Message-ID: <CABXGCsOCGWeZgzsXwSSOFqNxetsJhRbvqHCSG1iuQ7jMuFdo8g@mail.gmail.com>
Date: Thu, 29 May 2025 19:17:30 +0500
From: Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>
To: x0rw3ll@...il.com, rafael.j.wysocki@...el.com, linux-acpi@...r.kernel.org, 
	Linux List Kernel Mailing <linux-kernel@...r.kernel.org>, 
	Linux regressions mailing list <regressions@...ts.linux.dev>
Subject: 6.16-rc0/regression/bisected - commit ebf27765421c introduced a new
 warning KASAN: global-out-of-bounds in acpi_ut_safe_strncpy+0x1b

Hi,

Yesterday, after booting fresh kernel feacb1774bd5,
I spotted a new error message in the kernel log with the following stack trace:

[    3.032828] ==================================================================
[    3.032832] BUG: KASAN: global-out-of-bounds in acpi_ut_safe_strncpy+0x1b/0x60
[    3.032839] Read of size 16 at addr ffffffffa9d32760 by task swapper/0/1

[    3.032846] CPU: 16 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-feacb1774bd5+ #2 PREEMPT(lazy)
[    3.032849] Hardware name: ASUS System Product Name/ROG STRIX B650E-I GAMING WIFI, BIOS 3222 03/05/2025
[    3.032850] Call Trace:
[    3.032851]  <TASK>
[    3.032852]  dump_stack_lvl+0x84/0xd0
[    3.032855]  ? acpi_ut_safe_strncpy+0x1b/0x60
[    3.032857]  print_address_description.constprop.0+0x88/0x380
[    3.032859]  ? acpi_ut_safe_strncpy+0x1b/0x60
[    3.032861]  print_report+0xfc/0x1ff
[    3.032862]  ? __virt_addr_valid+0x267/0x500
[    3.032864]  ? acpi_ut_safe_strncpy+0x1b/0x60
[    3.032866]  kasan_report+0xb1/0x170
[    3.032867]  ? acpi_ut_safe_strncpy+0x1b/0x60
[    3.032870]  kasan_check_range+0x125/0x200
[    3.032872]  __asan_memcpy+0x23/0x60
[    3.032874]  acpi_ut_safe_strncpy+0x1b/0x60
[    3.032876]  acpi_ps_alloc_op+0x151/0x2f0
[    3.032878]  ? acpi_ns_get_normalized_pathname+0x76/0x1f0
[    3.032880]  acpi_ps_create_scope_op+0x1a/0x70
[    3.032882]  acpi_ps_execute_table+0x82/0x4a0
[    3.032884]  acpi_ns_execute_table+0x53b/0x8d0
[    3.032885]  ? __pfx_acpi_ns_execute_table+0x10/0x10
[    3.032887]  ? acpi_os_signal_semaphore+0xe7/0x140
[    3.032889]  ? acpi_ut_debug_dump_buffer+0x11/0x100
[    3.032891]  ? acpi_ut_release_mutex+0x1ce/0x3a0
[    3.032893]  ? __pfx_acpi_ut_trace+0x10/0x10
[    3.032895]  ? __pfx_acpi_init+0x10/0x10
[    3.032898]  acpi_ns_parse_table+0xa5/0x130
[    3.032899]  acpi_ns_load_table+0x9d/0x3e0
[    3.032901]  acpi_tb_load_namespace+0x25d/0x790
[    3.032902]  ? acpi_ev_install_region_handlers+0xfe/0x180
[    3.032905]  ? __pfx_acpi_init+0x10/0x10
[    3.032906]  acpi_load_tables+0x76/0x110
[    3.032908]  acpi_bus_init+0x83/0x5e0
[    3.032909]  ? __pfx_acpi_bus_init+0x10/0x10
[    3.032911]  ? __pfx_up+0x10/0x10
[    3.032913]  ? __pfx_acpi_pcc_address_space_handler+0x10/0x10
[    3.032915]  ? acpi_ev_install_space_handler+0x469/0x870
[    3.032917]  ? __pfx_acpi_pcc_address_space_setup+0x10/0x10
[    3.032918]  ? acpi_os_signal_semaphore+0xe7/0x140
[    3.032920]  ? acpi_ut_release_mutex+0x1ce/0x3a0
[    3.032922]  ? __pfx_acpi_pcc_address_space_setup+0x10/0x10
[    3.032923]  ? __pfx_acpi_pcc_address_space_handler+0x10/0x10
[    3.032924]  ? acpi_install_address_space_handler_internal+0xc3/0x140
[    3.032927]  acpi_init+0x105/0x290
[    3.032929]  ? __pfx_acpi_init+0x10/0x10
[    3.032930]  ? __pfx_fbmem_init+0x10/0x10
[    3.032931]  ? fbcon_output_notifier.cold+0x4a/0x63
[    3.032933]  do_one_initcall+0xd2/0x450
[    3.032934]  ? __pfx_do_one_initcall+0x10/0x10
[    3.032936]  ? do_initcalls+0x2c/0x240
[    3.032939]  do_initcalls+0x216/0x240
[    3.032941]  kernel_init_freeable+0x299/0x2d0
[    3.032943]  ? __pfx_kernel_init+0x10/0x10
[    3.032945]  kernel_init+0x1c/0x150
[    3.032946]  ? __pfx_kernel_init+0x10/0x10
[    3.032947]  ret_from_fork+0x3ef/0x510
[    3.032949]  ? __pfx_kernel_init+0x10/0x10
[    3.032950]  ? __pfx_kernel_init+0x10/0x10
[    3.032951]  ret_from_fork_asm+0x1a/0x30
[    3.032954]  </TASK>

[    3.033047] The buggy address belongs to the variable:
[    3.033049]  _acpi_module_name+0x240/0x20c0

[    3.033055] The buggy address belongs to the physical page:
[    3.033058] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x67c132
[    3.033063] flags: 0x17ffffc0002000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[    3.033068] raw: 0017ffffc0002000 ffffea0019f04c88 ffffea0019f04c88 0000000000000000
[    3.033072] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[    3.033075] page dumped because: kasan: bad access detected

[    3.033080] Memory state around the buggy address:
[    3.033082]  ffffffffa9d32600: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9
[    3.033086]  ffffffffa9d32680: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 03 f9 f9
[    3.033089] >ffffffffa9d32700: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
[    3.033092]                                                        ^
[    3.033095]  ffffffffa9d32780: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
[    3.033098]  ffffffffa9d32800: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
[    3.033101] ==================================================================

git blame says the first bad commit is ebf27765421c:

commit ebf27765421c9238b7835d32a95e4a7fb8db26a4
Author: Ahmed Salem <x0rw3ll@...il.com>
Date:   Fri Apr 25 21:32:12 2025 +0200

    ACPICA: Replace strncpy() with memcpy()

    ACPICA commit 83019b471e1902151e67c588014ba2d09fa099a3

    strncpy() is deprecated for NUL-terminated destination buffers[1].

    Use memcpy() for length-bounded destinations.

    Link: https://github.com/KSPP/linux/issues/90 [1]
    Link: https://github.com/acpica/acpica/commit/83019b47
    Signed-off-by: Ahmed Salem <x0rw3ll@...il.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@...el.com>
    Link: https://patch.msgid.link/1910878.atdPhlSkOF@rjwysocki.net

 drivers/acpi/acpica/exconvrt.c  | 4 ++--
 drivers/acpi/acpica/tbfind.c    | 4 ++--
 drivers/acpi/acpica/utnonansi.c | 2 +-
 include/acpi/actypes.h          | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

And yes, I can confirm this catch.
The kernel with ebf27765421c reverted no longer triggers this error message.

> sh /usr/src/kernels/6.16.0-0.rc0.250528gfeacb1774bd5.5.fc43.x86_64+debug/scripts/faddr2line /lib/debug/lib/modules/6.16.0-0.rc0.250528gfeacb1774bd5.5.fc43.x86_64+debug/vmlinux acpi_ut_safe_strncpy+0x1b
acpi_ut_safe_strncpy+0x1b/0x60:
acpi_ut_safe_strncpy at drivers/acpi/acpica/utnonansi.c:172

Ahmed, let me know if you need further logs or help reproducing.

Full hardware specs are here:
https://linux-hardware.org/?probe=1244406425

I’m also attaching build config, full bisect logs, and kernel logs
from each bisect step in archives.

-- 
Best Regards,
Mike Gavrilov.

Download attachment ".config.zip" of type "application/zip" (69236 bytes)

Download attachment "bisect-log-kasan-global-out-of-bounds-in-acpi_ut_safe_strncpy.zip" of type "application/zip" (1235 bytes)

Download attachment "dmesg.zip" of type "application/zip" (700780 bytes)
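
Added example, not part of the original message and not ACPICA source: a user-space model of why swapping strncpy() for a fixed-length memcpy() turns a short source string into an over-read like the 16-byte one KASAN flags above. The helper names, the marker-filled arena and the 6-byte sample source "Scope" are constructed for illustration; the arena keeps every read inside one array so the program is safe to run.

```c
#include <stddef.h>
#include <string.h>

#define NAME_SIZE 16   /* destination size; the report shows a 16-byte read */
#define MARK '#'       /* constructed filler standing in for whatever follows the source */

typedef void (*copy_fn)(char *dst, const char *src, size_t dst_size);

/* Model of a fixed-length copy: memcpy the whole destination size, then terminate. */
void copy_fixed_memcpy(char *dst, const char *src, size_t dst_size)
{
    memcpy(dst, src, dst_size);          /* reads dst_size bytes no matter where src ends */
    dst[dst_size - 1] = '\0';
}

/* Bounded form: never reads src past its NUL, still always terminates dst. */
void copy_bounded(char *dst, const char *src, size_t dst_size)
{
    const char *nul = memchr(src, '\0', dst_size - 1);
    size_t n = nul ? (size_t)(nul - src) : dst_size - 1;

    memcpy(dst, src, n);
    memset(dst + n, 0, dst_size - n);    /* zero padding, as strncpy() would */
}

/* Place text at the start of a marker-filled arena, copy it out, and count the
 * marker bytes that reached dst: each one came from beyond the source string. */
size_t bytes_from_beyond_source(copy_fn copy, const char *text)
{
    char arena[64], dst[NAME_SIZE];
    size_t i, leaked = 0, len = strlen(text);

    if (len + 1 > sizeof(arena) - NAME_SIZE)
        return (size_t)-1;               /* sample too long for this arena */
    memset(arena, MARK, sizeof(arena));
    memcpy(arena, text, len + 1);        /* source object = text plus its NUL */
    copy(dst, arena, sizeof(dst));
    for (i = 0; i < sizeof(dst); i++)
        leaked += (dst[i] == MARK);
    return leaked;
}

int main(void)
{
    /* "Scope" is a constructed 6-byte sample source (5 characters plus NUL). */
    return bytes_from_beyond_source(copy_fixed_memcpy, "Scope") == 9 &&
           bytes_from_beyond_source(copy_bounded, "Scope") == 0 ? 0 : 1;
}
```

In the kernel the bytes after a short global are a KASAN redzone rather than a friendly arena, which is why the same access pattern is reported as global-out-of-bounds.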
