Date:   Thu, 9 Mar 2023 17:08:55 -0500 (EST)
From:   Vince Weaver <vincent.weaver@...ne.edu>
To:     linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org
cc:     Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Arnaldo Carvalho de Melo <acme@...nel.org>
Subject: [perf] perf_fuzzer triggers KASAN BUG in x86_pmu_del

Hello

I hit this KASAN BUG running the perf_fuzzer on a Haswell machine running
6.3.0-rc1.

It is reproducible.

It looks like it's from the __set_bit line here in x86_pmu_del().  Let me 
know if there's more I can do to debug this.

Vince

	/*
	 * If we're called during a txn, we only need to undo x86_pmu.add.
	 * The events never got scheduled and ->cancel_txn will truncate
	 * the event_list.
	 *
	 * XXX assumes any ->del() called during a TXN will only be on
	 * an event added during that same TXN.
	 */
	if (cpuc->txn_flags & PERF_PMU_TXN_ADD)
		goto do_del;

	__set_bit(event->hw.idx, cpuc->dirty);


[ 5867.174432] ==================================================================
[ 5867.181684] BUG: KASAN: wild-memory-access in x86_pmu_del+0x92/0x2e0
[ 5867.188058] Write of size 8 at addr 1fff8880d09a1fa0 by task perf_fuzzer/3025
[ 5867.196720] CPU: 7 PID: 3025 Comm: perf_fuzzer Not tainted 6.3.0-rc1 #179
[ 5867.203521] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[ 5867.210931] Call Trace:
[ 5867.213398]  <TASK>
[ 5867.215518]  dump_stack_lvl+0x57/0x90
[ 5867.219204]  kasan_report+0xbb/0xf0
[ 5867.222713]  ? perf_event_update_userpage+0x2a1/0x450
[ 5867.227788]  ? x86_pmu_del+0x92/0x2e0
[ 5867.231477]  kasan_check_range+0x13f/0x1a0
[ 5867.235594]  x86_pmu_del+0x92/0x2e0
[ 5867.239105]  ? lock_is_held_type+0xe3/0x140
[ 5867.243309]  event_sched_out+0x1c6/0x480
[ 5867.247261]  merge_sched_in+0x728/0x7b0
[ 5867.251128]  visit_groups_merge.constprop.0.isra.0+0x30e/0x970
[ 5867.256985]  ? __pfx_visit_groups_merge.constprop.0.isra.0+0x10/0x10
[ 5867.263366]  ? visit_groups_merge.constprop.0.isra.0+0x374/0x970
[ 5867.269399]  ctx_flexible_sched_in+0x11c/0x140
[ 5867.273865]  ? __pfx_ctx_flexible_sched_in+0x10/0x10
[ 5867.278849]  ? lock_is_held_type+0xe3/0x140
[ 5867.283053]  ctx_sched_in+0x1a5/0x3b0
[ 5867.286736]  ? __pfx_ctx_sched_in+0x10/0x10
[ 5867.290938]  ? ctx_sched_out+0x191/0x340
[ 5867.294885]  __perf_event_task_sched_in+0x258/0x400
[ 5867.299789]  ? __pfx___perf_event_task_sched_in+0x10/0x10
[ 5867.305208]  finish_task_switch.isra.0+0x3d4/0x570
[ 5867.310025]  schedule_tail+0xe/0x90
[ 5867.313535]  ret_from_fork+0x12/0x50
[ 5867.317135]  </TASK>
[ 5867.319347] ==================================================================
[ 5867.326586] Disabling lock debugging due to kernel taint
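
The reported address is worth checking against the __set_bit() arithmetic. Under KASAN the __set_bit() wrapper checks an 8-byte write at addr + BIT_WORD(nr) before the arch bit op runs, with nr taken as an unsigned long; an hw.idx of -1 (the placeholder the x86 perf code uses for an event with no counter assigned) becomes 2^64 - 1, so the checked address is base + (2^58 - 1) * 8 bytes, wrapping modulo 2^64. For a bitmap at 0xffff8880d09a1fa8 that is exactly 0x1fff8880d09a1fa0, the address in the report above. The program below is an added example, not kernel code and not from the report: it models that arithmetic with an assumed bitmap size and base address (neither is given in the report) and pairs it with a bounds-checked set that refuses such an index.

```c
/*
 * Added example, not kernel code: models the address arithmetic of the
 * KASAN-instrumented __set_bit() wrapper, which checks addr + BIT_WORD(nr)
 * for an 8-byte write before the arch bit op runs, and shows what a
 * sign-extended negative hw.idx does to it. Bitmap size and base address
 * are assumptions; the report does not give them.
 */
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_WORD   64ULL
#define BIT_WORD(nr)    ((nr) / BITS_PER_WORD)          /* same shape as the kernel macro */
#define BIT_MASK(nr)    (1ULL << ((nr) % BITS_PER_WORD))
#define DIRTY_NBITS     64                              /* assumed size of the dirty bitmap */
#define DIRTY_NWORDS    ((DIRTY_NBITS + BITS_PER_WORD - 1) / BITS_PER_WORD)

/* Address the instrumented wrapper checks (and the bit op writes) for bit
 * number idx. idx is widened to an unsigned 64-bit bit number the way the
 * kernel helper takes it, so -1 becomes 2^64 - 1, and the addition wraps
 * modulo 2^64 exactly as it does in the kernel. */
static uint64_t set_bit_target(uint64_t bitmap_addr, int idx)
{
    uint64_t nr = (uint64_t)(int64_t)idx;
    return bitmap_addr + BIT_WORD(nr) * sizeof(uint64_t);
}

/* 1 if idx names a bit inside a DIRTY_NBITS-bit bitmap, else 0. */
static int idx_in_bitmap(int idx)
{
    return idx >= 0 && idx < DIRTY_NBITS;
}

/* Bounds-checked variant: returns -1 for an out-of-range idx without
 * touching memory, 0 after setting the bit. */
static int set_dirty_checked(uint64_t *dirty, int idx)
{
    if (!idx_in_bitmap(idx))
        return -1;
    dirty[BIT_WORD((uint64_t)idx)] |= BIT_MASK((uint64_t)idx);
    return 0;
}

/* Word 0 of a fresh bitmap after a checked set of idx (0 if it was refused). */
static uint64_t dirty_word0_after_checked_set(int idx)
{
    uint64_t dirty[DIRTY_NWORDS] = { 0 };
    (void)set_dirty_checked(dirty, idx);
    return dirty[0];
}

int main(void)
{
    /* Assumed base: the one for which idx == -1 lands exactly on the
     * address in the KASAN report. */
    uint64_t base = 0xffff8880d09a1fa8ULL;
    uint64_t dirty[DIRTY_NWORDS] = { 0 };
    int rc_bad, rc_ok;

    printf("idx  3 -> %#llx (in bitmap: %d)\n",
           (unsigned long long)set_bit_target(base, 3), idx_in_bitmap(3));
    printf("idx -1 -> %#llx (in bitmap: %d)\n",
           (unsigned long long)set_bit_target(base, -1), idx_in_bitmap(-1));

    rc_bad = set_dirty_checked(dirty, -1);   /* refused, bitmap untouched */
    rc_ok = set_dirty_checked(dirty, 3);     /* sets bit 3 of word 0 */
    printf("checked set of -1: %d, of 3: %d, word0 = %#llx\n",
           rc_bad, rc_ok, (unsigned long long)dirty[0]);
    return 0;
}
```

Build with any C99 compiler and run; the idx -1 line prints the address from the report given the assumed base, while the checked variant rejects it and only the in-range set changes the bitmap.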
