| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Mar 2021 11:37:28 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: Dmitry Vyukov <dvyukov@...gle.com>,
syzbot <syzbot+0b06ef9b44d00d600183@...kaller.appspotmail.com>,
Russell King - ARM Linux <linux@...linux.org.uk>,
Linus Walleij <linus.walleij@...aro.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
Andrew Morton <akpm@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: [syzbot] kernel panic: corrupted stack end in openat
On Tue, 16 Mar 2021 at 11:04, Arnd Bergmann <arnd@...db.de> wrote:
>
> On Tue, Mar 16, 2021 at 8:59 AM Dmitry Vyukov <dvyukov@...gle.com> wrote:
> >
> > On Tue, Mar 16, 2021 at 8:18 AM syzbot
> > <syzbot+0b06ef9b44d00d600183@...kaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 1e28eed1 Linux 5.12-rc3
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=167535e6d00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=e0cee1f53de33ca3
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=0b06ef9b44d00d600183
> > > userspace arch: arm
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+0b06ef9b44d00d600183@...kaller.appspotmail.com
> >
> > +arm32 maintainer
> > I think this is a real stack overflow on arm32, the stack is indeed deep.
>
> Nice find. I see there was already a second report, so it seems to be
> reproducible as well.
> If you are able to trigger this reliably, you could try printing the frame
> pointer while unwinding to see what is actually going on:
>
> --- a/arch/arm/kernel/traps.c
> +++ b/arch/arm/kernel/traps.c
> @@ -68,8 +68,8 @@ void dump_backtrace_entry(unsigned long where,
> unsigned long from,
> unsigned long end = frame + 4 + sizeof(struct pt_regs);
>
> #ifdef CONFIG_KALLSYMS
> - printk("%s[<%08lx>] (%ps) from [<%08lx>] (%pS)\n",
> - loglvl, where, (void *)where, from, (void *)from);
> + printk("%s[<%08lx>] (%ps) from [<%08lx>] (%pS), frame %08lx\n",
> + loglvl, where, (void *)where, from, (void *)from, frame);
> #else
> printk("%sFunction entered at [<%08lx>] from [<%08lx>]\n",
> loglvl, where, from);
>
> If that doesn't help, I could have a look at the binary to see which
> functions in the call chain take a lot of stack space, if any.
>
> Which exact compiler version do you use for building these
> kernels? I can try doing a build with the same commit and config.
>
> This one function is one that I have seen before when looking at build
> warnings with KASAN:
>
> > > [<8073772c>] (integrity_kernel_read) from [<8073a904>] (ima_calc_file_hash_tfm+0x178/0x228 security/integrity/ima/ima_crypto.c:484)
> > > [<8073a78c>] (ima_calc_file_hash_tfm) from [<8073ae2c>] (ima_calc_file_shash security/integrity/ima/ima_crypto.c:515 [inline])
> > > [<8073a78c>] (ima_calc_file_hash_tfm) from [<8073ae2c>] (ima_calc_file_hash+0x124/0x8b8 security/integrity/ima/ima_crypto.c:572)
>
> ima_calc_file_hash_tfm() has a SHASH_DESC_ON_STACK(), which by itself can
> use up 512 bytes, but KASAN sometimes triples this number. However, I see
> you do not actually have KASAN enabled, so there is probably more to it.
>
FYI, as an aside, the SHASH_DESC_ON_STACK() issue was fixed in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=660d2062190db131d2feaf19914e90f868fe285c
(note that the size of SHASH_DESC_ON_STACK() accounts for two struct
shash_desc instances)
Powered by blists - more mailing lists