Message-ID: <20210205020538.GA29458@xsang-OptiPlex-9020>
Date: Fri, 5 Feb 2021 10:55:18 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, io-uring@...r.kernel.org,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Christian Brauner <christian.brauner@...ntu.com>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
Kees Cook <keescook@...omium.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>
Subject: c632dadc10: BUG:KASAN:null-ptr-deref_in_is_ucounts_overlimit
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: c632dadc104622423c7fa2ad6f0b2135ebe5610c ("Reimplement RLIMIT_NPROC on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210201-222426
in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with the following parameters:
runtime: 300s
test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+------------------------------------------------------+------------+------------+
| | 841f02dc98 | c632dadc10 |
+------------------------------------------------------+------------+------------+
| boot_successes | 3 | 0 |
| boot_failures | 1 | 4 |
| BUG:KASAN:slab-out-of-bounds_in_fq_pie_qdisc_enqueue | 1 | |
| BUG:KASAN:null-ptr-deref_in_is_ucounts_overlimit | 0 | 4 |
| canonical_address#:#[##] | 0 | 4 |
| RIP:is_ucounts_overlimit | 0 | 4 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 4 |
+------------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 29.404316] BUG: KASAN: null-ptr-deref in is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295)
[ 29.405519] Read of size 8 at addr 0000000000000070 by task trinity-main/327
[ 29.406769]
[ 29.407070] CPU: 0 PID: 327 Comm: trinity-main Not tainted 5.11.0-rc2-00005-gc632dadc1046 #1
[ 29.408563] Call Trace:
[ 29.409043] dump_stack (kbuild/src/consumer/lib/dump_stack.c:131)
[ 29.409673] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:400 kbuild/src/consumer/mm/kasan/report.c:413)
[ 29.410443] ? is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295)
[ 29.411245] check_memory_region (kbuild/src/consumer/mm/kasan/generic.c:179 kbuild/src/consumer/mm/kasan/generic.c:185)
[ 29.411980] __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31)
[ 29.412702] is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295)
[ 29.413481] copy_process (kbuild/src/consumer/kernel/fork.c:1969)
[ 29.414164] ? copy_process (kbuild/src/consumer/include/linux/rcupdate.h:253 (discriminator 4) kbuild/src/consumer/include/linux/rcupdate.h:642 (discriminator 4) kbuild/src/consumer/kernel/fork.c:1969 (discriminator 4))
[ 29.414882] ? do_raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock_debug.c:100 kbuild/src/consumer/kernel/locking/spinlock_debug.c:138)
[ 29.415744] ? __cleanup_sighand (kbuild/src/consumer/kernel/fork.c:1853)
[ 29.416514] kernel_clone (kbuild/src/consumer/kernel/fork.c:2465)
[ 29.417177] ? kvm_sched_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:101)
[ 29.417990] ? copy_init_mm (kbuild/src/consumer/kernel/fork.c:2425)
[ 29.418683] ? __might_sleep (kbuild/src/consumer/kernel/sched/core.c:7856 (discriminator 24))
[ 29.419379] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31)
[ 29.420107] ? perf_syscall_enter (kbuild/src/consumer/arch/x86/include/asm/bitops.h:214 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/consumer/kernel/trace/trace_syscalls.c:606)
[ 29.420858] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31)
[ 29.421605] __do_sys_clone (kbuild/src/consumer/kernel/fork.c:2571)
[ 29.422280] ? __do_sys_vfork (kbuild/src/consumer/kernel/fork.c:2571)
[ 29.422990] ? __rseq_handle_notify_resume (kbuild/src/consumer/kernel/rseq.c:290)
[ 29.423940] ? syscall_trace_enter+0x78/0x2a0
[ 29.424819] ? exit_to_user_mode_prepare (kbuild/src/consumer/kernel/entry/common.c:210)
[ 29.425704] __x64_sys_clone (kbuild/src/consumer/kernel/fork.c:2566)
[ 29.426415] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 29.427064] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 29.427930] RIP: 0033:0x44f39b
[ 29.428471] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 d6 00 00 00 85 c0 41 89 c5 0f 85 dd 00 00
All code
========
0: db 45 85 fildl -0x7b(%rbp)
3: f6 (bad)
4: 0f 85 95 01 00 00 jne 0x19f
a: 64 4c 8b 04 25 10 00 mov %fs:0x10,%r8
11: 00 00
13: 31 d2 xor %edx,%edx
15: 4d 8d 90 d0 02 00 00 lea 0x2d0(%r8),%r10
1c: 31 f6 xor %esi,%esi
1e: bf 11 00 20 01 mov $0x1200011,%edi
23: b8 38 00 00 00 mov $0x38,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 0f 87 d6 00 00 00 ja 0x10c
36: 85 c0 test %eax,%eax
38: 41 89 c5 mov %eax,%r13d
3b: 0f .byte 0xf
3c: 85 dd test %ebx,%ebp
...
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 0f 87 d6 00 00 00 ja 0xe2
c: 85 c0 test %eax,%eax
e: 41 89 c5 mov %eax,%r13d
11: 0f .byte 0xf
12: 85 dd test %ebx,%ebp
...
[ 29.431684] RSP: 002b:00007ffd7e3b30e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 29.433032] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044f39b
[ 29.434290] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 29.435563] RBP: 00007ffd7e3b3110 R08: 0000000001e9c880 R09: 0000000001e9c880
[ 29.436780] R10: 0000000001e9cb50 R11: 0000000000000246 R12: 0000000000000000
[ 29.438033] R13: 0000000000000002 R14: 0000000000000000 R15: 00007ffd7e3b33a0
[ 29.439287] ==================================================================
[ 29.440532] Disabling lock debugging due to kernel taint
[ 29.441442] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] KASAN
[ 29.443064] KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
[ 29.444393] CPU: 0 PID: 327 Comm: trinity-main Tainted: G B 5.11.0-rc2-00005-gc632dadc1046 #1
[ 29.446018] RIP: 0010:is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295)
[ 29.446909] Code: 20 00 00 00 48 89 45 c0 4c 8d 34 07 be 08 00 00 00 4c 89 f7 e8 29 40 4d 00 4c 89 f2 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 0f 85 38 01 00 00 49 8b 06 49 39 c5 0f 8c ca 00 00 00
All code
========
0: 20 00 and %al,(%rax)
2: 00 00 add %al,(%rax)
4: 48 89 45 c0 mov %rax,-0x40(%rbp)
8: 4c 8d 34 07 lea (%rdi,%rax,1),%r14
c: be 08 00 00 00 mov $0x8,%esi
11: 4c 89 f7 mov %r14,%rdi
14: e8 29 40 4d 00 callq 0x4d4042
19: 4c 89 f2 mov %r14,%rdx
1c: 48 c1 ea 03 shr $0x3,%rdx
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 38 01 00 00 jne 0x16c
34: 49 8b 06 mov (%r14),%rax
37: 49 39 c5 cmp %rax,%r13
3a: 0f 8c ca 00 00 00 jl 0x10a
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 0f 85 38 01 00 00 jne 0x142
a: 49 8b 06 mov (%r14),%rax
d: 49 39 c5 cmp %rax,%r13
10: 0f 8c ca 00 00 00 jl 0xe0
[ 29.450051] RSP: 0018:ffff888106a7fb08 EFLAGS: 00010202
[ 29.450984] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 29.452146] RDX: 000000000000000e RSI: 0000000000000000 RDI: ffffffffa33e2ab0
[ 29.453271] RBP: ffff888106a7fb48 R08: 1ffffffff4670049 R09: fffffbfff467004a
[ 29.454456] R10: ffffffffa338024b R11: fffffbfff4670049 R12: 000000000000000a
[ 29.455700] R13: 0000000000003499 R14: 0000000000000070 R15: 1ffff11020d4ff81
[ 29.456979] FS: 0000000001e9c880(0000) GS:ffffffffa22ba000(0000) knlGS:0000000000000000
[ 29.458325] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 29.459327] CR2: 0000000001e9c830 CR3: 0000000106783000 CR4: 00000000000406f0
[ 29.460467] Call Trace:
[ 29.460863] copy_process (kbuild/src/consumer/kernel/fork.c:1969)
[ 29.461431] ? copy_process (kbuild/src/consumer/include/linux/rcupdate.h:253 (discriminator 4) kbuild/src/consumer/include/linux/rcupdate.h:642 (discriminator 4) kbuild/src/consumer/kernel/fork.c:1969 (discriminator 4))
[ 29.462023] ? do_raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock_debug.c:100 kbuild/src/consumer/kernel/locking/spinlock_debug.c:138)
[ 29.462800] ? __cleanup_sighand (kbuild/src/consumer/kernel/fork.c:1853)
[ 29.463450] kernel_clone (kbuild/src/consumer/kernel/fork.c:2465)
[ 29.464120] ? kvm_sched_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:101)
[ 29.464897] ? copy_init_mm (kbuild/src/consumer/kernel/fork.c:2425)
[ 29.465572] ? __might_sleep (kbuild/src/consumer/kernel/sched/core.c:7856 (discriminator 24))
[ 29.466205] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31)
[ 29.466957] ? perf_syscall_enter (kbuild/src/consumer/arch/x86/include/asm/bitops.h:214 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/consumer/kernel/trace/trace_syscalls.c:606)
[ 29.467704] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31)
[ 29.468366] __do_sys_clone (kbuild/src/consumer/kernel/fork.c:2571)
[ 29.468976] ? __do_sys_vfork (kbuild/src/consumer/kernel/fork.c:2571)
[ 29.469629] ? __rseq_handle_notify_resume (kbuild/src/consumer/kernel/rseq.c:290)
[ 29.470506] ? syscall_trace_enter+0x78/0x2a0
[ 29.471353] ? exit_to_user_mode_prepare (kbuild/src/consumer/kernel/entry/common.c:210)
[ 29.472187] __x64_sys_clone (kbuild/src/consumer/kernel/fork.c:2566)
[ 29.472840] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 29.473454] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 29.474313] RIP: 0033:0x44f39b
[ 29.474845] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 d6 00 00 00 85 c0 41 89 c5 0f 85 dd 00 00
All code
========
0: db 45 85 fildl -0x7b(%rbp)
3: f6 (bad)
4: 0f 85 95 01 00 00 jne 0x19f
a: 64 4c 8b 04 25 10 00 mov %fs:0x10,%r8
11: 00 00
13: 31 d2 xor %edx,%edx
15: 4d 8d 90 d0 02 00 00 lea 0x2d0(%r8),%r10
1c: 31 f6 xor %esi,%esi
1e: bf 11 00 20 01 mov $0x1200011,%edi
23: b8 38 00 00 00 mov $0x38,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 0f 87 d6 00 00 00 ja 0x10c
36: 85 c0 test %eax,%eax
38: 41 89 c5 mov %eax,%r13d
3b: 0f .byte 0xf
3c: 85 dd test %ebx,%ebp
To reproduce:
# build kernel
cd linux
cp config-5.11.0-rc2-00005-gc632dadc1046 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Oliver Sang
View attachment "config-5.11.0-rc2-00005-gc632dadc1046" of type "text/plain" (144502 bytes)
View attachment "job-script" of type "text/plain" (4319 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (16456 bytes)