| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3A6D2300-7787-4C96-8509-B8D5907B9135@psu.edu> Date: Mon, 18 Nov 2024 04:32:38 +0000 From: "Bai, Shuangpeng" <SJB7183@....EDU> To: "jack@...e.com" <jack@...e.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> CC: "syzkaller@...glegroups.com" <syzkaller@...glegroups.com> Subject: KASAN: wild-memory-access in dqput.part.0 Hi Kernel Maintainers, Our tool found a new kernel bug KASAN: wild-memory-access in dqput.part.0. Please see the details below. Kernel commit: v6.12 (upstream) Kernel config: attachment C/Syz reproducer: attachment [ 341.442215][T17431] ================================================================== [341.444194][T17431] BUG: KASAN: wild-memory-access in dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [ 341.448056][T17431] Read of size 4 at addr 006d03ff00000150 by task a.out/17431 [ 341.449702][T17431] [ 341.450245][T17431] CPU: 1 UID: 0 PID: 17431 Comm: a.out Not tainted 6.12.0 #8 [ 341.451865][T17431] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 341.453827][T17431] Call Trace: [ 341.454559][T17431] <TASK> [341.455199][T17431] dump_stack_lvl (lib/dump_stack.c:123) [341.457411][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [341.458459][T17431] kasan_report (mm/kasan/report.c:603) [341.459399][T17431] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:737) [341.460465][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [341.461472][T17431] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) [341.462560][T17431] dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [341.463548][T17431] __dquot_drop (fs/quota/dquot.c:422 fs/quota/dquot.c:1607) [341.464548][T17431] ? __pfx___dquot_drop (fs/quota/dquot.c:1595) [341.465592][T17431] ? mark_held_locks (kernel/locking/lockdep.c:4321) [341.466683][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202) [341.467852][T17431] dquot_drop (fs/quota/dquot.c:1633) [341.468844][T17431] jfs_evict_inode (./include/linux/list.h:373 fs/jfs/inode.c:169) [341.469841][T17431] ? __pfx_jfs_evict_inode (fs/jfs/inode.c:140) [341.471018][T17431] evict (fs/inode.c:730) [341.471878][T17431] ? __pfx_evict (fs/inode.c:701) [341.472844][T17431] ? evict_inodes (fs/inode.c:828) [341.473850][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833) [341.474965][T17431] dispose_list (fs/inode.c:775) [341.475931][T17431] evict_inodes (fs/inode.c:789) [341.476929][T17431] ? __pfx_evict_inodes (fs/inode.c:789) [341.478083][T17431] ? sync_blockdev (block/bdev.c:220) [341.480239][T17431] generic_shutdown_super (fs/super.c:633) [341.481352][T17431] kill_block_super (fs/super.c:1711) [341.482294][T17431] deactivate_locked_super (fs/super.c:475) [341.483433][T17431] deactivate_super (fs/super.c:508) [341.484415][T17431] cleanup_mnt (fs/namespace.c:250 fs/namespace.c:1374) [341.485400][T17431] task_work_run (kernel/task_work.c:241 (discriminator 1)) [341.486378][T17431] ? __pfx_task_work_run (kernel/task_work.c:207) [341.487470][T17431] ? __put_net (net/core/net_namespace.c:675) [341.488455][T17431] do_exit (kernel/exit.c:940) [341.489372][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833) [341.490389][T17431] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116) [341.491477][T17431] ? __pfx_do_exit (kernel/exit.c:878) [341.492477][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202) [341.493553][T17431] do_group_exit (kernel/exit.c:1069) [341.494577][T17431] __x64_sys_exit_group (kernel/exit.c:1097) [341.495730][T17431] x64_sys_call (./arch/x86/include/generated/asm/syscalls_64.h:61) [341.496761][T17431] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [341.497753][T17431] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 341.499093][T17431] RIP: 0033:0x7fb31b2de146 [ 341.500054][T17431] Code: Unable to access opcode bytes at 0x7fb31b2de11c. Code starting with the faulting instruction =========================================== [ 341.501546][T17431] RSP: 002b:00007ffc5afbf7b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 341.503383][T17431] RAX: ffffffffffffffda RBX: 00007fb31b3e38a0 RCX: 00007fb31b2de146 [ 341.505155][T17431] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 [ 341.506907][T17431] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80 [ 341.508600][T17431] R10: 0000000000000002 R11: 0000000000000246 R12: 00007fb31b3e38a0 [ 341.510320][T17431] R13: 0000000000000001 R14: 00007fb31b3ec2e8 R15: 0000000000000000 [ 341.512053][T17431] </TASK> [ 341.512753][T17431] ================================================================== [ 341.514883][T17431] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 341.516508][T17431] CPU: 1 UID: 0 PID: 17431 Comm: a.out Not tainted 6.12.0 #8 [ 341.518075][T17431] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 341.520110][T17431] Call Trace: [ 341.520841][T17431] <TASK> [341.521478][T17431] dump_stack_lvl (lib/dump_stack.c:124 (discriminator 7)) [341.522380][T17431] panic (kernel/panic.c:354) [341.523136][T17431] ? mark_held_locks (kernel/locking/lockdep.c:4321) [341.524057][T17431] ? __pfx_panic (kernel/panic.c:288) [341.525001][T17431] ? irqentry_exit (kernel/entry/common.c:358) [341.526063][T17431] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4468) [341.527213][T17431] ? check_panic_on_warn (kernel/panic.c:242) [341.528379][T17431] check_panic_on_warn (kernel/panic.c:243) [341.529413][T17431] end_report (mm/kasan/report.c:226) [341.530412][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [341.531436][T17431] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) [341.532391][T17431] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:737) [341.533429][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [341.534496][T17431] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) [341.535592][T17431] dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867) [341.536598][T17431] __dquot_drop (fs/quota/dquot.c:422 fs/quota/dquot.c:1607) [341.537612][T17431] ? __pfx___dquot_drop (fs/quota/dquot.c:1595) [341.538756][T17431] ? mark_held_locks (kernel/locking/lockdep.c:4321) [341.539798][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202) [341.540960][T17431] dquot_drop (fs/quota/dquot.c:1633) [341.541927][T17431] jfs_evict_inode (./include/linux/list.h:373 fs/jfs/inode.c:169) [341.542976][T17431] ? __pfx_jfs_evict_inode (fs/jfs/inode.c:140) [341.544121][T17431] evict (fs/inode.c:730) [341.544961][T17431] ? __pfx_evict (fs/inode.c:701) [341.545974][T17431] ? evict_inodes (fs/inode.c:828) [341.547059][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833) [341.548146][T17431] dispose_list (fs/inode.c:775) [341.549081][T17431] evict_inodes (fs/inode.c:789) [341.550043][T17431] ? __pfx_evict_inodes (fs/inode.c:789) [341.551081][T17431] ? sync_blockdev (block/bdev.c:220) [341.552101][T17431] generic_shutdown_super (fs/super.c:633) [341.553173][T17431] kill_block_super (fs/super.c:1711) [341.554216][T17431] deactivate_locked_super (fs/super.c:475) [341.555353][T17431] deactivate_super (fs/super.c:508) [341.556360][T17431] cleanup_mnt (fs/namespace.c:250 fs/namespace.c:1374) [341.557394][T17431] task_work_run (kernel/task_work.c:241 (discriminator 1)) [341.558438][T17431] ? __pfx_task_work_run (kernel/task_work.c:207) [341.559595][T17431] ? __put_net (net/core/net_namespace.c:675) [341.560526][T17431] do_exit (kernel/exit.c:940) [341.561426][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833) [341.562555][T17431] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116) [341.563642][T17431] ? __pfx_do_exit (kernel/exit.c:878) [341.564688][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202) [341.565796][T17431] do_group_exit (kernel/exit.c:1069) [341.566798][T17431] __x64_sys_exit_group (kernel/exit.c:1097) [341.567988][T17431] x64_sys_call (./arch/x86/include/generated/asm/syscalls_64.h:61) [341.569005][T17431] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [341.569991][T17431] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) [ 341.571281][T17431] RIP: 0033:0x7fb31b2de146 [ 341.572302][T17431] Code: Unable to access opcode bytes at 0x7fb31b2de11c. Code starting with the faulting instruction =========================================== [ 341.573763][T17431] RSP: 002b:00007ffc5afbf7b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 341.575510][T17431] RAX: ffffffffffffffda RBX: 00007fb31b3e38a0 RCX: 00007fb31b2de146 [ 341.577279][T17431] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 [ 341.578979][T17431] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80 [ 341.580726][T17431] R10: 0000000000000002 R11: 0000000000000246 R12: 00007fb31b3e38a0 [ 341.582427][T17431] R13: 0000000000000001 R14: 00007fb31b3ec2e8 R15: 0000000000000000 [ 341.584109][T17431] </TASK> [ 341.584889][T17431] Kernel Offset: disabled [ 341.585801][T17431] Rebooting in 86400 seconds.. Best, Shuangpeng Content of type "text/html" skipped Download attachment "config" of type "application/octet-stream" (263743 bytes) Download attachment "repro.c" of type "application/octet-stream" (128731 bytes)
Powered by blists - more mailing lists