[ 145.248102] ? rcu_read_lock_held+0xb8/0xb8
[ 145.248508] ? find_held_lock+0xbc/0xcb
[ 145.248907] ? ___sys_recvmsg+0xe7/0x14b
[ 145.249282] ? recvmsg_copy_msghdr+0x45/0x45
[ 145.249695] ? reacquire_held_locks+0x251/0x251
[ 145.250123] ? timespec64_add_safe+0xd5/0x161
[ 145.250523] ? nsec_to_clock_t+0x15/0x15
[ 145.250933] ? kvm_clock_read+0x29/0x3f
[ 145.251290] ? kvm_clock_get_cycles+0xc/0x14
[ 145.251676] ? timekeeping_get_ns+0xc7/0x137
[ 145.252060] ? __fcheck_files+0x64/0x6c
[ 145.252410] ? __fget_light+0x79/0xcf
[ 145.252786] ? __fdget+0x11/0x19
[ 145.253173] ? do_recvmmsg+0x27b/0x4ae
[ 145.253552] ? reacquire_held_locks+0x251/0x251
[ 145.253971] ? ___sys_recvmsg+0x14b/0x14b
[ 145.254406] ? should_fail+0x7b/0x395
[ 145.254864] ? get_old_timespec32+0x8a/0x8a
[ 145.255252] ? find_held_lock+0xbc/0xcb
[ 145.255635] ? rcu_read_unlock+0x6b/0xbc
[ 145.256016] ? __sys_recvmmsg+0xfb/0x1e3
[ 145.256395] ? __x64_sys_recvmsg+0x5f/0x5f
[ 145.256774] ? lock_is_held+0xf/0x17
[ 145.257115] ? rcu_read_lock_held+0xb8/0xb8
[ 145.257579] ? __x64_sys_recvmmsg+0x85/0x9d
[ 145.257995] ? do_syscall_64+0x42/0xb5
[ 145.258339] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 145.259035] ==================================================================
[ 145.259976] Disabling lock debugging due to kernel taint
[ 145.269001] BUG: kernel NULL pointer dereference, address: 0000000000000208
[ 145.270370] #PF: supervisor read access in kernel mode
[ 145.271597] #PF: error_code(0x0000) - not-present page
[ 145.272620] PGD 8000000107201067 P4D 8000000107201067 PUD 10625e067 PMD 0
[ 145.273958] Oops: 0000 [#1] SMP KASAN PTI
[ 145.274778] CPU: 0 PID: 1071 Comm: trinity-c4 Tainted: G B 5.10.0-rc3-00857-g45a86681844e #1
[ 145.276624] RIP: 0010:xsk_recvmsg+0x36/0x11c
[ 145.277492] Code: cb e8 54 90 f6 fe 48 8b 6d 18 48 8d bd c8 04 00 00 e8 44 90 f6 fe 4c 8b a5 c8 04 00 00 49 8d bc 24 08 02 00 00 e8 3c 92 f6 fe <41> f6 84 24 08 02 00 00 01 75 11 48 ff 05 de 8a 90 06 b8 9c ff ff
[ 145.280142] RSP: 0018:ffff8881230079b8 EFLAGS: 00010202
[ 145.280574] RAX: ffff8881069d3001 RBX: 0000000000000004 RCX: ffffffff8116b7fb
[ 145.281147] RDX: dffffc0000000000 RSI: 0000000000000003 RDI: ffffffff8249daff
[ 145.281706] RBP: ffff888101c8f000 R08: fffffbfff08f85d5 R09: fffffbfff08f85d5
[ 145.282264] R10: ffffffff847c2ea3 R11: 0000000000000000 R12: 0000000000000000
[ 145.282867] R13: 0000000000000004 R14: ffff88812ae8cfc0 R15: 00007f0299223008
[ 145.283430] FS: 000000000109a880(0000) GS:ffff8881e8200000(0000) knlGS:0000000000000000
[ 145.284068] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 145.284533] CR2: 0000000000000208 CR3: 0000000106c10000 CR4: 00000000000406b0
[ 145.285140] DR0: 00007f0298a23000 DR1: 0000000000000000 DR2: 0000000000000000
[ 145.285871] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000030602
[ 145.286775] Call Trace:
[ 145.287129] ? xsk_wakeup+0x10a/0x10a
[ 145.287621] sock_recvmsg_nosec+0x50/0x5e
[ 145.288147] sock_recvmsg+0x4f/0x5c
[ 145.288610] ____sys_recvmsg+0x16d/0x2bb
[ 145.288965] ? sock_recvmsg+0x5c/0x5c
[ 145.289275] ? copy_msghdr_from_user+0xb5/0x108
[ 145.289649] ? __copy_msghdr_from_user+0x256/0x256
[ 145.290046] ? timekeeping_get_ns+0x25/0x137
[ 145.290405] ? rcu_read_lock_sched_held+0x85/0xf3
[ 145.290803] ? rcu_read_lock_held+0xb8/0xb8
[ 145.291161] ? find_held_lock+0xbc/0xcb
[ 145.291494] ___sys_recvmsg+0xe7/0x14b
[ 145.291814] ? recvmsg_copy_msghdr+0x45/0x45
[ 145.292173] ? reacquire_held_locks+0x251/0x251
[ 145.292549] ? timespec64_add_safe+0xd5/0x161
[ 145.292910] ? nsec_to_clock_t+0x15/0x15
[ 145.293242] ? kvm_clock_read+0x29/0x3f
[ 145.293568] ? kvm_clock_get_cycles+0xc/0x14
[ 145.293930] ? timekeeping_get_ns+0xc7/0x137
[ 145.294285] ? __fcheck_files+0x64/0x6c
[ 145.294626] ? __fget_light+0x79/0xcf
[ 145.294949] ? __fdget+0x11/0x19
[ 145.295235] do_recvmmsg+0x27b/0x4ae
[ 145.295542] ? reacquire_held_locks+0x251/0x251
[ 145.295912] ? ___sys_recvmsg+0x14b/0x14b
[ 145.296243] ? should_fail+0x7b/0x395
[ 145.296569] ? get_old_timespec32+0x8a/0x8a
[ 145.296917] ? find_held_lock+0xbc/0xcb
[ 145.297250] ? rcu_read_unlock+0x6b/0xbc
[ 145.297583] __sys_recvmmsg+0xfb/0x1e3
[ 145.297898] ? __x64_sys_recvmsg+0x5f/0x5f
[ 145.298236] ? lock_is_held+0xf/0x17
[ 145.298602] ? rcu_read_lock_held+0xb8/0xb8
[ 145.299052] __x64_sys_recvmmsg+0x85/0x9d
[ 145.299385] do_syscall_64+0x42/0xb5
[ 145.299685] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 145.300090] RIP: 0033:0x463519
[ 145.300342] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 59 00 00 c3 66 2e 0f 1f 84 00 00 00 00
[ 145.301758] RSP: 002b:00007ffc73400c98 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 145.302368] RAX: ffffffffffffffda RBX: 000000000000012b RCX: 0000000000463519
[ 145.302941] RDX: 0000000031372000 RSI: 00007f0299223000 RDI: 0000000000000187
[ 145.303511] RBP: 00007f029933b000 R08: 00007f0299223008 R09: 000000000000a000
[ 145.304070] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000002
[ 145.304625] R13: 00007f029933b058 R14: 000000000109a850 R15: 00007f029933b000
[ 145.305215] Modules linked in:
[ 145.305483] CR2: 0000000000000208
[ 145.306012] ---[ end trace 0293a8e653ed46bd ]---
To reproduce:
# build kernel
cd linux
cp config-5.10.0-rc3-00857-g45a86681844e .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Oliver Sang
View attachment "config-5.10.0-rc3-00857-g45a86681844e" of type "text/plain" (137222 bytes)
View attachment "job-script" of type "text/plain" (4384 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (15088 bytes)
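Added example, not part of the report above and not the xsk subsystem's own code. What the oops itself shows: R12 is 0, CR2 is 0x208, and the bytes after the `<41>` marker in the Code: line decode to `test byte ptr [r12+0x208], 1`, preceded a few instructions earlier by `mov r12, [rbp+0x4c8]`; the `__asan_load4` frame and KASAN's "Read of size 4 at addr 0000000000000208" are the instrumentation check on that same location. So xsk_recvmsg() loaded a pointer out of the socket, got NULL, and tested a flag through it without validating it first. The assumption behind the probe below (not stated by the report, which only shows a fuzzer issuing recvmmsg() on fd 0x187) is that this pointer is per-socket state that exists only once the socket has been bound, so the trigger is a receive on an unbound AF_XDP socket. The probe creates such a socket, calls recvmsg() with MSG_DONTWAIT, and classifies the outcome; the AF_XDP fallback value, the enum and all function names are this example's own. recvmsg() and the recvmmsg() in the trace reach the same sock_recvmsg() -> xsk_recvmsg() path (do_recvmmsg -> ___sys_recvmsg -> sock_recvmsg in the Call Trace).

```c
/*
 * Added example, not part of the LKP report and not code from the xsk
 * subsystem. It calls recvmsg() on a freshly created AF_XDP socket that
 * has never been bound (an assumption about the faulting state, not a
 * fact stated in the report) and classifies what the kernel does.
 *
 * Build: cc -O2 -Wall -o xsk_recvmsg_probe xsk_recvmsg_probe.c   (file name is arbitrary)
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_XDP
#define AF_XDP 44 /* kernel uapi value; only used if the libc headers predate AF_XDP */
#endif

enum probe_stage {
    PROBE_SOCKET_FAILED = 1,   /* socket(AF_XDP, ...) refused: no AF_XDP support or no CAP_NET_RAW */
    PROBE_RECVMSG_REJECTED,    /* recvmsg() returned -1 with errno set: state was validated first */
    PROBE_RECVMSG_SUCCEEDED    /* recvmsg() returned >= 0 on an unbound socket: not expected */
};

struct probe_result {
    enum probe_stage stage;
    int err;      /* errno of the call that failed, 0 otherwise */
    ssize_t ret;  /* raw recvmsg() return value, meaningful once the socket exists */
};

/* A kernel that dereferences per-socket state before checking it never returns from this. */
struct probe_result probe_unbound_xsk_recvmsg(void)
{
    struct probe_result r;
    struct msghdr msg;
    int fd;

    memset(&r, 0, sizeof r);
    fd = socket(AF_XDP, SOCK_RAW, 0);
    if (fd < 0) {
        r.stage = PROBE_SOCKET_FAILED;
        r.err = errno;
        return r;
    }

    /* No iovec at all: the path in the trace is reached before any user buffer is touched. */
    memset(&msg, 0, sizeof msg);
    r.ret = recvmsg(fd, &msg, MSG_DONTWAIT);
    if (r.ret < 0) {
        r.stage = PROBE_RECVMSG_REJECTED;
        r.err = errno;          /* captured before close() can clobber errno */
    } else {
        r.stage = PROBE_RECVMSG_SUCCEEDED;
    }
    close(fd);
    return r;
}

/* 1 if the outcome is one a correctly validating kernel can produce, 0 otherwise. */
int probe_outcome_is_sane(void)
{
    struct probe_result r = probe_unbound_xsk_recvmsg();

    if (r.stage == PROBE_SOCKET_FAILED)
        return r.err != 0;
    if (r.stage == PROBE_RECVMSG_REJECTED)
        return r.ret == -1 && r.err != 0;
    return 0;
}

int main(void)
{
    struct probe_result r = probe_unbound_xsk_recvmsg();

    switch (r.stage) {
    case PROBE_SOCKET_FAILED:
        printf("socket(AF_XDP): %s (needs AF_XDP support and CAP_NET_RAW)\n", strerror(r.err));
        break;
    case PROBE_RECVMSG_REJECTED:
        printf("recvmsg() on an unbound AF_XDP socket rejected: %s\n", strerror(r.err));
        break;
    case PROBE_RECVMSG_SUCCEEDED:
        printf("recvmsg() returned %zd on an unbound socket\n", r.ret);
        break;
    }
    return 0;
}
```

Run it as root on a kernel built with CONFIG_XDP_SOCKETS. A kernel that checks the socket's state before touching it answers with an errno, which is what the probe records; under the assumption above, a kernel carrying only the commit in this report would instead take the path in the trace and the process would not return, so there is nothing to print in that case. Without CAP_NET_RAW the probe stops at socket() and says so rather than reporting a misleading pass.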