Open Source and information security mailing list archives
 
Message-ID: <20211003145023.GE30759@xsang-OptiPlex-9020>
Date:   Sun, 3 Oct 2021 22:50:23 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Andy Lavr <andy.lavr@...il.com>,
        Nathan Chancellor <nathan@...nel.org>,
        Alexey Dobriyan <adobriyan@...il.com>,
        Stephen Rothwell <sfr@...b.auug.org.au>,
        Bartosz Golaszewski <bgolaszewski@...libre.com>,
        Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [lib/string]  cfecea6ead: kernel_BUG_at_lib/string_helpers.c



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: cfecea6ead5f15880fc1fb31fc655f8be5cf7424 ("lib/string: Move helper functions out of string.c")
https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/overflow


in testcase: kernel-selftests
version: kernel-selftests-x86_64-c8c9111a-1_20210929
with the following parameters:

	group: lkdtm
	ucode: 0xe2

test-description: The kernel contains a set of "self tests" under the tools/testing/selftests/ directory. These are intended to be small unit tests to exercise individual code paths in the kernel.
test-url: https://www.kernel.org/doc/Documentation/kselftest.txt


on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>



[   80.893015][ T3786] lkdtm: Performing direct entry FORTIFIED_STRSCPY
[   80.893390][  T351]
[   80.895616][ T3786] detected buffer overflow in strnlen
[   80.902400][  T351] #
[   60.145858] lkdtm: Value in memory before free: 12345678
[   80.909089][ T3786] ------------[ cut here ]------------
[   80.910897][  T351]
[   80.912446][  T351] #
[   60.145859] lkdtm: Attempting bad read from freed memory
[   80.913271][ T3786] kernel BUG at lib/string_helpers.c:889!
[   80.921047][  T351]
[   80.922246][  T351] #
[   60.145860] lkdtm: FAIL: Memory was not poisoned!
[   80.928858][ T3786] invalid opcode: 0000 [#26] PREEMPT SMP PTI
[   80.936639][  T351]
[   80.940366][ T3786] CPU: 3 PID: 3786 Comm: cat Tainted: G      D W         5.15.0-rc2-00014-gcfecea6ead5f #1
[   80.940368][ T3786] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[   80.940369][ T3786] RIP: 0010:fortify_panic+0xf/0x11
[   80.947481][  T351] #
[   60.145866] lkdtm: This is probably expected, since this kernel (5.15.0-rc2-00014-gcfecea6ead5f x86_64) was built *without* CONFIG_INIT_ON_FREE_DEFAULT_ON=y (and booted without 'init_on_free' specified)
[   80.959673][ T3786] Code: 00 00 48 c7 c7 40 86 80 83 e8 4e 42 7f ff 4c 8b 0c 24 8b 44 24 08 e9 d7 5a 7b ff 48 89 fe 48 c7 c7 b0 ee a4 82 e8 9a d1 fd ff <0f> 0b 48 8b 54 24 10 48 8b 74 24 08 4c 8d 44 24 25 4c 89 e1 48 c7
[   80.959675][ T3786] RSP: 0018:ffffc900089bfd30 EFLAGS: 00010246
[   80.959677][ T3786] RAX: 0000000000000023 RBX: 000000000000004e RCX: 0000000000000000
[   80.959678][ T3786] RDX: 0000000000000000 RSI: ffffffff81258957 RDI: ffffffff81258957
[   80.966612][  T351]
[   80.968798][ T3786] RBP: ffff88880a0155a0 R08: 0000000000000000 R09: 0000000000000000
[   80.968799][ T3786] R10: 0000000000000731 R11: 6637303030302052 R12: ffffc900089bfd45
[   80.968800][ T3786] R13: 0000000000000012 R14: ffffc900089bfe28 R15: 00000000000004e0
[   80.968801][ T3786] FS:  00007fa390793540(0000) GS:ffff8887c7580000(0000) knlGS:0000000000000000
[   80.968816][ T3786] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   80.968817][ T3786] CR2: 00007fa39040a000 CR3: 0000000104870006 CR4: 00000000003706e0
[   80.972774][  T351] # READ_AFTER_FREE: missing 'call trace:|Memory correctly poisoned': [FAIL]
[   80.979993][ T3786] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   80.979994][ T3786] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   80.979995][ T3786] Call Trace:
[   80.979997][ T3786]  lkdtm_FORTIFIED_STRSCPY.cold+0x42/0x73
[   80.988832][  T351]
[   80.995763][ T3786]  direct_entry.cold+0x2f/0x4b
[   80.995766][ T3786]  full_proxy_write+0x56/0x80
[   80.999308][  T351] not ok 22 selftests: lkdtm: READ_AFTER_FREE.sh # exit=1
[   81.009216][ T3786]  vfs_write+0xcc/0x3c0
[   81.014522][  T351]
[   81.020410][ T3786]  ksys_write+0x68/0x100
[   81.020412][ T3786]  do_syscall_64+0x5c/0x80
[   81.023571][  T351] # selftests: lkdtm: WRITE_BUDDY_AFTER_FREE.sh
[   81.024936][ T3786]  ? trace_hardirqs_on_prepare+0x24/0x100
[   81.024939][ T3786]  ? do_syscall_64+0x69/0x80
[   81.032477][  T351]
[   81.034646][ T3786]  ? up_read+0x17/0x240
[   81.034649][ T3786]  ? do_user_addr_fault+0x204/0x6c0
[   81.054219][  T351] # Skipping WRITE_BUDDY_AFTER_FREE: Corrupts memory on failure
[   81.060114][ T3786]  ? asm_exc_page_fault+0x8/0x30
[   81.062308][  T351]
[   81.071829][ T3786]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   81.071832][ T3786] RIP: 0033:0x7fa3906bb504
[   81.071847][ T3786] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f 80 00 00 00 00 48 8d 05 f9 61 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53
[   81.078445][  T351] ok 23 selftests: lkdtm: WRITE_BUDDY_AFTER_FREE.sh # SKIP
[   81.079305][ T3786] RSP: 002b:00007fff0bff1838 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   81.079307][ T3786] RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 00007fa3906bb504
[   81.079308][ T3786] RDX: 0000000000000012 RSI: 00007fa39040a000 RDI: 0000000000000001
[   81.081658][  T351]
[   81.087112][ T3786] RBP: 00007fa39040a000 R08: 00000000ffffffff R09: 0000000000000000
[   81.087113][ T3786] R10: fffffffffffffb9c R11: 0000000000000246 R12: 00007fa39040a000
[   81.087114][ T3786] R13: 0000000000000001 R14: 0000000000000012 R15: 0000000000020000
[   81.087118][ T3786] Modules linked in: btrfs ipmi_devintf
[   81.097162][  T351] # selftests: lkdtm: READ_BUDDY_AFTER_FREE.sh
[   81.098409][ T3786]  ipmi_msghandler blake2b_generic xor zstd_compress intel_rapl_msr raid6_pq
[   81.115747][  T351]
[   81.120001][ T3786]  libcrc32c intel_rapl_common sd_mod t10_pi sg x86_pkg_temp_thermal intel_powerclamp i915 coretemp mei_wdt crct10dif_pclmul crc32_pclmul
[   81.123868][  T351] #
[   60.149314] #
[   53.953191] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[   81.128954][ T3786]  crc32c_intel wmi_bmof ghash_clmulni_intel rapl intel_cstate intel_gtt mei_me
[   81.135028][  T351]
[   81.137201][ T3786]  ahci libahci i2c_i801 i2c_smbus ttm mei intel_uncore libata intel_pch_thermal wmi video intel_pmc_core
[   81.141097][  T351] #
[   60.242886] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   81.149007][ T3786]  acpi_pad ip_tables
[   81.149021][ T3786] ---[ end trace bd77837396b7dc2f ]---



To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.15.0-rc2-00014-gcfecea6ead5f" of type "text/plain" (176443 bytes)

View attachment "job-script" of type "text/plain" (5995 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (89056 bytes)

View attachment "kernel-selftests" of type "text/plain" (379089 bytes)

View attachment "job.yaml" of type "text/plain" (5019 bytes)

View attachment "reproduce" of type "text/plain" (150 bytes)
