lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20210706151039.GA13363@xsang-OptiPlex-9020>
Date:   Tue, 6 Jul 2021 23:10:39 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Valentin Schneider <valentin.schneider@....com>
Cc:     Ingo Molnar <mingo@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com, aubrey.li@...ux.intel.com, yu.c.chen@...el.com
Subject: [sched/core]  f1a0a376ca: BUG:KASAN:stack-out-of-bounds_in_vsnprintf



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674 ("sched/core: Initialize the idle task with preemption disabled")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master


in testcase: locktorture
version: 
with following parameters:

	runtime: 300s
	test: cpuhotplug

test-description: This torture test consists of creating a number of kernel threads which acquire the lock and hold it for specific amount of time, thus simulating different critical region behaviors.
test-url: https://www.kernel.org/doc/Documentation/locking/locktorture.txt


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  227.905035] BUG: KASAN: stack-out-of-bounds in vsnprintf+0x1823/0x1a80
[  227.905062] Read of size 8 at addr ffffc9000010ff00 by task swapper/1/0
[  227.905084] 
[  227.905102] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.13.0-rc1-00108-gf1a0a376ca0c #1
[  227.905133] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[  227.905157] Call Trace:
[  227.905171]  dump_stack+0x198/0x247
[  227.905190]  print_address_description.cold+0x5/0x32d
[  227.905212]  ? vsnprintf+0x1823/0x1a80
[  227.905229]  kasan_report.cold+0x7c/0xd8
[  227.905246]  ? vsnprintf+0x1823/0x1a80
[  227.905263]  vsnprintf+0x1823/0x1a80
[  227.905279]  ? pointer+0x780/0x780
[  227.905295]  ? sched_clock_cpu+0x38/0x220
[  227.905312]  vprintk_store+0x14d/0xa80
[  227.905330]  ? __ia32_sys_syslog+0xc0/0xc0
[  227.905348]  ? ftrace_likely_update+0xa4/0x180
[  227.905367]  ? pvclock_clocksource_read+0x2dd/0x5a0
[  227.905386]  ? write_comp_data+0x2a/0x80
[  227.905404]  ? __sanitizer_cov_trace_pc+0x1d/0x60
[  227.905423]  vprintk_emit+0x144/0x600
[  227.905439]  vprintk+0xac/0x1e0
[  227.905453]  printk+0xa3/0xc1
[  227.905470]  ? stress_reorder_work.cold+0x2a/0x2a
[  227.905489]  ? slow_virt_to_phys+0x15b/0x340
[  227.905507]  ? ftrace_likely_update+0xa4/0x180
[  227.905526]  start_secondary+0x4a/0x280
[  227.905544]  secondary_startup_64_no_verify+0xb0/0xbb
[  227.905561] 
[  227.905572] 
[  227.905592] addr ffffc9000010ff00 is located in stack of task swapper/1/0 at offset 120 in frame:
[  227.905619]  printk+0x0/0xc1
[  227.905633] 
[  227.905646] this frame has 1 object:
[  227.905664]  [32, 56) 'args'
[  227.905678] 
[  227.905694] Memory state around the buggy address:
[  227.905718]  ffffc9000010fe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  227.905746]  ffffc9000010fe80: 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00
[  227.905775] >ffffc9000010ff00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  227.905799]                    ^
[  227.905820]  ffffc9000010ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  227.905848]  ffffc90000110000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[  227.905876] ==================================================================
[  227.905902] Disabling lock debugging due to kernel taint
[  227.974158] smpboot: CPU 1 is now offline
[  231.067528] x86: Booting SMP configuration:
[  231.068838] smpboot: Booting Node 0 Processor 1 APIC 0x1
[  231.090360] kvm-clock: cpu 1, msr 8a01041, secondary cpu clock
[  231.090509] masked ExtINT on CPU#1
[  231.117328] kvm-guest: stealtime: cpu 1, msr 3aebf8080
[  237.501337] smpboot: CPU 1 is now offline
[  240.667721] x86: Booting SMP configuration:
[  240.669915] smpboot: Booting Node 0 Processor 1 APIC 0x1
[  240.672831] kvm-clock: cpu 1, msr 8a01041, secondary cpu clock
[  240.672991] masked ExtINT on CPU#1
[  240.713721] kvm-guest: stealtime: cpu 1, msr 3aebf8080

Kboot worker: lkp-worker51
Elapsed time: 240

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu SandyBridge
	-kernel $kernel
	-initrd initrd-vm-snb-228.cgz
	-m 16384
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0,hostfwd=tcp::32032-:22
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-watchdog-action debug
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null
)

append=(
	ip=::::vm-snb-228::dhcp
	root=/dev/ram0
	user=lkp
	job=/job-script
	ARCH=x86_64
	kconfig=x86_64-randconfig-a014-20210513
	branch=tip/sched/core
	commit=f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674
	BOOT_IMAGE=/pkg/linux/x86_64-randconfig-a014-20210513/gcc-9/f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674/vmlinuz-5.13.0-rc1-00108-gf1a0a376ca0c
	vmalloc=512M
	max_uptime=2100
	RESULT_ROOT=/result/locktorture/300s-cpuhotplug/vm-snb/debian-10.4-x86_64-20200603.cgz/x86_64-randconfig-a014-20210513/gcc-9/f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674/21
	result_service=tmpfs
	selinux=0
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	net.ifnames=0


To reproduce:

        

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "job-script" of type "text/plain" (4567 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14912 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ