Message-Id: <5C25152C-6708-4200-95E6-449CA0EE49E6@gmail.com>
Date: Sun, 16 Jun 2024 14:24:24 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: agruenba@...hat.com
Cc: gfs2@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Follow-Up on Reported Kernel Bug KASAN: slab-out-of-bounds in gfs2_check_blk_type
Dear Kernel Maintainers,
I hope this message finds you well.
I am writing to follow up on the recent bug report KASAN: slab-out-of-bounds in gfs2_check_blk_type. I was wondering if there have been any updates or progress on this issue. Additionally, please let me know if there is any assistance I can provide.
Thank you for your time and attention to this matter.
Best regards,
Shuangpeng
> On Jun 11, 2024, at 00:19, Shuangpeng Bai <shuangpengbai@...il.com> wrote:
>
> Hi Kernel Maintainers,
>
> Our tool found a new kernel bug KASAN: slab-out-of-bounds in gfs2_check_blk_type. Please see the details below.
>
> Kernel commit: v6.9 (Commits on May 12, 2024)
> Kernel config: attachment
> C/Syz reproducer: attachment
>
> Please let me know if there is anything I can help with.
>
> Best,
> Shuangpeng
>
>
> [ 71.590873][ T8079] ==================================================================
> [ 71.593005][ T8079] BUG: KASAN: slab-out-of-bounds in gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.595063][ T8079] Read of size 8 at addr ffff888021a377d0 by task a.out/8079
> [ 71.596905][ T8079]
> [ 71.597832][ T8079] CPU: 0 PID: 8079 Comm: a.out Not tainted 6.9.0 #8
> [ 71.600123][ T8079] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 71.603460][ T8079] Call Trace:
> [ 71.604602][ T8079] <TASK>
> [ 71.605683][ T8079] dump_stack_lvl (lib/dump_stack.c:117)
> [ 71.607296][ T8079] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)
> [ 71.608909][ T8079] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4))
> [ 71.610551][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.612454][ T8079] kasan_report (mm/kasan/report.c:603)
> [ 71.613973][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.615832][ T8079] gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.617677][ T8079] ? __pfx_gfs2_check_blk_type (fs/gfs2/rgrp.c:2614)
> [ 71.619723][ T8079] ? gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492)
> [ 71.621526][ T8079] ? __gfs2_holder_init (fs/gfs2/glock.c:1272)
> [ 71.623447][ T8079] gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492)
> [ 71.626079][ T8079] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
> [ 71.628057][ T8079] ? pick_eevdf (kernel/sched/fair.c:909)
> [ 71.629661][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473)
> [ 71.631511][ T8079] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
> [ 71.633165][ T8079] ? finish_task_switch.isra.0 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/sched/sched.h:1399 kernel/sched/core.c:5163 kernel/sched/core.c:5281)
> [ 71.635270][ T8079] ? __inode_wait_for_writeback (fs/fs-writeback.c:1512)
> [ 71.637336][ T8079] ? __pfx___inode_wait_for_writeback (fs/fs-writeback.c:1512)
> [ 71.639501][ T8079] ? evict (fs/inode.c:672)
> [ 71.640957][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
> [ 71.642637][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
> [ 71.644575][ T8079] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
> [ 71.646161][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473)
> [ 71.648103][ T8079] evict (fs/inode.c:672)
> [ 71.649493][ T8079] iput.part.0 (fs/inode.c:1741 fs/inode.c:1767)
> [ 71.650985][ T8079] ? __pfx_gfs2_drop_inode (fs/gfs2/super.c:1025)
> [ 71.652903][ T8079] iput (fs/inode.c:1769)
> [ 71.654195][ T8079] dentry_unlink_inode (fs/dcache.c:401)
> [ 71.655902][ T8079] __dentry_kill (fs/dcache.c:606)
> [ 71.657456][ T8079] dput (fs/dcache.c:846 fs/dcache.c:833)
> [ 71.658782][ T8079] shrink_dcache_for_umount (./include/linux/list_bl.h:74 fs/dcache.c:1557)
> [ 71.660731][ T8079] generic_shutdown_super (fs/super.c:620)
> [ 71.662500][ T8079] kill_block_super (fs/super.c:1676)
> [ 71.664147][ T8079] gfs2_kill_sb (fs/gfs2/ops_fstype.c:1805)
> [ 71.665748][ T8079] deactivate_locked_super (fs/super.c:433 fs/super.c:474)
> [ 71.667612][ T8079] deactivate_super (fs/super.c:507)
> [ 71.669282][ T8079] cleanup_mnt (fs/namespace.c:144 fs/namespace.c:1268)
> [ 71.670805][ T8079] task_work_run (kernel/task_work.c:181 (discriminator 1))
> [ 71.672412][ T8079] ? __pfx_task_work_run (kernel/task_work.c:148)
> [ 71.674201][ T8079] ? __put_net (net/core/net_namespace.c:689)
> [ 71.675709][ T8079] do_exit (kernel/exit.c:879)
> [ 71.677175][ T8079] ? __count_memcg_events (mm/memcontrol.c:723 mm/memcontrol.c:962)
> [ 71.679117][ T8079] ? __pfx_do_exit (kernel/exit.c:819)
> [ 71.680723][ T8079] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169)
> [ 71.682564][ T8079] ? zap_other_threads (kernel/signal.c:1390)
> [ 71.684339][ T8079] do_group_exit (kernel/exit.c:1008)
> [ 71.685853][ T8079] __x64_sys_exit_group (kernel/exit.c:1036)
> [ 71.687482][ T8079] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> [ 71.689990][ T8079] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 71.691214][ T8079] RIP: 0033:0x7f5ca99d3146
> [ 71.692267][ T8079] Code: Unable to access opcode bytes at 0x7f5ca99d311c.
>
> Code starting with the faulting instruction
> ===========================================
> [ 71.693702][ T8079] RSP: 002b:00007ffe66c629e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> [ 71.695408][ T8079] RAX: ffffffffffffffda RBX: 00007f5ca9ad88a0 RCX: 00007f5ca99d3146
> [ 71.697059][ T8079] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
> [ 71.698635][ T8079] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
> [ 71.700276][ T8079] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f5ca9ad88a0
> [ 71.702040][ T8079] R13: 0000000000000001 R14: 00007f5ca9ae12e8 R15: 0000000000000000
> [ 71.703663][ T8079] </TASK>
> [ 71.704290][ T8079]
> [ 71.704752][ T8079] Allocated by task 8079:
> [ 71.705650][ T8079] kasan_save_stack (mm/kasan/common.c:48)
> [ 71.706631][ T8079] kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
> [ 71.707574][ T8079] __kasan_kmalloc (mm/kasan/common.c:391)
> [ 71.708505][ T8079] __kmalloc (./include/linux/kasan.h:211 mm/slub.c:3972 mm/slub.c:3985)
> [ 71.709364][ T8079] read_rindex_entry (./include/linux/slab.h:665 ./include/linux/slab.h:696 fs/gfs2/rgrp.c:766 fs/gfs2/rgrp.c:931)
> [ 71.710394][ T8079] gfs2_ri_update (fs/gfs2/rgrp.c:1002 (discriminator 1))
> [ 71.711339][ T8079] gfs2_rindex_update (fs/gfs2/rgrp.c:1051)
> [ 71.712483][ T8079] init_inodes (fs/gfs2/ops_fstype.c:913)
> [ 71.713427][ T8079] gfs2_fill_super (fs/gfs2/ops_fstype.c:1264)
> [ 71.714433][ T8079] get_tree_bdev (fs/super.c:1615)
> [ 71.715380][ T8079] gfs2_get_tree (fs/gfs2/ops_fstype.c:1342)
> [ 71.716319][ T8079] vfs_get_tree (fs/super.c:1780)
> [ 71.717229][ T8079] path_mount (fs/namespace.c:3353 fs/namespace.c:3679)
> [ 71.718124][ T8079] __x64_sys_mount (fs/namespace.c:3693 fs/namespace.c:3898 fs/namespace.c:3875 fs/namespace.c:3875)
> [ 71.719108][ T8079] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> [ 71.720025][ T8079] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 71.721224][ T8079]
> [ 71.721838][ T8079] The buggy address belongs to the object at ffff888021a37780
> [ 71.721838][ T8079] which belongs to the cache kmalloc-96 of size 96
> [ 71.724602][ T8079] The buggy address is located 0 bytes to the right of
> [ 71.724602][ T8079] allocated 80-byte region [ffff888021a37780, ffff888021a377d0)
> [ 71.727454][ T8079]
> [ 71.727931][ T8079] The buggy address belongs to the physical page:
> [ 71.729233][ T8079] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21a37
> [ 71.730941][ T8079] ksm flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)
> [ 71.732522][ T8079] page_type: 0xffffffff()
> [ 71.733415][ T8079] raw: 00fff00000000800 ffff888011c41780 ffffea0000860340 dead000000000003
> [ 71.735106][ T8079] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
> [ 71.736792][ T8079] page dumped because: kasan: bad access detected
> [ 71.738102][ T8079] page_owner tracks the page as allocated
> [ 71.739229][ T8079] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 18270934128, free_ts 182673967
> [ 71.742812][ T8079] post_alloc_hook (./include/linux/page_owner.h:32 mm/page_alloc.c:1534)
> [ 71.743828][ T8079] get_page_from_freelist (mm/page_alloc.c:1543 mm/page_alloc.c:3317)
> [ 71.744948][ T8079] __alloc_pages (mm/page_alloc.c:4576)
> [ 71.745863][ T8079] allocate_slab (mm/slub.c:2181 mm/slub.c:2343)
> [ 71.746796][ T8079] ___slab_alloc (mm/slub.c:3531)
> [ 71.747698][ T8079] __slab_alloc.constprop.0 (mm/slub.c:3615)
> [ 71.748821][ T8079] kmalloc_trace (mm/slub.c:3668 mm/slub.c:3841 mm/slub.c:3998)
> [ 71.749739][ T8079] call_usermodehelper_setup (kernel/umh.c:364)
> [ 71.750918][ T8079] kobject_uevent_env (lib/kobject_uevent.c:613)
> [ 71.752105][ T8079] param_sysfs_builtin_init (kernel/params.c:822 kernel/params.c:856 kernel/params.c:990)
> [ 71.753257][ T8079] do_one_initcall (init/main.c:1245)
> [ 71.754155][ T8079] kernel_init_freeable (init/main.c:1306 init/main.c:1323 init/main.c:1342 init/main.c:1555)
> [ 71.755340][ T8079] kernel_init (init/main.c:1446)
> [ 71.756346][ T8079] ret_from_fork (arch/x86/kernel/process.c:153)
> [ 71.757242][ T8079] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
> [ 71.758204][ T8079] page last free pid 8 tgid 8 stack trace:
> [ 71.759381][ T8079] free_unref_page_prepare (./include/linux/page_owner.h:25 mm/page_alloc.c:1141 mm/page_alloc.c:2347)
> [ 71.760517][ T8079] free_unref_page (mm/page_alloc.c:2487)
> [ 71.761655][ T8079] vfree.part.0 (./include/linux/sched.h:1988 mm/vmalloc.c:3341)
> [ 71.762567][ T8079] delayed_vfree_work (mm/vmalloc.c:3260 (discriminator 1))
> [ 71.763552][ T8079] process_one_work (kernel/workqueue.c:3272)
> [ 71.764550][ T8079] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429)
> [ 71.765490][ T8079] kthread (kernel/kthread.c:388)
> [ 71.766344][ T8079] ret_from_fork (arch/x86/kernel/process.c:153)
> [ 71.767258][ T8079] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
> [ 71.768206][ T8079]
> [ 71.768674][ T8079] Memory state around the buggy address:
> [ 71.769194][ T8079] ffff888021a37680: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> [ 71.769942][ T8079] ffff888021a37700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
> [ 71.770679][ T8079] >ffff888021a37780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
> [ 71.771410][ T8079] ^
> [ 71.772016][ T8079] ffff888021a37800: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> [ 71.772768][ T8079] ffff888021a37880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> [ 71.773516][ T8079] ==================================================================
> [ 71.778624][ T8079] Kernel panic - not syncing: KASAN: panic_on_warn set ...
> [ 71.780113][ T8079] CPU: 0 PID: 8079 Comm: a.out Not tainted 6.9.0 #8
> [ 71.781462][ T8079] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 71.783278][ T8079] Call Trace:
> [ 71.783932][ T8079] <TASK>
> [ 71.784536][ T8079] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4))
> [ 71.785477][ T8079] panic (kernel/panic.c:348)
> [ 71.786276][ T8079] ? __pfx_panic (kernel/panic.c:282)
> [ 71.787159][ T8079] ? preempt_schedule_thunk+0xa/0x30
> Message from syslogd@...zkaller at Jun 1 04:06:
> [ 71.789194][ T8079] ? preempt_schedule_common (./arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6927)
> [ 71.790322][ T8079] ? check_panic_on_warn (kernel/panic.c:240)
> [ 71.791312][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.792378][ T8079] check_panic_on_warn (kernel/panic.c:241)
> [ 71.793372][ T8079] end_report (mm/kasan/report.c:226)
> [ 71.794210][ T8079] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606)
> [ 71.795072][ T8079] ? gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.796124][ T8079] gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
> [ 71.797166][ T8079] ? __pfx_gfs2_check_blk_type (fs/gfs2/rgrp.c:2614)
> [ 71.798273][ T8079] ? gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492)
> [ 71.799279][ T8079] ? __gfs2_holder_init (fs/gfs2/glock.c:1272)
> [ 71.800333][ T8079] gfs2_evict_inode (fs/gfs2/super.c:1346 fs/gfs2/super.c:1492)
> [ 71.801313][ T8079] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
> [ 71.802342][ T8079] ? pick_eevdf (kernel/sched/fair.c:909)
> [ 71.803240][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473)
> [ 71.804316][ T8079] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/spinlock_api_smp.h:143 kernel/locking/spinlock.c:186)
> [ 71.805280][ T8079] ? finish_task_switch.isra.0 (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:77 kernel/sched/sched.h:1399 kernel/sched/core.c:5163 kernel/sched/core.c:5281)
> [ 71.806403][ T8079] ? __inode_wait_for_writeback (fs/fs-writeback.c:1512)
> [ 71.807560][ T8079] ? __pfx___inode_wait_for_writeback (fs/fs-writeback.c:1512)
> [ 71.808805][ T8079] ? evict (fs/inode.c:672)
> [ 71.809617][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
> [ 71.810623][ T8079] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
> [ 71.811620][ T8079] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
> [ 71.812546][ T8079] ? __pfx_gfs2_evict_inode (fs/gfs2/super.c:1473)
> [ 71.813592][ T8079] evict (fs/inode.c:672)
> [ 71.814368][ T8079] iput.part.0 (fs/inode.c:1741 fs/inode.c:1767)
> [ 71.815242][ T8079] ? __pfx_gfs2_drop_inode (fs/gfs2/super.c:1025)
> [ 71.816287][ T8079] iput (fs/inode.c:1769)
> [ 71.817017][ T8079] dentry_unlink_inode (fs/dcache.c:401)
> [ 71.818015][ T8079] __dentry_kill (fs/dcache.c:606)
> [ 71.818920][ T8079] dput (fs/dcache.c:846 fs/dcache.c:833)
> [ 71.819674][ T8079] shrink_dcache_for_umount (./include/linux/list_bl.h:74 fs/dcache.c:1557)
> [ 71.820782][ T8079] generic_shutdown_super (fs/super.c:620)
> [ 71.821828][ T8079] kill_block_super (fs/super.c:1676)
> [ 71.822766][ T8079] gfs2_kill_sb (fs/gfs2/ops_fstype.c:1805)
> [ 71.823658][ T8079] deactivate_locked_super (fs/super.c:433 fs/super.c:474)
> [ 71.824712][ T8079] deactivate_super (fs/super.c:507)
> [ 71.825633][ T8079] cleanup_mnt (fs/namespace.c:144 fs/namespace.c:1268)
> [ 71.826501][ T8079] task_work_run (kernel/task_work.c:181 (discriminator 1))
> [ 71.827407][ T8079] ? __pfx_task_work_run (kernel/task_work.c:148)
> [ 71.828436][ T8079] ? __put_net (net/core/net_namespace.c:689)
> [ 71.829281][ T8079] do_exit (kernel/exit.c:879)
> [ 71.830111][ T8079] ? __count_memcg_events (mm/memcontrol.c:723 mm/memcontrol.c:962)
> [ 71.831169][ T8079] ? __pfx_do_exit (kernel/exit.c:819)
> [ 71.832055][ T8079] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169)
> [ 71.833161][ T8079] ? zap_other_threads (kernel/signal.c:1390)
> [ 71.834169][ T8079] do_group_exit (kernel/exit.c:1008)
> [ 71.835077][ T8079] __x64_sys_exit_group (kernel/exit.c:1036)
> [ 71.836064][ T8079] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> [ 71.836965][ T8079] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 71.838114][ T8079] RIP: 0033:0x7f5ca99d3146
> [ 71.838990][ T8079] Code: Unable to access opcode bytes at 0x7f5ca99d311c.
>
> Code starting with the faulting instruction
> ===========================================
> [ 71.840378][ T8079] RSP: 002b:00007ffe66c629e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> [ 71.841988][ T8079] RAX: ffffffffffffffda RBX: 00007f5ca9ad88a0 RCX: 00007f5ca99d3146
> [ 71.843542][ T8079] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
> [ 71.845086][ T8079] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
> [ 71.846664][ T8079] R10: 0000000000000002 R11: 0000000000000246 R12: 00007f5ca9ad88a0
> [ 71.848199][ T8079] R13: 0000000000000001 R14: 00007f5ca9ae12e8 R15: 0000000000000000
> [ 71.849736][ T8079] </TASK>
> [ 71.850486][ T8079] Kernel Offset: disabled
> [ 71.851322][ T8079] Rebooting in 86400 seconds..
>
> <repro.c><.config>
>
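The quoted KASAN splat above carries everything needed to classify the access before anyone opens fs/gfs2/rgrp.c: the faulting function, the access kind and size, the object start, the allocated region and the shadow bytes. The script below is an added example for reading such reports and is not part of this thread or of the gfs2 code; the `REPORT` string is an excerpt of the lines quoted above with the `> ` quote prefix stripped, and the parser assumes the standard KASAN slab report wording shown there (the helper names `parse_kasan_report`, `accessible_bytes_from_shadow` and `verdict` are my own).

```python
import re
from dataclasses import dataclass

# Excerpt of the KASAN report quoted in the thread (quote prefix removed).
REPORT = """\
[   71.593005][ T8079] BUG: KASAN: slab-out-of-bounds in gfs2_check_blk_type (fs/gfs2/rgrp.c:153 fs/gfs2/rgrp.c:2638)
[   71.595063][ T8079] Read of size 8 at addr ffff888021a377d0 by task a.out/8079
[   71.721838][ T8079] The buggy address belongs to the object at ffff888021a37780
[   71.721838][ T8079]  which belongs to the cache kmalloc-96 of size 96
[   71.724602][ T8079] The buggy address is located 0 bytes to the right of
[   71.724602][ T8079]  allocated 80-byte region [ffff888021a37780, ffff888021a377d0)
[   71.770679][ T8079] >ffff888021a37780: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
"""

# "[   71.593005][ T8079] " style printk prefix
_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")


def _strip_prefixes(text: str) -> str:
    return "\n".join(_PREFIX.sub("", ln) for ln in text.splitlines())


@dataclass
class KasanAccess:
    bug: str            # e.g. "slab-out-of-bounds"
    func: str           # function the access was reported in
    source: str         # file:line list from the symbolizer
    access: str         # "Read" or "Write"
    size: int           # bytes accessed
    addr: int           # faulting address
    obj_start: int      # start of the slab object
    cache: str          # e.g. "kmalloc-96"
    cache_size: int     # slot size of that cache
    region_start: int   # allocated (requested) region
    region_end: int     # exclusive end of the requested region

    @property
    def offset_in_object(self) -> int:
        return self.addr - self.obj_start

    @property
    def bytes_past_region(self) -> int:
        # how far the access runs beyond the bytes the caller asked for
        return self.addr + self.size - self.region_end

    @property
    def stays_inside_slab_object(self) -> bool:
        # True when the overrun only touches the unused tail of the slot,
        # i.e. it does not reach the neighbouring object
        return self.addr + self.size <= self.obj_start + self.cache_size


def parse_kasan_report(text: str) -> KasanAccess:
    body = _strip_prefixes(text)
    bug = re.search(r"BUG: KASAN: (\S+) in (\w+) \(([^)]*)\)", body)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", body)
    obj = re.search(r"object at ([0-9a-f]+)", body)
    cache = re.search(r"cache (\S+) of size (\d+)", body)
    region = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", body)
    if not all((bug, acc, obj, cache, region)):
        raise ValueError("not a slab KASAN report with the expected lines")
    return KasanAccess(
        bug=bug.group(1), func=bug.group(2), source=bug.group(3),
        access=acc.group(1), size=int(acc.group(2)), addr=int(acc.group(3), 16),
        obj_start=int(obj.group(1), 16),
        cache=cache.group(1), cache_size=int(cache.group(2)),
        region_start=int(region.group(1), 16), region_end=int(region.group(2), 16),
    )


def accessible_bytes_from_shadow(text: str) -> int:
    """Count accessible bytes from the start of the object using the '>' shadow
    line. One shadow byte covers 8 bytes: 00 = all 8 accessible, 01..07 = that
    many leading bytes accessible, 0xf8 and above = poisoned (fc = kmalloc
    redzone, fb = freed object)."""
    body = _strip_prefixes(text)
    m = re.search(r"^>[0-9a-f]+: ((?:[0-9a-f]{2}\s?)+)$", body, re.M)
    if not m:
        raise ValueError("no marked shadow line")
    total = 0
    for sb in (int(x, 16) for x in m.group(1).split()):
        if sb == 0:
            total += 8
            continue
        if 1 <= sb <= 7:
            total += sb
        break
    return total


def verdict(acc: KasanAccess) -> str:
    if acc.bytes_past_region <= 0:
        return "access is inside the allocated region"
    where = ("within the unused tail of the slab slot" if acc.stays_inside_slab_object
             else "into the neighbouring slab object")
    return (f"{acc.access} of {acc.size} bytes at offset {acc.offset_in_object} runs "
            f"{acc.bytes_past_region} byte(s) past an allocated "
            f"{acc.region_end - acc.region_start}-byte region, {where}")


if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print(f"{r.bug} in {r.func} ({r.source})")
    print(verdict(r))
    print("shadow says", accessible_bytes_from_shadow(REPORT), "bytes accessible")
```

For the quoted report this yields an 8-byte read at offset 80 of an 80-byte allocation: the access starts exactly where the requested region ends, which is why the report says "0 bytes to the right". The shadow line independently confirms the 80-byte size (ten `00` granules, then `fc`), and because the object lives in a kmalloc-96 slot the read lands in the 16 bytes of slack rather than in a neighbour, so without KASAN it would silently return stale slab bytes instead of crashing. Cross-checking the shadow count against the region size is a cheap way to spot reports where the two disagree, which usually means the prefix stripping or line selection went wrong.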