Message-ID: <672d207c.050a0220.15a23d.019e.GAE@google.com>
Date: Thu, 07 Nov 2024 12:18:04 -0800
From: syzbot <syzbot+7534f060ebda6b8b51b3@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, surajsonawane0215@...il.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [acpi?] [nvdimm?] KASAN: vmalloc-out-of-bounds Read in
acpi_nfit_ctl (2)
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
nx6: QNX6 filesystem 1.0.0 registered.
[ 8.170952][ T1] fuse: init (API version 7.41)
[ 8.177946][ T1] orangefs_debugfs_init: called with debug mask: :none: :0:
[ 8.183363][ T1] orangefs_init: module version upstream loaded
[ 8.187965][ T1] JFS: nTxBlock = 6193, nTxLock = 49545
[ 8.208314][ T1] SGI XFS with ACLs, security attributes, realtime, quota, no debug enabled
[ 8.216600][ T1] 9p: Installing v9fs 9p2000 file system support
[ 8.220716][ T1] NILFS version 2 loaded
[ 8.223207][ T1] befs: version: 0.9.3
[ 8.226735][ T1] ocfs2: Registered cluster interface o2cb
[ 8.231974][ T1] ocfs2: Registered cluster interface user
[ 8.236251][ T1] OCFS2 User DLM kernel interface loaded
[ 8.249844][ T1] gfs2: GFS2 installed
[ 8.263620][ T1] ceph: loaded (mds proto 32)
[ 8.291737][ T1] NET: Registered PF_ALG protocol family
[ 8.295731][ T1] xor: automatically using best checksumming function avx
[ 8.301190][ T1] async_tx: api initialized (async)
[ 8.304560][ T1] Key type asymmetric registered
[ 8.308011][ T1] Asymmetric key parser 'x509' registered
[ 8.311630][ T1] Asymmetric key parser 'pkcs8' registered
[ 8.315349][ T1] Key type pkcs7_test registered
[ 8.319667][ T1] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 238)
[ 8.325838][ T1] io scheduler mq-deadline registered
[ 8.329570][ T1] io scheduler kyber registered
[ 8.332988][ T1] io scheduler bfq registered
[ 8.359110][ T1] ACPI: \_SB_.GSIE: Enabled at IRQ 20
[ 8.370806][ T1] pcieport 0000:00:04.0: PME: Signaling with IRQ 25
[ 8.379322][ T1] pcieport 0000:00:04.0: AER: enabled with IRQ 26
[ 8.391225][ T140] kworker/u4:2 (140) used greatest stack depth: 25104 bytes left
[ 8.398097][ T1] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[ 8.436998][ T1] ACPI: button: Power Button [PWRF]
[ 8.637134][ T1] ==================================================================
[ 8.642545][ T1] BUG: KASAN: stack-out-of-bounds in acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] Read of size 4 at addr ffffc900003371e0 by task swapper/0/1
[ 8.646090][ T1]
[ 8.646090][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00114-g80fb25341631-dirty #0
[ 8.646090][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 8.646090][ T1] Call Trace:
[ 8.646090][ T1] <TASK>
[ 8.646090][ T1] dump_stack_lvl+0x241/0x360
[ 8.646090][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 8.646090][ T1] ? __pfx__printk+0x10/0x10
[ 8.646090][ T1] ? _printk+0xd5/0x120
[ 8.646090][ T1] print_report+0x169/0x550
[ 8.646090][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.646090][ T1] ? __virt_addr_valid+0xbd/0x530
[ 8.646090][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] kasan_report+0x143/0x180
[ 8.646090][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] acpi_nfit_ctl+0x1c8a/0x2540
[ 8.646090][ T1] ? mark_lock+0x9a/0x360
[ 8.646090][ T1] ? __pfx_acpi_nfit_ctl+0x10/0x10
[ 8.646090][ T1] ? nfit_spa_type+0x81/0x410
[ 8.646090][ T1] ? nfit_spa_type+0x378/0x410
[ 8.646090][ T1] ? __pfx_nfit_spa_type+0x10/0x10
[ 8.646090][ T1] ? mark_lock+0x9a/0x360
[ 8.646090][ T1] acpi_nfit_register_regions+0x2ae/0xf50
[ 8.646090][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.646090][ T1] ? __pfx_acpi_nfit_register_regions+0x10/0x10
[ 8.646090][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 8.646090][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 8.646090][ T1] ? __kmalloc_node_track_caller_noprof+0x242/0x440
[ 8.646090][ T1] acpi_nfit_init+0x6fd0/0x7060
[ 8.646090][ T1] ? __pfx_acpi_nfit_init+0x10/0x10
[ 8.646090][ T1] ? acpi_evaluate_object+0x9a3/0xaf0
[ 8.646090][ T1] ? acpi_nfit_add+0x2f3/0x620
[ 8.646090][ T1] acpi_nfit_add+0x469/0x620
[ 8.646090][ T1] ? __pfx_acpi_nfit_add+0x10/0x10
[ 8.646090][ T1] ? kernfs_put+0x315/0x370
[ 8.646090][ T1] acpi_device_probe+0xa5/0x2b0
[ 8.646090][ T1] ? really_probe+0x274/0xad0
[ 8.646090][ T1] ? __pfx_acpi_device_probe+0x10/0x10
[ 8.646090][ T1] really_probe+0x2b8/0xad0
[ 8.646090][ T1] __driver_probe_device+0x1a2/0x390
[ 8.646090][ T1] driver_probe_device+0x50/0x430
[ 8.646090][ T1] __driver_attach+0x45f/0x710
[ 8.646090][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.646090][ T1] bus_for_each_dev+0x239/0x2b0
[ 8.646090][ T1] ? __pfx___driver_attach+0x10/0x10
[ 8.646090][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 8.646090][ T1] bus_add_driver+0x346/0x670
[ 8.646090][ T1] driver_register+0x23a/0x320
[ 8.646090][ T1] nfit_init+0x166/0x1b0
[ 8.646090][ T1] ? __pfx_nfit_init+0x10/0x10
[ 8.646090][ T1] do_one_initcall+0x248/0x880
[ 8.646090][ T1] ? __pfx_nfit_init+0x10/0x10
[ 8.646090][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 8.646090][ T1] ? __pfx_parse_args+0x10/0x10
[ 8.646090][ T1] ? rcu_is_watching+0x15/0xb0
[ 8.646090][ T1] do_initcall_level+0x157/0x210
[ 8.646090][ T1] do_initcalls+0x3f/0x80
[ 8.646090][ T1] kernel_init_freeable+0x435/0x5d0
[ 8.646090][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 8.646090][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] kernel_init+0x1d/0x2b0
[ 8.646090][ T1] ret_from_fork+0x4b/0x80
[ 8.646090][ T1] ? __pfx_kernel_init+0x10/0x10
[ 8.646090][ T1] ret_from_fork_asm+0x1a/0x30
[ 8.646090][ T1] </TASK>
[ 8.646090][ T1]
[ 8.646090][ T1] The buggy address belongs to stack of task swapper/0/1
[ 8.646090][ T1] and is located at offset 160 in frame:
[ 8.646090][ T1] acpi_nfit_register_regions+0x0/0xf50
[ 8.646090][ T1]
[ 8.646090][ T1] This frame has 4 objects:
[ 8.646090][ T1] [32, 36) 'cmd_rc.i.i87'
[ 8.646090][ T1] [48, 80) 'ars_start.i.i'
[ 8.646090][ T1] [112, 116) 'cmd_rc.i.i'
[ 8.646090][ T1] [128, 160) 'ars_cap.i'
[ 8.646090][ T1]
[ 8.646090][ T1] The buggy address belongs to the virtual mapping at
[ 8.646090][ T1] [ffffc90000330000, ffffc90000339000) created by:
[ 8.646090][ T1] copy_process+0x5d1/0x3d50
[ 8.646090][ T1]
[ 8.646090][ T1] The buggy address belongs to the physical page:
[ 8.646090][ T1] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x312a4
[ 8.646090][ T1] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 8.646090][ T1] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 8.646090][ T1] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 8.646090][ T1] page dumped because: kasan: bad access detected
[ 8.646090][ T1] page_owner tracks the page as allocated
[ 8.646090][ T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2102(__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 0, tgid 0 (swapper/0), ts 2318285947, free_ts 0
[ 8.646090][ T1] post_alloc_hook+0x1f3/0x230
[ 8.646090][ T1] get_page_from_freelist+0x303f/0x3190
[ 8.646090][ T1] __alloc_pages_noprof+0x292/0x710
[ 8.646090][ T1] alloc_pages_mpol_noprof+0x3e8/0x680
[ 8.646090][ T1] __vmalloc_node_range_noprof+0xa2b/0x13f0
[ 8.646090][ T1] dup_task_struct+0x444/0x8c0
[ 8.646090][ T1] copy_process+0x5d1/0x3d50
[ 8.646090][ T1] kernel_clone+0x226/0x8f0
[ 8.646090][ T1] user_mode_thread+0x132/0x1a0
[ 8.646090][ T1] rest_init+0x23/0x300
[ 8.646090][ T1] start_kernel+0x47f/0x500
[ 8.646090][ T1] x86_64_start_reservations+0x2a/0x30
[ 8.646090][ T1] x86_64_start_kernel+0x9f/0xa0
[ 8.646090][ T1] common_startup_64+0x13e/0x147
[ 8.646090][ T1] page_owner free stack trace missing
[ 8.646090][ T1]
[ 8.646090][ T1] Memory state around the buggy address:
[ 8.646090][ T1] ffffc90000337080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 8.646090][ T1] ffffc90000337100: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 00 00
[ 8.646090][ T1] >ffffc90000337180: 00 00 f2 f2 f2 f2 04 f2 00 00 00 00 f3 f3 f3 f3
[ 8.646090][ T1] ^
[ 8.646090][ T1] ffffc90000337200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 8.646090][ T1] ffffc90000337280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 8.646090][ T1] ==================================================================
[ 9.044043][ T1] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 9.048635][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00114-g80fb25341631-dirty #0
[ 9.053640][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 9.053640][ T1] Call Trace:
[ 9.053640][ T1] <TASK>
[ 9.053640][ T1] dump_stack_lvl+0x241/0x360
[ 9.053640][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 9.053640][ T1] ? __pfx__printk+0x10/0x10
[ 9.053640][ T1] ? preempt_schedule+0xe1/0xf0
[ 9.053640][ T1] ? vscnprintf+0x5d/0x90
[ 9.053640][ T1] panic+0x349/0x880
[ 9.053640][ T1] ? check_panic_on_warn+0x21/0xb0
[ 9.053640][ T1] ? __pfx_panic+0x10/0x10
[ 9.053640][ T1] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 9.053640][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 9.053640][ T1] ? print_report+0x502/0x550
[ 9.053640][ T1] check_panic_on_warn+0x86/0xb0
[ 9.053640][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 9.053640][ T1] end_report+0x77/0x160
[ 9.053640][ T1] kasan_report+0x154/0x180
[ 9.053640][ T1] ? acpi_nfit_ctl+0x1c8a/0x2540
[ 9.053640][ T1] acpi_nfit_ctl+0x1c8a/0x2540
[ 9.053640][ T1] ? mark_lock+0x9a/0x360
[ 9.053640][ T1] ? __pfx_acpi_nfit_ctl+0x10/0x10
[ 9.053640][ T1] ? nfit_spa_type+0x81/0x410
[ 9.053640][ T1] ? nfit_spa_type+0x378/0x410
[ 9.053640][ T1] ? __pfx_nfit_spa_type+0x10/0x10
[ 9.053640][ T1] ? mark_lock+0x9a/0x360
[ 9.053640][ T1] acpi_nfit_register_regions+0x2ae/0xf50
[ 9.053640][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 9.053640][ T1] ? __pfx_acpi_nfit_register_regions+0x10/0x10
[ 9.053640][ T1] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 9.053640][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 9.053640][ T1] ? __kmalloc_node_track_caller_noprof+0x242/0x440
[ 9.053640][ T1] acpi_nfit_init+0x6fd0/0x7060
[ 9.053640][ T1] ? __pfx_acpi_nfit_init+0x10/0x10
[ 9.053640][ T1] ? acpi_evaluate_object+0x9a3/0xaf0
[ 9.053640][ T1] ? acpi_nfit_add+0x2f3/0x620
[ 9.053640][ T1] acpi_nfit_add+0x469/0x620
[ 9.053640][ T1] ? __pfx_acpi_nfit_add+0x10/0x10
[ 9.053640][ T1] ? kernfs_put+0x315/0x370
[ 9.053640][ T1] acpi_device_probe+0xa5/0x2b0
[ 9.053640][ T1] ? really_probe+0x274/0xad0
[ 9.053640][ T1] ? __pfx_acpi_device_probe+0x10/0x10
[ 9.053640][ T1] really_probe+0x2b8/0xad0
[ 9.053640][ T1] __driver_probe_device+0x1a2/0x390
[ 9.053640][ T1] driver_probe_device+0x50/0x430
[ 9.053640][ T1] __driver_attach+0x45f/0x710
[ 9.053640][ T1] ? __pfx___driver_attach+0x10/0x10
[ 9.053640][ T1] bus_for_each_dev+0x239/0x2b0
[ 9.053640][ T1] ? __pfx___driver_attach+0x10/0x10
[ 9.053640][ T1] ? __pfx_bus_for_each_dev+0x10/0x10
[ 9.053640][ T1] bus_add_driver+0x346/0x670
[ 9.053640][ T1] driver_register+0x23a/0x320
[ 9.053640][ T1] nfit_init+0x166/0x1b0
[ 9.053640][ T1] ? __pfx_nfit_init+0x10/0x10
[ 9.053640][ T1] do_one_initcall+0x248/0x880
[ 9.053640][ T1] ? __pfx_nfit_init+0x10/0x10
[ 9.053640][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 9.053640][ T1] ? __pfx_parse_args+0x10/0x10
[ 9.053640][ T1] ? rcu_is_watching+0x15/0xb0
[ 9.053640][ T1] do_initcall_level+0x157/0x210
[ 9.053640][ T1] do_initcalls+0x3f/0x80
[ 9.053640][ T1] kernel_init_freeable+0x435/0x5d0
[ 9.053640][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 9.053640][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] kernel_init+0x1d/0x2b0
[ 9.053640][ T1] ret_from_fork+0x4b/0x80
[ 9.053640][ T1] ? __pfx_kernel_init+0x10/0x10
[ 9.053640][ T1] ret_from_fork_asm+0x1a/0x30
[ 9.053640][ T1] </TASK>
[ 9.053640][ T1] Kernel Offset: disabled
[ 9.053640][ T1] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build70911805=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at da38b4c931f
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=da38b4c931f2882f34163d41ac10bfc78112afc8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241105-104654'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"da38b4c931f2882f34163d41ac10bfc78112afc8\"
/usr/bin/ld: /tmp/cco8PKHf.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cco8PKHf.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15fb3f40580000
Tested on:
commit: 80fb2534 Merge tag 'pwm/for-6.12-rc7-fixes' of git://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=11254d3590b16717
dashboard link: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=100b2d87980000