| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202410062215.255fb5b7-oliver.sang@intel.com>
Date: Sun, 6 Oct 2024 22:55:19 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Philipp Hortmann <philipp.g.hortmann@...il.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <bpf@...r.kernel.org>, "Gustavo
A . R . Silva" <gustavo@...eddedor.com>, Andrew Morton
<akpm@...ux-foundation.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Christian Brauner <brauner@...nel.org>, Jakub Kicinski <kuba@...nel.org>,
<linux-kernel@...r.kernel.org>, Philipp Hortmann
<philipp.g.hortmann@...il.com>, <oliver.sang@...el.com>
Subject: Re: [PATCH] include: linux: Fix flex array member not at the end in
bpf_empty_prog_array
Hello,
kernel test robot noticed "BUG:KASAN:global-out-of-bounds_in__cgroup_bpf_check_dev_permission" on:
commit: fa410b506a9aa6faf7277cd478e670670d73a206 ("[PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array")
url: https://github.com/intel-lab-lkp/linux/commits/Philipp-Hortmann/include-linux-Fix-flex-array-member-not-at-the-end-in-bpf_empty_prog_array/20241001-022346
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master
patch link: https://lore.kernel.org/all/20240930181700.22839-1-philipp.g.hortmann@gmail.com/
patch subject: [PATCH] include: linux: Fix flex array member not at the end in bpf_empty_prog_array
in testcase: boot
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
+--------------------------------------------------------------------+------------+------------+
| | 93eeaab456 | fa410b506a |
+--------------------------------------------------------------------+------------+------------+
| BUG:KASAN:global-out-of-bounds_in__cgroup_bpf_check_dev_permission | 0 | 12 |
+--------------------------------------------------------------------+------------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202410062215.255fb5b7-oliver.sang@intel.com
[ 23.682727][ T112] BUG: KASAN: global-out-of-bounds in __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545)
[ 23.683467][ T112] Read of size 8 at addr ffffffffa8495ff8 by task (modprobe)/112
[ 23.684089][ T112]
[ 23.684349][ T112] CPU: 1 UID: 0 PID: 112 Comm: (modprobe) Not tainted 6.11.0-10575-gfa410b506a9a #1
[ 23.685081][ T112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 23.685872][ T112] Call Trace:
[ 23.686179][ T112] <TASK>
[ 23.686457][ T112] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1))
[ 23.686839][ T112] print_address_description+0x2c/0x3a0
[ 23.687351][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545)
[ 23.687856][ T112] print_report (mm/kasan/report.c:489)
[ 23.688241][ T112] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 23.688648][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545)
[ 23.689148][ T112] kasan_report (mm/kasan/report.c:603)
[ 23.689523][ T112] ? __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545)
[ 23.690028][ T112] __cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:49 kernel/bpf/cgroup.c:1545)
[ 23.690524][ T112] ? __pfx_make_vfsuid (fs/mnt_idmapping.c:82)
[ 23.690932][ T112] ? read_word_at_a_time (include/asm-generic/rwonce.h:86)
[ 23.691342][ T112] ? __pfx___cgroup_bpf_check_dev_permission (kernel/bpf/cgroup.c:1534)
[ 23.691867][ T112] ? __pfx_make_vfsuid (fs/mnt_idmapping.c:82)
[ 23.692282][ T112] ? generic_permission (fs/namei.c:353 fs/namei.c:414)
[ 23.692700][ T112] devcgroup_check_permission (security/device_cgroup.c:864)
[ 23.693150][ T112] inode_permission (fs/namei.c:540 fs/namei.c:510)
[ 23.693549][ T112] ? try_to_unlazy (fs/namei.c:793)
[ 23.693941][ T112] may_open (fs/namei.c:3365)
[ 23.694288][ T112] do_open (fs/namei.c:3772)
[ 23.694638][ T112] path_openat (fs/namei.c:3934)
[ 23.695008][ T112] ? __pfx_path_openat (fs/namei.c:3915)
[ 23.695410][ T112] do_filp_open (fs/namei.c:3960)
[ 23.695788][ T112] ? __pfx_do_filp_open (fs/namei.c:3954)
[ 23.696201][ T112] ? alloc_fd (fs/file.c:556 (discriminator 10))
[ 23.696580][ T112] ? getname_flags (include/linux/audit.h:316)
[ 23.697003][ T112] do_sys_openat2 (fs/open.c:1415)
[ 23.697390][ T112] ? __pfx_do_sys_openat2 (fs/open.c:1401)
[ 23.697810][ T112] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
[ 23.698231][ T112] ? sched_clock (arch/x86/include/asm/preempt.h:94 arch/x86/kernel/tsc.c:285)
[ 23.698602][ T112] ? sched_clock_cpu (kernel/sched/clock.c:394)
[ 23.698999][ T112] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91)
[ 23.699420][ T112] ? sched_clock (arch/x86/include/asm/preempt.h:94 arch/x86/kernel/tsc.c:285)
[ 23.699793][ T112] ? sched_clock_cpu (kernel/sched/clock.c:394)
[ 23.700190][ T112] __x64_sys_openat (fs/open.c:1441)
[ 23.700608][ T112] ? __pfx_sched_clock_cpu (kernel/sched/clock.c:389)
[ 23.701030][ T112] ? __pfx___x64_sys_openat (fs/open.c:1441)
[ 23.701462][ T112] ? kmem_cache_free (mm/slub.c:2308 mm/slub.c:4580 mm/slub.c:4682)
[ 23.701869][ T112] ? irqtime_account_irq (kernel/sched/cputime.c:64)
[ 23.702291][ T112] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 23.702666][ T112] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 23.703132][ T112] RIP: 0033:0x7efe9635df01
[ 23.703505][ T112] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ea 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
All code
========
0: 75 57 jne 0x59
2: 89 f0 mov %esi,%eax
4: 25 00 00 41 00 and $0x410000,%eax
9: 3d 00 00 41 00 cmp $0x410000,%eax
e: 74 49 je 0x59
10: 80 3d ea 26 0e 00 00 cmpb $0x0,0xe26ea(%rip) # 0xe2701
17: 74 6d je 0x86
19: 89 da mov %ebx,%edx
1b: 48 89 ee mov %rbp,%rsi
1e: bf 9c ff ff ff mov $0xffffff9c,%edi
23: b8 01 01 00 00 mov $0x101,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 0f 87 93 00 00 00 ja 0xc9
36: 48 8b 54 24 28 mov 0x28(%rsp),%rdx
3b: 64 fs
3c: 48 rex.W
3d: 2b .byte 0x2b
3e: 14 25 adc $0x25,%al
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 0f 87 93 00 00 00 ja 0x9f
c: 48 8b 54 24 28 mov 0x28(%rsp),%rdx
11: 64 fs
12: 48 rex.W
13: 2b .byte 0x2b
14: 14 25 adc $0x25,%al
[ 23.704934][ T112] RSP: 002b:00007ffdf04d5790 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 23.705595][ T112] RAX: ffffffffffffffda RBX: 0000000000000100 RCX: 00007efe9635df01
[ 23.708307][ T112] RDX: 0000000000000100 RSI: 00007efe968bd74b RDI: 00000000ffffff9c
[ 23.708942][ T112] RBP: 00007efe968bd74b R08: 0000000000000007 R09: 000055d1f2bf6cc0
[ 23.709571][ T112] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d1f2bf6cc0
[ 23.710203][ T112] R13: 000055d1f2b45540 R14: 00007ffdf04d5d50 R15: 000055d1f2b42520
[ 23.710833][ T112] </TASK>
[ 23.711116][ T112]
[ 23.711351][ T112] The buggy address belongs to the variable:
[ 23.711816][ T112] bpf_empty_prog_array+0x18/0x40
[ 23.712227][ T112]
[ 23.712471][ T112] The buggy address belongs to the physical page:
[ 23.712963][ T112] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17e695
[ 23.713649][ T112] flags: 0x17ffffc0002000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 23.714299][ T112] raw: 0017ffffc0002000 ffffea0005f9a548 ffffea0005f9a548 0000000000000000
[ 23.714968][ T112] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 23.715641][ T112] page dumped because: kasan: bad access detected
[ 23.716134][ T112] page_owner info is not present (never set?)
[ 23.716613][ T112]
[ 23.716851][ T112] Memory state around the buggy address:
[ 23.717296][ T112] ffffffffa8495e80: 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
[ 23.717932][ T112] ffffffffa8495f00: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
[ 23.718573][ T112] >ffffffffa8495f80: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9
[ 23.719207][ T112] ^
[ 23.719841][ T112] ffffffffa8496000: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
[ 23.720480][ T112] ffffffffa8496080: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
[ 23.721119][ T112] ==================================================================
[ 23.721795][ T112] Disabling lock debugging due to kernel taint
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241006/202410062215.255fb5b7-oliver.sang@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Powered by blists - more mailing lists