| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e045dcff-a6cd-4110-83e0-6fc2a56d0413@I-love.SAKURA.ne.jp>
Date: Tue, 2 Jul 2024 16:05:19 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Andrey Konovalov <andreyknvl@...il.com>
Cc: syzbot <syzbot+e9be5674af5e3a0b9ecc@...kaller.appspotmail.com>,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
kasan-dev <kasan-dev@...glegroups.com>, linux-mm <linux-mm@...ck.org>,
bp@...en8.de, dave.hansen@...ux.intel.com, hpa@...or.com,
mingo@...hat.com, tglx@...utronix.de, x86@...nel.org
Subject: Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs
(2)
On 2024/07/02 15:11, Tetsuo Handa wrote:
> Well, KASAN says "out-of-bounds". But the reported address
>
> BUG: KASAN: stack-out-of-bounds in __show_regs+0x172/0x610
> Read of size 8 at addr ffffc90003c4f798 by task kworker/u8:5/234
>
> is within the kernel stack memory mapping
>
> The buggy address belongs to the virtual mapping at
> [ffffc90003c48000, ffffc90003c51000) created by:
> copy_process+0x5d1/0x3d7
>
> . Why is this "out-of-bounds" ? What boundary did KASAN compare with?
I think I found a hint. The KASAN message is printed when the call trace
starts with
__schedule()
preempt_schedule_irq()
irqentry_exit()
. That is, when preemption happens, KASAN by error tries to compare with
unintended stack boundary?
[ 504.507489][ C0] DEBUG: holding rtnl_mutex for 3212 jiffies.
[ 504.513708][ C0] task:kworker/u8:5 state:R running task stack:19992 pid:340 tgid:340 ppid:2 flags:0x00004000
[ 504.525827][ C0] Workqueue: netns cleanup_net
[ 504.530890][ C0] Call Trace:
[ 504.534213][ C0] <TASK>
[ 504.537244][ C0] __schedule+0x17e8/0x4a20
[ 504.541874][ C0] ? mark_lock+0x9a/0x360
[ 504.546279][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 504.552396][ C0] ? __virt_addr_valid+0x183/0x520
[ 504.557711][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 504.564121][ C0] ? lock_release+0xbf/0x9f0
[ 504.568918][ C0] ? __pfx___schedule+0x10/0x10
[ 504.573835][ C0] ? lockdep_hardirqs_on+0x99/0x150
[ 504.579189][ C0] ? mark_lock+0x9a/0x360
[ 504.583592][ C0] preempt_schedule_irq+0xfb/0x1c0
[ 504.588984][ C0] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 504.594785][ C0] irqentry_exit+0x5e/0x90
[ 504.599421][ C0] asm_sysvec_reschedule_ipi+0x1a/0x20
[ 463.514954][ C1] DEBUG: holding rtnl_mutex for 993 jiffies.
[ 463.528845][ C1] task:kworker/u8:10 state:R running task stack:19856 pid:5725 tgid:5725 ppid:2 flags:0x00004000
[ 463.536743][ T9938] rock: corrupted directory entry. extent=41, offset=65536, size=8
[ 463.540652][ C1] Workqueue: netns cleanup_net
[ 463.553421][ C1] Call Trace:
[ 463.556740][ C1] <TASK>
[ 463.559706][ C1] __schedule+0x17e8/0x4a20
[ 463.564304][ C1] ? __pfx_validate_chain+0x10/0x10
[ 463.569611][ C1] ? __pfx___schedule+0x10/0x10
[ 463.574628][ C1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 463.580760][ C1] ? preempt_schedule_irq+0xf0/0x1c0
[ 463.586149][ C1] preempt_schedule_irq+0xfb/0x1c0
[ 463.591401][ C1] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 463.597269][ C1] irqentry_exit+0x5e/0x90
[ 463.601834][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1558.178669][ C1] DEBUG: holding rtnl_mutex for 536 jiffies.
[ 1558.184806][ C1] task:syz-executor.3 state:R running task stack:25968 pid:6351 tgid:6345 ppid:6200 flags:0x00004006
[ 1558.196699][ C1] Call Trace:
[ 1558.200068][ C1] <TASK>
[ 1558.203055][ C1] __schedule+0x17e8/0x4a20
[ 1558.207638][ C1] ? __pfx___schedule+0x10/0x10
[ 1558.212585][ C1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 1558.218675][ C1] ? preempt_schedule_irq+0xf0/0x1c0
[ 1558.224004][ C1] preempt_schedule_irq+0xfb/0x1c0
[ 1558.229196][ C1] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 1558.234986][ C1] irqentry_exit+0x5e/0x90
[ 1558.239503][ C1] asm_sysvec_reschedule_ipi+0x1a/0x20
[ 1104.439430][ C0] DEBUG: holding rtnl_mutex for 578 jiffies.
[ 1104.445729][ C0] task:kworker/u8:3 state:R running task stack:18544 pid:53 tgid:53 ppid:2 flags:0x00004000
[ 1104.459070][ C0] Workqueue: netns cleanup_net
[ 1104.464170][ C0] Call Trace:
[ 1104.467478][ C0] <TASK>
[ 1104.470481][ C0] __schedule+0x17e8/0x4a20
[ 1104.476080][ C0] ? mark_lock+0x9a/0x360
[ 1104.480776][ C0] ? __lock_acquire+0x1359/0x2000
[ 1104.486043][ C0] ? __pfx___schedule+0x10/0x10
[ 1104.490987][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 1104.497017][ C0] ? preempt_schedule_irq+0xf0/0x1c0
[ 1104.502486][ C0] preempt_schedule_irq+0xfb/0x1c0
[ 1104.507809][ C0] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 1104.514030][ C0] irqentry_exit+0x5e/0x90
[ 1104.518689][ C0] asm_sysvec_reschedule_ipi+0x1a/0x20
[ 926.207053][ C1] DEBUG: holding rtnl_mutex for 517 jiffies.
[ 926.213142][ C1] task:syz.1.1365 state:R running task stack:24672 pid:11152 tgid:11152 ppid:10992 flags:0x00004006
[ 926.225053][ C1] Call Trace:
[ 926.228434][ C1] <TASK>
[ 926.231441][ C1] __schedule+0x17e8/0x4a20
[ 926.236054][ C1] ? __pfx___schedule+0x10/0x10
[ 926.241130][ C1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 926.247265][ C1] ? kasan_save_track+0x51/0x80
[ 926.252225][ C1] ? preempt_schedule_irq+0xf0/0x1c0
[ 926.257705][ C1] preempt_schedule_irq+0xfb/0x1c0
[ 926.262899][ C1] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 926.268725][ C1] ? __pfx_pfifo_fast_destroy+0x10/0x10
[ 926.274379][ C1] irqentry_exit+0x5e/0x90
[ 926.278903][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 940.917894][ C0] DEBUG: holding rtnl_mutex for 1611 jiffies.
[ 940.924066][ C0] task:syz.2.2274 state:R running task stack:24336 pid:15954 tgid:15954 ppid:14850 flags:0x00004006
[ 940.936192][ C0] Call Trace:
[ 940.939550][ C0] <TASK>
[ 940.942540][ C0] __schedule+0x17e8/0x4a20
[ 940.947134][ C0] ? __pfx___schedule+0x10/0x10
[ 940.952070][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 940.958362][ C0] ? kasan_save_track+0x51/0x80
[ 940.963266][ C0] ? preempt_schedule_irq+0xf0/0x1c0
[ 940.968628][ C0] preempt_schedule_irq+0xfb/0x1c0
[ 940.973790][ C0] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 940.979610][ C0] ? __pfx_pfifo_fast_destroy+0x10/0x10
[ 940.985227][ C0] irqentry_exit+0x5e/0x90
[ 940.989731][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 2120.744289][ C1] DEBUG: holding rtnl_mutex for 1675 jiffies.
[ 2120.750440][ C1] task:syz-executor state:R running task stack:20288 pid:2431 tgid:2431 ppid:1 flags:0x00004006
[ 2120.762291][ C1] Call Trace:
[ 2120.765647][ C1] <TASK>
[ 2120.768615][ C1] __schedule+0x17e8/0x4a20
[ 2120.773210][ C1] ? __pfx___schedule+0x10/0x10
[ 2120.778152][ C1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 2120.784188][ C1] ? kasan_save_track+0x51/0x80
[ 2120.789118][ C1] ? preempt_schedule_irq+0xf0/0x1c0
[ 2120.794445][ C1] preempt_schedule_irq+0xfb/0x1c0
[ 2120.799621][ C1] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 2120.805378][ C1] ? kvm_kick_cpu+0x26/0xb0
[ 2120.809965][ C1] irqentry_exit+0x5e/0x90
[ 2120.814423][ C1] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 1465.514982][ C1] DEBUG: holding rtnl_mutex for 583 jiffies.
[ 1465.521071][ C1] task:kworker/u8:2 state:R running task stack:20232 pid:35 tgid:35 ppid:2 flags:0x00004000
[ 1465.532945][ C1] Workqueue: netns cleanup_net
[ 1465.537846][ C1] Call Trace:
[ 1465.541164][ C1] <TASK>
[ 1465.544132][ C1] __schedule+0x17e8/0x4a20
[ 1465.548730][ C1] ? mark_lock+0x9a/0x360
[ 1465.553148][ C1] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 1465.559257][ C1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 1465.565697][ C1] ? __pfx___schedule+0x10/0x10
[ 1465.570636][ C1] ? lockdep_hardirqs_on+0x99/0x150
[ 1465.575968][ C1] ? mark_lock+0x9a/0x360
[ 1465.580381][ C1] preempt_schedule_irq+0xfb/0x1c0
[ 1465.585599][ C1] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 1465.591383][ C1] irqentry_exit+0x5e/0x90
[ 1465.595895][ C1] asm_sysvec_reschedule_ipi+0x1a/0x20
Powered by blists - more mailing lists