Message-ID: <202410281441.216670ac-lkp@intel.com>
Date: Mon, 28 Oct 2024 15:05:33 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Suren Baghdasaryan <surenb@...gle.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, Andrew Morton
<akpm@...ux-foundation.org>, Pasha Tatashin <pasha.tatashin@...een.com>, "Ard
Biesheuvel" <ardb@...nel.org>, Arnd Bergmann <arnd@...db.de>, Borislav Petkov
<bp@...en8.de>, Christoph Hellwig <hch@...radead.org>, Daniel Gomez
<da.gomez@...sung.com>, David Hildenbrand <david@...hat.com>, Davidlohr Bueso
<dave@...olabs.net>, David Rientjes <rientjes@...gle.com>, Dennis Zhou
<dennis@...nel.org>, Johannes Weiner <hannes@...xchg.org>, John Hubbard
<jhubbard@...dia.com>, Jonathan Corbet <corbet@....net>, Joonsoo Kim
<iamjoonsoo.kim@....com>, Kalesh Singh <kaleshsingh@...gle.com>, Kees Cook
<keescook@...omium.org>, Kent Overstreet <kent.overstreet@...ux.dev>, "Liam
R. Howlett" <Liam.Howlett@...cle.com>, Luis Chamberlain <mcgrof@...nel.org>,
Matthew Wilcox <willy@...radead.org>, Michal Hocko <mhocko@...e.com>, "Mike
Rapoport" <rppt@...nel.org>, Minchan Kim <minchan@...gle.com>, "Paul E.
McKenney" <paulmck@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, "Roman
Gushchin" <roman.gushchin@...ux.dev>, Sami Tolvanen
<samitolvanen@...gle.com>, Sourav Panda <souravpanda@...gle.com>, Steven
Rostedt <rostedt@...dmis.org>, Thomas Gleixner <tglx@...utronix.de>, Thomas
Huth <thuth@...hat.com>, Uladzislau Rezki <urezki@...il.com>, Vlastimil Babka
<vbabka@...e.cz>, Xiongwei Song <xiongwei.song@...driver.com>, Yu Zhao
<yuzhao@...gle.com>, <linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>,
<oliver.sang@...el.com>
Subject: [linux-next:master] [alloc_tag] a9c60bb0d0:
BUG:KASAN:vmalloc-out-of-bounds_in_load_module
Hello,

kernel test robot noticed "BUG:KASAN:vmalloc-out-of-bounds_in_load_module" on:

commit: a9c60bb0d0e58ca30b8bfd00bddbe5bf79bd120c ("alloc_tag: populate memory for module tags as needed")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

[test failed on linux-next/master a39230ecf6b3057f5897bc4744a790070cfbe7a8]

in testcase: boot

config: x86_64-randconfig-016-20241026
compiler: clang-19
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)

+------------------------------------------------+------------+------------+
| | e88dfe467a | a9c60bb0d0 |
+------------------------------------------------+------------+------------+
| boot_successes | 6 | 0 |
| boot_failures | 0 | 6 |
| BUG:KASAN:vmalloc-out-of-bounds_in_load_module | 0 | 6 |
| BUG:unable_to_handle_page_fault_for_address | 0 | 6 |
| Oops | 0 | 6 |
| RIP:kasan_metadata_fetch_row | 0 | 6 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 6 |
+------------------------------------------------+------------+------------+

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202410281441.216670ac-lkp@intel.com
[ 42.810547][ T114] BUG: KASAN: vmalloc-out-of-bounds in load_module (kernel/module/main.c:2353)
[ 42.811473][ T114] Write of size 520 at addr ffffffffa0000000 by task modprobe/114
[ 42.812394][ T114]
[ 42.812758][ T114] CPU: 0 UID: 0 PID: 114 Comm: modprobe Tainted: G T 6.12.0-rc4-00199-ga9c60bb0d0e5 #1 18071a02e852b21a65d5fedadb69938108f9c3ec
[ 42.814382][ T114] Tainted: [T]=RANDSTRUCT
[ 42.814943][ T114] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 42.816126][ T114] Call Trace:
[ 42.816599][ T114] <TASK>
[ 42.817020][ T114] dump_stack_lvl (lib/dump_stack.c:122)
[ 42.817627][ T114] print_report (mm/kasan/report.c:378)
[ 42.818207][ T114] ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:107)
[ 42.818822][ T114] ? __virt_addr_valid (arch/x86/mm/physaddr.c:?)
[ 42.819469][ T114] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 42.823016][ T114] kasan_report (mm/kasan/report.c:603)
[ 42.823612][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.824202][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.824819][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.825390][ T114] kasan_check_range (mm/kasan/generic.c:?)
[ 42.825997][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.826578][ T114] __asan_memcpy (mm/kasan/shadow.c:105)
[ 42.827149][ T114] load_module (kernel/module/main.c:2353)
[ 42.827719][ T114] __se_sys_finit_module (kernel/module/main.c:? kernel/module/main.c:3298 kernel/module/main.c:3325 kernel/module/main.c:3308)
[ 42.828345][ T114] __ia32_sys_finit_module (kernel/module/main.c:3308)
[ 42.828988][ T114] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-016-20241026/./arch/x86/include/generated/asm/syscalls_32.h:463)
[ 42.829614][ T114] __do_fast_syscall_32 (arch/x86/entry/common.c:?)
[ 42.830291][ T114] ? irqentry_exit_to_user_mode (kernel/entry/common.c:234)
[ 42.830316][ T114] do_fast_syscall_32 (arch/x86/entry/common.c:411)
[ 42.830334][ T114] do_SYSENTER_32 (arch/x86/entry/common.c:449)
[ 42.830349][ T114] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[ 42.830370][ T114] RIP: 0023:0xf7f77539
[ 42.830381][ T114] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
All code
========
0: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
4: 10 07 adc %al,(%rdi)
6: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
a: 10 08 adc %cl,(%rax)
c: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
...
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24:* 89 e5 mov %esp,%ebp <-- trapping instruction
26: 0f 34 sysenter
28: cd 80 int $0x80
2a: 5d pop %rbp
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 ret
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
39: 00 00 00
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 44 rex.R
...
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 ret
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
f: 00 00 00
12: 0f .byte 0xf
13: 1f (bad)
14: 44 rex.R
...
[ 42.830390][ T114] RSP: 002b:00000000ff9f932c EFLAGS: 00200292 ORIG_RAX: 000000000000015e
[ 42.830406][ T114] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000565d4214
[ 42.830415][ T114] RDX: 0000000000000000 RSI: 00000000565e7420 RDI: 00000000565e7090
[ 42.830424][ T114] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 42.830433][ T114] R10: 0000000000000000 R11: 0000000000200246 R12: 0000000000000000
[ 42.830442][ T114] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 42.830455][ T114] </TASK>
[ 42.830461][ T114]
[ 42.830464][ T114] Memory state around the buggy address:
[ 42.830478][ T114] BUG: unable to handle page fault for address: fffffbfff3ffffe0
[ 42.830485][ T114] #PF: supervisor read access in kernel mode
[ 42.830492][ T114] #PF: error_code(0x0000) - not-present page
[ 42.830500][ T114] PGD 417fd7067 P4D 417fd7067 PUD 417fd3067 PMD 0
[ 42.830522][ T114] Oops: Oops: 0000 [#1] SMP KASAN
[ 42.830536][ T114] CPU: 0 UID: 0 PID: 114 Comm: modprobe Tainted: G T 6.12.0-rc4-00199-ga9c60bb0d0e5 #1 18071a02e852b21a65d5fedadb69938108f9c3ec
[ 42.830555][ T114] Tainted: [T]=RANDSTRUCT
[ 42.830560][ T114] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 42.830568][ T114] RIP: 0010:kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
[ 42.830586][ T114] Code: 86 e9 e8 fd ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 66 0f 1f 00 55 48 89 e5 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f 5d 31 c0 31 c9 31
All code
========
0: 86 e9 xchg %ch,%cl
2: e8 fd ff ff 66 call 0x67000004
7: 2e 0f 1f 84 00 00 00 cs nopl 0x0(%rax,%rax,1)
e: 00 00
10: 0f 1f 40 00 nopl 0x0(%rax)
14: 66 0f 1f 00 nopw (%rax)
18: 55 push %rbp
19: 48 89 e5 mov %rsp,%rbp
1c: 48 c1 ee 03 shr $0x3,%rsi
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
2a:* 48 8b 0c 06 mov (%rsi,%rax,1),%rcx <-- trapping instruction
2e: 48 8b 44 06 08 mov 0x8(%rsi,%rax,1),%rax
33: 48 89 47 08 mov %rax,0x8(%rdi)
37: 48 89 0f mov %rcx,(%rdi)
3a: 5d pop %rbp
3b: 31 c0 xor %eax,%eax
3d: 31 c9 xor %ecx,%ecx
3f: 31 .byte 0x31
Code starting with the faulting instruction
===========================================
0: 48 8b 0c 06 mov (%rsi,%rax,1),%rcx
4: 48 8b 44 06 08 mov 0x8(%rsi,%rax,1),%rax
9: 48 89 47 08 mov %rax,0x8(%rdi)
d: 48 89 0f mov %rcx,(%rdi)
10: 5d pop %rbp
11: 31 c0 xor %eax,%eax
13: 31 c9 xor %ecx,%ecx
15: 31 .byte 0x31
[ 42.830596][ T114] RSP: 0018:ffffc90002107a60 EFLAGS: 00210802
[ 42.830607][ T114] RAX: dffffc0000000000 RBX: ffffffffa0000000 RCX: 0000000000000000
[ 42.830617][ T114] RDX: 0000000000000000 RSI: 1ffffffff3ffffe0 RDI: ffffc90002107aa0
[ 42.830625][ T114] RBP: ffffc90002107a60 R08: 0000000000000000 R09: 0000000000000000
[ 42.830634][ T114] R10: 0000000000000000 R11: 0000000000000000 R12: aaaaaaaaaaaaaaaa
[ 42.830643][ T114] R13: ffffffffa0000000 R14: ffffc90002107aa0 R15: ffffffff9fffff00
[ 42.830653][ T114] FS: 0000000000000000(0000) GS:ffff8883aee00000(0063) knlGS:00000000f7a65700
[ 42.830664][ T114] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 42.830674][ T114] CR2: fffffbfff3ffffe0 CR3: 0000000195e7b000 CR4: 00000000000406b0
[ 42.830689][ T114] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 42.830698][ T114] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 42.830707][ T114] Call Trace:
[ 42.830711][ T114] <TASK>
[ 42.830716][ T114] ? __die_body (arch/x86/kernel/dumpstack.c:421)
[ 42.830736][ T114] ? __die (arch/x86/kernel/dumpstack.c:434)
[ 42.830753][ T114] ? page_fault_oops (arch/x86/mm/fault.c:711)
[ 42.830770][ T114] ? number (lib/vsprintf.c:574)
[ 42.830788][ T114] ? kernelmode_fixup_or_oops (arch/x86/mm/fault.c:739)
[ 42.830801][ T114] ? __bad_area_nosemaphore (arch/x86/mm/fault.c:793)
[ 42.830817][ T114] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835)
[ 42.830829][ T114] ? do_kern_addr_fault (arch/x86/mm/fault.c:1199)
[ 42.830843][ T114] ? exc_page_fault (arch/x86/mm/fault.c:1480)
[ 42.830860][ T114] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
[ 42.830878][ T114] ? kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
[ 42.830892][ T114] print_report (mm/kasan/report.c:466)
[ 42.830903][ T114] ? do_raw_spin_lock (arch/x86/include/asm/atomic.h:107)
[ 42.830917][ T114] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 42.830928][ T114] kasan_report (mm/kasan/report.c:603)
[ 42.830939][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.830956][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.830968][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.830979][ T114] kasan_check_range (mm/kasan/generic.c:?)
[ 42.830991][ T114] ? load_module (kernel/module/main.c:2353)
[ 42.831003][ T114] __asan_memcpy (mm/kasan/shadow.c:105)
[ 42.831017][ T114] load_module (kernel/module/main.c:2353)
[ 42.831035][ T114] __se_sys_finit_module (kernel/module/main.c:? kernel/module/main.c:3298 kernel/module/main.c:3325 kernel/module/main.c:3308)
[ 42.831054][ T114] __ia32_sys_finit_module (kernel/module/main.c:3308)
[ 42.831067][ T114] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-016-20241026/./arch/x86/include/generated/asm/syscalls_32.h:463)
[ 42.831084][ T114] __do_fast_syscall_32 (arch/x86/entry/common.c:?)
[ 42.831100][ T114] ? irqentry_exit_to_user_mode (kernel/entry/common.c:234)
[ 42.831121][ T114] do_fast_syscall_32 (arch/x86/entry/common.c:411)
[ 42.831137][ T114] do_SYSENTER_32 (arch/x86/entry/common.c:449)
[ 42.831150][ T114] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[ 42.831167][ T114] RIP: 0023:0xf7f77539
[ 42.831177][ T114] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
All code
========
0: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
4: 10 07 adc %al,(%rdi)
6: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
a: 10 08 adc %cl,(%rax)
c: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
...
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24:* 89 e5 mov %esp,%ebp <-- trapping instruction
26: 0f 34 sysenter
28: cd 80 int $0x80
2a: 5d pop %rbp
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 ret
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
39: 00 00 00
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 44 rex.R
...
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 ret
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
f: 00 00 00
12: 0f .byte 0xf
13: 1f (bad)
14: 44 rex.R
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241028/202410281441.216670ac-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki