Message-ID: <YsP1pJZpndudN22O@xsang-OptiPlex-9020>
Date:   Tue, 5 Jul 2022 16:26:12 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Yury Norov <yury.norov@...il.com>
Cc:     Yury Norov <yury.norov@...il.com>, linux-kernel@...r.kernel.org,
        lkp@...ts.01.org, lkp@...el.com
Subject: 0871a7edbd: BUG:KASAN:stack-out-of-bounds_in_do_migrate_pages



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 0871a7edbdecc0e6517a1b5da7f3d7c3a301fb01 ("remove bitmap_ord_to_pos")
https://github.com/norov/linux fns3(Deprecated)

in testcase: trinity
version: trinity-x86_64-3f8670b2-1_20220518
with following parameters:

	runtime: 300s
	group: group-01

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 49.354495][ T3812] BUG: KASAN: stack-out-of-bounds in do_migrate_pages (arch/x86/include/asm/bitops.h:214 include/asm-generic/bitops/instrumented-non-atomic.h:135 mm/mempolicy.c:1164) 
[   49.360193][ T3812] Read of size 8 at addr ffffc9000077fcf8 by task trinity-c3/3812
[   49.365928][ T3812]
[   49.375020][ T3812] CPU: 1 PID: 3812 Comm: trinity-c3 Not tainted 5.19.0-rc4-00010-g0871a7edbdec #1
[   49.380782][ T3812] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[   49.386551][ T3812] Call Trace:
[   49.391552][ T3812]  <TASK>
[ 49.396437][ T3812] ? do_migrate_pages (arch/x86/include/asm/bitops.h:214 include/asm-generic/bitops/instrumented-non-atomic.h:135 mm/mempolicy.c:1164) 
[ 49.401454][ T3812] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 49.406375][ T3812] print_address_description+0x1f/0x200 
[ 49.411361][ T3812] ? do_migrate_pages (arch/x86/include/asm/bitops.h:214 include/asm-generic/bitops/instrumented-non-atomic.h:135 mm/mempolicy.c:1164) 
[ 49.415198][ T3812] print_report.cold (mm/kasan/report.c:430) 
[ 49.418573][ T3812] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 49.421899][ T3812] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) 
[ 49.425112][ T3812] ? bitmap_print_to_buf (lib/bitmap.c:603) 
[ 49.428299][ T3812] ? do_migrate_pages (arch/x86/include/asm/bitops.h:214 include/asm-generic/bitops/instrumented-non-atomic.h:135 mm/mempolicy.c:1164) 
[ 49.431417][ T3812] kasan_check_range (mm/kasan/generic.c:190) 
[ 49.434469][ T3812] do_migrate_pages (arch/x86/include/asm/bitops.h:214 include/asm-generic/bitops/instrumented-non-atomic.h:135 mm/mempolicy.c:1164) 
[ 49.437461][ T3812] ? change_prot_numa (mm/mempolicy.c:1089) 
[ 49.440390][ T3812] ? security_capable (security/security.c:807 (discriminator 13)) 
[ 49.447394][ T3812] kernel_migrate_pages (mm/mempolicy.c:1653) 
[ 49.451305][ T3812] ? do_migrate_pages (mm/mempolicy.c:1580) 
[ 49.454770][ T3812] ? from_kuid_munged (kernel/user_namespace.c:452) 
[ 49.457497][ T3812] ? from_kuid (kernel/user_namespace.c:448) 
[ 49.460072][ T3812] __x64_sys_migrate_pages (mm/mempolicy.c:1665) 
[ 49.462724][ T3812] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 49.465266][ T3812] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[   49.467861][ T3812] RIP: 0033:0x7fc1a195c9b9
[ 49.471804][ T3812] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d a7 54 0c 00 	mov    0xc54a7(%rip),%rcx        # 0xc54e1
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d a7 54 0c 00 	mov    0xc54a7(%rip),%rcx        # 0xc54b7
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   49.477425][ T3812] RSP: 002b:00007fff08d02458 EFLAGS: 00000246 ORIG_RAX: 0000000000000100
[   49.480107][ T3812] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fc1a195c9b9
[   49.482756][ T3812] RDX: 00007fc19f9d0000 RSI: 0000000000000002 RDI: 0000000000000000
[   49.485361][ T3812] RBP: 00007fc1a02f1000 R08: fffffffffffffffd R09: 0000000000000080
[   49.487900][ T3812] R10: 00007fc19f9d0000 R11: 0000000000000246 R12: 0000000000000100
[   49.490458][ T3812] R13: 00007fc1a1a2a580 R14: 00007fc1a02f1058 R15: 00007fc1a02f1000
[   49.492981][ T3812]  </TASK>
[   49.495082][ T3812]
[   49.497137][ T3812] The buggy address belongs to stack of task trinity-c3/3812
[   49.499505][ T3812]  and is located at offset 160 in frame:
[ 49.501722][ T3812] do_migrate_pages (mm/mempolicy.c:1089) 
[   49.503809][ T3812]
[   49.506270][ T3812] This frame has 1 object:
[   49.508231][ T3812]  [32, 160) 'tmp'
[   49.508236][ T3812]
[   49.511570][ T3812] The buggy address belongs to the virtual mapping at
[   49.511570][ T3812]  [ffffc90000778000, ffffc90000781000) created by:
[ 49.511570][ T3812] dup_task_struct (kernel/fork.c:978) 
[   49.516512][ T3812]
[   49.517883][ T3812] The buggy address belongs to the physical page:
[   49.519514][ T3812] page:000000006cf2accb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12f2e0
[   49.521413][ T3812] memcg:ffff8881a3c89d02
[   49.522902][ T3812] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[   49.524602][ T3812] raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
[   49.526376][ T3812] raw: 0000000000000000 0000000000000000 00000001ffffffff ffff8881a3c89d02
[   49.528115][ T3812] page dumped because: kasan: bad access detected
[   49.529742][ T3812] page_owner tracks the page as allocated
[   49.531312][ T3812] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 3632, tgid 3632 (trinity-main), ts 42696298823, free_ts 42635118470
[ 49.535087][ T3812] get_page_from_freelist (mm/page_alloc.c:2467 mm/page_alloc.c:4198) 
[ 49.536758][ T3812] __alloc_pages (mm/page_alloc.c:5426) 
[ 49.538357][ T3812] vm_area_alloc_pages (mm/vmalloc.c:2927) 
[ 49.539981][ T3812] __vmalloc_area_node (mm/vmalloc.c:2995) 
[ 49.545675][ T3812] __vmalloc_node_range (mm/vmalloc.c:3166) 
[ 49.547377][ T3812] alloc_thread_stack_node (kernel/fork.c:312 (discriminator 4)) 
[ 49.549042][ T3812] dup_task_struct (kernel/fork.c:978) 
[ 49.550639][ T3812] copy_process (kernel/fork.c:2071) 
[ 49.552228][ T3812] kernel_clone (kernel/fork.c:2655) 
[ 49.553816][ T3812] __do_sys_clone (kernel/fork.c:2778) 
[ 49.555408][ T3812] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 49.556994][ T3812] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[   49.558682][ T3812] page last free stack trace:
[ 49.560279][ T3812] free_pcp_prepare (include/linux/page_owner.h:24 mm/page_alloc.c:1371 mm/page_alloc.c:1443) 
[ 49.561905][ T3812] free_unref_page (mm/page_alloc.c:3343 mm/page_alloc.c:3438) 
[ 49.563503][ T3812] qlist_free_all (mm/kasan/quarantine.c:182) 
[ 49.565107][ T3812] kasan_quarantine_reduce (include/linux/srcu.h:189 mm/kasan/quarantine.c:295) 
[ 49.566750][ T3812] __kasan_slab_alloc (mm/kasan/common.c:446) 
[ 49.568350][ T3812] kmem_cache_alloc (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3251 mm/slub.c:3258 mm/slub.c:3268) 
[ 49.569909][ T3812] __anon_vma_prepare (mm/rmap.c:140 mm/rmap.c:194) 
[ 49.571406][ T3812] do_cow_fault (mm/memory.c:4527) 
[ 49.572911][ T3812] do_fault (mm/memory.c:4642) 
[ 49.574306][ T3812] __handle_mm_fault (mm/memory.c:5042) 
[ 49.575764][ T3812] handle_mm_fault (mm/memory.c:5140) 
[ 49.577215][ T3812] do_user_addr_fault (arch/x86/mm/fault.c:1397) 
[ 49.578673][ T3812] exc_page_fault (arch/x86/include/asm/irqflags.h:40 arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1492 arch/x86/mm/fault.c:1540) 
[ 49.580097][ T3812] asm_exc_page_fault (arch/x86/include/asm/idtentry.h:570) 
[   49.581532][ T3812]
[   49.582797][ T3812] Memory state around the buggy address:
[   49.584273][ T3812]  ffffc9000077fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.585921][ T3812]  ffffc9000077fc00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[   49.587552][ T3812] >ffffc9000077fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
[   49.589191][ T3812]                                                                 ^
[   49.590839][ T3812]  ffffc9000077fd00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.592499][ T3812]  ffffc9000077fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   49.594173][ T3812] ==================================================================
[   49.595953][ T3812] Disabling lock debugging due to kernel taint
[   49.612999][ T3812] general protection fault, probably for non-canonical address 0xdffffc0000002c3b: 0000 [#1] SMP KASAN PTI
[   49.616000][ T3812] KASAN: probably user-memory-access in range [0x00000000000161d8-0x00000000000161df]
[   49.618767][ T3812] CPU: 1 PID: 3812 Comm: trinity-c3 Tainted: G    B             5.19.0-rc4-00010-g0871a7edbdec #1
[   49.621838][ T3812] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 49.624765][ T3812] RIP: prepare_alloc_pages+0x255/0x500 
[ 49.627085][ T3812] Code: 0f 85 48 02 00 00 48 8b 2b 48 89 e8 4d 85 e4 0f 85 34 01 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d 7d 08 48 89 f9 48 c1 e9 03 <0f> b6 14 11 84 d2 74 09 80 fa 03 0f 8e 66 01 00 00 3b 75 08 0f 82
All code
========
   0:	0f 85 48 02 00 00    	jne    0x24e
   6:	48 8b 2b             	mov    (%rbx),%rbp
   9:	48 89 e8             	mov    %rbp,%rax
   c:	4d 85 e4             	test   %r12,%r12
   f:	0f 85 34 01 00 00    	jne    0x149
  15:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  1c:	fc ff df 
  1f:	48 8d 7d 08          	lea    0x8(%rbp),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
  2a:*	0f b6 14 11          	movzbl (%rcx,%rdx,1),%edx		<-- trapping instruction
  2e:	84 d2                	test   %dl,%dl
  30:	74 09                	je     0x3b
  32:	80 fa 03             	cmp    $0x3,%dl
  35:	0f 8e 66 01 00 00    	jle    0x1a1
  3b:	3b 75 08             	cmp    0x8(%rbp),%esi
  3e:	0f                   	.byte 0xf
  3f:	82                   	.byte 0x82


To reproduce:

        # build kernel
        cd linux
        cp config-5.19.0-rc4-00010-g0871a7edbdec .config
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.19.0-rc4-00010-g0871a7edbdec" of type "text/plain" (167418 bytes)

View attachment "job-script" of type "text/plain" (4803 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (17060 bytes)
