lists.openwall.net: Open Source and information security mailing list archives
Date:   Thu, 27 Jan 2022 16:35:50 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     ycaibb <ycaibb@...il.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, davem@...emloft.net, yoshfuji@...ux-ipv6.org,
        dsahern@...nel.org, kuba@...nel.org, netdev@...r.kernel.org,
        ycaibb@...il.com
Subject: [net]  33b03feaca: BUG:KASAN:slab-out-of-bounds_in_ip6_string



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 33b03feacaf2155323b031274d2d67dab0cf561c ("[PATCH] net: missing lock releases in ipmr_base.c")
url: https://github.com/0day-ci/linux/commits/ycaibb/net-missing-lock-releases-in-ipmr_base-c/20220121-112603
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
patch link: https://lore.kernel.org/netdev/20220121032210.5829-1-ycaibb@gmail.com

in testcase: trinity
version: trinity-x86_64-608712d8-1_20220125
with the following parameters:

	runtime: 300s
	group: group-02

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu Icelake-Server -smp 4 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------------+------------+------------+
|                                                   | 8aaaf2f3af | 33b03feaca |
+---------------------------------------------------+------------+------------+
| boot_successes                                    | 59         | 12         |
| boot_failures                                     | 0          | 48         |
| BUG:KASAN:slab-out-of-bounds_in_ipmr_mfc_seq_show | 0          | 23         |
| BUG:KASAN:slab-out-of-bounds_in_ip6_string        | 0          | 25         |
+---------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 96.154425][ T3831] BUG: KASAN: slab-out-of-bounds in ip6_string (lib/vsprintf.c:1459) 
[   96.154447][ T3831] Read of size 1 at addr ffff888161f06e20 by task trinity-c7/3831
[   96.154453][ T3831]
[   96.154458][ T3831] CPU: 1 PID: 3831 Comm: trinity-c7 Not tainted 5.16.0-rc8-02291-g33b03feacaf2 #1
[   96.154467][ T3831] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   96.154472][ T3831] Call Trace:
[   96.154477][ T3831]  <TASK>
[ 96.154498][ T3831] dump_stack_lvl (lib/dump_stack.c:107) 
[ 96.154516][ T3831] print_address_description+0x21/0x140 
[ 96.154532][ T3831] ? ip6_string (lib/vsprintf.c:1459) 
[ 96.154541][ T3831] kasan_report.cold (mm/kasan/report.c:434 mm/kasan/report.c:450) 
[ 96.154552][ T3831] ? stack_access_ok (arch/x86/include/asm/stacktrace.h:56 arch/x86/kernel/unwind_orc.c:342) 
[ 96.154561][ T3831] ? ip6_string (lib/vsprintf.c:1459) 
[ 96.154567][ T3831] ip6_string (lib/vsprintf.c:1459) 
[ 96.154573][ T3831] ip6_addr_string (lib/vsprintf.c:1480) 
[ 96.154580][ T3831] ? ip6_compressed_string (lib/vsprintf.c:1472) 
[ 96.154586][ T3831] ? orc_find+0x300/0x300 
[ 96.154594][ T3831] ? string_nocheck (lib/vsprintf.c:701) 
[ 96.154600][ T3831] ? is_bpf_text_address (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:720 kernel/bpf/core.c:717) 
[ 96.154609][ T3831] ? kernel_text_address (kernel/extable.c:96 kernel/extable.c:93) 
[ 96.154616][ T3831] ip_addr_string (lib/vsprintf.c:1602) 
[ 96.154623][ T3831] ? ip6_addr_string_sa (lib/vsprintf.c:1594) 
[ 96.154632][ T3831] pointer (lib/vsprintf.c:2429) 
[ 96.154641][ T3831] ? time_and_date (lib/vsprintf.c:2395) 
[ 96.154647][ T3831] ? chacha_permute (lib/crypto/chacha.c:77) 
[ 96.154659][ T3831] vsnprintf (lib/vsprintf.c:2811) 
[ 96.154667][ T3831] ? pointer (lib/vsprintf.c:2736) 
[ 96.154672][ T3831] ? _extract_crng (drivers/char/random.c:1001) 
[ 96.154682][ T3831] ? get_random_u32 (drivers/char/random.c:2208) 
[ 96.154691][ T3831] seq_vprintf (fs/seq_file.c:392) 
[ 96.154702][ T3831] seq_printf (fs/seq_file.c:402) 
[ 96.154710][ T3831] ? seq_vprintf (fs/seq_file.c:402) 
[ 96.154715][ T3831] ? __mod_memcg_lruvec_state (mm/memcontrol.c:635 mm/memcontrol.c:708) 
[ 96.154725][ T3831] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1)) 
[ 96.154733][ T3831] ? seq_puts (fs/seq_file.c:681) 
[ 96.154742][ T3831] ipmr_mfc_seq_show (net/ipv4/ipmr.c:2968) 
[ 96.154758][ T3831] seq_read_iter (fs/seq_file.c:272) 
[ 96.154769][ T3831] seq_read (fs/seq_file.c:163) 
[ 96.154778][ T3831] ? seq_read_iter (fs/seq_file.c:152) 
[ 96.154785][ T3831] ? hrtimer_start_range_ns (kernel/time/hrtimer.c:1282) 
[ 96.154795][ T3831] ? hrtimer_run_softirq (kernel/time/hrtimer.c:1282) 
[ 96.154799][ T3831] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:513 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170) 
[ 96.154810][ T3831] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323) 
[ 96.154820][ T3831] vfs_read (fs/read_write.c:479) 
[ 96.154830][ T3831] ksys_read (fs/read_write.c:619) 
[ 96.154838][ T3831] ? vfs_write (fs/read_write.c:609) 
[ 96.154847][ T3831] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 96.154861][ T3831] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   96.154869][ T3831] RIP: 0033:0x7f1fca7a6f59
[ 96.154878][ T3831] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d 07 6f 0c 00 	mov    0xc6f07(%rip),%rcx        # 0xc6f41
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d 07 6f 0c 00 	mov    0xc6f07(%rip),%rcx        # 0xc6f17
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   96.154885][ T3831] RSP: 002b:00007ffce82fd318 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[   96.154896][ T3831] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1fca7a6f59
[   96.154902][ T3831] RDX: 0000000000000303 RSI: 00007f1fc87c1000 RDI: 0000000000000066
[   96.154907][ T3831] RBP: 0000000000000000 R08: 0000004a090d1a84 R09: 00000000bbbbbbbb
[   96.154912][ T3831] R10: 000000000000005c R11: 0000000000000246 R12: 0000000000000002
[   96.154917][ T3831] R13: 00007f1fc9102058 R14: 00007f1fca68f6c0 R15: 00007f1fc9102000
[   96.154926][ T3831]  </TASK>
[   96.154929][ T3831]
[   96.154933][ T3831] Allocated by task 1:
[ 96.154938][ T3831] kasan_save_stack (mm/kasan/common.c:38) 
[ 96.154946][ T3831] __kasan_kmalloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:513 mm/kasan/common.c:522) 
[ 96.154954][ T3831] mr_table_alloc (include/linux/slab.h:590 include/linux/slab.h:724 net/ipv4/ipmr_base.c:41) 
[ 96.154965][ T3831] ip6mr_net_init (net/ipv6/ip6mr.c:232 net/ipv6/ip6mr.c:1306) 
[ 96.154973][ T3831] ops_init (net/core/net_namespace.c:140) 
[ 96.154981][ T3831] register_pernet_operations (net/core/net_namespace.c:1148 net/core/net_namespace.c:1217) 
[ 96.154988][ T3831] register_pernet_subsys (net/core/net_namespace.c:1259) 
[ 96.154993][ T3831] ip6_mr_init (net/ipv6/ip6mr.c:1359) 
[ 96.155006][ T3831] inet6_init (net/ipv6/af_inet6.c:1109) 
[ 96.155011][ T3831] do_one_initcall (init/main.c:1297) 
[ 96.155018][ T3831] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610) 
[ 96.155027][ T3831] kernel_init (init/main.c:1501) 
[ 96.155033][ T3831] ret_from_fork (arch/x86/entry/entry_64.S:301) 
[   96.155038][ T3831]
[   96.155040][ T3831] The buggy address belongs to the object at ffff888161f06000
[   96.155040][ T3831]  which belongs to the cache kmalloc-4k of size 4096
[   96.155046][ T3831] The buggy address is located 3616 bytes inside of
[   96.155046][ T3831]  4096-byte region [ffff888161f06000, ffff888161f07000)
[   96.155051][ T3831] The buggy address belongs to the page:
[   96.155056][ T3831] page:0000000074fbc6e9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x161f00
[   96.155064][ T3831] head:0000000074fbc6e9 order:3 compound_mapcount:0 compound_pincount:0
[   96.155068][ T3831] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[   96.155083][ T3831] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff888100043040
[   96.155090][ T3831] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[   96.155093][ T3831] page dumped because: kasan: bad access detected
[   96.155097][ T3831] page_owner tracks the page as allocated
[   96.155100][ T3831] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 29137094592, free_ts 0
[ 96.155112][ T3831] prep_new_page (include/linux/page_owner.h:31 mm/page_alloc.c:2412 mm/page_alloc.c:2418) 
[ 96.155120][ T3831] get_page_from_freelist (mm/page_alloc.c:4155) 
[ 96.155127][ T3831] __alloc_pages (mm/page_alloc.c:5370) 
[ 96.155133][ T3831] alloc_page_interleave (arch/x86/include/asm/jump_label.h:27 mm/mempolicy.c:2038) 
[ 96.155142][ T3831] allocate_slab (mm/slub.c:1793 mm/slub.c:1930) 
[ 96.155149][ T3831] ___slab_alloc (mm/slub.c:3022) 
[ 96.155155][ T3831] __slab_alloc+0x1c/0x40 
[ 96.155161][ T3831] __kmalloc (mm/slub.c:3200 mm/slub.c:3242 mm/slub.c:4419) 
[ 96.155167][ T3831] __register_sysctl_table (include/linux/slab.h:595 include/linux/slab.h:724 fs/proc/proc_sysctl.c:1318) 
[ 96.155174][ T3831] ipv4_sysctl_init_net (net/ipv4/sysctl_net_ipv4.c:1418) 
[ 96.155181][ T3831] ops_init (net/core/net_namespace.c:140) 
[ 96.155185][ T3831] register_pernet_operations (net/core/net_namespace.c:1148 net/core/net_namespace.c:1217) 
[ 96.155190][ T3831] register_pernet_subsys (net/core/net_namespace.c:1259) 
[ 96.155196][ T3831] sysctl_ipv4_init (net/ipv4/sysctl_net_ipv4.c:1460) 
[ 96.155202][ T3831] do_one_initcall (init/main.c:1297) 
[ 96.155208][ T3831] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610) 
[   96.155214][ T3831] page_owner free stack trace missing
[   96.155218][ T3831]
[   96.155220][ T3831] Memory state around the buggy address:
[   96.155225][ T3831]  ffff888161f06d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.155229][ T3831]  ffff888161f06d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.155233][ T3831] >ffff888161f06e00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.155236][ T3831]                                ^
[   96.155240][ T3831]  ffff888161f06e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.155244][ T3831]  ffff888161f06f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.155247][ T3831] ==================================================================
[   96.155250][ T3831] Disabling lock debugging due to kernel taint
[   96.838551][  T292]
[   96.847715][  T292] [main] vhangup is marked as AVOID. Skipping
[   96.847746][  T292]
[   96.910102][  T292] [main] Marking syscall vhangup (64bit:153 32bit:111) as to be enabled.
[   96.910137][  T292]
[   96.951132][  T292] [main] Marking syscall write (64bit:1 32bit:4) as to be enabled.
[   96.951159][  T292]


To reproduce:

        # build kernel
        cd linux
        cp config-5.16.0-rc8-02291-g33b03feacaf2 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.16.0-rc8-02291-g33b03feacaf2" of type "text/plain" (177841 bytes)

View attachment "job-script" of type "text/plain" (4775 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (18920 bytes)

View attachment "trinity" of type "text/plain" (6745 bytes)
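A note on reading the splat above, with a worked example. The prose line "located 3616 bytes inside of 4096-byte region" is easy to misread: 4096 is the size of the kmalloc-4k slot, not of the object. The shadow dump is the authoritative record. In the ">" row, the granules at ...6e00, ...6e08 and ...6e10 are 00 (addressable) and everything from ...6e18 onward is 0xfc (KASAN_KMALLOC_REDZONE), so the 1-byte read at ...6e20 lands 8 bytes past the end of the allocation that mr_table_alloc made (see the "Allocated by" trace), inside its slab redzone. The Python script below, added here as an example and not part of the robot's report or of the kernel tree, parses the report lines and recomputes that placement from the shadow bytes rather than from the prose. Its sample input is copied from the report above; the shadow-value table is a hand-picked subset of the poison encodings in mm/kasan/kasan.h, and the file name used in the usage note is an assumption.

```python
"""Parse a generic-mode KASAN report (the format of the splat above) and cross-check
the faulting address against the shadow-memory dump instead of trusting the prose."""
import re

# Sample input: lines copied from the KASAN report in the e-mail above, reduced to
# the parts this parser consumes (quoted from the report, not fabricated).
SAMPLE_REPORT = """\
[ 96.154425][ T3831] BUG: KASAN: slab-out-of-bounds in ip6_string (lib/vsprintf.c:1459)
[   96.154447][ T3831] Read of size 1 at addr ffff888161f06e20 by task trinity-c7/3831
[   96.155038][ T3831]
[   96.155040][ T3831] The buggy address belongs to the object at ffff888161f06000
[   96.155040][ T3831]  which belongs to the cache kmalloc-4k of size 4096
[   96.155046][ T3831] The buggy address is located 3616 bytes inside of
[   96.155046][ T3831]  4096-byte region [ffff888161f06000, ffff888161f07000)
[   96.155220][ T3831] Memory state around the buggy address:
[   96.155225][ T3831]  ffff888161f06d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.155229][ T3831]  ffff888161f06d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.155233][ T3831] >ffff888161f06e00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   96.155236][ T3831]                                ^
[   96.155240][ T3831]  ffff888161f06e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")  # "[ 96.15][ T3831]" dmesg prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)(?: \((?P<loc>[^)]*)\))?")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
LOCATED = re.compile(r"located (?P<n>\d+) bytes (?P<where>inside of|to the (?:left|right) of)")
REGION = re.compile(r"(?P<bytes>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW = re.compile(r"^(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
GRANULE = 8  # KASAN_GRANULE_SIZE: one shadow byte describes 8 bytes of memory

# Hand-picked subset of the shadow poison values in mm/kasan/kasan.h (generic mode).
SHADOW_KIND = {0x00: "accessible", 0xfc: "kmalloc redzone", 0xfb: "freed kmalloc object",
               0xf1: "stack left redzone", 0xf2: "stack mid redzone",
               0xf3: "stack right redzone", 0xf9: "global redzone",
               0xfe: "page redzone", 0xff: "freed page"}

def shadow_kind(b):
    if 1 <= b <= 7:
        return f"partially accessible ({b} of {GRANULE} bytes)"
    return SHADOW_KIND.get(b, "inaccessible (other poison value)")

def accessible_bytes(b):
    """Addressable bytes in a granule: 8 for 00, N for 1..7, none for any poison value."""
    return GRANULE if b == 0 else (b if 1 <= b <= 7 else 0)

def parse(report):
    """Pull the header fields and the shadow rows out of a report; other lines are ignored."""
    info = {"shadow": {}}
    for raw in report.splitlines():
        m = PREFIX.match(raw)
        line = raw[m.end():].strip() if m else raw.strip()
        if not line:
            continue
        if (m := BUG.search(line)):
            info.update(kind=m["kind"], func=m["func"], loc=m["loc"])
        elif (m := ACCESS.search(line)):
            info.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                        task=m["task"], pid=int(m["pid"]))
        elif (m := OBJECT.search(line)):
            info["object"] = int(m["obj"], 16)
        elif (m := CACHE.search(line)):
            info.update(cache=m["cache"], cache_size=int(m["size"]))
        elif (m := LOCATED.search(line)):
            info.update(located=int(m["n"]), located_where=m["where"])
        elif (m := REGION.search(line)):
            info.update(region_start=int(m["start"], 16), region_end=int(m["end"], 16))
        elif (m := SHADOW.match(line.lstrip(">"))):  # ">" marks the row holding the address
            info["shadow"][int(m["base"], 16)] = [int(x, 16) for x in m["bytes"].split()]
    return info

def summarize(report):
    """Parse, then recompute from the shadow bytes where the access fell relative to the
    allocation's addressable extent (the prose offset is relative to the slab slot)."""
    info = parse(report)
    addr = info["addr"]
    # Flatten the dump into (granule address, shadow byte) pairs in address order.
    gran = [(base + GRANULE * i, b)
            for base in sorted(info["shadow"]) for i, b in enumerate(info["shadow"][base])]
    idx = next(i for i, (g, _) in enumerate(gran) if g <= addr < g + GRANULE)
    fault_byte = gran[idx][1]
    # Walk back to the nearest granule that is at least partly addressable: the
    # allocation ends there and everything up to the faulting granule is poison.
    j = idx
    while j > 0 and accessible_bytes(gran[j][1]) == 0:
        j -= 1
    object_end = gran[j][0] + accessible_bytes(gran[j][1])
    info.update(fault_shadow=fault_byte, fault_kind=shadow_kind(fault_byte),
                region_offset=addr - info["region_start"],  # what the prose line reports
                object_end=object_end,                       # first poisoned byte
                object_extent=object_end - info["object"],   # addressable bytes of the object
                past_object_end=addr - object_end)           # > 0: the access overran the object
    return info

if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['kind']}: {s['op'].lower()} of {s['size']} byte(s) in {s['func']} ({s['loc']})")
    print(f"addr {s['addr']:#x}: shadow {s['fault_shadow']:#04x} ({s['fault_kind']})")
    print(f"object {s['object']:#x} addressable for {s['object_extent']} bytes; access is "
          f"{s['past_object_end']} byte(s) past its end, {s['region_offset']} into the slot")
```

Run it as `python3 kasan_summary.py` (the file name is an assumption). On the report above it reports the access as 3616 bytes into the kmalloc-4k slot but 8 bytes past the 3608 addressable bytes of the object, which is the number that matters when reasoning about what the overrun reads. A raw dmesg capture with the same "[ time][ Tpid]" prefix can be fed to summarize() unchanged, since unmatched lines are skipped. For a use-after-free report the faulting shadow byte is 0xfb rather than 0xfc, and in that case the walk-back does not describe an object boundary; fault_kind is reported so the two cases can be told apart.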
