| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YvPCbnKqDiL2XEKp@xsang-OptiPlex-9020>
Date: Wed, 10 Aug 2022 22:36:30 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
CC: Lee Jones <lee@...nel.org>,
Henning Schild <henning.schild@...mens.com>,
Hans de Goede <hdegoede@...hat.com>,
Linus Walleij <linus.walleij@...aro.org>,
Jean Delvare <jdelvare@...e.de>, Wolfram Sang <wsa@...nel.org>,
LKML <linux-kernel@...r.kernel.org>, <linux-i2c@...r.kernel.org>,
<platform-driver-x86@...r.kernel.org>, <lkp@...ts.01.org>,
<lkp@...el.com>
Subject: [i2c] 5c7b9167dd: BUG:KASAN:use-after-free_in_string
(please be noted we reported
"[i2c] 5c7b9167dd: BUG:KASAN:use-after-free_in_string"
on
https://lore.kernel.org/all/YtjAswDKfiuDfWYs@xsang-OptiPlex-9020/
when this commit is on linux-next/master.
now we noticed the issue still exists on mainline.
report again FYI.)
Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: 5c7b9167ddf89d2d845e09bfcdc9f677340b6a5c ("i2c: i801: convert to use common P2SB accessor")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: xfstests
version: xfstests-x86_64-c1144bf-1_20220804
with following parameters:
disk: 4HDD
fs: ext4
test: ext4-group-00
ucode: 0xf0
test-description: xfstests is a regression test suite for xfs and other files ystems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 6.016434][ T1] BUG: KASAN: use-after-free in string (lib/vsprintf.c:643 lib/vsprintf.c:725)
[ 6.016440][ T1] Read of size 1 at addr ffff888139403800 by task swapper/0/1
[ 6.016443][ T1]
[ 6.016444][ T1] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G I 5.19.0-rc1-00006-g5c7b9167ddf8 #1
[ 6.016448][ T1] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[ 6.016450][ T1] Call Trace:
[ 6.016451][ T1] <TASK>
[ 6.016453][ T1] ? string (lib/vsprintf.c:643 lib/vsprintf.c:725)
[ 6.016456][ T1] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 6.016461][ T1] print_address_description+0x1f/0x200
[ 6.016465][ T1] ? string (lib/vsprintf.c:643 lib/vsprintf.c:725)
[ 6.016468][ T1] print_report.cold (mm/kasan/report.c:430)
[ 6.016472][ T1] ? kernfs_create_link (fs/kernfs/symlink.c:39)
[ 6.016476][ T1] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 6.016479][ T1] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 6.016482][ T1] ? string (lib/vsprintf.c:643 lib/vsprintf.c:725)
[ 6.016485][ T1] string (lib/vsprintf.c:643 lib/vsprintf.c:725)
[ 6.016488][ T1] ? ip6_addr_string_sa (lib/vsprintf.c:721)
[ 6.016491][ T1] ? pinctrl_bind_pins (drivers/base/pinctrl.c:94)
[ 6.016495][ T1] ? __fprop_add_percpu_max (lib/idr.c:35)
[ 6.016498][ T1] vsnprintf (lib/vsprintf.c:2733)
[ 6.016502][ T1] ? pointer (lib/vsprintf.c:2714)
[ 6.016505][ T1] ? idr_alloc_cyclic (lib/idr.c:126)
[ 6.016508][ T1] ? idr_alloc (lib/idr.c:118)
[ 6.016510][ T1] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 6.016513][ T1] devm_kvasprintf (drivers/base/devres.c:1004)
[ 6.016516][ T1] ? devm_kmemdup (drivers/base/devres.c:995)
[ 6.016520][ T1] ? __cond_resched (kernel/sched/core.c:8217)
[ 6.016524][ T1] devm_kasprintf (drivers/base/devres.c:1026)
[ 6.016526][ T1] ? devm_kvasprintf (drivers/base/devres.c:1026)
[ 6.016529][ T1] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161)
[ 6.016532][ T1] ? __kmalloc_node_track_caller (mm/slub.c:3216 mm/slub.c:4950)
[ 6.016535][ T1] ? iTCO_wdt_probe (include/linux/device.h:209 drivers/watchdog/iTCO_wdt.c:472)
[ 6.016539][ T1] ? add_dr (include/linux/list.h:69 (discriminator 2) include/linux/list.h:102 (discriminator 2) drivers/base/devres.c:131 (discriminator 2))
[ 6.016542][ T1] __devm_ioremap_resource (lib/devres.c:156)
[ 6.016546][ T1] iTCO_wdt_probe (drivers/watchdog/iTCO_wdt.c:509)
[ 6.016550][ T1] platform_probe (drivers/base/platform.c:1400)
[ 6.016552][ T1] really_probe (drivers/base/dd.c:555 drivers/base/dd.c:634)
[ 6.016557][ T1] __driver_probe_device (drivers/base/dd.c:764)
[ 6.016560][ T1] driver_probe_device (drivers/base/dd.c:794)
[ 6.016564][ T1] __driver_attach (drivers/base/dd.c:1164)
[ 6.016567][ T1] ? __device_attach_driver (drivers/base/dd.c:1116)
[ 6.016571][ T1] bus_for_each_dev (drivers/base/bus.c:301)
[ 6.016574][ T1] ? subsys_dev_iter_exit (drivers/base/bus.c:290)
[ 6.016577][ T1] ? klist_add_tail (include/linux/list.h:69 include/linux/list.h:102 lib/klist.c:104 lib/klist.c:137)
[ 6.016581][ T1] bus_add_driver (drivers/base/bus.c:618)
[ 6.016584][ T1] driver_register (drivers/base/driver.c:240)
[ 6.016587][ T1] ? esb_driver_init (drivers/watchdog/iTCO_wdt.c:651)
[ 6.016591][ T1] do_one_initcall (init/main.c:1295)
[ 6.016595][ T1] ? trace_event_raw_event_initcall_level (init/main.c:1286)
[ 6.016597][ T1] ? parse_one (kernel/params.c:170)
[ 6.016602][ T1] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142)
[ 6.016606][ T1] do_initcalls (init/main.c:1367 init/main.c:1384)
[ 6.016611][ T1] kernel_init_freeable (init/main.c:1614)
[ 6.016614][ T1] ? console_on_rootfs (init/main.c:1581)
[ 6.016617][ T1] ? usleep_range_state (kernel/time/timer.c:1897)
[ 6.016622][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:169)
[ 6.016624][ T1] ? rest_init (init/main.c:1491)
[ 6.016628][ T1] ? rest_init (init/main.c:1491)
[ 6.016631][ T1] kernel_init (init/main.c:1501)
[ 6.016635][ T1] ret_from_fork (arch/x86/entry/entry_64.S:308)
[ 6.016639][ T1] </TASK>
[ 6.016640][ T1]
[ 6.016641][ T1] Allocated by task 0:
[ 6.016642][ T1] (stack is not available)
[ 6.016643][ T1]
[ 6.016643][ T1] Freed by task 1:
[ 6.016645][ T1] kasan_save_stack (mm/kasan/common.c:39)
[ 6.016648][ T1] kasan_set_track (mm/kasan/common.c:45)
[ 6.016650][ T1] kasan_set_free_info (mm/kasan/generic.c:372)
[ 6.016653][ T1] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 6.016656][ T1] kfree (mm/slub.c:1753 mm/slub.c:3507 mm/slub.c:4555)
[ 6.016658][ T1] kobject_cleanup (lib/kobject.c:683)
[ 6.016661][ T1] p2sb_bar (drivers/platform/x86/intel/p2sb.c:120)
[ 6.016663][ T1] i801_add_tco (drivers/i2c/busses/i2c-i801.c:1495 drivers/i2c/busses/i2c-i801.c:1552)
[ 6.016666][ T1] i801_probe.cold (drivers/i2c/busses/i2c-i801.c:1749 (discriminator 4))
[ 6.016668][ T1] local_pci_probe (drivers/pci/pci-driver.c:324)
[ 6.016670][ T1] pci_call_probe (drivers/pci/pci-driver.c:392)
[ 6.016672][ T1] pci_device_probe (drivers/pci/pci-driver.c:461)
[ 6.016674][ T1] really_probe (drivers/base/dd.c:555 drivers/base/dd.c:634)
[ 6.016676][ T1] __driver_probe_device (drivers/base/dd.c:764)
[ 6.016679][ T1] driver_probe_device (drivers/base/dd.c:794)
[ 6.016682][ T1] __driver_attach (drivers/base/dd.c:1164)
[ 6.016685][ T1] bus_for_each_dev (drivers/base/bus.c:301)
[ 6.016688][ T1] bus_add_driver (drivers/base/bus.c:618)
[ 6.016690][ T1] driver_register (drivers/base/driver.c:240)
[ 6.016692][ T1] i2c_i801_init (drivers/i2c/busses/i2c-i801.c:1842)
[ 6.016695][ T1] do_one_initcall (init/main.c:1295)
[ 6.016697][ T1] do_initcalls (init/main.c:1367 init/main.c:1384)
[ 6.016700][ T1] kernel_init_freeable (init/main.c:1614)
[ 6.016703][ T1] kernel_init (init/main.c:1501)
[ 6.016706][ T1] ret_from_fork (arch/x86/entry/entry_64.S:308)
[ 6.016708][ T1]
[ 6.016709][ T1] The buggy address belongs to the object at ffff888139403800
[ 6.016709][ T1] which belongs to the cache kmalloc-16 of size 16
[ 6.016711][ T1] The buggy address is located 0 bytes inside of
[ 6.016711][ T1] 16-byte region [ffff888139403800, ffff888139403810)
[ 6.016713][ T1]
[ 6.016714][ T1] The buggy address belongs to the physical page:
[ 6.016715][ T1] page:0000000054d70477 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x139403
[ 6.016736][ T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.19.0-rc1-00006-g5c7b9167ddf8" of type "text/plain" (167555 bytes)
View attachment "job-script" of type "text/plain" (5691 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (27072 bytes)
View attachment "xfstests" of type "text/plain" (1252 bytes)
View attachment "job.yaml" of type "text/plain" (4671 bytes)
View attachment "reproduce" of type "text/plain" (839 bytes)
Powered by blists - more mailing lists