Message-ID: <2bd0b5b9-47fa-4373-a81d-bcc20a07e5fd@oracle.com>
Date: Thu, 21 Nov 2024 17:15:19 -0600
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: Jan Kara <jack@...e.cz>, "Bai, Shuangpeng" <SJB7183@....EDU>
Cc: "jack@...e.com" <jack@...e.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "syzkaller@...glegroups.com" <syzkaller@...glegroups.com>,
        jfs-discussion@...ts.sourceforge.net
Subject: Re: KASAN: wild-memory-access in dqput.part.0

On 11/18/24 5:04AM, Jan Kara wrote:
> Hello!
> 
> On Mon 18-11-24 04:32:38, Bai, Shuangpeng wrote:
>> Our tool found a new kernel bug KASAN: wild-memory-access in
>> dqput.part.0. Please see the details below.
>>
>> Kernel commit: v6.12 (upstream)
>> Kernel config: attachment
>> C/Syz reproducer: attachment
>>
>> [  341.442215][T17431] ==================================================================
>> [341.444194][T17431] BUG: KASAN: wild-memory-access in dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [  341.448056][T17431] Read of size 4 at addr 006d03ff00000150 by task a.out/17431
> 
> This is a call to atomic_read(&dquot->dq_count) inside dqput(). And the
> address 006d03ff00000150 shows that dqput() has just been called with bogus
> pointer. Which means that jfs2_evict_inode() calls dquot_drop() likely with
> uninitialized i_dquot array. Shaggy, can you have a look?

The i_dquot array gets initialized when the inode is allocated. Maybe it's being overwritten.

> 
> 								Honza
> 
>> [  341.449702][T17431]
>> [  341.450245][T17431] CPU: 1 UID: 0 PID: 17431 Comm: a.out Not tainted 6.12.0 #8
>> [  341.451865][T17431] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>> [  341.453827][T17431] Call Trace:
>> [  341.454559][T17431]  <TASK>
>> [341.455199][T17431] dump_stack_lvl (lib/dump_stack.c:123)
>> [341.457411][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [341.458459][T17431] kasan_report (mm/kasan/report.c:603)
>> [341.459399][T17431] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:737)
>> [341.460465][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [341.461472][T17431] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
>> [341.462560][T17431] dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [341.463548][T17431] __dquot_drop (fs/quota/dquot.c:422 fs/quota/dquot.c:1607)
>> [341.464548][T17431] ? __pfx___dquot_drop (fs/quota/dquot.c:1595)
>> [341.465592][T17431] ? mark_held_locks (kernel/locking/lockdep.c:4321)
>> [341.466683][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
>> [341.467852][T17431] dquot_drop (fs/quota/dquot.c:1633)
>> [341.468844][T17431] jfs_evict_inode (./include/linux/list.h:373 fs/jfs/inode.c:169)
>> [341.469841][T17431] ? __pfx_jfs_evict_inode (fs/jfs/inode.c:140)
>> [341.471018][T17431] evict (fs/inode.c:730)
>> [341.471878][T17431] ? __pfx_evict (fs/inode.c:701)
>> [341.472844][T17431] ? evict_inodes (fs/inode.c:828)
>> [341.473850][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833)
>> [341.474965][T17431] dispose_list (fs/inode.c:775)
>> [341.475931][T17431] evict_inodes (fs/inode.c:789)
>> [341.476929][T17431] ? __pfx_evict_inodes (fs/inode.c:789)
>> [341.478083][T17431] ? sync_blockdev (block/bdev.c:220)
>> [341.480239][T17431] generic_shutdown_super (fs/super.c:633)
>> [341.481352][T17431] kill_block_super (fs/super.c:1711)
>> [341.482294][T17431] deactivate_locked_super (fs/super.c:475)
>> [341.483433][T17431] deactivate_super (fs/super.c:508)
>> [341.484415][T17431] cleanup_mnt (fs/namespace.c:250 fs/namespace.c:1374)
>> [341.485400][T17431] task_work_run (kernel/task_work.c:241 (discriminator 1))
>> [341.486378][T17431] ? __pfx_task_work_run (kernel/task_work.c:207)
>> [341.487470][T17431] ? __put_net (net/core/net_namespace.c:675)
>> [341.488455][T17431] do_exit (kernel/exit.c:940)
>> [341.489372][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833)
>> [341.490389][T17431] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116)
>> [341.491477][T17431] ? __pfx_do_exit (kernel/exit.c:878)
>> [341.492477][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
>> [341.493553][T17431] do_group_exit (kernel/exit.c:1069)
>> [341.494577][T17431] __x64_sys_exit_group (kernel/exit.c:1097)
>> [341.495730][T17431] x64_sys_call (./arch/x86/include/generated/asm/syscalls_64.h:61)
>> [341.496761][T17431] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
>> [341.497753][T17431] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>> [  341.499093][T17431] RIP: 0033:0x7fb31b2de146
>> [ 341.500054][T17431] Code: Unable to access opcode bytes at 0x7fb31b2de11c.
>>
>> Code starting with the faulting instruction
>> ===========================================
>> [  341.501546][T17431] RSP: 002b:00007ffc5afbf7b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> [  341.503383][T17431] RAX: ffffffffffffffda RBX: 00007fb31b3e38a0 RCX: 00007fb31b2de146
>> [  341.505155][T17431] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
>> [  341.506907][T17431] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
>> [  341.508600][T17431] R10: 0000000000000002 R11: 0000000000000246 R12: 00007fb31b3e38a0
>> [  341.510320][T17431] R13: 0000000000000001 R14: 00007fb31b3ec2e8 R15: 0000000000000000
>> [  341.512053][T17431]  </TASK>
>> [  341.512753][T17431] ==================================================================
>> [  341.514883][T17431] Kernel panic - not syncing: KASAN: panic_on_warn set ...
>> [  341.516508][T17431] CPU: 1 UID: 0 PID: 17431 Comm: a.out Not tainted 6.12.0 #8
>> [  341.518075][T17431] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>> [  341.520110][T17431] Call Trace:
>> [  341.520841][T17431]  <TASK>
>> [341.521478][T17431] dump_stack_lvl (lib/dump_stack.c:124 (discriminator 7))
>> [341.522380][T17431] panic (kernel/panic.c:354)
>> [341.523136][T17431] ? mark_held_locks (kernel/locking/lockdep.c:4321)
>> [341.524057][T17431] ? __pfx_panic (kernel/panic.c:288)
>> [341.525001][T17431] ? irqentry_exit (kernel/entry/common.c:358)
>> [341.526063][T17431] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4468)
>> [341.527213][T17431] ? check_panic_on_warn (kernel/panic.c:242)
>> [341.528379][T17431] check_panic_on_warn (kernel/panic.c:243)
>> [341.529413][T17431] end_report (mm/kasan/report.c:226)
>> [341.530412][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [341.531436][T17431] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606)
>> [341.532391][T17431] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:737)
>> [341.533429][T17431] ? dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [341.534496][T17431] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
>> [341.535592][T17431] dqput.part.0 (./arch/x86/include/asm/atomic.h:23 ./include/linux/atomic/atomic-arch-fallback.h:457 ./include/linux/atomic/atomic-instrumented.h:33 fs/quota/dquot.c:867)
>> [341.536598][T17431] __dquot_drop (fs/quota/dquot.c:422 fs/quota/dquot.c:1607)
>> [341.537612][T17431] ? __pfx___dquot_drop (fs/quota/dquot.c:1595)
>> [341.538756][T17431] ? mark_held_locks (kernel/locking/lockdep.c:4321)
>> [341.539798][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
>> [341.540960][T17431] dquot_drop (fs/quota/dquot.c:1633)
>> [341.541927][T17431] jfs_evict_inode (./include/linux/list.h:373 fs/jfs/inode.c:169)
>> [341.542976][T17431] ? __pfx_jfs_evict_inode (fs/jfs/inode.c:140)
>> [341.544121][T17431] evict (fs/inode.c:730)
>> [341.544961][T17431] ? __pfx_evict (fs/inode.c:701)
>> [341.545974][T17431] ? evict_inodes (fs/inode.c:828)
>> [341.547059][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833)
>> [341.548146][T17431] dispose_list (fs/inode.c:775)
>> [341.549081][T17431] evict_inodes (fs/inode.c:789)
>> [341.550043][T17431] ? __pfx_evict_inodes (fs/inode.c:789)
>> [341.551081][T17431] ? sync_blockdev (block/bdev.c:220)
>> [341.552101][T17431] generic_shutdown_super (fs/super.c:633)
>> [341.553173][T17431] kill_block_super (fs/super.c:1711)
>> [341.554216][T17431] deactivate_locked_super (fs/super.c:475)
>> [341.555353][T17431] deactivate_super (fs/super.c:508)
>> [341.556360][T17431] cleanup_mnt (fs/namespace.c:250 fs/namespace.c:1374)
>> [341.557394][T17431] task_work_run (kernel/task_work.c:241 (discriminator 1))
>> [341.558438][T17431] ? __pfx_task_work_run (kernel/task_work.c:207)
>> [341.559595][T17431] ? __put_net (net/core/net_namespace.c:675)
>> [341.560526][T17431] do_exit (kernel/exit.c:940)
>> [341.561426][T17431] ? __pfx_lock_release (kernel/locking/lockdep.c:5833)
>> [341.562555][T17431] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116)
>> [341.563642][T17431] ? __pfx_do_exit (kernel/exit.c:878)
>> [341.564688][T17431] ? _raw_spin_unlock_irq (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./include/linux/spinlock_api_smp.h:159 kernel/locking/spinlock.c:202)
>> [341.565796][T17431] do_group_exit (kernel/exit.c:1069)
>> [341.566798][T17431] __x64_sys_exit_group (kernel/exit.c:1097)
>> [341.567988][T17431] x64_sys_call (./arch/x86/include/generated/asm/syscalls_64.h:61)
>> [341.569005][T17431] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
>> [341.569991][T17431] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
>> [  341.571281][T17431] RIP: 0033:0x7fb31b2de146
>> [ 341.572302][T17431] Code: Unable to access opcode bytes at 0x7fb31b2de11c.
>>
>> Code starting with the faulting instruction
>> ===========================================
>> [  341.573763][T17431] RSP: 002b:00007ffc5afbf7b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> [  341.575510][T17431] RAX: ffffffffffffffda RBX: 00007fb31b3e38a0 RCX: 00007fb31b2de146
>> [  341.577279][T17431] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
>> [  341.578979][T17431] RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffff80
>> [  341.580726][T17431] R10: 0000000000000002 R11: 0000000000000246 R12: 00007fb31b3e38a0
>> [  341.582427][T17431] R13: 0000000000000001 R14: 00007fb31b3ec2e8 R15: 0000000000000000
>> [  341.584109][T17431]  </TASK>
>> [  341.584889][T17431] Kernel Offset: disabled
>> [  341.585801][T17431] Rebooting in 86400 seconds..
>>
>>
>> Best,
>> Shuangpeng
>>
>>
> 
> 
> 
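
The address reasoning in Jan Kara's reply, as an added example that is not part of the original thread: it parses the KASAN access line quoted above and checks whether the reported address is canonical. The names `classify_addr` and `parse_kasan_access` are hypothetical, and x86-64 with 4-level paging (48-bit virtual addresses) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: x86-64 with 4-level paging (48-bit virtual addresses). */
enum addr_class { ADDR_NULL_PAGE, ADDR_USER_HALF, ADDR_KERNEL_HALF, ADDR_NON_CANONICAL };

struct kasan_access { int is_write; unsigned size; uint64_t addr; };

/* Canonical addresses have bits 63..47 all equal to bit 47. */
enum addr_class classify_addr(uint64_t a)
{
    uint64_t top = a >> 47;               /* the 17 high bits */
    if (top == 0)
        return a < 4096 ? ADDR_NULL_PAGE : ADDR_USER_HALF;
    if (top == 0x1ffff)
        return ADDR_KERNEL_HALF;
    return ADDR_NON_CANONICAL;            /* cannot be a valid pointer */
}

/* Parse "... Read|Write of size N at addr HEX ..."; returns 0 on success. */
int parse_kasan_access(const char *line, struct kasan_access *out)
{
    const char *p;
    unsigned long long addr;
    if ((p = strstr(line, "Read of size ")) != NULL)
        out->is_write = 0;
    else if ((p = strstr(line, "Write of size ")) != NULL)
        out->is_write = 1;
    else
        return -1;
    p = strchr(p, ' ') + 1;               /* skip the "Read"/"Write" word */
    if (sscanf(p, "of size %u at addr %llx", &out->size, &addr) != 2)
        return -1;
    out->addr = addr;
    return 0;
}

int main(void)
{
    const char *line = "[  341.448056][T17431] Read of size 4 at addr "
                       "006d03ff00000150 by task a.out/17431"; /* from the report */
    static const char *names[] = { "null page", "user half", "kernel half", "non-canonical" };
    struct kasan_access acc;
    if (parse_kasan_access(line, &acc) != 0) return 1;
    printf("%s of %u bytes at 0x%016llx: %s\n", acc.is_write ? "write" : "read",
           acc.size, (unsigned long long)acc.addr, names[classify_addr(acc.addr)]);
    return 0;
}
```
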
