Message-ID: <68c5321c.050a0220.2ff435.0374.GAE@google.com>
Date: Sat, 13 Sep 2025 01:58:04 -0700
From: syzbot <syzbot+e34177f6091df113ef20@...kaller.appspotmail.com>
To: chandna.linuxkernel@...il.com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [kernel?] KASAN: slab-out-of-bounds Read in change_page_attr_set_clr

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[    0.117687][    T0] On node 0, zone DMA: 1 pages in unavailable ranges
[    0.118945][    T0] On node 0, zone DMA: 97 pages in unavailable ranges
[    0.191858][    T0] On node 0, zone Normal: 3 pages in unavailable ranges
[    0.591055][    T0] KernelAddressSanitizer initialized (generic)
[    0.592543][    T0] ACPI: PM-Timer IO Port: 0xb008
[    0.593237][    T0] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[    0.594216][    T0] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[    0.595248][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[    0.596231][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.597251][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[    0.598341][    T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[    0.599361][    T0] ACPI: Using ACPI (MADT) for SMP configuration information
[    0.600305][    T0] CPU topo: Max. logical packages:   1
[    0.601019][    T0] CPU topo: Max. logical dies:       1
[    0.601741][    T0] CPU topo: Max. dies per package:   1
[    0.602451][    T0] CPU topo: Max. threads per core:   2
[    0.603170][    T0] CPU topo: Num. cores per package:     1
[    0.604190][    T0] CPU topo: Num. threads per package:   2
[    0.605342][    T0] CPU topo: Allowing 2 present CPUs plus 0 hotplug CPUs
[    0.607146][    T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[    0.608518][    T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x000fffff]
[    0.609600][    T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xffffffff]
[    0.610790][    T0] [mem 0xc0000000-0xfffbbfff] available for PCI devices
[    0.611783][    T0] Booting paravirtualized kernel on KVM
[    0.612589][    T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.710223][    T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[    0.713115][    T0] percpu: Embedded 70 pages/cpu s246472 r8192 d32056 u1048576
[    0.714761][    T0] kvm-guest: PV spinlocks enabled
[    0.715870][    T0] PV qspinlock hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.717508][    T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=64 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=32 rose.rose_ndevs=32 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=32 max_loop=32 nbds_max=32 comedi.comedi
[    0.721851][    T0] Unknown kernel command line parameters "spec_store_bypass_disable=prctl nbds_max=32", will be passed to user space.
[    0.740391][    T0] random: crng init done
[    0.741353][    T0] printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes
[    0.743154][    T0] software IO TLB: area num 2.
[    0.774274][    T0] Fallback order for Node 0: 0 1 
[    0.774296][    T0] Fallback order for Node 1: 1 0 
[    0.774309][    T0] Built 2 zonelists, mobility grouping on.  Total pages: 2097051
[    0.777680][    T0] Policy zone: Normal
[    0.778999][    T0] mem auto-init: stack:all(zero), heap alloc:on, heap free:off
[    0.780853][    T0] stackdepot: allocating hash table via alloc_large_system_hash
[    0.782531][    T0] stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear)
[    0.789345][    T0] stackdepot: allocating space for 8192 stack pools via memblock
[    1.500850][    T0] **********************************************************
[    1.502043][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    1.503166][    T0] **                                                      **
[    1.504232][    T0] ** This system shows unhashed kernel memory addresses   **
[    1.505248][    T0] ** via the console, logs, and other interfaces. This    **
[    1.506238][    T0] ** might reduce the security of your system.            **
[    1.507271][    T0] **                                                      **
[    1.508232][    T0] ** If you see this message and you are not debugging    **
[    1.509932][    T0] ** the kernel, report this immediately to your system   **
[    1.511161][    T0] ** administrator!                                       **
[    1.512178][    T0] **                                                      **
[    1.513153][    T0] ** Use hash_pointers=always to force this mode off      **
[    1.514361][    T0] **                                                      **
[    1.515322][    T0] **   NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE   **
[    1.516374][    T0] **********************************************************
[    1.519323][    T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[    1.641406][    T0] allocated 167772160 bytes of page_ext
[    1.642504][    T0] Node 0, zone      DMA: page owner found early allocated 0 pages
[    1.658376][    T0] Node 0, zone    DMA32: page owner found early allocated 21222 pages
[    1.665126][    T0] Node 0, zone   Normal: page owner found early allocated 0 pages
[    1.677811][    T0] Node 1, zone   Normal: page owner found early allocated 19843 pages
[    1.680062][    T0] Kernel/User page tables isolation: enabled
[    1.681474][    T0] ------------[ cut here ]------------
[    1.682278][    T0] WARNING: arch/x86/mm/pat/set_memory.c:308 at __change_page_attr_set_clr+0x493/0x27d0, CPU#0: swapper/0
[    1.685037][    T0] Modules linked in:
[    1.685814][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted syzkaller #0 PREEMPT(undef) 
[    1.687198][    T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
[    1.688616][    T0] RIP: 0010:__change_page_attr_set_clr+0x493/0x27d0
[    1.689528][    T0] Code: 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 72 05 ae 00 49 c1 e7 0c 4d 03 3e 4d 89 fe e9 84 00 00 00 e8 4e 83 49 00 90 <0f> 0b 90 45 31 f6 eb 76 e8 40 83 49 00 48 8b 84 24 d0 00 00 00 42
[    1.692899][    T0] RSP: 0000:ffffffff8e2079c0 EFLAGS: 00010093
[    1.694082][    T0] RAX: ffffffff817689f2 RBX: ffffffff8e207da0 RCX: ffffffff8e2951c0
[    1.695136][    T0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8e207940
[    1.696263][    T0] RBP: ffffffff8e207c70 R08: 0000000000000003 R09: 0000000000000004
[    1.697533][    T0] R10: dffffc0000000000 R11: fffffbfff1c40f28 R12: dffffc0000000000
[    1.698807][    T0] R13: ffffffff8e207d68 R14: ffffffff8e207d80 R15: 0000000000000000
[    1.700400][    T0] FS:  0000000000000000(0000) GS:ffff8881257a7000(0000) knlGS:0000000000000000
[    1.701650][    T0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.702993][    T0] CR2: ffff88823ffff000 CR3: 000000000e338000 CR4: 00000000000000b0
[    1.704598][    T0] Call Trace:
[    1.705070][    T0]  <TASK>
[    1.705835][    T0]  ? rcu_is_watching+0x15/0xb0
[    1.706667][    T0]  ? _vm_unmap_aliases+0x747/0x7b0
[    1.707668][    T0]  ? _vm_unmap_aliases+0x1b2/0x7b0
[    1.708569][    T0]  ? __pfx___change_page_attr_set_clr+0x10/0x10
[    1.709581][    T0]  ? __pfx_get_page_from_freelist+0x10/0x10
[    1.710500][    T0]  ? 0xffffffff81000000
[    1.711200][    T0]  change_page_attr_set_clr+0x37f/0x1140
[    1.712132][    T0]  ? __alloc_frozen_pages_noprof+0x1d6/0x370
[    1.713012][    T0]  ? __pfx_change_page_attr_set_clr+0x10/0x10
[    1.713991][    T0]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[    1.714991][    T0]  ? pti_user_pagetable_walk_p4d+0x392/0x3c0
[    1.716094][    T0]  ? 0xffffffff81000000
[    1.716884][    T0]  set_memory_nonglobal+0x8c/0xd0
[    1.717658][    T0]  ? __pfx_set_memory_nonglobal+0x10/0x10
[    1.719436][    T0]  ? pti_user_pagetable_walk_pte+0x12c/0x1f0
[    1.720219][    T0]  ? 0xffffffff81000000
[    1.720849][    T0]  ? pti_clone_user_shared+0xe7/0x260
[    1.721561][    T0]  pti_init+0x7b/0xb0
[    1.722159][    T0]  mm_core_init+0x60/0x70
[    1.722884][    T0]  start_kernel+0x16c/0x410
[    1.723747][    T0]  x86_64_start_reservations+0x24/0x30
[    1.724587][    T0]  x86_64_start_kernel+0x143/0x1c0
[    1.725381][    T0]  common_startup_64+0x13e/0x147
[    1.726093][    T0]  </TASK>
[    1.726518][    T0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[    1.727483][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted syzkaller #0 PREEMPT(undef) 
[    1.728683][    T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
[    1.729972][    T0] Call Trace:
[    1.730396][    T0]  <TASK>
[    1.730934][    T0]  dump_stack_lvl+0x99/0x250
[    1.731550][    T0]  ? __asan_memcpy+0x40/0x70
[    1.732221][    T0]  ? __pfx_dump_stack_lvl+0x10/0x10
[    1.733092][    T0]  ? __pfx__printk+0x10/0x10
[    1.733749][    T0]  vpanic+0x237/0x6d0
[    1.734283][    T0]  ? __pfx_vpanic+0x10/0x10
[    1.734950][    T0]  ? is_bpf_text_address+0x292/0x2b0
[    1.735846][    T0]  ? is_bpf_text_address+0x26/0x2b0
[    1.736715][    T0]  panic+0xb9/0xc0
[    1.737552][    T0]  ? __pfx_panic+0x10/0x10
[    1.738251][    T0]  ? common_startup_64+0x13e/0x147
[    1.739224][    T0]  __warn+0x334/0x4c0
[    1.739919][    T0]  ? __change_page_attr_set_clr+0x493/0x27d0
[    1.740968][    T0]  ? __change_page_attr_set_clr+0x493/0x27d0
[    1.742023][    T0]  report_bug+0x2be/0x4f0
[    1.742881][    T0]  ? __change_page_attr_set_clr+0x493/0x27d0
[    1.743797][    T0]  ? __change_page_attr_set_clr+0x493/0x27d0
[    1.744810][    T0]  ? __change_page_attr_set_clr+0x495/0x27d0
[    1.745668][    T0]  handle_bug+0x84/0x160
[    1.746373][    T0]  exc_invalid_op+0x1a/0x50
[    1.747033][    T0]  asm_exc_invalid_op+0x1a/0x20
[    1.747839][    T0] RIP: 0010:__change_page_attr_set_clr+0x493/0x27d0
[    1.748968][    T0] Code: 89 f0 48 c1 e8 0serialport: Connected to syzkaller.us-central1-c.ci-upstream-rust-kasan-gce-test-job-parallel-1 port 1 (session ID: 3978b10c74a07ae5fe60c93b7c11c75e17aef18e4a4f5fae07a6404b7404a6d6, active connections: 1).
3 42 80 3c 20 00 74 08 4c 89 f7 e8 72 05 ae 00 49 c1 e7 0c 4d 03 3e 4d 89 fe e9 84 00 00 00 e8 4e 83 49 00 90 <0f> 0b 90 45 31 f6 eb 76 e8 40 83 49 00 48 8b 84 24 d0 00 00 00 42
[    1.751892][    T0] RSP: 0000:ffffffff8e2079c0 EFLAGS: 00010093
[    1.753993][    T0] RAX: ffffffff817689f2 RBX: ffffffff8e207da0 RCX: ffffffff8e2951c0
[    1.755939][    T0] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8e207940
[    1.757076][    T0] RBP: ffffffff8e207c70 R08: 0000000000000003 R09: 0000000000000004
[    1.758228][    T0] R10: dffffc0000000000 R11: fffffbfff1c40f28 R12: dffffc0000000000
[    1.759282][    T0] R13: ffffffff8e207d68 R14: ffffffff8e207d80 R15: 0000000000000000
[    1.761464][    T0]  ? __change_page_attr_set_clr+0x492/0x27d0
[    1.762846][    T0]  ? rcu_is_watching+0x15/0xb0
[    1.763703][    T0]  ? _vm_unmap_aliases+0x747/0x7b0
[    1.764626][    T0]  ? _vm_unmap_aliases+0x1b2/0x7b0
[    1.765487][    T0]  ? __pfx___change_page_attr_set_clr+0x10/0x10
[    1.766404][    T0]  ? __pfx_get_page_from_freelist+0x10/0x10
[    1.767363][    T0]  ? 0xffffffff81000000
[    1.767965][    T0]  change_page_attr_set_clr+0x37f/0x1140
[    1.769234][    T0]  ? __alloc_frozen_pages_noprof+0x1d6/0x370
[    1.770220][    T0]  ? __pfx_change_page_attr_set_clr+0x10/0x10
[    1.771366][    T0]  ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[    1.772390][    T0]  ? pti_user_pagetable_walk_p4d+0x392/0x3c0
[    1.773669][    T0]  ? 0xffffffff81000000
[    1.774543][    T0]  set_memory_nonglobal+0x8c/0xd0
[    1.775459][    T0]  ? __pfx_set_memory_nonglobal+0x10/0x10
[    1.776456][    T0]  ? pti_user_pagetable_walk_pte+0x12c/0x1f0
[    1.777710][    T0]  ? 0xffffffff81000000
[    1.778487][    T0]  ? pti_clone_user_shared+0xe7/0x260
[    1.779634][    T0]  pti_init+0x7b/0xb0
[    1.780784][    T0]  mm_core_init+0x60/0x70
[    1.781379][    T0]  start_kernel+0x16c/0x410
[    1.782159][    T0]  x86_64_start_reservations+0x24/0x30
[    1.782881][    T0]  x86_64_start_kernel+0x143/0x1c0
[    1.783781][    T0]  common_startup_64+0x13e/0x147
[    1.784601][    T0]  </TASK>
[    1.785269][    T0] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4080916303=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 96a211bca8b
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=96a211bca8bcc72de621f8990d476177d3463857 -X github.com/google/syzkaller/prog.gitRevisionDate=20250902-105110"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=96a211bca8bcc72de621f8990d476177d3463857 -X github.com/google/syzkaller/prog.gitRevisionDate=20250902-105110"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=96a211bca8bcc72de621f8990d476177d3463857 -X github.com/google/syzkaller/prog.gitRevisionDate=20250902-105110"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"96a211bca8bcc72de621f8990d476177d3463857\"
/usr/bin/ld: /tmp/ccVWXFPq.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12e65934580000


Tested on:

commit:         590b221e Add linux-next specific files for 20250912
git tree:       linux-next
kernel config:  https://syzkaller.appspot.com/x/.config?x=9134e501f17b95a4
dashboard link: https://syzkaller.appspot.com/bug?extid=e34177f6091df113ef20
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=100dd642580000

