Message-ID: <20210315082912.GC837@xsang-OptiPlex-9020>
Date:   Mon, 15 Mar 2021 16:29:12 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     ishaangandhi <ishaangandhi@...il.com>
Cc:     lkp@...ts.01.org, lkp@...el.com, davem@...emloft.net,
        ishaangandhi@...il.com, netdev@...r.kernel.org, willemb@...gle.com
Subject: [icmp]  42e5e7501e: BUG:KASAN:slab-out-of-bounds_in_pskb_expand_head



Greetings,

FYI, we noticed the following commit (built with clang-13):

commit: 42e5e7501eafeda575f91db23d34172d720316ab ("[PATCH] icmp: support rfc 5837")
url: https://github.com/0day-ci/linux/commits/ishaangandhi/icmp-support-rfc-5837/20210312-084955
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 1520929e26d54bc3c9e024ee91eee5a19c56b95b

in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with following parameters:

	group: group-04

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+--------------------------------------------------+------------+------------+
|                                                  | 1520929e26 | 42e5e7501e |
+--------------------------------------------------+------------+------------+
| boot_successes                                   | 6          | 0          |
| boot_failures                                    | 0          | 6          |
| BUG:KASAN:slab-out-of-bounds_in_pskb_expand_head | 0          | 6          |
+--------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[   67.536517] BUG: KASAN: slab-out-of-bounds in pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685) 
[   67.537354] Write of size 2584 at addr ffff88811e938000 by task trinity-c7/2584
[   67.538234]
[   67.538431] CPU: 1 PID: 2584 Comm: trinity-c7 Not tainted 5.12.0-rc2-00495-g42e5e7501eaf #1
[   67.539389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   67.540353] Call Trace:
[   67.540651]  <IRQ>
[   67.540901] dump_stack (kbuild/src/consumer/include/linux/instrumented.h:86 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:45 kbuild/src/consumer/lib/dump_stack.c:123) 
[   67.541325] print_address_description (kbuild/src/consumer/mm/kasan/report.c:233) 
[   67.541884] kasan_report (kbuild/src/consumer/mm/kasan/report.c:400 kbuild/src/consumer/mm/kasan/report.c:416) 
[   67.542337] ? pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685) 
[   67.542837] kasan_check_range (kbuild/src/consumer/mm/kasan/generic.c:135 kbuild/src/consumer/mm/kasan/generic.c:186) 
[   67.543320] ? pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685) 
[   67.543815] memcpy (kbuild/src/consumer/mm/kasan/shadow.c:65) 
[   67.544172] pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685) 
[   67.544654] icmp_identify_arrival_interface (kbuild/src/consumer/net/ipv4/icmp.c:657) 
[   67.545284] __icmp_send (kbuild/src/consumer/net/ipv4/icmp.c:894) 
[   67.545725] __udp4_lib_rcv (kbuild/src/consumer/net/ipv4/udp.c:2418) 
[   67.546213] ? ip_sublist_rcv (kbuild/src/consumer/include/linux/rcupdate.h:267) 
[   67.546689] ip_protocol_deliver_rcu (kbuild/src/consumer/net/ipv4/ip_input.c:206) 
[   67.547232] ip_local_deliver_finish (kbuild/src/consumer/arch/x86/include/asm/preempt.h:85 kbuild/src/consumer/include/linux/rcupdate.h:73 kbuild/src/consumer/include/linux/rcupdate.h:709 kbuild/src/consumer/net/ipv4/ip_input.c:232) 
[   67.547773] ip_local_deliver (kbuild/src/consumer/include/linux/netfilter.h:301 kbuild/src/consumer/net/ipv4/ip_input.c:252) 
[   67.548240] ip_rcv (kbuild/src/consumer/include/net/dst.h:458 kbuild/src/consumer/net/ipv4/ip_input.c:429 kbuild/src/consumer/include/linux/netfilter.h:301 kbuild/src/consumer/net/ipv4/ip_input.c:540) 
[   67.548609] ? ip_local_deliver_finish (kbuild/src/consumer/net/ipv4/ip_input.c:533) 
[   67.549173] __netif_receive_skb (kbuild/src/consumer/net/core/dev.c:5366 kbuild/src/consumer/net/core/dev.c:5480) 
[   67.549683] process_backlog (kbuild/src/consumer/arch/x86/include/asm/preempt.h:85 kbuild/src/consumer/include/linux/rcupdate.h:73 kbuild/src/consumer/include/linux/rcupdate.h:709 kbuild/src/consumer/net/core/dev.c:6348) 
[   67.550168] __napi_poll (kbuild/src/consumer/net/core/dev.c:6893) 
[   67.550593] net_rx_action (kbuild/src/consumer/net/core/dev.c:6960 kbuild/src/consumer/net/core/dev.c:7037) 
[   67.551048] __do_softirq (kbuild/src/consumer/arch/x86/include/asm/preempt.h:27 kbuild/src/consumer/kernel/softirq.c:347) 
[   67.551495] do_softirq (kbuild/src/consumer/kernel/softirq.c:248) 
[   67.551906]  </IRQ>
[   67.552166] __local_bh_enable_ip (kbuild/src/consumer/arch/x86/include/asm/preempt.h:85 kbuild/src/consumer/kernel/softirq.c:201) 
[   67.552658] ip_finish_output2 (kbuild/src/consumer/include/linux/rcupdate.h:745 kbuild/src/consumer/net/ipv4/ip_output.c:231) 
[   67.553149] ip_output (kbuild/src/consumer/include/linux/netfilter.h:290 kbuild/src/consumer/net/ipv4/ip_output.c:432) 
[   67.553559] ip_send_skb (kbuild/src/consumer/include/net/dst.h:448) 
[   67.553989] udp_send_skb (kbuild/src/consumer/net/ipv4/udp.c:954) 
[   67.554435] ? ip_make_skb (kbuild/src/consumer/net/ipv4/ip_output.c:1642) 
[   67.554889] udp_sendmsg (kbuild/src/consumer/net/ipv4/udp.c:1240) 
[   67.555337] ? ip_skb_dst_mtu (kbuild/src/consumer/net/ipv4/ip_output.c:933) 
[   67.555827] ? inet_send_prepare (kbuild/src/consumer/net/ipv4/af_inet.c:815) 
[   67.556329] __sys_sendto (kbuild/src/consumer/net/socket.c:654 kbuild/src/consumer/net/socket.c:674 kbuild/src/consumer/net/socket.c:1977) 
[   67.556776] __x64_sys_sendto (kbuild/src/consumer/net/socket.c:1989 kbuild/src/consumer/net/socket.c:1985 kbuild/src/consumer/net/socket.c:1985) 
[   67.557242] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[   67.557669] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:112) 
[   67.558274] RIP: 0033:0x453b29
[ 67.558642] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
   0:	00 f3                	add    %dh,%bl
   2:	c3                   	retq   
   3:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   a:	00 00 00 
   d:	0f 1f 40 00          	nopl   0x0(%rax)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	0f 83 3b 84 00 00    	jae    0x8471
  36:	c3                   	retq   
  37:	66                   	data16
  38:	2e                   	cs
  39:	0f                   	.byte 0xf
  3a:	1f                   	(bad)  
  3b:	84 00                	test   %al,(%rax)
  3d:	00 00                	add    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	0f 83 3b 84 00 00    	jae    0x8447
   c:	c3                   	retq   
   d:	66                   	data16
   e:	2e                   	cs
   f:	0f                   	.byte 0xf
  10:	1f                   	(bad)  
  11:	84 00                	test   %al,(%rax)
  13:	00 00                	add    %al,(%rax)
	...
[   67.560761] RSP: 002b:00007ffc76056588 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[   67.561635] RAX: ffffffffffffffda RBX: 000000000000002c RCX: 0000000000453b29
[   67.562468] RDX: 00000000000009ec RSI: 0000000001372cf0 RDI: 000000000000015d
[   67.563311] RBP: 00007ffc76056630 R08: 000000000124b740 R09: 0000000000000010
[   67.564151] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000002
[   67.564988] R13: 00007f2c9d81e058 R14: 00000000010a2830 R15: 00007f2c9d81e000
[   67.565837]
[   67.566043] Allocated by task 1491:
[   67.566458] ____kasan_kmalloc (kbuild/src/consumer/mm/kasan/common.c:39 kbuild/src/consumer/mm/kasan/common.c:46 kbuild/src/consumer/mm/kasan/common.c:427 kbuild/src/consumer/mm/kasan/common.c:506) 
[   67.566947] __fsnotify_alloc_group (kbuild/src/consumer/fs/notify/group.c:120) 
[   67.567485] do_inotify_init (kbuild/src/consumer/fs/notify/inotify/inotify_user.c:635 kbuild/src/consumer/fs/notify/inotify/inotify_user.c:683) 
[   67.567949] __x64_sys_inotify_init (kbuild/src/consumer/fs/notify/inotify/inotify_user.c:702) 
[   67.568463] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[   67.568898] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:112) 
[   67.569501]
[   67.569694] The buggy address belongs to the object at ffff88811e938000
[   67.569694]  which belongs to the cache kmalloc-1k of size 1024
[   67.571178] The buggy address is located 0 bytes inside of
[   67.571178]  1024-byte region [ffff88811e938000, ffff88811e938400)
[   67.572538] The buggy address belongs to the page:
[   67.573110] page:0000000026cf54db refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e938
[   67.574201] head:0000000026cf54db order:3 compound_mapcount:0 compound_pincount:0
[   67.575089] flags: 0x4000000000010200(slab|head)
[   67.575649] raw: 4000000000010200 ffffea00040b9200 0000000200000002 ffff888100041dc0
[   67.576565] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[   67.577479] page dumped because: kasan: bad access detected
[   67.578148]
[   67.578339] Memory state around the buggy address:
[   67.578903]  ffff88811e938300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.579736]  ffff88811e938380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.580572] >ffff88811e938400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.581405]                    ^
[   67.581792]  ffff88811e938480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.582631]  ffff88811e938500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.583460] ==================================================================
[   67.584281] Disabling lock debugging due to kernel taint
[   75.150601] init: tty4 main process (2572) terminated with status 1
[   75.152005] init: tty4 main process ended, respawning
[   75.198479] init: tty5 main process (2574) terminated with status 1
[   75.199883] init: tty5 main process ended, respawning
[   75.266493] init: tty3 main process (2575) terminated with status 1
[   75.267875] init: tty3 main process ended, respawning
[   75.282532] init: tty2 main process (2576) terminated with status 1
[   75.284493] init: tty2 main process ended, respawning
[   75.295533] init: tty6 main process (2577) terminated with status 1
[   75.296904] init: tty6 main process ended, respawning
[   75.978884] rsync: link_stat "/tmp/lkp/stdout" failed: No such file or directory (2)
[   75.978908]
[   75.988160] rsync: link_stat "/tmp/lkp/stderr" failed: No such file or directory (2)
[   75.988182]
[   75.995025] rsync: link_stat "/tmp/lkp/output" failed: No such file or directory (2)
[   75.995048]
[   76.016278] rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1070) [sender=3.0.9]
[   76.016301]
[   77.712959] sysrq: Emergency Sync
[   77.713553] Emergency Sync complete
[   77.714121] sysrq: Resetting

Kboot worker: lkp-worker02
Elapsed time: 120

kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-121.cgz


To reproduce:

	# build kernel
	cd linux
	cp config-5.12.0-rc2-00495-g42e5e7501eaf .config
	make HOSTCC=clang-13 CC=clang-13 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

	# run the trinity job under qemu with the lkp test harness
	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.12.0-rc2-00495-g42e5e7501eaf" of type "text/plain" (139820 bytes)

View attachment "job-script" of type "text/plain" (4300 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (15788 bytes)

View attachment "trinity" of type "text/plain" (3086 bytes)
