lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <691241eb.a70a0220.22f260.0107.GAE@google.com>
Date: Mon, 10 Nov 2025 11:50:03 -0800
From: syzbot <syzbot+d1b7fa1092def3628bd7@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, listout@...tout.xyz, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bpf?] KASAN: stack-out-of-bounds Write in __bpf_get_stack

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
invalid opcode in error_return

Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6994 Comm: syz.1.247 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:error_return+0xa/0x20 arch/x86/entry/entry_64.S:1091
Code: cc cc cc cc cc cc cc cc cc cc cc cc 48 8d 7c 24 08 e8 5a 4c 46 0a 48 89 c7 e9 12 4c 46 0a 90 90 50 9c 58 a9 00 02 00 00 74 02 <0f> 0b 58 f6 84 24 88 00 00 00 03 0f 84 31 fc ff ff e9 60 fb ff ff
RSP: 0018:ffffc90000007a78 EFLAGS: 00010206
RAX: 0000000000000286 RBX: 1ffff1100f9266d4 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90000007a70
RBP: ffffffff8b46984e R08: ffffc90000007a6f R09: 0000000000000000
R10: ffffc90000007a68 R11: fffff52000000f4e R12: ffffc9000c2c3048
R13: ffffc90000007b00 R14: ffff88807c9336a0 R15: ffffc9000c2c3060
FS:  00007f9d4ee566c0(0000) GS:ffff88812613b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000000 CR3: 00000000726c6000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
RIP: 3100:rcu_lock_release include/linux/rcupdate.h:341 [inline]
RIP: 3100:rcu_do_batch kernel/rcu/tree.c:2607 [inline]
RIP: 3100:rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
Code: 00 00 00 00 fc ff df 41 80 3c 06 00 74 08 4c 89 ff e8 59 1d 7e 00 48 c7 43 08 00 00 00 00 48 89 df 4d 89 e3 2e e8 4d 4e 58 1e <48> c7 c7 40 d7 f3 8d 4c 89 ee e8 b6 77 f5 ff 65 8b 05 7f 61 c6 10
RSP: f400:0000000000000000 EFLAGS: 404bee7c878af400
==================================================================
BUG: KASAN: stack-out-of-bounds in __show_regs+0x4e/0x620 arch/x86/kernel/process_64.c:79
Read of size 8 at addr ffffc90000007af8 by task syz.1.247/6994

CPU: 0 UID: 0 PID: 6994 Comm: syz.1.247 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 __show_regs+0x4e/0x620 arch/x86/kernel/process_64.c:79
 show_regs_if_on_stack arch/x86/kernel/dumpstack.c:165 [inline]
 show_trace_log_lvl+0x31d/0x550 arch/x86/kernel/dumpstack.c:237
 show_regs arch/x86/kernel/dumpstack.c:470 [inline]
 __die_body+0xa6/0xb0 arch/x86/kernel/dumpstack.c:412
 die+0x2a/0x50 arch/x86/kernel/dumpstack.c:439
 do_trap_no_signal arch/x86/kernel/traps.c:206 [inline]
 do_trap+0x14a/0x3d0 arch/x86/kernel/traps.c:247
 do_error_trap+0x1c1/0x280 arch/x86/kernel/traps.c:267
 handle_invalid_op+0x34/0x40 arch/x86/kernel/traps.c:304
 exc_invalid_op+0x39/0x50 arch/x86/kernel/traps.c:397
 asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:616
RIP: 0010:error_return+0xa/0x20 arch/x86/entry/entry_64.S:1091
Code: cc cc cc cc cc cc cc cc cc cc cc cc 48 8d 7c 24 08 e8 5a 4c 46 0a 48 89 c7 e9 12 4c 46 0a 90 90 50 9c 58 a9 00 02 00 00 74 02 <0f> 0b 58 f6 84 24 88 00 00 00 03 0f 84 31 fc ff ff e9 60 fb ff ff
RSP: 0018:ffffc90000007a78 EFLAGS: 00010206
RAX: 0000000000000286 RBX: 1ffff1100f9266d4 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90000007a70
RBP: ffffffff8b46984e R08: ffffc90000007a6f R09: 0000000000000000
R10: ffffc90000007a68 R11: fffff52000000f4e R12: ffffc9000c2c3048
R13: ffffc90000007b00 R14: ffff88807c9336a0 R15: ffffc9000c2c3060
RIP: 3100:rcu_lock_release include/linux/rcupdate.h:341 [inline]
RIP: 3100:rcu_do_batch kernel/rcu/tree.c:2607 [inline]
RIP: 3100:rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
Code: 00 00 00 00 fc ff df 41 80 3c 06 00 74 08 4c 89 ff e8 59 1d 7e 00 48 c7 43 08 00 00 00 00 48 89 df 4d 89 e3 2e e8 4d 4e 58 1e <48> c7 c7 40 d7 f3 8d 4c 89 ee e8 b6 77 f5 ff 65 8b 05 7f 61 c6 10
RSP: f400:0000000000000000 EFLAGS: 404bee7c878af400 ORIG_RAX: 0000000000000000
RAX: ffffffff81cbf590 RBX: ffffc9000c2c3040 RCX: 0000000000000000
RDX: 0000008000000008 RSI: 0000000000000000 RDI: ffffffff8df3d740
RBP: 0000000000000000 R08: ffffffff8d74996d R09: 0000000041b58ab3
R10: 1ffff92000000f58 R11: 1ffff92001858608 R12: ffffffff81cbf716
R13: ffff88807c932970 R14: ffff88807c9309f3 R15: ffffffff81ed3477
 </IRQ>
 <TASK>
 </TASK>

The buggy address belongs to a 0-page vmalloc region starting at 0xffffc90000000000 allocated at map_irq_stack arch/x86/kernel/irq_64.c:49 [inline]
The buggy address belongs to a 0-page vmalloc region starting at 0xffffc90000000000 allocated at irq_init_percpu_irqstack+0x342/0x4a0 arch/x86/kernel/irq_64.c:76
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb8808
flags: 0xfff00000002000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000002000 ffffea0002e20208 ffffea0002e20208 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000007a80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2
                                                                ^
 ffffc90000007b00: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000007b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess), 6 bytes skipped:
   0:	df 41 80             	filds  -0x80(%rcx)
   3:	3c 06                	cmp    $0x6,%al
   5:	00 74 08 4c          	add    %dh,0x4c(%rax,%rcx,1)
   9:	89 ff                	mov    %edi,%edi
   b:	e8 59 1d 7e 00       	call   0x7e1d69
  10:	48 c7 43 08 00 00 00 	movq   $0x0,0x8(%rbx)
  17:	00
  18:	48 89 df             	mov    %rbx,%rdi
  1b:	4d 89 e3             	mov    %r12,%r11
  1e:	2e e8 4d 4e 58 1e    	cs call 0x1e584e71
* 24:	48 c7 c7 40 d7 f3 8d 	mov    $0xffffffff8df3d740,%rdi <-- trapping instruction
  2b:	4c 89 ee             	mov    %r13,%rsi
  2e:	e8 b6 77 f5 ff       	call   0xfff577e9
  33:	65 8b 05 7f 61 c6 10 	mov    %gs:0x10c6617f(%rip),%eax        # 0x10c661b9


Tested on:

commit:         f8c67d85 bpf: Use kmalloc_nolock() in range tree
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee6412580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e46b8a1c645465a9
dashboard link: https://syzkaller.appspot.com/bug?extid=d1b7fa1092def3628bd7
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13eaa60a580000

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ