Message-ID: <CACT4Y+ZTMyd4SZQRuTSwHSNY_ZxuZOk90ekMJLhzerJ-3wzROQ@mail.gmail.com>
Date: Thu, 26 Sep 2024 09:04:55 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, 
	syzkaller <syzkaller@...glegroups.com>, Marco Elver <elver@...gle.com>, 
	Alexander Potapenko <glider@...gle.com>
Cc: syzbot <syzbot+d5db198a0f40411f24c3@...kaller.appspotmail.com>, 
	syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org
Subject: Re: [syzbot] upstream test error: BUG: stack guard page was hit in corrupted

On Thu, 26 Sept 2024 at 08:48, Dmitry Vyukov <dvyukov@...gle.com> wrote:
>
> On Mon, 23 Sept 2024 at 16:04, Tetsuo Handa
> <penguin-kernel@...ove.sakura.ne.jp> wrote:
> >
> > This bug suggests code added by commit 6cd0dd934b03 ("kcov: Add interrupt handling self test").
> >
> > The location that triggers page fault looks like
> >
> >   pos = READ_ONCE(area[0]) + 1;
> >
> > in __sanitizer_cov_trace_pc().
> > When is t->kcov_area initialized with appropriate buffer
> > after selftest() does current->kcov_mode = KCOV_MODE_TRACE_PC ?
> >
> > At commit de5cb0dcb74c ("Merge branch 'address-masking'"):
> > $ ./scripts/faddr2line vmlinux-de5cb0dc asm_exc_page_fault+0x26/0x30 sched_clock+0xb/0x60 __sanitizer_cov_trace_pc+0x53/0x70 sched_clock+0xb/0x60 lock_pin_lock+0x1a9/0x2d0 preempt_schedule_irq+0x51/0x90 __schedule+0x2f2/0x5920 lockdep_hardirqs_on+0x7c/0x110 preempt_schedule_thunk+0x1a/0x30 preempt_schedule_common+0x44/0xc0 preempt_schedule_thunk+0x1a/0x30 __pfx___schedule+0x10/0x10 vprintk_emit+0x39e/0x6f0 __pfx_vprintk_emit+0x10/0x10 __debugfs_create_file+0x40e/0x660 __pfx_lock_release+0x10/0x10 preempt_schedule_irq+0x51/0x90 irqentry_exit+0x36/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __wake_up_klogd.part.0+0x99/0xf0 vprintk+0x86/0xa0 kcov_init+0xcc/0x120 kcov_init+0xb3/0x120
> > asm_exc_page_fault+0x26/0x30:
> > asm_exc_page_fault at arch/x86/include/asm/idtentry.h:623
> >
> > sched_clock+0xb/0x60:
> > __preempt_count_add at arch/x86/include/asm/preempt.h:79
> > (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
> >
> > __sanitizer_cov_trace_pc+0x53/0x70:
> > __sanitizer_cov_trace_pc at kernel/kcov.c:222
> >
> > sched_clock+0xb/0x60:
> > __preempt_count_add at arch/x86/include/asm/preempt.h:79
> > (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
> >
> > lock_pin_lock+0x1a9/0x2d0:
> > __lock_pin_lock at kernel/locking/lockdep.c:5593
> > (inlined by) lock_pin_lock at kernel/locking/lockdep.c:5915
> >
> > preempt_schedule_irq+0x51/0x90:
> > native_save_fl at arch/x86/include/asm/irqflags.h:26
> > (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> > (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> > (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
> >
> > __schedule+0x2f2/0x5920:
> > __schedule at kernel/sched/core.c:6579
> >
> > lockdep_hardirqs_on+0x7c/0x110:
> > lockdep_hardirqs_on at kernel/locking/lockdep.c:4465
> >
> > preempt_schedule_thunk+0x1a/0x30:
> > preempt_schedule_thunk at arch/x86/entry/thunk.S:12
> >
> > preempt_schedule_common+0x44/0xc0:
> > __preempt_count_sub at arch/x86/include/asm/preempt.h:84
> > (inlined by) preempt_schedule_common at kernel/sched/core.c:6855
> >
> > preempt_schedule_thunk+0x1a/0x30:
> > preempt_schedule_thunk at arch/x86/entry/thunk.S:12
> >
> > __pfx___schedule+0x10/0x10:
> > __schedule at kernel/sched/core.c:6533
> >
> > vprintk_emit+0x39e/0x6f0:
> > vprintk_emit at kernel/printk/printk.c:2356
> >
> > __pfx_vprintk_emit+0x10/0x10:
> > vprintk_emit at kernel/printk/printk.c:2356
> >
> > __debugfs_create_file+0x40e/0x660:
> > end_creating at fs/debugfs/inode.c:409
> > (inlined by) __debugfs_create_file at fs/debugfs/inode.c:450
> >
> > __pfx_lock_release+0x10/0x10:
> > lock_release at kernel/locking/lockdep.c:5830
> >
> > preempt_schedule_irq+0x51/0x90:
> > native_save_fl at arch/x86/include/asm/irqflags.h:26
> > (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> > (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> > (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
> >
> > irqentry_exit+0x36/0x90:
> > irqentry_exit at kernel/entry/common.c:357
> >
> > asm_sysvec_apic_timer_interrupt+0x1a/0x20:
> > asm_sysvec_apic_timer_interrupt at arch/x86/include/asm/idtentry.h:702
> >
> > __wake_up_klogd.part.0+0x99/0xf0:
> > __wake_up_klogd at kernel/printk/printk.c:4495
> >
> > vprintk+0x86/0xa0:
> > vprintk at kernel/printk/printk_safe.c:69
> >
> > kcov_init+0xcc/0x120:
> > selftest at kernel/kcov.c:1090
> > (inlined by) kcov_init at kernel/kcov.c:1117
> >
> > kcov_init+0xb3/0x120:
> > selftest at kernel/kcov.c:1088
> > (inlined by) kcov_init at kernel/kcov.c:1117
>
>
> The call chain here seems to be:
>
> asm_sysvec_apic_timer_interrupt
>
> irqentry_exit (calls next function inside of instrumentation_begin/end
> thus undetected statically)
> irqentry_exit_cond_resched
> raw_irqentry_exit_cond_resched
> preempt_schedule_irq
> [some locking function]
> lock_pin_lock
> sched_clock
> __sanitizer_cov_trace_pc
> [BOOM]
>
> All functions in the scheduler and lockdep (preempt_schedule_irq,
> lock_pin_lock) are not instrumented due to KCOV_INSTRUMENT := n in
> Makefiles.
>
> But sched_clock is instrumented. It has notrace, but no noinstr.
>
> Should notrace imply noinstr? Or should we mark sched_clock as noinstr as well?

We shouldn't mark sched_clock as noinstr b/c there is already
sched_clock_noinstr.
So another option is to call sched_clock_noinstr from lock_pin_lock,
which looks reasonable.

So far I can't reproduce this locally.


> > On 2024/09/19 7:23, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    4a39ac5b7d62 Merge tag 'random-6.12-rc1-for-linus' of git:..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=153e7fc7980000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c78e7c8f41d443e6
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=d5db198a0f40411f24c3
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

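The publication order the thread asks about (kcov_mode becoming TRACE_PC while kcov_area is not yet backed by a buffer, and a hook reachable from the interrupt-exit path), modelled in userspace as an added example; this is not kernel code or code from this thread. Field and function names mirror kernel/kcov.c, but the interrupt-in-the-window simulation, the return codes and the scenario() helper are illustrative assumptions.

```c
enum kcov_mode { KCOV_MODE_DISABLED = 0, KCOV_MODE_TRACE_PC = 2 };

struct task {                   /* the kcov fields of task_struct (model only) */
    enum kcov_mode kcov_mode;
    unsigned long *kcov_area;   /* area[0] = count, area[1..] = recorded PCs */
    unsigned int kcov_size;
};

#define barrier() __asm__ __volatile__("" ::: "memory")
/* Model of __sanitizer_cov_trace_pc(): returns -1 where the kernel faults. */
static int trace_pc(struct task *t, unsigned long pc)
{
    enum kcov_mode mode = t->kcov_mode;
    barrier();                  /* load-acquire wrt interrupts, as in kcov */
    if (mode != KCOV_MODE_TRACE_PC) return 0;   /* not collecting: ignored */
    unsigned long *area = t->kcov_area;
    if (!area) return -1;       /* READ_ONCE(area[0]) on an unmapped area */
    unsigned long pos = area[0] + 1;
    if (pos >= t->kcov_size) return 0;          /* buffer full: dropped */
    area[pos] = pc;
    area[0] = pos;
    return 1;
}

/* Enable collection with the two stores in either order. The timer interrupt
 * from the report (irqentry_exit -> preempt_schedule_irq -> lock_pin_lock ->
 * sched_clock -> hook) is modelled by calling the hook between the stores. */
static int kcov_start(struct task *t, unsigned long *area, unsigned int size, int area_first)
{
    int irq_hit;
    if (area_first) { t->kcov_area = area; t->kcov_size = size; }
    else            t->kcov_mode = KCOV_MODE_TRACE_PC;
    barrier();                  /* kcov_start() pairs this with the hook's */
    irq_hit = trace_pc(t, 0x1000);   /* the interrupt lands here */
    if (area_first) t->kcov_mode = KCOV_MODE_TRACE_PC;
    else            { t->kcov_area = area; t->kcov_size = size; }
    return irq_hit;
}

/* One scenario on a fresh task and buffer: -1 if the in-window hit would have
 * faulted, otherwise the number of PCs a later task-context hit recorded. */
static int scenario(int area_first)
{
    struct task t = {0};
    unsigned long area[8] = {0};
    if (kcov_start(&t, area, 8, area_first) < 0) return -1;
    trace_pc(&t, 0x2000);
    return (int)area[0];
}
```

With the area published first the in-window hit is ignored and the later hit is recorded; with the mode published first the in-window hit dereferences a NULL area, which is the fault the report shows.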