| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Oct 2021 10:30:07 -0700
From: Josh Poimboeuf <jpoimboe@...hat.com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Lee Jones <lee.jones@...aro.org>, Andi Kleen <ak@...ux.intel.com>,
Peter Zijlstra <peterz@...radead.org>,
syzbot <syzbot+84fe685c02cd112a2ac3@...kaller.appspotmail.com>,
bp@...en8.de, hpa@...or.com, inglorion@...gle.com,
linux-kernel@...r.kernel.org, mingo@...hat.com,
syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
x86@...nel.org, Andy Lutomirski <luto@...nel.org>, tkjos@...gle.com
Subject: Re: [syzbot] KASAN: stack-out-of-bounds Read in profile_pc
On Mon, Oct 11, 2021 at 10:43:19AM -0400, Steven Rostedt wrote:
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
> Read of size 8 at addr ffffc90001c0f7a0 by task systemd-udevd/12323
>
> CPU: 1 PID: 12323 Comm: systemd-udevd Not tainted 5.13.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:79 [inline]
> dump_stack+0x202/0x31e lib/dump_stack.c:120
> print_address_description+0x5f/0x3b0 mm/kasan/report.c:233
> __kasan_report mm/kasan/report.c:419 [inline]
> kasan_report+0x15c/0x200 mm/kasan/report.c:436
> profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
> profile_tick+0xcd/0x120 kernel/profile.c:408
> tick_sched_handle kernel/time/tick-sched.c:227 [inline]
> tick_sched_timer+0x287/0x420 kernel/time/tick-sched.c:1373
> __run_hrtimer kernel/time/hrtimer.c:1537 [inline]
> __hrtimer_run_queues+0x4cb/0xa60 kernel/time/hrtimer.c:1601
> hrtimer_interrupt+0x3b3/0x1040 kernel/time/hrtimer.c:1663
> local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1089 [inline]
> __sysvec_apic_timer_interrupt+0xf9/0x270 arch/x86/kernel/apic/apic.c:1106
> sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1100
>
> And the code has:
>
> profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
>
> unsigned long profile_pc(struct pt_regs *regs)
> {
> unsigned long pc = instruction_pointer(regs);
>
> if (!user_mode(regs) && in_lock_functions(pc)) {
> #ifdef CONFIG_FRAME_POINTER
> return *(unsigned long *)(regs->bp + sizeof(long));
> #else
> unsigned long *sp = (unsigned long *)regs->sp;
> /*
> * Return address is either directly at stack pointer
> * or above a saved flags. Eflags has bits 22-31 zero,
> * kernel addresses don't.
> */
> if (sp[0] >> 22)
> return sp[0]; <== line 42
> if (sp[1] >> 22)
> return sp[1];
> #endif
> }
> return pc;
> }
> EXPORT_SYMBOL(profile_pc);
>
>
> It looks to me that the profiler is doing a trick to read the contents of
> the stack when the interrupt went off, but this triggers the KASAN
> instrumentation to think it's a mistake when it's not. aka "false positive".
>
> How does one tell KASAN that it wants to go outside the stack, because it
> knows what its doing?
*If* the code knew what it were doing, it could use READ_ONCE_NOCHECK()
to skip KASAN checking. But this code is horribly broken and dangerous.
--
Josh
Powered by blists - more mailing lists