lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1df448bd-7e22-408a-807a-4f4a6c679915@I-love.SAKURA.ne.jp>
Date: Wed, 3 Jul 2024 00:21:08 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Andrey Konovalov <andreyknvl@...il.com>
Cc: syzbot <syzbot+e9be5674af5e3a0b9ecc@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        kasan-dev <kasan-dev@...glegroups.com>, linux-mm <linux-mm@...ck.org>,
        bp@...en8.de, dave.hansen@...ux.intel.com, hpa@...or.com,
        mingo@...hat.com, tglx@...utronix.de, x86@...nel.org
Subject: Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs
 (2)

On 2024/07/02 23:29, Andrey Konovalov wrote:
> One other thing that comes to mind with regards to your patch: if the
> task is still executing, the location of things on its stack might
> change due to CONFIG_RANDOMIZE_KSTACK_OFFSET while you're printing the
> task info. However, if the task is sleeping on a lock, this shouldn't
> happen... But maybe a task can wake up during sched_show_task() and
> start handling a new syscall? Just some guesses.

https://syzkaller.appspot.com/bug?extid=d7491e9e156404745fbb says that
this bug happens without my patch. It seems that this bug happens when
printing registers of a preempted thread. 5.15 kernel does not have
CONFIG_RANDOMIZE_KSTACK_OFFSET config option, but

  __schedule()
  preempt_schedule_irq()
  irqentry_exit_cond_resched()
  irqentry_exit()

pattern in 5.15 resembles

  __schedule()
  preempt_schedule_irq()
  irqentry_exit()

pattern in linux-next.

[ 1008.224617][T14487] task:syz-executor.1  state:R  running task     stack:22256 pid:14483 ppid:   434 flags:0x00004000
[ 1008.224656][T14487] Call Trace:
[ 1008.224661][T14487]  <TASK>
[ 1008.224669][T14487]  __schedule+0xcbe/0x1580
[ 1008.224689][T14487]  ? __sched_text_start+0x8/0x8
[ 1008.224709][T14487]  ? ttwu_do_activate+0x15d/0x280
[ 1008.224732][T14487]  ? _raw_spin_unlock_irqrestore+0x5c/0x80
[ 1008.224758][T14487]  preempt_schedule_irq+0xc7/0x140
[ 1008.224781][T14487]  ? __cond_resched+0x20/0x20
[ 1008.224802][T14487]  ? try_invoke_on_locked_down_task+0x2a0/0x2a0
[ 1008.224829][T14487]  irqentry_exit_cond_resched+0x2a/0x30
[ 1008.224851][T14487]  irqentry_exit+0x30/0x40
[ 1008.224874][T14487]  sysvec_apic_timer_interrupt+0x55/0xc0
[ 1008.224900][T14487]  asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ 1008.224923][T14487] RIP: 0010:preempt_schedule_thunk+0x5/0x18
[ 1008.224950][T14487] Code: fd 85 db 0f 84 98 00 00 00 44 8d 73 01 44 89 f6 09 de bf ff ff ff ff e8 47 e4 8f fd 41 09 de 0f 88 88 00 00 00 e8 89 e0 8f fd <4c> 89 e0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 84
[ 1008.224970][T14487] RSP: 0000:0000000000000001 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
[ 1008.224991][T14487] RAX: ffff88811532d948 RBX: ffffc900072ef560 RCX: ffffc900077e7680
[ 1008.225009][T14487] RDX: ffffc900072ef5b0 RSI: ffffffff8100817a RDI: dffffc0000000001
[ 1008.225027][T14487] RBP: 0000000000000001 R08: ffff88811532d948 R09: ffffc900077e7690
[ 1008.225043][T14487] R10: 1ffff92000efced2 R11: ffffffff84bfe126 R12: ffffc900077e7680
[ 1008.225062][T14487] ==================================================================
[ 1008.225071][T14487] BUG: KASAN: stack-out-of-bounds in __show_regs+0x252/0x4d0
[ 1008.225098][T14487] Read of size 8 at addr ffffc900072ef4f8 by task syz-executor.3/14487
[ 1008.225117][T14487] 
[ 1008.225123][T14487] CPU: 0 PID: 14487 Comm: syz-executor.3 Not tainted 5.15.118-syzkaller-01748-g241da2ad5601 #0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ