Message-ID: <202512011452.55f7fa0a-lkp@intel.com>
Date: Mon, 1 Dec 2025 15:21:49 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Ard Biesheuvel <ardb@...nel.org>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
<linux-hardening@...r.kernel.org>, <oliver.sang@...el.com>
Subject: [ardb:lockless-random] [randomize_kstack] 05894b44c1: KASAN:probably_user-memory-access_in_range[#-#]
Hello,
As we understand it, commit 05894b44c1 is not the root cause of the issue, but due
to its change the issue's stats changed: from (1) below for the parent to (2) for
05894b44c1.
We also see random behavior in that stats (3) changed to (4), but one instance still
randomly kept the original stats (3).
=========================================================================================
tbox_group/testcase/rootfs/kconfig/compiler/sleep:
  vm-snb/boot/debian-11.1-i386-20220923.cgz/x86_64-randconfig-075-20251128/gcc-14/1

7492bfcc5b0908ca 05894b44c19c9050c63946f12c5
---------------- ---------------------------
       fail:runs  %reproduction    fail:runs
           |             |             |
           6:6        -100%            :6     dmesg.KASAN:maybe_wild-memory-access_in_range[#-#]                            <---- (1)
            :6         100%           6:6     dmesg.KASAN:probably_user-memory-access_in_range[#-#]                         <---- (2)
           6:6           0%           6:6     dmesg.Kernel_panic-not_syncing:Fatal_exception
           6:6           0%           6:6     dmesg.Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]KASAN
           6:6         -83%           1:6     dmesg.RIP:get_random_u32                                                      <----- (3)
            :6          83%           5:6     dmesg.RIP:get_random_u8                                                       <----- (4)
           6:6           0%           6:6     dmesg.UBSAN:array-index-out-of-bounds_in_drivers/char/random.c
We send this report just FYI on the issues we saw in our tests, which seem to be
related to the code relevant to this change.
kernel test robot noticed "KASAN:probably_user-memory-access_in_range[#-#]" on:
commit: 05894b44c19c9050c63946f12c5755389c79c80b ("randomize_kstack: Use get_random_u8() at entry for entropy")
https://git.kernel.org/cgit/linux/kernel/git/ardb/linux.git lockless-random
in testcase: boot
config: x86_64-randconfig-075-20251128
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202512011452.55f7fa0a-lkp@intel.com
[ 614.795260][ T1] ------------[ cut here ]------------
[ 614.796338][ T1] UBSAN: array-index-out-of-bounds in drivers/char/random.c:571:1
[ 614.798170][ T1] index 4294967294 is out of range for type 'u8 [96]'
[ 614.803553][ T1] CPU: 0 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc7-00006-g05894b44c19c #1 PREEMPT
[ 614.805622][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 614.807866][ T1] Call Trace:
[ 614.808654][ T1] <TASK>
[ 614.809372][ T1] dump_stack_lvl (lib/dump_stack.c:122)
[ 614.810372][ T1] dump_stack (lib/dump_stack.c:130)
[ 614.811235][ T1] ubsan_epilogue (lib/ubsan.c:234 (discriminator 1))
[ 614.812173][ T1] __ubsan_handle_out_of_bounds (lib/ubsan.c:456)
[ 614.813355][ T1] get_random_u8 (drivers/char/random.c:571 (discriminator 1))
[ 614.814307][ T1] ? get_random_bytes (drivers/char/random.c:571)
[ 614.815364][ T1] ? trace_hardirqs_off (include/trace/events/preemptirq.h:40 (discriminator 5) include/trace/events/preemptirq.h:40 (discriminator 5))
[ 614.816587][ T1] do_int80_emulation (arch/x86/entry/syscall_32.c:148 (discriminator 1))
[ 614.817763][ T1] asm_int80_emulation (arch/x86/include/asm/idtentry.h:621)
[ 614.822855][ T1] RIP: 0023:0xf7f16092
[ 614.823753][ T1] Code: 00 00 00 e9 90 ff ff ff ff a3 24 00 00 00 68 30 00 00 00 e9 80 ff ff ff ff a3 f8 ff ff ff 66 90 00 00 00 00 00 00 00 00 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00 8b 1c 24 c3 8d b4 26 00
All code
========
0: 00 00 add %al,(%rax)
2: 00 e9 add %ch,%cl
4: 90 nop
5: ff (bad)
6: ff (bad)
7: ff (bad)
8: ff a3 24 00 00 00 jmp *0x24(%rbx)
e: 68 30 00 00 00 push $0x30
13: e9 80 ff ff ff jmp 0xffffffffffffff98
18: ff a3 f8 ff ff ff jmp *-0x8(%rbx)
1e: 66 90 xchg %ax,%ax
...
28: cd 80 int $0x80
2a:* c3 ret <-- trapping instruction
2b: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
32: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
38: 8b 1c 24 mov (%rsp),%ebx
3b: c3 ret
3c: 8d .byte 0x8d
3d: b4 26 mov $0x26,%ah
...
Code starting with the faulting instruction
===========================================
0: c3 ret
1: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
8: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
e: 8b 1c 24 mov (%rsp),%ebx
11: c3 ret
12: 8d .byte 0x8d
13: b4 26 mov $0x26,%ah
...
[ 614.826848][ T1] RSP: 002b:00000000ffb0486c EFLAGS: 00200246
[ 614.827740][ T1] RAX: 0000000000000006 RBX: 000000000000000c RCX: 00000000ffb0494c
[ 614.828916][ T1] RDX: 0000000000000010 RSI: 0000000000000000 RDI: 00000000f72786cc
[ 614.830100][ T1] RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000
[ 614.831290][ T1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 614.832390][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 614.833524][ T1] </TASK>
[ 614.834029][ T1] ---[ end trace ]---
[ 614.838773][ T1] Oops: general protection fault, probably for non-canonical address 0xdffffc0010eb0463: 0000 [#1] KASAN
[ 614.840947][ T1] KASAN: probably user-memory-access in range [0x0000000087582318-0x000000008758231f]
[ 614.846839][ T1] CPU: 0 UID: 0 PID: 1 Comm: systemd Not tainted 6.18.0-rc7-00006-g05894b44c19c #1 PREEMPT
[ 614.848810][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 614.850837][ T1] RIP: 0010:get_random_u8 (drivers/char/random.c:571 (discriminator 1))
[ 614.851939][ T1] Code: fb 60 72 0f 48 89 de 48 c7 c7 c0 16 58 87 e8 e0 60 c2 ff 48 8d bb 20 23 58 87 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <8a> 04 02 48 89 fa 83 e2 07 38 d0 7f 09 84 c0 74 05 e8 b3 c6 ea fe
All code
========
0: fb sti
1: 60 (bad)
2: 72 0f jb 0x13
4: 48 89 de mov %rbx,%rsi
7: 48 c7 c7 c0 16 58 87 mov $0xffffffff875816c0,%rdi
e: e8 e0 60 c2 ff call 0xffffffffffc260f3
13: 48 8d bb 20 23 58 87 lea -0x78a7dce0(%rbx),%rdi
1a: b8 ff ff 37 00 mov $0x37ffff,%eax
1f: 48 89 fa mov %rdi,%rdx
22: 48 c1 e0 2a shl $0x2a,%rax
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 8a 04 02 mov (%rdx,%rax,1),%al <-- trapping instruction
2d: 48 89 fa mov %rdi,%rdx
30: 83 e2 07 and $0x7,%edx
33: 38 d0 cmp %dl,%al
35: 7f 09 jg 0x40
37: 84 c0 test %al,%al
39: 74 05 je 0x40
3b: e8 b3 c6 ea fe call 0xfffffffffeeac6f3
Code starting with the faulting instruction
===========================================
0: 8a 04 02 mov (%rdx,%rax,1),%al
3: 48 89 fa mov %rdi,%rdx
6: 83 e2 07 and $0x7,%edx
9: 38 d0 cmp %dl,%al
b: 7f 09 jg 0x16
d: 84 c0 test %al,%al
f: 74 05 je 0x16
11: e8 b3 c6 ea fe call 0xfffffffffeeac6c9
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251201/202512011452.55f7fa0a-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
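The numbers in the oops above fit together once the KASAN shadow mapping is applied, and working through them shows why an out-of-range index into a per-cpu u8[96] batch is reported as a "user-memory-access" GPF rather than a plain page fault. The following C program is an added example, not code from the report, the kernel, or the branch under test. It uses the x86_64 generic-KASAN shadow offset 0xdffffc0000000000 (which is exactly what the "mov $0x37ffff,%eax; shl $0x2a,%rax" pair in the disassembly materialises) and the shadow scale of 8 bytes per shadow byte; the TASK_SIZE constant is the 64-bit, 4-level-paging value and is an assumption for this example, as are all function names. The last helper only does modular arithmetic on two values visible on the page: the displacement in "lea -0x78a7dce0(%rbx),%rdi" and the start of the reported KASAN range.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86_64 generic KASAN constants (assumed here; the shadow offset matches
 * the imm32 0x37ffff shifted left by 42 in the disassembly of get_random_u8). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3          /* one shadow byte per 8 bytes */
#define PAGE_SIZE_X86            0x1000ULL
/* TASK_SIZE_MAX for a 64-bit task with 4-level paging. Assumption for this
 * example: the 32-bit systemd in the report has a 4 GiB limit instead, which
 * classifies the address below the same way. */
#define TASK_SIZE_MAX_X86        0x00007ffffffff000ULL

/* Shadow byte address that KASAN reads before touching `addr`. */
static uint64_t kasan_addr_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: recover the checked access address from a faulting shadow address. */
static uint64_t kasan_shadow_to_addr(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Rebuild the shadow offset the compiler emitted as "mov imm32; shl $0x2a". */
static uint64_t shadow_offset_from_imm(uint32_t imm, unsigned shift)
{
    return (uint64_t)imm << shift;
}

/* On a 48-bit VA machine bits 63..47 must all be equal. A load from a
 * non-canonical address raises #GP, not #PF, hence the oops wording
 * "general protection fault, probably for non-canonical address". */
static int is_noncanonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;              /* 17 bits */
    return top != 0 && top != 0x1ffff;
}

/* The bucket KASAN prints for an access whose shadow is unmapped. */
static const char *kasan_bug_type(uint64_t addr)
{
    if (addr < PAGE_SIZE_X86)     return "null-ptr-deref";
    if (addr < TASK_SIZE_MAX_X86) return "user-memory-access";
    return "wild-memory-access";
}

/* UBSAN prints the index as unsigned; show the two's-complement value. */
static int32_t u32_index_as_signed(uint32_t idx)
{
    return (int32_t)idx;
}

/* Given lea base and the address KASAN checked, recover %rbx (mod 2^64). */
static uint64_t rbx_from_fault(uint64_t lea_base, uint64_t checked_addr)
{
    return checked_addr - lea_base;         /* wraps, as the CPU did */
}

int main(void)
{
    const uint64_t gp_addr  = 0xdffffc0010eb0463ULL;   /* from the Oops line */
    const uint64_t lea_base = 0xffffffff87582320ULL;   /* sext(-0x78a7dce0) */
    uint64_t access = kasan_shadow_to_addr(gp_addr);

    printf("shadow offset from imm : 0x%016llx\n",
           (unsigned long long)shadow_offset_from_imm(0x37ffffu, 42));
    printf("GP address non-canonical: %d\n", is_noncanonical48(gp_addr));
    printf("checked access range   : [0x%016llx-0x%016llx] (%s)\n",
           (unsigned long long)access, (unsigned long long)(access + 7),
           kasan_bug_type(access));
    printf("UBSAN index 4294967294 : %d\n", u32_index_as_signed(4294967294u));
    printf("%%rbx at the fault      : 0x%016llx\n",
           (unsigned long long)rbx_from_fault(lea_base, access));
    return 0;
}
```

The recovered range [0x87582318-0x8758231f] is the one KASAN printed, and the value it implies for %rbx, 0xfffffff8, is a small negative 32-bit quantity that was zero-extended and added to a kernel address in the 0xffffffff8xxxxxxx range; the sum wraps past 2^64 into the low user half, which is why a kernel-side index wrap shows up as "probably user-memory-access" and, because that address's shadow lies in non-canonical space, as a #GP rather than a page fault.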