Message-ID: <20220417093314.GB9433@xsang-OptiPlex-9020>
Date:   Sun, 17 Apr 2022 17:33:14 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Casey Schaufler <casey@...aufler-ca.com>
Cc:     0day robot <lkp@...el.com>, Kees Cook <keescook@...omium.org>,
        John Johansen <john.johansen@...onical.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        Paul Moore <paul@...l-moore.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        casey.schaufler@...el.com, jmorris@...ei.org,
        linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
        casey@...aufler-ca.com, linux-audit@...hat.com,
        penguin-kernel@...ove.sakura.ne.jp,
        linux-integrity@...r.kernel.org, netdev@...r.kernel.org
Subject: [LSM] 0d4df6ae86: BUG:KASAN:stack-out-of-bounds_in_netlbl_unlabel_defconf

Greeting,

FYI, we noticed the following commit (built with gcc-11):

commit: 0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4 ("[PATCH v34 11/29] LSM: Use lsmblob in security_current_getsecid")
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20220408-062243
base: https://git.kernel.org/cgit/linux/kernel/git/pcmoore/selinux.git next
patch link: https://lore.kernel.org/linux-security-module/20220407212230.12893-12-casey@schaufler-ca.com

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):

If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[    2.199476][    T1] BUG: KASAN: stack-out-of-bounds in netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[    2.199476][    T1] Read of size 4 at addr ffffc9000001fca0 by task swapper/0/1
[    2.199476][    T1]
[    2.199476][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.18.0-rc1-00014-g0d4df6ae86e1 #1
[    2.199476][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[    2.199476][    T1] Call Trace:
[    2.199476][    T1]  <TASK>
[    2.199476][    T1]  ? netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[    2.199476][    T1]  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[    2.199476][    T1]  print_address_description+0x1f/0x200
[    2.199476][    T1]  ? netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[    2.199476][    T1]  print_report.cold (mm/kasan/report.c:430)
[    2.199476][    T1]  ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[    2.199476][    T1]  kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[    2.199476][    T1]  ? netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[    2.199476][    T1]  netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[    2.199476][    T1]  ? netlbl_unlabel_init (net/netlabel/netlabel_unlabeled.c:1561)
[    2.199476][    T1]  ? register_netdevice_notifier (net/core/dev.c:1743)
[    2.199476][    T1]  ? netlbl_netlink_init (net/netlabel/netlabel_kapi.c:1494)
[    2.199476][    T1]  netlbl_init (net/netlabel/netlabel_kapi.c:1514)
[    2.199476][    T1]  do_one_initcall (init/main.c:1298)
[    2.199476][    T1]  ? trace_event_raw_event_initcall_level (init/main.c:1289)
[    2.199476][    T1]  ? parse_one (kernel/params.c:170)
[    2.199476][    T1]  ? sysvec_call_function_single (arch/x86/kernel/smp.c:243 (discriminator 14))
[    2.199476][    T1]  ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142)
[    2.199476][    T1]  do_initcalls (init/main.c:1370 init/main.c:1387)
[    2.199476][    T1]  kernel_init_freeable (init/main.c:1617)
[    2.199476][    T1]  ? console_on_rootfs (init/main.c:1584)
[    2.199476][    T1]  ? usleep_range_state (kernel/time/timer.c:1843)
[    2.199476][    T1]  ? _raw_spin_lock_bh (kernel/locking/spinlock.c:169)
[    2.199476][    T1]  ? rest_init (init/main.c:1494)
[    2.199476][    T1]  kernel_init (init/main.c:1504)
[    2.199476][    T1]  ret_from_fork (arch/x86/entry/entry_64.S:304)
[    2.199476][    T1]  </TASK>
[    2.199476][    T1]
[    2.199476][    T1] The buggy address belongs to stack of task swapper/0/1
[    2.199476][    T1]  and is located at offset 64 in frame:
[    2.199476][    T1]  netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1561)
[    2.199476][    T1]
[    2.199476][    T1] This frame has 2 objects:
[    2.199476][    T1]  [32, 44) 'audit_info'
[    2.199476][    T1]  [64, 65) 'blob'
[    2.199476][    T1]
[    2.199476][    T1] The buggy address belongs to the virtual mapping at
[    2.199476][    T1]  [ffffc90000018000, ffffc90000021000) created by:
[    2.199476][    T1]  dup_task_struct (kernel/fork.c:979)
[    2.199476][    T1]
[    2.199476][    T1] Memory state around the buggy address:
[    2.199476][    T1]  ffffc9000001fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    2.199476][    T1]  ffffc9000001fc00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[    2.199476][    T1] >ffffc9000001fc80: 00 04 f2 f2 01 f3 f3 f3 00 00 00 00 00 00 00 00
[    2.199476][    T1]                                ^
[    2.199476][    T1]  ffffc9000001fd00: 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3
[    2.199476][    T1]  ffffc9000001fd80: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[    2.199476][    T1] ==================================================================
[    2.199494][    T1] Disabling lock debugging due to kernel taint
[    2.200283][    T1] NetLabel:  unlabeled traffic allowed by default


To reproduce:

        # build kernel
        cd linux
        cp config-5.18.0-rc1-00014-g0d4df6ae86e1 .config
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.18.0-rc1-00014-g0d4df6ae86e1" of type "text/plain" (166155 bytes)

View attachment "job-script" of type "text/plain" (4609 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (12524 bytes)
