Message-ID: <3c3d3956-250c-4216-9ebf-c85cf31fa2ba@huaweicloud.com>
Date: Mon, 22 Sep 2025 09:49:37 +0800
From: Tengda Wu <wutengda@...weicloud.com>
To: Andrey Ryabinin <ryabinin.a.a@...il.com>, x86@...nel.org,
jpoimboe@...nel.org, Dave Hansen <dave.hansen@...ux.intel.com>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Alexander Potapenko <glider@...gle.com>,
Andrey Konovalov <andreyknvl@...il.com>, Borislav Petkov <bp@...en8.de>,
Dmitry Vyukov <dvyukov@...gle.com>, Ingo Molnar <mingo@...hat.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH -next v3] x86/dumpstack: Prevent KASAN false positive
warnings in __show_regs

Gentle Reminder: Patch Not Merged Yet

Hi,

Just a quick follow-up on my patch that got acked and reviewed over two weeks
ago. Could you please check on its status? Let me know if anything is needed
from my side.

Thanks,
Tengda

On 2025/9/5 22:12, Andrey Ryabinin wrote:
>
>
> On 8/30/25 11:25 AM, Tengda Wu wrote:
>> When task A walks task B's stack without suspending it, the continuous
>> changes in task B's stack (and corresponding KASAN shadow tags) may cause
>> task A to hit KASAN redzones when accessing obsolete values on the stack,
>> resulting in false positive reports. [1][2]
>>
>> The specific issue occurs as follows:
>>
>>   Task A (walk other tasks' stacks)      Task B (running)
>>   1. echo t > /proc/sysrq-trigger
>>
>>   show_trace_log_lvl
>>     regs = unwind_get_entry_regs()
>>     show_regs_if_on_stack(regs)
>>                                          2. The stack data pointed by
>>                                             `regs` keeps changing, and
>>                                             so are the tags in its
>>                                             KASAN shadow region.
>>       __show_regs(regs)
>>         regs->ax, regs->bx, ...
>>           3. hit KASAN redzones, OOB
>>
>> Fix this by detecting asynchronous stack unwinding scenarios through
>> `task != current` during unwinding, and disabling KASAN checks when this
>> scenario occurs.
>>
>> [1] https://lore.kernel.org/all/000000000000cb8e3a05c4ed84bb@google.com/
>> [2] KASAN out-of-bounds:
>> [332706.552324] BUG: KASAN: out-of-bounds in __show_regs+0x4b/0x340
>> [332706.552433] Read of size 8 at addr ffff88d24999fb20 by task sysrq_t_test.sh/3977032
>> [332706.552562]
>> [332706.552652] CPU: 36 PID: 3977032 Comm: sysrq_t_test.sh Kdump: loaded Not tainted 6.6.0+ #20
>> [332706.552783] Hardware name: Huawei RH2288H V3/BC11HGSA0, BIOS 3.35 10/20/2016
>> [332706.552906] Call Trace:
>> [332706.552998] <TASK>
>> [332706.553089] dump_stack_lvl+0x32/0x50
>> [332706.553193] print_address_description.constprop.0+0x6b/0x3d0
>> [332706.553303] print_report+0xbe/0x280
>> [332706.553409] ? __virt_addr_valid+0xed/0x160
>> [332706.553512] ? __show_regs+0x4b/0x340
>> [332706.553612] kasan_report+0xa8/0xe0
>> [332706.553716] ? __show_regs+0x4b/0x340
>> [332706.553816] ? asm_exc_page_fault+0x22/0x30
>> [332706.553919] __show_regs+0x4b/0x340
>> [332706.554021] ? asm_exc_page_fault+0x22/0x30
>> [332706.554123] show_trace_log_lvl+0x274/0x3b0
>> [332706.554229] ? load_elf_binary+0xf6e/0x1610
>> [332706.554330] ? rep_stos_alternative+0x40/0x80
>> [332706.554439] sched_show_task+0x211/0x290
>> [332706.554544] ? __pfx_sched_show_task+0x10/0x10
>> [332706.554648] ? _find_next_bit+0x6/0xc0
>> [332706.554749] ? _find_next_bit+0x37/0xc0
>> [332706.554852] show_state_filter+0x72/0x130
>> [332706.554956] sysrq_handle_showstate+0x7/0x10
>> [332706.555062] __handle_sysrq+0x146/0x2d0
>> [332706.555165] write_sysrq_trigger+0x2f/0x50
>> [332706.555270] proc_reg_write+0xdd/0x140
>> [332706.555372] vfs_write+0x1ff/0x5f0
>> [332706.555474] ? __pfx_vfs_write+0x10/0x10
>> [332706.555576] ? __pfx___handle_mm_fault+0x10/0x10
>> [332706.555682] ? __fget_light+0x99/0xf0
>> [332706.555785] ksys_write+0xb8/0x150
>> [332706.555887] ? __pfx_ksys_write+0x10/0x10
>> [332706.555989] ? ktime_get_coarse_real_ts64+0x4e/0x70
>> [332706.556094] do_syscall_64+0x55/0x100
>> [332706.556196] entry_SYSCALL_64_after_hwframe+0x78/0xe2
>>
>> Fixes: 3b3fa11bc700 ("x86/dumpstack: Print any pt_regs found on the stack")
>> Signed-off-by: Tengda Wu <wutengda@...weicloud.com>
>
> Reviewed-by: Andrey Ryabinin <ryabinin.a.a@...il.com>
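
A userspace model of the race described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The struct, the function names and the `REDZONE` value are constructed, and the `nocheck` counter is an assumed stand-in for however the patch disables KASAN checks.

```c
#include <stdint.h>
#include <stdio.h>

#define WORDS   32    /* modelled stack size in 8-byte words */
#define NREGS   4     /* words read per register dump (stand-in for pt_regs) */
#define REDZONE 0xF1  /* constructed non-zero shadow value meaning "poisoned" */

struct task {
    uint64_t stack[WORDS];
    uint8_t  shadow[WORDS];  /* one shadow byte per word; 0 = addressable */
    int      nocheck;        /* >0: sanitizer checks suppressed for this task */
    int      reports;        /* sanitizer reports raised by this task's loads */
};

/* Instrumented load: the reader's access is checked against the shadow. */
static uint64_t load(struct task *reader, const struct task *owner, int i)
{
    if (owner->shadow[i] != 0 && reader->nocheck == 0)
        reader->reports++;   /* would be a "BUG: KASAN: out-of-bounds" splat */
    return owner->stack[i];
}

/* Step 2 of the diagram: the running target pushes a new frame over the spot
 * where the walker found register values, so a redzone now sits inside it. */
static void target_keeps_running(struct task *t, int regs)
{
    t->stack[regs + 1] = 0xdeadbeef;
    t->shadow[regs + 1] = REDZONE;
}

/* Register dump. `fixed` selects the behaviour the commit message describes:
 * suppress checks only when task != cur. Returns reports raised by this call. */
static int dump_regs(struct task *cur, struct task *task, int regs, int fixed)
{
    int before = cur->reports, suppress = fixed && task != cur;
    if (task != cur)
        target_keeps_running(task, regs);  /* target is not suspended */
    cur->nocheck += suppress;
    for (int i = 0; i < NREGS; i++)
        (void)load(cur, task, regs + i);
    cur->nocheck -= suppress;
    return cur->reports - before;
}

int main(void)
{
    static struct task a, b;  /* a = walker (Task A), b = running Task B */
    int unfixed = dump_regs(&a, &b, 8, 0), fixed = dump_regs(&a, &b, 8, 1);
    printf("reports walking B: unfixed=%d fixed=%d\n", unfixed, fixed);
    return 0;
}
```

Because suppression is scoped to `task != cur`, a poisoned word on the walker's own stack is still reported in this model.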