| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000000000000819c1d06205b0926@google.com>
Date: Fri, 23 Aug 2024 08:00:33 -0700
From: syzbot <syzbot+f499adf92735b1da225e@...kaller.appspotmail.com>
To: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: [syzbot] [fs?] KASAN: stack-out-of-bounds Read in proc_pid_stack (2)
Hello,
syzbot found the following issue on:
HEAD commit: c562ba719df5 riscv: kexec: Avoid deadlock in kexec crash p..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=1568d6e9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=f5d1a27c56011377
dashboard link: https://syzkaller.appspot.com/bug?extid=f499adf92735b1da225e
compiler: riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-c562ba71.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d9afe016b0e4/vmlinux-c562ba71.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd6f9ae3bf94/Image-c562ba71.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f499adf92735b1da225e@...kaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in walk_stackframe+0x3f0/0x452 arch/riscv/kernel/stacktrace.c:66
Read of size 8 at addr ff20000002fab5e8 by task syz.0.1927/19558
CPU: 1 PID: 19558 Comm: syz.0.1927 Not tainted 6.10.0-rc6-syzkaller-gc562ba719df5 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000f6fc>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85c33fac>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85c8ddfa>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff85c8ddfa>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:114
[<ffffffff85c3e31c>] print_address_description mm/kasan/report.c:377 [inline]
[<ffffffff85c3e31c>] print_report+0x288/0x596 mm/kasan/report.c:488
[<ffffffff8091ece8>] kasan_report+0xec/0x118 mm/kasan/report.c:601
[<ffffffff80920b80>] __asan_report_load8_noabort+0x12/0x1a mm/kasan/report_generic.c:381
[<ffffffff8000f5ec>] walk_stackframe+0x3f0/0x452 arch/riscv/kernel/stacktrace.c:66
[<ffffffff85c90236>] arch_stack_walk+0x1c/0x26 arch/riscv/kernel/stacktrace.c:163
[<ffffffff8030832e>] stack_trace_save_tsk+0x16c/0x1f6 kernel/stacktrace.c:150
[<ffffffff80bd1a68>] proc_pid_stack+0x176/0x27e fs/proc/base.c:458
[<ffffffff80bd2df8>] proc_single_show+0xf0/0x224 fs/proc/base.c:778
[<ffffffff80a61004>] seq_read_iter+0x454/0x1020 fs/seq_file.c:230
[<ffffffff80a61e5c>] seq_read+0x28c/0x350 fs/seq_file.c:162
[<ffffffff809becf6>] vfs_read+0x1b0/0x85c fs/read_write.c:474
[<ffffffff809c098e>] ksys_read+0x12a/0x270 fs/read_write.c:619
[<ffffffff809c0b42>] __do_sys_read fs/read_write.c:629 [inline]
[<ffffffff809c0b42>] __se_sys_read fs/read_write.c:627 [inline]
[<ffffffff809c0b42>] __riscv_sys_read+0x6e/0x94 fs/read_write.c:627
[<ffffffff8000e204>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85c900b4>] do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
[<ffffffff85cb3264>] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112
The buggy address belongs to the virtual mapping at
[ff20000002fa8000, ff20000002fad000) created by:
kernel_clone+0x11e/0x946 kernel/fork.c:2797
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xacd50
memcg:ff60000015c3cf82
flags: 0xffe000000000000(node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000000000 0000000000000000 0000000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ff60000015c3cf82
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 19550, tgid 19550 (syz.0.1925), ts 6742314481100, free_ts 6709608225100
__set_page_owner+0xa2/0x70c mm/page_owner.c:320
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1473
prep_new_page mm/page_alloc.c:1481 [inline]
get_page_from_freelist+0x123c/0x27e8 mm/page_alloc.c:3425
__alloc_pages_noprof+0x1f0/0x213e mm/page_alloc.c:4683
alloc_pages_mpol_noprof+0xf8/0x48c mm/mempolicy.c:2265
alloc_pages_noprof+0x174/0x2f0 mm/mempolicy.c:2336
vm_area_alloc_pages mm/vmalloc.c:3575 [inline]
__vmalloc_area_node mm/vmalloc.c:3651 [inline]
__vmalloc_node_range_noprof+0x99a/0x11d6 mm/vmalloc.c:3832
alloc_thread_stack_node kernel/fork.c:309 [inline]
dup_task_struct kernel/fork.c:1115 [inline]
copy_process+0x2c3c/0x6b22 kernel/fork.c:2220
kernel_clone+0x11e/0x946 kernel/fork.c:2797
__do_sys_clone+0xe4/0x118 kernel/fork.c:2940
__se_sys_clone kernel/fork.c:2908 [inline]
__riscv_sys_clone+0xa0/0x10e kernel/fork.c:2908
syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112
page last free pid 19445 tgid 19439 stack trace:
__reset_page_owner+0x8c/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1093 [inline]
free_unref_page+0x59c/0xe9c mm/page_alloc.c:2588
__free_pages+0x13a/0x1ba mm/page_alloc.c:4770
vfree+0x1c6/0xb9e mm/vmalloc.c:3355
kcov_put kernel/kcov.c:429 [inline]
kcov_put kernel/kcov.c:425 [inline]
kcov_close+0x44/0x72 kernel/kcov.c:525
__fput+0x37c/0xa12 fs/file_table.c:422
____fput+0x1a/0x24 fs/file_table.c:450
task_work_run+0x16a/0x25e kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x9ee/0x2896 kernel/exit.c:874
do_group_exit+0xd4/0x26c kernel/exit.c:1023
get_signal+0x1e1c/0x232a kernel/signal.c:2909
arch_do_signal_or_restart+0x8bc/0x1172 arch/riscv/kernel/signal.c:437
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x2a6/0x31e kernel/entry/common.c:218
do_trap_ecall_u+0x8e/0x214 arch/riscv/kernel/traps.c:345
ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112
Memory state around the buggy address:
ff20000002fab480: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3
ff20000002fab500: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ff20000002fab580: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 f3
^
ff20000002fab600: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
ff20000002fab680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Powered by blists - more mailing lists