lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000819c1d06205b0926@google.com>
Date: Fri, 23 Aug 2024 08:00:33 -0700
From: syzbot <syzbot+f499adf92735b1da225e@...kaller.appspotmail.com>
To: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [fs?] KASAN: stack-out-of-bounds Read in proc_pid_stack (2)

Hello,

syzbot found the following issue on:

HEAD commit:    c562ba719df5 riscv: kexec: Avoid deadlock in kexec crash p..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=1568d6e9980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5d1a27c56011377
dashboard link: https://syzkaller.appspot.com/bug?extid=f499adf92735b1da225e
compiler:       riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-c562ba71.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d9afe016b0e4/vmlinux-c562ba71.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd6f9ae3bf94/Image-c562ba71.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f499adf92735b1da225e@...kaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in walk_stackframe+0x3f0/0x452 arch/riscv/kernel/stacktrace.c:66
Read of size 8 at addr ff20000002fab5e8 by task syz.0.1927/19558

CPU: 1 PID: 19558 Comm: syz.0.1927 Not tainted 6.10.0-rc6-syzkaller-gc562ba719df5 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000f6fc>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85c33fac>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85c8ddfa>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff85c8ddfa>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:114
[<ffffffff85c3e31c>] print_address_description mm/kasan/report.c:377 [inline]
[<ffffffff85c3e31c>] print_report+0x288/0x596 mm/kasan/report.c:488
[<ffffffff8091ece8>] kasan_report+0xec/0x118 mm/kasan/report.c:601
[<ffffffff80920b80>] __asan_report_load8_noabort+0x12/0x1a mm/kasan/report_generic.c:381
[<ffffffff8000f5ec>] walk_stackframe+0x3f0/0x452 arch/riscv/kernel/stacktrace.c:66
[<ffffffff85c90236>] arch_stack_walk+0x1c/0x26 arch/riscv/kernel/stacktrace.c:163
[<ffffffff8030832e>] stack_trace_save_tsk+0x16c/0x1f6 kernel/stacktrace.c:150
[<ffffffff80bd1a68>] proc_pid_stack+0x176/0x27e fs/proc/base.c:458
[<ffffffff80bd2df8>] proc_single_show+0xf0/0x224 fs/proc/base.c:778
[<ffffffff80a61004>] seq_read_iter+0x454/0x1020 fs/seq_file.c:230
[<ffffffff80a61e5c>] seq_read+0x28c/0x350 fs/seq_file.c:162
[<ffffffff809becf6>] vfs_read+0x1b0/0x85c fs/read_write.c:474
[<ffffffff809c098e>] ksys_read+0x12a/0x270 fs/read_write.c:619
[<ffffffff809c0b42>] __do_sys_read fs/read_write.c:629 [inline]
[<ffffffff809c0b42>] __se_sys_read fs/read_write.c:627 [inline]
[<ffffffff809c0b42>] __riscv_sys_read+0x6e/0x94 fs/read_write.c:627
[<ffffffff8000e204>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85c900b4>] do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
[<ffffffff85cb3264>] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

The buggy address belongs to the virtual mapping at
 [ff20000002fa8000, ff20000002fad000) created by:
 kernel_clone+0x11e/0x946 kernel/fork.c:2797

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xacd50
memcg:ff60000015c3cf82
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 0000000000000000 0000000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ff60000015c3cf82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 19550, tgid 19550 (syz.0.1925), ts 6742314481100, free_ts 6709608225100
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x123c/0x27e8 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x1f0/0x213e mm/page_alloc.c:4683
 alloc_pages_mpol_noprof+0xf8/0x48c mm/mempolicy.c:2265
 alloc_pages_noprof+0x174/0x2f0 mm/mempolicy.c:2336
 vm_area_alloc_pages mm/vmalloc.c:3575 [inline]
 __vmalloc_area_node mm/vmalloc.c:3651 [inline]
 __vmalloc_node_range_noprof+0x99a/0x11d6 mm/vmalloc.c:3832
 alloc_thread_stack_node kernel/fork.c:309 [inline]
 dup_task_struct kernel/fork.c:1115 [inline]
 copy_process+0x2c3c/0x6b22 kernel/fork.c:2220
 kernel_clone+0x11e/0x946 kernel/fork.c:2797
 __do_sys_clone+0xe4/0x118 kernel/fork.c:2940
 __se_sys_clone kernel/fork.c:2908 [inline]
 __riscv_sys_clone+0xa0/0x10e kernel/fork.c:2908
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
 ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112
page last free pid 19445 tgid 19439 stack trace:
 __reset_page_owner+0x8c/0x400 mm/page_owner.c:297
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0x59c/0xe9c mm/page_alloc.c:2588
 __free_pages+0x13a/0x1ba mm/page_alloc.c:4770
 vfree+0x1c6/0xb9e mm/vmalloc.c:3355
 kcov_put kernel/kcov.c:429 [inline]
 kcov_put kernel/kcov.c:425 [inline]
 kcov_close+0x44/0x72 kernel/kcov.c:525
 __fput+0x37c/0xa12 fs/file_table.c:422
 ____fput+0x1a/0x24 fs/file_table.c:450
 task_work_run+0x16a/0x25e kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x9ee/0x2896 kernel/exit.c:874
 do_group_exit+0xd4/0x26c kernel/exit.c:1023
 get_signal+0x1e1c/0x232a kernel/signal.c:2909
 arch_do_signal_or_restart+0x8bc/0x1172 arch/riscv/kernel/signal.c:437
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
 do_trap_ecall_u+0x8e/0x214 arch/riscv/kernel/traps.c:345
 ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

Memory state around the buggy address:
 ff20000002fab480: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3
 ff20000002fab500: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ff20000002fab580: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 f3
                                                          ^
 ff20000002fab600: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ff20000002fab680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ