Message-ID: <e6bd4034-9e2b-2110-b0fd-d7edd1f93845@puri.sm>
Date: Thu, 19 Mar 2020 15:31:47 +0100
From: Martin Kepplinger <martin.kepplinger@...i.sm>
To: amitkarwar@...il.com, siva8118@...il.com, kvalo@...eaurora.org
Cc: davem@...emloft.net, linux-wireless@...r.kernel.org, netdev@...r.kernel.org
Subject: BUG: KASAN: slab-out-of-bounds in rsi_sdio_write_register_multiple+0xdc/0x1b8 [rsi_sdio]
hi,
I'm running Linus' tree and hit the following when KASAN is enabled. Do
you have an idea of what goes wrong here? I'm happy to test any changes:
Mar 19 11:26:24 pureos kernel: [ 23.375247] ==================================================================
Mar 19 11:26:24 pureos kernel: [ 23.382592] BUG: KASAN: slab-out-of-bounds in rsi_sdio_write_register_multiple+0xdc/0x1b8 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.391761] Read of size 16 at addr ffff0000bf1ed400 by task systemd-udevd/338
Mar 19 11:26:24 pureos kernel: [ 23.399003]
Mar 19 11:26:24 pureos kernel: [ 23.400528] CPU: 0 PID: 338 Comm: systemd-udevd Not tainted 5.6.0-1-librem5 #31
Mar 19 11:26:24 pureos kernel: [ 23.400542] Hardware name: Purism Librem 5 (DT)
Mar 19 11:26:24 pureos kernel: [ 23.400555] Call trace:
Mar 19 11:26:24 pureos kernel: [ 23.400590] dump_backtrace+0x0/0x2a8
Mar 19 11:26:24 pureos kernel: [ 23.400615] show_stack+0x1c/0x28
Mar 19 11:26:24 pureos kernel: [ 23.400638] dump_stack+0x110/0x188
Mar 19 11:26:24 pureos kernel: [ 23.400669] print_address_description.isra.11+0x6c/0x354
Mar 19 11:26:24 pureos kernel: [ 23.400691] __kasan_report+0x130/0x244
Mar 19 11:26:24 pureos kernel: [ 23.400712] kasan_report+0xc/0x18
Mar 19 11:26:24 pureos kernel: [ 23.400736] check_memory_region+0x17c/0x1e8
Mar 19 11:26:24 pureos kernel: [ 23.400758] __asan_loadN+0x14/0x20
Mar 19 11:26:24 pureos kernel: [ 23.400813] rsi_sdio_write_register_multiple+0xdc/0x1b8 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.400863] rsi_sdio_master_reg_write+0x94/0x140 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.400962] rsi_hal_prepare_fwload+0x1a8/0x250 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.401049] rsi_hal_device_init+0xd4/0x1110 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.401099] rsi_probe+0x3d0/0x5a0 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.401122] sdio_bus_probe+0x13c/0x288
Mar 19 11:26:24 pureos kernel: [ 23.401147] really_probe+0x1bc/0x5e0
Mar 19 11:26:24 pureos kernel: [ 23.401170] driver_probe_device+0xdc/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.401193] device_driver_attach+0x9c/0xa8
Mar 19 11:26:24 pureos kernel: [ 23.401215] __driver_attach+0x110/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.401237] bus_for_each_dev+0xf0/0x158
Mar 19 11:26:24 pureos kernel: [ 23.401258] driver_attach+0x38/0x48
Mar 19 11:26:24 pureos kernel: [ 23.401279] bus_add_driver+0x280/0x2e8
Mar 19 11:26:24 pureos kernel: [ 23.401302] driver_register+0xc4/0x1d8
Mar 19 11:26:24 pureos kernel: [ 23.401328] sdio_register_driver+0x50/0x60
Mar 19 11:26:24 pureos kernel: [ 23.401377] rsi_module_init+0x24/0x50 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.401399] do_one_initcall+0xa4/0x3d8
Mar 19 11:26:24 pureos kernel: [ 23.401424] do_init_module+0xe8/0x360
Mar 19 11:26:24 pureos kernel: [ 23.401445] load_module+0x2efc/0x3390
Mar 19 11:26:24 pureos kernel: [ 23.401468] __do_sys_finit_module+0x11c/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.401491] __arm64_sys_finit_module+0x48/0x58
Mar 19 11:26:24 pureos kernel: [ 23.401518] el0_svc_common.constprop.1+0xcc/0x1e0
Mar 19 11:26:24 pureos kernel: [ 23.401541] do_el0_svc+0x34/0x40
Mar 19 11:26:24 pureos kernel: [ 23.401563] el0_sync_handler+0x134/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.401581] el0_sync+0x140/0x180
Mar 19 11:26:24 pureos kernel: [ 23.401592]
Mar 19 11:26:24 pureos kernel: [ 23.403105] Allocated by task 338:
Mar 19 11:26:24 pureos kernel: [ 23.406536] save_stack+0x24/0xb0
Mar 19 11:26:24 pureos kernel: [ 23.406559] __kasan_kmalloc.isra.10+0xc4/0xe0
Mar 19 11:26:24 pureos kernel: [ 23.406579] kasan_kmalloc+0xc/0x18
Mar 19 11:26:24 pureos kernel: [ 23.406600] kmem_cache_alloc_trace+0x170/0x328
Mar 19 11:26:24 pureos kernel: [ 23.406652] rsi_sdio_master_reg_write+0x4c/0x140 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.406744] rsi_hal_prepare_fwload+0x1a8/0x250 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.406831] rsi_hal_device_init+0xd4/0x1110 [rsi_91x]
Mar 19 11:26:24 pureos kernel: [ 23.406880] rsi_probe+0x3d0/0x5a0 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.406900] sdio_bus_probe+0x13c/0x288
Mar 19 11:26:24 pureos kernel: [ 23.406923] really_probe+0x1bc/0x5e0
Mar 19 11:26:24 pureos kernel: [ 23.406946] driver_probe_device+0xdc/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.406968] device_driver_attach+0x9c/0xa8
Mar 19 11:26:24 pureos kernel: [ 23.406989] __driver_attach+0x110/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.407010] bus_for_each_dev+0xf0/0x158
Mar 19 11:26:24 pureos kernel: [ 23.407031] driver_attach+0x38/0x48
Mar 19 11:26:24 pureos kernel: [ 23.407052] bus_add_driver+0x280/0x2e8
Mar 19 11:26:24 pureos kernel: [ 23.407074] driver_register+0xc4/0x1d8
Mar 19 11:26:24 pureos kernel: [ 23.407100] sdio_register_driver+0x50/0x60
Mar 19 11:26:24 pureos kernel: [ 23.407149] rsi_module_init+0x24/0x50 [rsi_sdio]
Mar 19 11:26:24 pureos kernel: [ 23.407168] do_one_initcall+0xa4/0x3d8
Mar 19 11:26:24 pureos kernel: [ 23.407191] do_init_module+0xe8/0x360
Mar 19 11:26:24 pureos kernel: [ 23.407212] load_module+0x2efc/0x3390
Mar 19 11:26:24 pureos kernel: [ 23.407234] __do_sys_finit_module+0x11c/0x1a0
Mar 19 11:26:24 pureos kernel: [ 23.407257] __arm64_sys_finit_module+0x48/0x58
Mar 19 11:26:24 pureos kernel: [ 23.407282] el0_svc_common.constprop.1+0xcc/0x1e0
Mar 19 11:26:24 pureos kernel: [ 23.407304] do_el0_svc+0x34/0x40
Mar 19 11:26:24 pureos kernel: [ 23.407326] el0_sync_handler+0x134/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.407343] el0_sync+0x140/0x180
Mar 19 11:26:24 pureos kernel: [ 23.407352]
Mar 19 11:26:24 pureos kernel: [ 23.408863] Freed by task 338:
Mar 19 11:26:24 pureos kernel: [ 23.411947] save_stack+0x24/0xb0
Mar 19 11:26:24 pureos kernel: [ 23.411969] __kasan_slab_free+0x10c/0x188
Mar 19 11:26:24 pureos kernel: [ 23.411991] kasan_slab_free+0x10/0x18
Mar 19 11:26:24 pureos kernel: [ 23.412009] kfree+0x88/0x378
Mar 19 11:26:24 pureos kernel: [ 23.412032] ext4_ext_map_blocks+0x518/0x14c0
Mar 19 11:26:24 pureos kernel: [ 23.412059] ext4_map_blocks+0x53c/0x888
Mar 19 11:26:24 pureos kernel: [ 23.412082] ext4_getblk+0xa0/0x298
Mar 19 11:26:24 pureos kernel: [ 23.412105] ext4_bread_batch+0x70/0x228
Mar 19 11:26:24 pureos kernel: [ 23.412129] __ext4_find_entry+0x25c/0x5f8
Mar 19 11:26:24 pureos kernel: [ 23.412149] ext4_lookup+0x120/0x350
Mar 19 11:26:24 pureos kernel: [ 23.412168] __lookup_slow+0x100/0x200
Mar 19 11:26:24 pureos kernel: [ 23.412187] walk_component+0x384/0x538
Mar 19 11:26:24 pureos kernel: [ 23.412206] path_lookupat.isra.47+0xac/0x1b0
Mar 19 11:26:24 pureos kernel: [ 23.412226] filename_lookup.part.64+0xec/0x1e8
Mar 19 11:26:24 pureos kernel: [ 23.412245] user_path_at_empty+0x54/0x68
Mar 19 11:26:24 pureos kernel: [ 23.412266] vfs_statx+0xe0/0x160
Mar 19 11:26:24 pureos kernel: [ 23.412287] __do_sys_newfstatat+0x84/0xd0
Mar 19 11:26:24 pureos kernel: [ 23.412308] __arm64_sys_newfstatat+0x58/0x68
Mar 19 11:26:24 pureos kernel: [ 23.412335] el0_svc_common.constprop.1+0xcc/0x1e0
Mar 19 11:26:24 pureos kernel: [ 23.412357] do_el0_svc+0x34/0x40
Mar 19 11:26:24 pureos kernel: [ 23.412378] el0_sync_handler+0x134/0x1a8
Mar 19 11:26:24 pureos kernel: [ 23.412395] el0_sync+0x140/0x180
Mar 19 11:26:24 pureos kernel: [ 23.412404]
Mar 19 11:26:24 pureos kernel: [ 23.413922] The buggy address belongs to the object at ffff0000bf1ed400
Mar 19 11:26:24 pureos kernel: [ 23.413922] which belongs to the cache kmalloc-128 of size 128
Mar 19 11:26:24 pureos kernel: [ 23.426475] The buggy address is located 0 bytes inside of
Mar 19 11:26:24 pureos kernel: [ 23.426475] 128-byte region [ffff0000bf1ed400, ffff0000bf1ed480)
Mar 19 11:26:24 pureos kernel: [ 23.438063] The buggy address belongs to the page:
Mar 19 11:26:24 pureos kernel: [ 23.442889] page:fffffe0002dc7b40 refcount:1 mapcount:0 mapping:ffff00008ec03c00 index:0x0
Mar 19 11:26:24 pureos kernel: [ 23.442909] flags: 0x4000000000000200(slab)
Mar 19 11:26:24 pureos kernel: [ 23.442943] raw: 4000000000000200 fffffe0001f50a40 0000000e00000002 ffff00008ec03c00
Mar 19 11:26:24 pureos kernel: [ 23.442969] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
Mar 19 11:26:24 pureos kernel: [ 23.442981] page dumped because: kasan: bad access detected
Mar 19 11:26:24 pureos kernel: [ 23.442991]
Mar 19 11:26:24 pureos kernel: [ 23.444499] Memory state around the buggy address:
Mar 19 11:26:24 pureos kernel: [ 23.449321] ffff0000bf1ed300: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.456576] ffff0000bf1ed380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.463827] >ffff0000bf1ed400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.471068] ^
Mar 19 11:26:24 pureos kernel: [ 23.474586] ffff0000bf1ed480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Mar 19 11:26:24 pureos kernel: [ 23.481838] ffff0000bf1ed500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Mar 19 11:26:24 pureos kernel: [ 23.489080]
Mar 19 11:26:24 pureos kernel: [ 23.489080] ==================================================================
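Added worked example, not part of Martin's report or of the rsi driver: the program below decodes the shadow bytes from the '>' row of the "Memory state around the buggy address" dump using generic KASAN's encoding (00 = all 8 bytes of the granule addressable, 01..07 = only the first N bytes addressable, fc = kmalloc redzone poison) and replays the 16-byte load that check_memory_region() rejected. It assumes generic, not tag-based, KASAN, which the __asan_loadN and check_memory_region frames indicate; the shadow row is transcribed from the report above, and every function and constant name in the listing is the example's own, not a kernel API.

```c
/*
 * Decoder for the "Memory state around the buggy address" rows of a
 * generic-mode KASAN report. Added as an illustration for this thread; it
 * is not code from the rsi driver or from the report. The shadow row below
 * is transcribed from the report; all names are the example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_GRANULE 8            /* one shadow byte covers 8 bytes of memory */
#define KASAN_KMALLOC_REDZONE 0xfc /* poison value KASAN writes for kmalloc redzones */

/* Shadow bytes of the row marked '>' in the report, covering
 * [ffff0000bf1ed400, ffff0000bf1ed480). Transcribed from the report. */
static const uint8_t shadow_row_400[16] = {
    0x00, 0x04, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc,
    0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc, 0xfc,
};

/* Addressable bytes encoded by one shadow byte:
 * 0x00       -> the whole 8-byte granule is addressable,
 * 0x01..0x07 -> only the first N bytes are addressable,
 * >= 0x08    -> poison (0xfc redzone, 0xfb freed, ...): nothing addressable. */
static size_t granule_valid_bytes(uint8_t shadow)
{
    if (shadow == 0)
        return KASAN_GRANULE;
    if (shadow < KASAN_GRANULE)
        return shadow;
    return 0;
}

/* Count contiguous addressable bytes from the first byte covered by shadow[0].
 * For a kmalloc object this is the usable size the allocator granted. */
size_t kasan_accessible_bytes(const uint8_t *shadow, size_t nshadow)
{
    size_t total = 0;

    for (size_t i = 0; i < nshadow; i++) {
        size_t v = granule_valid_bytes(shadow[i]);

        total += v;
        if (v < KASAN_GRANULE) /* a partial or poisoned granule ends the object */
            break;
    }
    return total;
}

/* Replay check_memory_region() for an access of 'size' bytes at 'offset' from
 * the row start. Returns -1 if every byte is addressable, otherwise the offset
 * of the first byte the shadow check rejects. */
long kasan_check_access(const uint8_t *shadow, size_t nshadow,
                        size_t offset, size_t size)
{
    for (size_t off = offset; off < offset + size; off++) {
        size_t idx = off / KASAN_GRANULE;

        if (idx >= nshadow)
            return (long)off;
        if (off % KASAN_GRANULE >= granule_valid_bytes(shadow[idx]))
            return (long)off;
    }
    return -1;
}

int main(void)
{
    const unsigned long base = 0xffff0000bf1ed400UL; /* object address from the report */
    size_t usable = kasan_accessible_bytes(shadow_row_400, sizeof shadow_row_400);
    long bad = kasan_check_access(shadow_row_400, sizeof shadow_row_400, 0, 16);

    printf("object at %#lx: %zu addressable bytes before the redzone\n", base, usable);
    if (bad < 0)
        printf("16-byte read at %#lx is in bounds\n", base);
    else
        printf("16-byte read at %#lx overruns the object by %ld bytes (first bad byte at %#lx)\n",
               base, 16 - bad, base + (unsigned long)bad);
    return 0;
}
```

Reading the result against the report: the shadow pair 00 04 on the '>' row means the object allocated in rsi_sdio_master_reg_write is 12 addressable bytes, while the load instrumented in rsi_sdio_write_register_multiple spans 16, so offsets 12..15 land in the fc redzone and KASAN flags it as slab-out-of-bounds even though the 128-byte kmalloc-128 slot is physically large enough. The "Freed by task 338" ext4 stack is the slab slot's previous occupant, recorded for every KASAN report, and does not involve the driver.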