lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 2 Jul 2024 16:29:15 +0200
From: Andrey Konovalov <andreyknvl@...il.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc: syzbot <syzbot+e9be5674af5e3a0b9ecc@...kaller.appspotmail.com>, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, 
	kasan-dev <kasan-dev@...glegroups.com>, linux-mm <linux-mm@...ck.org>, bp@...en8.de, 
	dave.hansen@...ux.intel.com, hpa@...or.com, mingo@...hat.com, 
	tglx@...utronix.de, x86@...nel.org
Subject: Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)

On Tue, Jul 2, 2024 at 8:11 AM Tetsuo Handa
<penguin-kernel@...ove.sakura.ne.jp> wrote:
>
> Well, KASAN says "out-of-bounds". But the reported address
>
>   BUG: KASAN: stack-out-of-bounds in __show_regs+0x172/0x610
>   Read of size 8 at addr ffffc90003c4f798 by task kworker/u8:5/234
>
> is within the kernel stack memory mapping
>
>   The buggy address belongs to the virtual mapping at
>    [ffffc90003c48000, ffffc90003c51000) created by:
>    copy_process+0x5d1/0x3d7
>
> . Why is this "out-of-bounds" ? What boundary did KASAN compare with?
> Is this just a race of KASAN detecting a problem and KASAN reporting
> that problem? (But as I explained above, it is unlikely that the thread
> to be reported can die while processing report_rtnl_holders()...)

KASAN creates the bug title based on the memory state byte, it doesn't
compare any boundaries. So if the memory state got
corrupted/out-of-sync, the title can end up arbitrary. In this case,
the bad access likely touched a redzone between stack variables, so
KASAN reported out-of-bounds.

Since syzbot managed to find a reproducer for this bug, you can ask it
to run the reproducer with additional testing patches to check various
hypotheses [1]. Perhaps, you can write a magic value into task_struct
(or into pt_regs of the task?) in get_rtnl_holder() before saving the
task_struct reference, and then check that marker value in
report_rtnl_holders() before doing sched_show_task(). Depending of
whether the check succeeds, this will give additional information.

One other thing that comes to mind with regards to your patch: if the
task is still executing, the location of things on its stack might
change due to CONFIG_RANDOMIZE_KSTACK_OFFSET while you're printing the
task info. However, if the task is sleeping on a lock, this shouldn't
happen... But maybe a task can wake up during sched_show_task() and
start handling a new syscall? Just some guesses.

[1] https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ