Message-ID: <202410281441.216670ac-lkp@intel.com>
Date: Mon, 28 Oct 2024 15:05:33 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Suren Baghdasaryan <surenb@...gle.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, Andrew Morton
	<akpm@...ux-foundation.org>, Pasha Tatashin <pasha.tatashin@...een.com>, "Ard
 Biesheuvel" <ardb@...nel.org>, Arnd Bergmann <arnd@...db.de>, Borislav Petkov
	<bp@...en8.de>, Christoph Hellwig <hch@...radead.org>, Daniel Gomez
	<da.gomez@...sung.com>, David Hildenbrand <david@...hat.com>, Davidlohr Bueso
	<dave@...olabs.net>, David Rientjes <rientjes@...gle.com>, Dennis Zhou
	<dennis@...nel.org>, Johannes Weiner <hannes@...xchg.org>, John Hubbard
	<jhubbard@...dia.com>, Jonathan Corbet <corbet@....net>, Joonsoo Kim
	<iamjoonsoo.kim@....com>, Kalesh Singh <kaleshsingh@...gle.com>, Kees Cook
	<keescook@...omium.org>, Kent Overstreet <kent.overstreet@...ux.dev>, "Liam
 R. Howlett" <Liam.Howlett@...cle.com>, Luis Chamberlain <mcgrof@...nel.org>,
	Matthew Wilcox <willy@...radead.org>, Michal Hocko <mhocko@...e.com>, "Mike
 Rapoport" <rppt@...nel.org>, Minchan Kim <minchan@...gle.com>, "Paul E.
 McKenney" <paulmck@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, "Roman
 Gushchin" <roman.gushchin@...ux.dev>, Sami Tolvanen
	<samitolvanen@...gle.com>, Sourav Panda <souravpanda@...gle.com>, Steven
 Rostedt <rostedt@...dmis.org>, Thomas Gleixner <tglx@...utronix.de>, Thomas
 Huth <thuth@...hat.com>, Uladzislau Rezki <urezki@...il.com>, Vlastimil Babka
	<vbabka@...e.cz>, Xiongwei Song <xiongwei.song@...driver.com>, Yu Zhao
	<yuzhao@...gle.com>, <linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
	<oliver.sang@...el.com>
Subject: [linux-next:master] [alloc_tag]  a9c60bb0d0:
 BUG:KASAN:vmalloc-out-of-bounds_in_load_module



Hello,

kernel test robot noticed "BUG:KASAN:vmalloc-out-of-bounds_in_load_module" on:

commit: a9c60bb0d0e58ca30b8bfd00bddbe5bf79bd120c ("alloc_tag: populate memory for module tags as needed")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

[test failed on linux-next/master a39230ecf6b3057f5897bc4744a790070cfbe7a8]

in testcase: boot

config: x86_64-randconfig-016-20241026
compiler: clang-19
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+------------------------------------------------+------------+------------+
|                                                | e88dfe467a | a9c60bb0d0 |
+------------------------------------------------+------------+------------+
| boot_successes                                 | 6          | 0          |
| boot_failures                                  | 0          | 6          |
| BUG:KASAN:vmalloc-out-of-bounds_in_load_module | 0          | 6          |
| BUG:unable_to_handle_page_fault_for_address    | 0          | 6          |
| Oops                                           | 0          | 6          |
| RIP:kasan_metadata_fetch_row                   | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception       | 0          | 6          |
+------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202410281441.216670ac-lkp@intel.com


[ 42.810547][ T114] BUG: KASAN: vmalloc-out-of-bounds in load_module (kernel/module/main.c:2353)
[   42.811473][  T114] Write of size 520 at addr ffffffffa0000000 by task modprobe/114
[   42.812394][  T114]
[   42.812758][  T114] CPU: 0 UID: 0 PID: 114 Comm: modprobe Tainted: G                T  6.12.0-rc4-00199-ga9c60bb0d0e5 #1 18071a02e852b21a65d5fedadb69938108f9c3ec
[   42.814382][  T114] Tainted: [T]=RANDSTRUCT
[   42.814943][  T114] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   42.816126][  T114] Call Trace:
[   42.816599][  T114]  <TASK>
[ 42.817020][ T114] dump_stack_lvl (lib/dump_stack.c:122)
[ 42.817627][ T114] print_report (mm/kasan/report.c:378)
[ 42.818207][ T114] ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:107)
[ 42.818822][ T114] ? __virt_addr_valid (arch/x86/mm/physaddr.c:?)
[ 42.819469][ T114] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 42.823016][ T114] kasan_report (mm/kasan/report.c:603)
[ 42.823612][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.824202][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.824819][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.825390][ T114] kasan_check_range (mm/kasan/generic.c:?)
[ 42.825997][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.826578][ T114] __asan_memcpy (mm/kasan/shadow.c:105)
[ 42.827149][ T114] load_module (kernel/module/main.c:2353)
[ 42.827719][ T114] __se_sys_finit_module (kernel/module/main.c:? kernel/module/main.c:3298 kernel/module/main.c:3325 kernel/module/main.c:3308)
[ 42.828345][ T114] __ia32_sys_finit_module (kernel/module/main.c:3308)
[ 42.828988][ T114] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-016-20241026/./arch/x86/include/generated/asm/syscalls_32.h:463)
[ 42.829614][ T114] __do_fast_syscall_32 (arch/x86/entry/common.c:?)
[ 42.830291][ T114] ? irqentry_exit_to_user_mode (kernel/entry/common.c:234)
[ 42.830316][ T114] do_fast_syscall_32 (arch/x86/entry/common.c:411)
[ 42.830334][ T114] do_SYSENTER_32 (arch/x86/entry/common.c:449)
[ 42.830349][ T114] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[   42.830370][  T114] RIP: 0023:0xf7f77539
[ 42.830381][ T114] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
All code
========
   0:   03 74 b4 01             add    0x1(%rsp,%rsi,4),%esi
   4:   10 07                   adc    %al,(%rdi)
   6:   03 74 b0 01             add    0x1(%rax,%rsi,4),%esi
   a:   10 08                   adc    %cl,(%rax)
   c:   03 74 d8 01             add    0x1(%rax,%rbx,8),%esi
        ...
  20:   00 51 52                add    %dl,0x52(%rcx)
  23:   55                      push   %rbp
  24:*  89 e5                   mov    %esp,%ebp                <-- trapping instruction
  26:   0f 34                   sysenter
  28:   cd 80                   int    $0x80
  2a:   5d                      pop    %rbp
  2b:   5a                      pop    %rdx
  2c:   59                      pop    %rcx
  2d:   c3                      ret
  2e:   90                      nop
  2f:   90                      nop
  30:   90                      nop
  31:   90                      nop
  32:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  39:   00 00 00
  3c:   0f                      .byte 0xf
  3d:   1f                      (bad)
  3e:   44                      rex.R
        ...

Code starting with the faulting instruction
===========================================
   0:   5d                      pop    %rbp
   1:   5a                      pop    %rdx
   2:   59                      pop    %rcx
   3:   c3                      ret
   4:   90                      nop
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
   f:   00 00 00
  12:   0f                      .byte 0xf
  13:   1f                      (bad)
  14:   44                      rex.R
        ...
[   42.830390][  T114] RSP: 002b:00000000ff9f932c EFLAGS: 00200292 ORIG_RAX: 000000000000015e
[   42.830406][  T114] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000565d4214
[   42.830415][  T114] RDX: 0000000000000000 RSI: 00000000565e7420 RDI: 00000000565e7090
[   42.830424][  T114] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   42.830433][  T114] R10: 0000000000000000 R11: 0000000000200246 R12: 0000000000000000
[   42.830442][  T114] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   42.830455][  T114]  </TASK>
[   42.830461][  T114]
[   42.830464][  T114] Memory state around the buggy address:
[   42.830478][  T114] BUG: unable to handle page fault for address: fffffbfff3ffffe0
[   42.830485][  T114] #PF: supervisor read access in kernel mode
[   42.830492][  T114] #PF: error_code(0x0000) - not-present page
[   42.830500][  T114] PGD 417fd7067 P4D 417fd7067 PUD 417fd3067 PMD 0
[   42.830522][  T114] Oops: Oops: 0000 [#1] SMP KASAN
[   42.830536][  T114] CPU: 0 UID: 0 PID: 114 Comm: modprobe Tainted: G                T  6.12.0-rc4-00199-ga9c60bb0d0e5 #1 18071a02e852b21a65d5fedadb69938108f9c3ec
[   42.830555][  T114] Tainted: [T]=RANDSTRUCT
[   42.830560][  T114] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 42.830568][ T114] RIP: 0010:kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
[ 42.830586][ T114] Code: 86 e9 e8 fd ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 66 0f 1f 00 55 48 89 e5 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f 5d 31 c0 31 c9 31
All code
========
   0:   86 e9                   xchg   %ch,%cl
   2:   e8 fd ff ff 66          call   0x67000004
   7:   2e 0f 1f 84 00 00 00    cs nopl 0x0(%rax,%rax,1)
   e:   00 00
  10:   0f 1f 40 00             nopl   0x0(%rax)
  14:   66 0f 1f 00             nopw   (%rax)
  18:   55                      push   %rbp
  19:   48 89 e5                mov    %rsp,%rbp
  1c:   48 c1 ee 03             shr    $0x3,%rsi
  20:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  27:   fc ff df
  2a:*  48 8b 0c 06             mov    (%rsi,%rax,1),%rcx               <-- trapping instruction
  2e:   48 8b 44 06 08          mov    0x8(%rsi,%rax,1),%rax
  33:   48 89 47 08             mov    %rax,0x8(%rdi)
  37:   48 89 0f                mov    %rcx,(%rdi)
  3a:   5d                      pop    %rbp
  3b:   31 c0                   xor    %eax,%eax
  3d:   31 c9                   xor    %ecx,%ecx
  3f:   31                      .byte 0x31

Code starting with the faulting instruction
===========================================
   0:   48 8b 0c 06             mov    (%rsi,%rax,1),%rcx
   4:   48 8b 44 06 08          mov    0x8(%rsi,%rax,1),%rax
   9:   48 89 47 08             mov    %rax,0x8(%rdi)
   d:   48 89 0f                mov    %rcx,(%rdi)
  10:   5d                      pop    %rbp
  11:   31 c0                   xor    %eax,%eax
  13:   31 c9                   xor    %ecx,%ecx
  15:   31                      .byte 0x31
[   42.830596][  T114] RSP: 0018:ffffc90002107a60 EFLAGS: 00210802
[   42.830607][  T114] RAX: dffffc0000000000 RBX: ffffffffa0000000 RCX: 0000000000000000
[   42.830617][  T114] RDX: 0000000000000000 RSI: 1ffffffff3ffffe0 RDI: ffffc90002107aa0
[   42.830625][  T114] RBP: ffffc90002107a60 R08: 0000000000000000 R09: 0000000000000000
[   42.830634][  T114] R10: 0000000000000000 R11: 0000000000000000 R12: aaaaaaaaaaaaaaaa
[   42.830643][  T114] R13: ffffffffa0000000 R14: ffffc90002107aa0 R15: ffffffff9fffff00
[   42.830653][  T114] FS:  0000000000000000(0000) GS:ffff8883aee00000(0063) knlGS:00000000f7a65700
[   42.830664][  T114] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   42.830674][  T114] CR2: fffffbfff3ffffe0 CR3: 0000000195e7b000 CR4: 00000000000406b0
[   42.830689][  T114] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   42.830698][  T114] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   42.830707][  T114] Call Trace:
[   42.830711][  T114]  <TASK>
[ 42.830716][ T114] ? __die_body (arch/x86/kernel/dumpstack.c:421)
[ 42.830736][ T114] ? __die (arch/x86/kernel/dumpstack.c:434)
[ 42.830753][ T114] ? page_fault_oops (arch/x86/mm/fault.c:711)
[ 42.830770][ T114] ? number (lib/vsprintf.c:574)
[ 42.830788][ T114] ? kernelmode_fixup_or_oops (arch/x86/mm/fault.c:739)
[ 42.830801][ T114] ? __bad_area_nosemaphore (arch/x86/mm/fault.c:793)
[ 42.830817][ T114] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835)
[ 42.830829][ T114] ? do_kern_addr_fault (arch/x86/mm/fault.c:1199)
[ 42.830843][ T114] ? exc_page_fault (arch/x86/mm/fault.c:1480)
[ 42.830860][ T114] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
[ 42.830878][ T114] ? kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
[ 42.830892][ T114] print_report (mm/kasan/report.c:466)
[ 42.830903][ T114] ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:107)
[ 42.830917][ T114] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 42.830928][ T114] kasan_report (mm/kasan/report.c:603)
[ 42.830939][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.830956][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.830968][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.830979][ T114] kasan_check_range (mm/kasan/generic.c:?)
[ 42.830991][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.831003][ T114] __asan_memcpy (mm/kasan/shadow.c:105)
[ 42.831017][ T114] load_module (kernel/module/main.c:2353)
[ 42.831035][ T114] __se_sys_finit_module (kernel/module/main.c:? kernel/module/main.c:3298 kernel/module/main.c:3325 kernel/module/main.c:3308)
[ 42.831054][ T114] __ia32_sys_finit_module (kernel/module/main.c:3308)
[ 42.831067][ T114] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-016-20241026/./arch/x86/include/generated/asm/syscalls_32.h:463)
[ 42.831084][ T114] __do_fast_syscall_32 (arch/x86/entry/common.c:?)
[ 42.831100][ T114] ? irqentry_exit_to_user_mode (kernel/entry/common.c:234)
[ 42.831121][ T114] do_fast_syscall_32 (arch/x86/entry/common.c:411)
[ 42.831137][ T114] do_SYSENTER_32 (arch/x86/entry/common.c:449)
[ 42.831150][ T114] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[   42.831167][  T114] RIP: 0023:0xf7f77539
[ 42.831177][ T114] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
All code
========
   0:   03 74 b4 01             add    0x1(%rsp,%rsi,4),%esi
   4:   10 07                   adc    %al,(%rdi)
   6:   03 74 b0 01             add    0x1(%rax,%rsi,4),%esi
   a:   10 08                   adc    %cl,(%rax)
   c:   03 74 d8 01             add    0x1(%rax,%rbx,8),%esi
        ...
  20:   00 51 52                add    %dl,0x52(%rcx)
  23:   55                      push   %rbp
  24:*  89 e5                   mov    %esp,%ebp                <-- trapping instruction
  26:   0f 34                   sysenter
  28:   cd 80                   int    $0x80
  2a:   5d                      pop    %rbp
  2b:   5a                      pop    %rdx
  2c:   59                      pop    %rcx
  2d:   c3                      ret
  2e:   90                      nop
  2f:   90                      nop
  30:   90                      nop
  31:   90                      nop
  32:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  39:   00 00 00
  3c:   0f                      .byte 0xf
  3d:   1f                      (bad)
  3e:   44                      rex.R
        ...

Code starting with the faulting instruction
===========================================
   0:   5d                      pop    %rbp
   1:   5a                      pop    %rdx
   2:   59                      pop    %rcx
   3:   c3                      ret
   4:   90                      nop
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
   f:   00 00 00
  12:   0f                      .byte 0xf
  13:   1f                      (bad)
  14:   44                      rex.R


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241028/202410281441.216670ac-lkp@intel.com



--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

