lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211011173007.ejj2zamtdsjljnds@treble>
Date:   Mon, 11 Oct 2021 10:30:07 -0700
From:   Josh Poimboeuf <jpoimboe@...hat.com>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     Lee Jones <lee.jones@...aro.org>, Andi Kleen <ak@...ux.intel.com>,
        Peter Zijlstra <peterz@...radead.org>,
        syzbot <syzbot+84fe685c02cd112a2ac3@...kaller.appspotmail.com>,
        bp@...en8.de, hpa@...or.com, inglorion@...gle.com,
        linux-kernel@...r.kernel.org, mingo@...hat.com,
        syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
        x86@...nel.org, Andy Lutomirski <luto@...nel.org>, tkjos@...gle.com
Subject: Re: [syzbot] KASAN: stack-out-of-bounds Read in profile_pc

On Mon, Oct 11, 2021 at 10:43:19AM -0400, Steven Rostedt wrote:
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
> Read of size 8 at addr ffffc90001c0f7a0 by task systemd-udevd/12323
> 
> CPU: 1 PID: 12323 Comm: systemd-udevd Not tainted 5.13.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:79 [inline]
>  dump_stack+0x202/0x31e lib/dump_stack.c:120
>  print_address_description+0x5f/0x3b0 mm/kasan/report.c:233
>  __kasan_report mm/kasan/report.c:419 [inline]
>  kasan_report+0x15c/0x200 mm/kasan/report.c:436
>  profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
>  profile_tick+0xcd/0x120 kernel/profile.c:408
>  tick_sched_handle kernel/time/tick-sched.c:227 [inline]
>  tick_sched_timer+0x287/0x420 kernel/time/tick-sched.c:1373
>  __run_hrtimer kernel/time/hrtimer.c:1537 [inline]
>  __hrtimer_run_queues+0x4cb/0xa60 kernel/time/hrtimer.c:1601
>  hrtimer_interrupt+0x3b3/0x1040 kernel/time/hrtimer.c:1663
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1089 [inline]
>  __sysvec_apic_timer_interrupt+0xf9/0x270 arch/x86/kernel/apic/apic.c:1106
>  sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1100
> 
> And the code has:
> 
>  profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
> 
> unsigned long profile_pc(struct pt_regs *regs)
> {
> 	unsigned long pc = instruction_pointer(regs);
> 
> 	if (!user_mode(regs) && in_lock_functions(pc)) {
> #ifdef CONFIG_FRAME_POINTER
> 		return *(unsigned long *)(regs->bp + sizeof(long));
> #else
> 		unsigned long *sp = (unsigned long *)regs->sp;
> 		/*
> 		 * Return address is either directly at stack pointer
> 		 * or above a saved flags. Eflags has bits 22-31 zero,
> 		 * kernel addresses don't.
> 		 */
> 		if (sp[0] >> 22)
> 			return sp[0];  <== line 42
> 		if (sp[1] >> 22)
> 			return sp[1];
> #endif
> 	}
> 	return pc;
> }
> EXPORT_SYMBOL(profile_pc);
> 
> 
> It looks to me that the profiler is doing a trick to read the contents of
> the stack when the interrupt went off, but this triggers the KASAN
> instrumentation to think it's a mistake when it's not. aka "false positive".
> 
> How does one tell KASAN that it wants to go outside the stack, because it
> knows what its doing?

*If* the code knew what it were doing, it could use READ_ONCE_NOCHECK()
to skip KASAN checking.  But this code is horribly broken and dangerous.

-- 
Josh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ