| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJuCfpGMM1=3eS_1yCEFrwdFHv_dYZ3f1fXaFaKzT-hcNfjxfw@mail.gmail.com>
Date: Wed, 13 Nov 2024 21:34:57 +0000
From: Suren Baghdasaryan <surenb@...gle.com>
To: kernel test robot <oliver.sang@...el.com>
Cc: oe-lkp@...ts.linux.dev, lkp@...el.com,
Andrew Morton <akpm@...ux-foundation.org>, Pasha Tatashin <pasha.tatashin@...een.com>,
Ard Biesheuvel <ardb@...nel.org>, Arnd Bergmann <arnd@...db.de>, Borislav Petkov <bp@...en8.de>,
Christoph Hellwig <hch@...radead.org>, Daniel Gomez <da.gomez@...sung.com>,
David Hildenbrand <david@...hat.com>, Davidlohr Bueso <dave@...olabs.net>,
David Rientjes <rientjes@...gle.com>, Dennis Zhou <dennis@...nel.org>,
Johannes Weiner <hannes@...xchg.org>, John Hubbard <jhubbard@...dia.com>,
Jonathan Corbet <corbet@....net>, Joonsoo Kim <iamjoonsoo.kim@....com>,
Kalesh Singh <kaleshsingh@...gle.com>, Kees Cook <keescook@...omium.org>,
Kent Overstreet <kent.overstreet@...ux.dev>, "Liam R. Howlett" <Liam.Howlett@...cle.com>,
Luis Chamberlain <mcgrof@...nel.org>, Matthew Wilcox <willy@...radead.org>, Michal Hocko <mhocko@...e.com>,
Mike Rapoport <rppt@...nel.org>, Minchan Kim <minchan@...gle.com>,
"Paul E. McKenney" <paulmck@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>,
Roman Gushchin <roman.gushchin@...ux.dev>, Sami Tolvanen <samitolvanen@...gle.com>,
Sourav Panda <souravpanda@...gle.com>, Steven Rostedt <rostedt@...dmis.org>,
Thomas Gleixner <tglx@...utronix.de>, Thomas Huth <thuth@...hat.com>,
Uladzislau Rezki <urezki@...il.com>, Vlastimil Babka <vbabka@...e.cz>,
Xiongwei Song <xiongwei.song@...driver.com>, Yu Zhao <yuzhao@...gle.com>,
linux-kernel@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [linux-next:master] [alloc_tag] 0f9b685626: BUG:KASAN:vmalloc-out-of-bounds_in_move_module
On Wed, Nov 13, 2024 at 2:07 PM kernel test robot <oliver.sang@...el.com> wrote:
>
>
>
> Hello,
>
>
> we reported
> "[linux-next:master] [alloc_tag] a9c60bb0d0: BUG:KASAN:vmalloc-out-of-bounds_in_load_module"
> in
> https://lore.kernel.org/all/202410281441.216670ac-lkp@intel.com/
>
> we noticed it seems there is following patch.
>
> we made below report just FYI that the commit still cause similar issue on
> linux-next/master and not fixed on tip of linux-next/master when this bisect
> is done.
>
>
> kernel test robot noticed "BUG:KASAN:vmalloc-out-of-bounds_in_move_module" on:
>
> commit: 0f9b685626daa2f8e19a9788625c9b624c223e45 ("alloc_tag: populate memory for module tags as needed")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master 929beafbe7acce3267c06115e13e03ff6e50548a]
>
> in testcase: rcuscale
> version:
> with following parameters:
>
> runtime: 300s
> scale_type: srcu
>
>
>
> config: x86_64-randconfig-014-20241107
> compiler: gcc-12
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
> +------------------------------------------------+------------+------------+
> | | 0db6f8d782 | 0f9b685626 |
> +------------------------------------------------+------------+------------+
> | boot_successes | 18 | 0 |
> | boot_failures | 0 | 18 |
> | BUG:KASAN:vmalloc-out-of-bounds_in_move_module | 0 | 18 |
> | BUG:unable_to_handle_page_fault_for_address | 0 | 18 |
> | Oops | 0 | 18 |
> | RIP:kasan_metadata_fetch_row | 0 | 18 |
> | Kernel_panic-not_syncing:Fatal_exception | 0 | 18 |
> +------------------------------------------------+------------+------------+
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@...el.com>
> | Closes: https://lore.kernel.org/oe-lkp/202411132111.6a221562-lkp@intel.com
Thanks for the report! I'm looking into this but so far could not find
an obvious issue. Will try to reproduce.
>
>
> [ 153.897376][ T402] BUG: KASAN: vmalloc-out-of-bounds in move_module (kernel/module/main.c:2357)
> [ 153.899141][ T402] Write of size 40 at addr ffffffffa0000000 by task modprobe/402
> [ 153.900837][ T402]
> [ 153.901496][ T402] CPU: 0 UID: 0 PID: 402 Comm: modprobe Tainted: G T 6.12.0-rc6-00146-g0f9b685626da #1 87c8486a909ba2f90eff061a4c9c1fa5c9cd90ea
> [ 153.904537][ T402] Tainted: [T]=RANDSTRUCT
> [ 153.905500][ T402] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [ 153.907702][ T402] Call Trace:
> [ 153.908510][ T402] <TASK>
> [ 153.909241][ T402] print_address_description+0x65/0x2fa
> [ 153.910663][ T402] print_report (mm/kasan/report.c:489)
> [ 153.911771][ T402] ? move_module (kernel/module/main.c:2357)
> [ 153.912825][ T402] kasan_report (mm/kasan/report.c:603)
> [ 153.913821][ T402] ? move_module (kernel/module/main.c:2357)
> [ 153.914904][ T402] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
> [ 153.916029][ T402] __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 1))
> [ 153.917057][ T402] move_module (kernel/module/main.c:2357)
> [ 153.918071][ T402] layout_and_allocate+0x446/0x523
> [ 153.919459][ T402] load_module (kernel/module/main.c:2985)
> [ 153.920457][ T402] ? mode_strip_umask (fs/namei.c:3248)
> [ 153.921557][ T402] init_module_from_file (kernel/module/main.c:3266)
> [ 153.922825][ T402] ? __ia32_sys_init_module (kernel/module/main.c:3266)
> [ 153.923992][ T402] ? __lock_release+0x106/0x38c
> [ 153.925173][ T402] ? idempotent_init_module (kernel/module/main.c:3301)
> [ 153.926364][ T402] ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
> [ 153.944053][ T402] idempotent_init_module (kernel/module/main.c:3302)
> [ 153.945164][ T402] ? init_module_from_file (kernel/module/main.c:3294)
> [ 153.946268][ T402] ? security_capable (security/security.c:1143)
> [ 153.947421][ T402] __do_sys_finit_module (include/linux/file.h:68 kernel/module/main.c:3330)
> [ 153.948495][ T402] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> [ 153.949540][ T402] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 153.950855][ T402] RIP: 0033:0x7f0f37df7719
> [ 153.951869][ T402] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
> All code
> ========
> 0: 08 89 e8 5b 5d c3 or %cl,-0x3ca2a418(%rcx)
> 6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
> d: 00 00 00
> 10: 90 nop
> 11: 48 89 f8 mov %rdi,%rax
> 14: 48 89 f7 mov %rsi,%rdi
> 17: 48 89 d6 mov %rdx,%rsi
> 1a: 48 89 ca mov %rcx,%rdx
> 1d: 4d 89 c2 mov %r8,%r10
> 20: 4d 89 c8 mov %r9,%r8
> 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
> 28: 0f 05 syscall
> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
> 30: 73 01 jae 0x33
> 32: c3 ret
> 33: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06f1
> 3a: f7 d8 neg %eax
> 3c: 64 89 01 mov %eax,%fs:(%rcx)
> 3f: 48 rex.W
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
> 6: 73 01 jae 0x9
> 8: c3 ret
> 9: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06c7
> 10: f7 d8 neg %eax
> 12: 64 89 01 mov %eax,%fs:(%rcx)
> 15: 48 rex.W
> [ 153.955810][ T402] RSP: 002b:00007ffccd7f7198 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> [ 153.957666][ T402] RAX: ffffffffffffffda RBX: 000055cc9f9fddd0 RCX: 00007f0f37df7719
> [ 153.959411][ T402] RDX: 0000000000000000 RSI: 000055cc9f9f24a0 RDI: 0000000000000004
> [ 153.961142][ T402] RBP: 000055cc9f9f24a0 R08: 0000000000000000 R09: 000055cc9f9ff250
> [ 153.962910][ T402] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000040000
> [ 153.964665][ T402] R13: 0000000000000000 R14: 000055cc9f9fdd80 R15: 0000000000000000
> [ 153.966393][ T402] </TASK>
> [ 153.967209][ T402]
> [ 153.967856][ T402] Memory state around the buggy address:
> [ 153.969123][ T402] BUG: unable to handle page fault for address: fffffbfff3ffffe0
> [ 153.970807][ T402] #PF: supervisor read access in kernel mode
> [ 153.972036][ T402] #PF: error_code(0x0000) - not-present page
> [ 153.973220][ T402] PGD 417fdb067 P4D 417fdb067 PUD 417fd7067 PMD 0
> [ 153.974560][ T402] Oops: Oops: 0000 [#1] PREEMPT KASAN
> [ 153.975758][ T402] CPU: 0 UID: 0 PID: 402 Comm: modprobe Tainted: G T 6.12.0-rc6-00146-g0f9b685626da #1 87c8486a909ba2f90eff061a4c9c1fa5c9cd90ea
> [ 153.978853][ T402] Tainted: [T]=RANDSTRUCT
> [ 153.979851][ T402] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [ 153.982008][ T402] RIP: 0010:kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
> [ 153.983368][ T402] Code: 40 08 48 89 43 58 5b 31 c0 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc 66 0f 1f 00 b8 ff ff 37 00 48 c1 ee 03 48 c1 e0 2a 48 01 c6 <48> 8b 06 48 89 07 48 8b 46 08 48 89 47 08 31 c0 31 f6 31 ff c3 cc
> All code
> ========
> 0: 40 08 48 89 rex or %cl,-0x77(%rax)
> 4: 43 58 rex.XB pop %r8
> 6: 5b pop %rbx
> 7: 31 c0 xor %eax,%eax
> 9: 31 d2 xor %edx,%edx
> b: 31 c9 xor %ecx,%ecx
> d: 31 f6 xor %esi,%esi
> f: 31 ff xor %edi,%edi
> 11: c3 ret
> 12: cc int3
> 13: cc int3
> 14: cc int3
> 15: cc int3
> 16: 66 0f 1f 00 nopw (%rax)
> 1a: b8 ff ff 37 00 mov $0x37ffff,%eax
> 1f: 48 c1 ee 03 shr $0x3,%rsi
> 23: 48 c1 e0 2a shl $0x2a,%rax
> 27: 48 01 c6 add %rax,%rsi
> 2a:* 48 8b 06 mov (%rsi),%rax <-- trapping instruction
> 2d: 48 89 07 mov %rax,(%rdi)
> 30: 48 8b 46 08 mov 0x8(%rsi),%rax
> 34: 48 89 47 08 mov %rax,0x8(%rdi)
> 38: 31 c0 xor %eax,%eax
> 3a: 31 f6 xor %esi,%esi
> 3c: 31 ff xor %edi,%edi
> 3e: c3 ret
> 3f: cc int3
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 8b 06 mov (%rsi),%rax
> 3: 48 89 07 mov %rax,(%rdi)
> 6: 48 8b 46 08 mov 0x8(%rsi),%rax
> a: 48 89 47 08 mov %rax,0x8(%rdi)
> e: 31 c0 xor %eax,%eax
> 10: 31 f6 xor %esi,%esi
> 12: 31 ff xor %edi,%edi
> 14: c3 ret
> 15: cc int3
> [ 153.987254][ T402] RSP: 0018:ffffc9000218f9f8 EFLAGS: 00010082
> [ 153.988595][ T402] RAX: dffffc0000000000 RBX: ffffffff9fffff00 RCX: 0000000000000000
> [ 153.990325][ T402] RDX: 0000000000000000 RSI: fffffbfff3ffffe0 RDI: ffffc9000218fa04
> [ 153.992086][ T402] RBP: 00000000fffffffe R08: 0000000000000000 R09: 0000000000000000
> [ 153.993786][ T402] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0000000
> [ 153.995554][ T402] R13: ffffffff864b4994 R14: ffffffff9fffff80 R15: 0000000000000028
> [ 153.997305][ T402] FS: 00007f0f37cf5040(0000) GS:ffffffff86989000(0000) knlGS:0000000000000000
> [ 153.999133][ T402] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 154.000578][ T402] CR2: fffffbfff3ffffe0 CR3: 0000000128853000 CR4: 00000000000006b0
> [ 154.002367][ T402] Call Trace:
> [ 154.003318][ T402] <TASK>
> [ 154.004087][ T402] ? __die_body (arch/x86/kernel/dumpstack.c:421)
> [ 154.005074][ T402] ? page_fault_oops (arch/x86/mm/fault.c:710)
> [ 154.006242][ T402] ? show_fault_oops (arch/x86/mm/fault.c:643)
> [ 154.007368][ T402] ? search_module_extables (kernel/module/main.c:3369)
> [ 154.008525][ T402] ? fixup_exception (arch/x86/mm/extable.c:321)
> [ 154.009629][ T402] ? exc_page_fault (arch/x86/mm/fault.c:1479 arch/x86/mm/fault.c:1539)
> [ 154.010771][ T402] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
> [ 154.011853][ T402] ? kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
> [ 154.013072][ T402] print_report (mm/kasan/report.c:466 mm/kasan/report.c:489)
> [ 154.014122][ T402] ? move_module (kernel/module/main.c:2357)
> [ 154.015238][ T402] kasan_report (mm/kasan/report.c:603)
> [ 154.016231][ T402] ? move_module (kernel/module/main.c:2357)
> [ 154.017255][ T402] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
> [ 154.018379][ T402] __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 1))
> [ 154.019400][ T402] move_module (kernel/module/main.c:2357)
> [ 154.020435][ T402] layout_and_allocate+0x446/0x523
> [ 154.021792][ T402] load_module (kernel/module/main.c:2985)
> [ 154.022822][ T402] ? mode_strip_umask (fs/namei.c:3248)
> [ 154.023928][ T402] init_module_from_file (kernel/module/main.c:3266)
> [ 154.025069][ T402] ? __ia32_sys_init_module (kernel/module/main.c:3266)
> [ 154.026265][ T402] ? __lock_release+0x106/0x38c
> [ 154.027496][ T402] ? idempotent_init_module (kernel/module/main.c:3301)
> [ 154.028688][ T402] ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
> [ 154.029766][ T402] idempotent_init_module (kernel/module/main.c:3302)
> [ 154.030985][ T402] ? init_module_from_file (kernel/module/main.c:3294)
> [ 154.032192][ T402] ? security_capable (security/security.c:1143)
> [ 154.033310][ T402] __do_sys_finit_module (include/linux/file.h:68 kernel/module/main.c:3330)
> [ 154.034478][ T402] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> [ 154.035532][ T402] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 154.036819][ T402] RIP: 0033:0x7f0f37df7719
> [ 154.037865][ T402] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
> All code
> ========
> 0: 08 89 e8 5b 5d c3 or %cl,-0x3ca2a418(%rcx)
> 6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
> d: 00 00 00
> 10: 90 nop
> 11: 48 89 f8 mov %rdi,%rax
> 14: 48 89 f7 mov %rsi,%rdi
> 17: 48 89 d6 mov %rdx,%rsi
> 1a: 48 89 ca mov %rcx,%rdx
> 1d: 4d 89 c2 mov %r8,%r10
> 20: 4d 89 c8 mov %r9,%r8
> 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
> 28: 0f 05 syscall
> 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
> 30: 73 01 jae 0x33
> 32: c3 ret
> 33: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06f1
> 3a: f7 d8 neg %eax
> 3c: 64 89 01 mov %eax,%fs:(%rcx)
> 3f: 48 rex.W
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
> 6: 73 01 jae 0x9
> 8: c3 ret
> 9: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06c7
> 10: f7 d8 neg %eax
> 12: 64 89 01 mov %eax,%fs:(%rcx)
> 15: 48 rex.W
>
>
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20241113/202411132111.6a221562-lkp@intel.com
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>
Powered by blists - more mailing lists