Open Source and information security mailing list archives
 
Date:   Wed, 10 Aug 2022 22:36:30 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
CC:     Lee Jones <lee@...nel.org>,
        Henning Schild <henning.schild@...mens.com>,
        Hans de Goede <hdegoede@...hat.com>,
        Linus Walleij <linus.walleij@...aro.org>,
        Jean Delvare <jdelvare@...e.de>, Wolfram Sang <wsa@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>, <linux-i2c@...r.kernel.org>,
        <platform-driver-x86@...r.kernel.org>, <lkp@...ts.01.org>,
        <lkp@...el.com>
Subject: [i2c]  5c7b9167dd: BUG:KASAN:use-after-free_in_string


(please be noted we reported
"[i2c]  5c7b9167dd: BUG:KASAN:use-after-free_in_string"
on
https://lore.kernel.org/all/YtjAswDKfiuDfWYs@xsang-OptiPlex-9020/
when this commit is on linux-next/master.
now we noticed the issue still exists on mainline.
report again FYI.)


Greeting,

FYI, we noticed the following commit (built with gcc-11):

commit: 5c7b9167ddf89d2d845e09bfcdc9f677340b6a5c ("i2c: i801: convert to use common P2SB accessor")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

in testcase: xfstests
version: xfstests-x86_64-c1144bf-1_20220804
with following parameters:

	disk: 4HDD
	fs: ext4
	test: ext4-group-00
	ucode: 0xf0

test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git


on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 6.016434][ T1] BUG: KASAN: use-after-free in string (lib/vsprintf.c:643 lib/vsprintf.c:725) 
[    6.016440][    T1] Read of size 1 at addr ffff888139403800 by task swapper/0/1
[    6.016443][    T1]
[    6.016444][    T1] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G          I       5.19.0-rc1-00006-g5c7b9167ddf8 #1
[    6.016448][    T1] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[    6.016450][    T1] Call Trace:
[    6.016451][    T1]  <TASK>
[ 6.016453][ T1] ? string (lib/vsprintf.c:643 lib/vsprintf.c:725) 
[ 6.016456][ T1] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 6.016461][ T1] print_address_description+0x1f/0x200 
[ 6.016465][ T1] ? string (lib/vsprintf.c:643 lib/vsprintf.c:725) 
[ 6.016468][ T1] print_report.cold (mm/kasan/report.c:430) 
[ 6.016472][ T1] ? kernfs_create_link (fs/kernfs/symlink.c:39) 
[ 6.016476][ T1] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 6.016479][ T1] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) 
[ 6.016482][ T1] ? string (lib/vsprintf.c:643 lib/vsprintf.c:725) 
[ 6.016485][ T1] string (lib/vsprintf.c:643 lib/vsprintf.c:725) 
[ 6.016488][ T1] ? ip6_addr_string_sa (lib/vsprintf.c:721) 
[ 6.016491][ T1] ? pinctrl_bind_pins (drivers/base/pinctrl.c:94) 
[ 6.016495][ T1] ? __fprop_add_percpu_max (lib/idr.c:35) 
[ 6.016498][ T1] vsnprintf (lib/vsprintf.c:2733) 
[ 6.016502][ T1] ? pointer (lib/vsprintf.c:2714) 
[ 6.016505][ T1] ? idr_alloc_cyclic (lib/idr.c:126) 
[ 6.016508][ T1] ? idr_alloc (lib/idr.c:118) 
[ 6.016510][ T1] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 6.016513][ T1] devm_kvasprintf (drivers/base/devres.c:1004) 
[ 6.016516][ T1] ? devm_kmemdup (drivers/base/devres.c:995) 
[ 6.016520][ T1] ? __cond_resched (kernel/sched/core.c:8217) 
[ 6.016524][ T1] devm_kasprintf (drivers/base/devres.c:1026) 
[ 6.016526][ T1] ? devm_kvasprintf (drivers/base/devres.c:1026) 
[ 6.016529][ T1] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161) 
[ 6.016532][ T1] ? __kmalloc_node_track_caller (mm/slub.c:3216 mm/slub.c:4950) 
[ 6.016535][ T1] ? iTCO_wdt_probe (include/linux/device.h:209 drivers/watchdog/iTCO_wdt.c:472) 
[ 6.016539][ T1] ? add_dr (include/linux/list.h:69 (discriminator 2) include/linux/list.h:102 (discriminator 2) drivers/base/devres.c:131 (discriminator 2)) 
[ 6.016542][ T1] __devm_ioremap_resource (lib/devres.c:156) 
[ 6.016546][ T1] iTCO_wdt_probe (drivers/watchdog/iTCO_wdt.c:509) 
[ 6.016550][ T1] platform_probe (drivers/base/platform.c:1400) 
[ 6.016552][ T1] really_probe (drivers/base/dd.c:555 drivers/base/dd.c:634) 
[ 6.016557][ T1] __driver_probe_device (drivers/base/dd.c:764) 
[ 6.016560][ T1] driver_probe_device (drivers/base/dd.c:794) 
[ 6.016564][ T1] __driver_attach (drivers/base/dd.c:1164) 
[ 6.016567][ T1] ? __device_attach_driver (drivers/base/dd.c:1116) 
[ 6.016571][ T1] bus_for_each_dev (drivers/base/bus.c:301) 
[ 6.016574][ T1] ? subsys_dev_iter_exit (drivers/base/bus.c:290) 
[ 6.016577][ T1] ? klist_add_tail (include/linux/list.h:69 include/linux/list.h:102 lib/klist.c:104 lib/klist.c:137) 
[ 6.016581][ T1] bus_add_driver (drivers/base/bus.c:618) 
[ 6.016584][ T1] driver_register (drivers/base/driver.c:240) 
[ 6.016587][ T1] ? esb_driver_init (drivers/watchdog/iTCO_wdt.c:651) 
[ 6.016591][ T1] do_one_initcall (init/main.c:1295) 
[ 6.016595][ T1] ? trace_event_raw_event_initcall_level (init/main.c:1286) 
[ 6.016597][ T1] ? parse_one (kernel/params.c:170) 
[ 6.016602][ T1] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142) 
[ 6.016606][ T1] do_initcalls (init/main.c:1367 init/main.c:1384) 
[ 6.016611][ T1] kernel_init_freeable (init/main.c:1614) 
[ 6.016614][ T1] ? console_on_rootfs (init/main.c:1581) 
[ 6.016617][ T1] ? usleep_range_state (kernel/time/timer.c:1897) 
[ 6.016622][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:169) 
[ 6.016624][ T1] ? rest_init (init/main.c:1491) 
[ 6.016628][ T1] ? rest_init (init/main.c:1491) 
[ 6.016631][ T1] kernel_init (init/main.c:1501) 
[ 6.016635][ T1] ret_from_fork (arch/x86/entry/entry_64.S:308) 
[    6.016639][    T1]  </TASK>
[    6.016640][    T1]
[    6.016641][    T1] Allocated by task 0:
[    6.016642][    T1] (stack is not available)
[    6.016643][    T1]
[    6.016643][    T1] Freed by task 1:
[ 6.016645][ T1] kasan_save_stack (mm/kasan/common.c:39) 
[ 6.016648][ T1] kasan_set_track (mm/kasan/common.c:45) 
[ 6.016650][ T1] kasan_set_free_info (mm/kasan/generic.c:372) 
[ 6.016653][ T1] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374) 
[ 6.016656][ T1] kfree (mm/slub.c:1753 mm/slub.c:3507 mm/slub.c:4555) 
[ 6.016658][ T1] kobject_cleanup (lib/kobject.c:683) 
[ 6.016661][ T1] p2sb_bar (drivers/platform/x86/intel/p2sb.c:120) 
[ 6.016663][ T1] i801_add_tco (drivers/i2c/busses/i2c-i801.c:1495 drivers/i2c/busses/i2c-i801.c:1552) 
[ 6.016666][ T1] i801_probe.cold (drivers/i2c/busses/i2c-i801.c:1749 (discriminator 4)) 
[ 6.016668][ T1] local_pci_probe (drivers/pci/pci-driver.c:324) 
[ 6.016670][ T1] pci_call_probe (drivers/pci/pci-driver.c:392) 
[ 6.016672][ T1] pci_device_probe (drivers/pci/pci-driver.c:461) 
[ 6.016674][ T1] really_probe (drivers/base/dd.c:555 drivers/base/dd.c:634) 
[ 6.016676][ T1] __driver_probe_device (drivers/base/dd.c:764) 
[ 6.016679][ T1] driver_probe_device (drivers/base/dd.c:794) 
[ 6.016682][ T1] __driver_attach (drivers/base/dd.c:1164) 
[ 6.016685][ T1] bus_for_each_dev (drivers/base/bus.c:301) 
[ 6.016688][ T1] bus_add_driver (drivers/base/bus.c:618) 
[ 6.016690][ T1] driver_register (drivers/base/driver.c:240) 
[ 6.016692][ T1] i2c_i801_init (drivers/i2c/busses/i2c-i801.c:1842) 
[ 6.016695][ T1] do_one_initcall (init/main.c:1295) 
[ 6.016697][ T1] do_initcalls (init/main.c:1367 init/main.c:1384) 
[ 6.016700][ T1] kernel_init_freeable (init/main.c:1614) 
[ 6.016703][ T1] kernel_init (init/main.c:1501) 
[ 6.016706][ T1] ret_from_fork (arch/x86/entry/entry_64.S:308) 
[    6.016708][    T1]
[    6.016709][    T1] The buggy address belongs to the object at ffff888139403800
[    6.016709][    T1]  which belongs to the cache kmalloc-16 of size 16
[    6.016711][    T1] The buggy address is located 0 bytes inside of
[    6.016711][    T1]  16-byte region [ffff888139403800, ffff888139403810)
[    6.016713][    T1]
[    6.016714][    T1] The buggy address belongs to the physical page:
[    6.016715][    T1] page:0000000054d70477 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x139403
[    6.016736][    T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.19.0-rc1-00006-g5c7b9167ddf8" of type "text/plain" (167555 bytes)

View attachment "job-script" of type "text/plain" (5691 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (27072 bytes)

View attachment "xfstests" of type "text/plain" (1252 bytes)

View attachment "job.yaml" of type "text/plain" (4671 bytes)

View attachment "reproduce" of type "text/plain" (839 bytes)
