[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <00000000000009e6a5057d453454@google.com>
Date: Mon, 17 Dec 2018 21:31:02 -0800
From: syzbot <syzbot+59722316960a71d9695b@...kaller.appspotmail.com>
To: netdev@...r.kernel.org,
syzkaller-upstream-moderation@...glegroups.com
Subject: KASAN: stack-out-of-bounds Read in apparmor_cred_prepare
Hello,
syzbot found the following crash on:
HEAD commit: a28777f25031 ucc_geth: Add change_carrier() for Fixed PHYs
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=16f3a885400000
kernel config: https://syzkaller.appspot.com/x/.config?x=d9655b05acfc97ff
dashboard link: https://syzkaller.appspot.com/bug?extid=59722316960a71d9695b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [jmorris@...ei.org john.johansen@...onical.com
linux-kernel@...r.kernel.org linux-security-module@...r.kernel.org
serge@...lyn.com]
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+59722316960a71d9695b@...kaller.appspotmail.com
==================================================================
BUG: KASAN: stack-out-of-bounds in aa_get_newest_label
security/apparmor/include/label.h:429 [inline]
BUG: KASAN: stack-out-of-bounds in apparmor_cred_prepare+0x562/0x5a0
security/apparmor/lsm.c:80
kasan: CONFIG_KASAN_INLINE enabled
Read of size 8 at addr ffff8881da9c0c20 by task udevd/5686
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5686 Comm: udevd Not tainted 4.20.0-rc6+ #350
CPU: 0 PID: 5793 Comm: syz-executor3 Not tainted 4.20.0-rc6+ #350
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
RIP: 0010:lookup_object lib/debugobjects.c:156 [inline]
RIP: 0010:debug_object_deactivate+0x191/0x450 lib/debugobjects.c:542
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
------------[ cut here ]------------
Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected
to SLAB object '.' (offset 18446744069414893726, size 2)!
WARNING: CPU: 0 PID: 5793 at mm/usercopy.c:83 usercopy_warn+0xee/0x110
mm/usercopy.c:78
Kernel panic - not syncing: panic_on_warn set ...
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
aa_get_newest_label security/apparmor/include/label.h:429 [inline]
apparmor_cred_prepare+0x562/0x5a0 security/apparmor/lsm.c:80
security_prepare_creds+0x60/0xc0 security/security.c:1022
prepare_creds+0x3b9/0x4d0 kernel/cred.c:278
do_coredump+0x52f/0x4001 fs/coredump.c:574
get_signal+0x9ee/0x1980 kernel/signal.c:2511
do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
exit_to_usermode_loop+0x2e5/0x380 arch/x86/entry/common.c:162
prepare_exit_to_usermode+0x342/0x3b0 arch/x86/entry/common.c:197
retint_user+0x8/0x18
RIP: 0033:0x7fd2ffc90945
Code: 3b 10 f1 ff 1f c8 09 c9 da 81 88 ff ff 00 00 00 00 00 00 00 00 50 09
c9 da 81 88 ff ff 04 f6 b1 86 ff ff ff ff e0 f5 b1 86 ff <ff> ff ff 01 00
00 00 00 00 00 00 f0 09 c9 da 81 88 ff ff 63 db bf
RSP: 002b:00007ffd55eabe48 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 00000000007c2110 RCX: 00007fd2ffc90943
RDX: 0000000000000004 RSI: 00007ffd55eabea0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000001
R13: 00000000007d3a00 R14: 00000000007c2250 R15: 000000000000000b
The buggy address belongs to the object at ffff8881da9c0040
which belongs to the cache @�ۢ���� of size -30591
The buggy address is located 33631 bytes to the right of
-30591-byte region [ffff8881da9c0040, ffff8881da9b88c1)
The buggy address belongs to the page:
page:ffffea00076a7000 count:1 mapcount:0 mapping:ffff8881da800ac0 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea00076a4108 ffffea0007650a08 ffff8881da800ac0
raw: 0000000000000000 ffff8881da9c0040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881da9c0b00: f1 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 00 00 00
ffff8881da9c0b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
> ffff8881da9c0c00: f1 f8 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00
^
ffff8881da9c0c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00
ffff8881da9c0d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
==================================================================
Kernel Offset: disabled
======================================================
WARNING: possible circular locking dependency detected
4.20.0-rc6+ #350 Not tainted
------------------------------------------------------
syz-executor3/5793 is trying to acquire lock:
000000004475e30b ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70
kernel/locking/semaphore.c:136
but task is already holding lock:
0000000033b07c4a (&obj_hash[i].lock){-.-.}, at:
debug_object_deactivate+0xf7/0x450 lib/debugobjects.c:540
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&obj_hash[i].lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
__debug_object_init+0x127/0x1290 lib/debugobjects.c:383
debug_object_init+0x16/0x20 lib/debugobjects.c:431
debug_hrtimer_init kernel/time/hrtimer.c:410 [inline]
debug_init kernel/time/hrtimer.c:458 [inline]
hrtimer_init+0x97/0x490 kernel/time/hrtimer.c:1308
init_dl_task_timer+0x1b/0x50 kernel/sched/deadline.c:1057
__sched_fork+0x2ae/0x590 kernel/sched/core.c:2166
init_idle+0x75/0x740 kernel/sched/core.c:5374
sched_init+0xb33/0xc07 kernel/sched/core.c:6063
start_kernel+0x4c1/0xa30 init/main.c:608
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:470
x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:451
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
-> #2 (&rq->lock){-.-.}:
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:144
rq_lock kernel/sched/sched.h:1124 [inline]
task_fork_fair+0xb0/0x6d0 kernel/sched/fair.c:9802
sched_fork+0x443/0xba0 kernel/sched/core.c:2359
copy_process+0x25b8/0x87a0 kernel/fork.c:1887
_do_fork+0x1cb/0x11d0 kernel/fork.c:2216
kernel_thread+0x34/0x40 kernel/fork.c:2275
rest_init+0x28/0x372 init/main.c:409
arch_call_rest_init+0xe/0x1b
start_kernel+0x9f5/0xa30 init/main.c:745
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:470
x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:451
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243
-> #1 (&p->pi_lock){-.-.}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:152
try_to_wake_up+0xdc/0x1440 kernel/sched/core.c:1965
wake_up_process+0x10/0x20 kernel/sched/core.c:2129
__up.isra.1+0x1c0/0x2a0 kernel/locking/semaphore.c:262
up+0x13c/0x1c0 kernel/locking/semaphore.c:187
__up_console_sem+0xbe/0x1b0 kernel/printk/printk.c:236
console_unlock+0x811/0x1190 kernel/printk/printk.c:2432
vprintk_emit+0x391/0x990 kernel/printk/printk.c:1922
vprintk_default+0x28/0x30 kernel/printk/printk.c:1964
vprintk_func+0x7e/0x181 kernel/printk/printk_safe.c:398
printk+0xa7/0xcf kernel/printk/printk.c:1997
check_stack_usage kernel/exit.c:755 [inline]
do_exit.cold.18+0x57/0x16f kernel/exit.c:916
do_group_exit+0x177/0x440 kernel/exit.c:970
__do_sys_exit_group kernel/exit.c:981 [inline]
__se_sys_exit_group kernel/exit.c:979 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:979
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #0 ((console_sem).lock){-.-.}:
other info that might help us debug this:
Chain exists of:
(console_sem).lock --> &rq->lock --> &obj_hash[i].lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&obj_hash[i].lock);
lock(&rq->lock);
lock(&obj_hash[i].lock);
lock((console_sem).lock);
*** DEADLOCK ***
5 locks held by syz-executor3/5793:
#0: 00000000ced00a2c (rcu_read_lock){....}, at: __skb_unlink
include/linux/skbuff.h:1922 [inline]
#0: 00000000ced00a2c (rcu_read_lock){....}, at: __skb_dequeue
include/linux/skbuff.h:1938 [inline]
#0: 00000000ced00a2c (rcu_read_lock){....}, at:
process_backlog+0x1dd/0x7a0 net/core/dev.c:5921
#1: 00000000ced00a2c (rcu_read_lock){....}, at: __skb_pull
include/linux/skbuff.h:2155 [inline]
#1: 00000000ced00a2c (rcu_read_lock){....}, at:
ip_local_deliver_finish+0x13d/0x390 net/ipv4/ip_input.c:231
#2: 000000006ec779e6 (hrtimer_bases.lock){-.-.}, at:
hrtimer_interrupt+0xfc/0x780 kernel/time/hrtimer.c:1499
#3: 0000000033b07c4a (&obj_hash[i].lock){-.-.}, at:
debug_object_deactivate+0xf7/0x450 lib/debugobjects.c:540
#4: 00000000ced00a2c (rcu_read_lock){....}, at:
atomic_notifier_call_chain+0x0/0x190 kernel/notifier.c:329
stack backtrace:
CPU: 0 PID: 5793 Comm: syz-executor3 Not tainted 4.20.0-rc6+ #350
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
Powered by blists - more mailing lists