Message-ID: <20210315082912.GC837@xsang-OptiPlex-9020>
Date: Mon, 15 Mar 2021 16:29:12 +0800
From: kernel test robot <oliver.sang@...el.com>
To: ishaangandhi <ishaangandhi@...il.com>
Cc: lkp@...ts.01.org, lkp@...el.com, davem@...emloft.net,
ishaangandhi@...il.com, netdev@...r.kernel.org, willemb@...gle.com
Subject: [icmp] 42e5e7501e: BUG:KASAN:slab-out-of-bounds_in_pskb_expand_head
Greeting,
FYI, we noticed the following commit (built with clang-13):
commit: 42e5e7501eafeda575f91db23d34172d720316ab ("[PATCH] icmp: support rfc 5837")
url: https://github.com/0day-ci/linux/commits/ishaangandhi/icmp-support-rfc-5837/20210312-084955
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 1520929e26d54bc3c9e024ee91eee5a19c56b95b
in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with following parameters:
group: group-04
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+--------------------------------------------------+------------+------------+
|                                                  | 1520929e26 | 42e5e7501e |
+--------------------------------------------------+------------+------------+
| boot_successes                                   | 6          | 0          |
| boot_failures                                    | 0          | 6          |
| BUG:KASAN:slab-out-of-bounds_in_pskb_expand_head | 0          | 6          |
+--------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 67.536517] BUG: KASAN: slab-out-of-bounds in pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685)
[ 67.537354] Write of size 2584 at addr ffff88811e938000 by task trinity-c7/2584
[ 67.538234]
[ 67.538431] CPU: 1 PID: 2584 Comm: trinity-c7 Not tainted 5.12.0-rc2-00495-g42e5e7501eaf #1
[ 67.539389] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 67.540353] Call Trace:
[ 67.540651] <IRQ>
[ 67.540901] dump_stack (kbuild/src/consumer/include/linux/instrumented.h:86 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:45 kbuild/src/consumer/lib/dump_stack.c:123)
[ 67.541325] print_address_description (kbuild/src/consumer/mm/kasan/report.c:233)
[ 67.541884] kasan_report (kbuild/src/consumer/mm/kasan/report.c:400 kbuild/src/consumer/mm/kasan/report.c:416)
[ 67.542337] ? pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685)
[ 67.542837] kasan_check_range (kbuild/src/consumer/mm/kasan/generic.c:135 kbuild/src/consumer/mm/kasan/generic.c:186)
[ 67.543320] ? pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685)
[ 67.543815] memcpy (kbuild/src/consumer/mm/kasan/shadow.c:65)
[ 67.544172] pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685)
[ 67.544654] icmp_identify_arrival_interface (kbuild/src/consumer/net/ipv4/icmp.c:657)
[ 67.545284] __icmp_send (kbuild/src/consumer/net/ipv4/icmp.c:894)
[ 67.545725] __udp4_lib_rcv (kbuild/src/consumer/net/ipv4/udp.c:2418)
[ 67.546213] ? ip_sublist_rcv (kbuild/src/consumer/include/linux/rcupdate.h:267)
[ 67.546689] ip_protocol_deliver_rcu (kbuild/src/consumer/net/ipv4/ip_input.c:206)
[ 67.547232] ip_local_deliver_finish (kbuild/src/consumer/arch/x86/include/asm/preempt.h:85 kbuild/src/consumer/include/linux/rcupdate.h:73 kbuild/src/consumer/include/linux/rcupdate.h:709 kbuild/src/consumer/net/ipv4/ip_input.c:232)
[ 67.547773] ip_local_deliver (kbuild/src/consumer/include/linux/netfilter.h:301 kbuild/src/consumer/net/ipv4/ip_input.c:252)
[ 67.548240] ip_rcv (kbuild/src/consumer/include/net/dst.h:458 kbuild/src/consumer/net/ipv4/ip_input.c:429 kbuild/src/consumer/include/linux/netfilter.h:301 kbuild/src/consumer/net/ipv4/ip_input.c:540)
[ 67.548609] ? ip_local_deliver_finish (kbuild/src/consumer/net/ipv4/ip_input.c:533)
[ 67.549173] __netif_receive_skb (kbuild/src/consumer/net/core/dev.c:5366 kbuild/src/consumer/net/core/dev.c:5480)
[ 67.549683] process_backlog (kbuild/src/consumer/arch/x86/include/asm/preempt.h:85 kbuild/src/consumer/include/linux/rcupdate.h:73 kbuild/src/consumer/include/linux/rcupdate.h:709 kbuild/src/consumer/net/core/dev.c:6348)
[ 67.550168] __napi_poll (kbuild/src/consumer/net/core/dev.c:6893)
[ 67.550593] net_rx_action (kbuild/src/consumer/net/core/dev.c:6960 kbuild/src/consumer/net/core/dev.c:7037)
[ 67.551048] __do_softirq (kbuild/src/consumer/arch/x86/include/asm/preempt.h:27 kbuild/src/consumer/kernel/softirq.c:347)
[ 67.551495] do_softirq (kbuild/src/consumer/kernel/softirq.c:248)
[ 67.551906] </IRQ>
[ 67.552166] __local_bh_enable_ip (kbuild/src/consumer/arch/x86/include/asm/preempt.h:85 kbuild/src/consumer/kernel/softirq.c:201)
[ 67.552658] ip_finish_output2 (kbuild/src/consumer/include/linux/rcupdate.h:745 kbuild/src/consumer/net/ipv4/ip_output.c:231)
[ 67.553149] ip_output (kbuild/src/consumer/include/linux/netfilter.h:290 kbuild/src/consumer/net/ipv4/ip_output.c:432)
[ 67.553559] ip_send_skb (kbuild/src/consumer/include/net/dst.h:448)
[ 67.553989] udp_send_skb (kbuild/src/consumer/net/ipv4/udp.c:954)
[ 67.554435] ? ip_make_skb (kbuild/src/consumer/net/ipv4/ip_output.c:1642)
[ 67.554889] udp_sendmsg (kbuild/src/consumer/net/ipv4/udp.c:1240)
[ 67.555337] ? ip_skb_dst_mtu (kbuild/src/consumer/net/ipv4/ip_output.c:933)
[ 67.555827] ? inet_send_prepare (kbuild/src/consumer/net/ipv4/af_inet.c:815)
[ 67.556329] __sys_sendto (kbuild/src/consumer/net/socket.c:654 kbuild/src/consumer/net/socket.c:674 kbuild/src/consumer/net/socket.c:1977)
[ 67.556776] __x64_sys_sendto (kbuild/src/consumer/net/socket.c:1989 kbuild/src/consumer/net/socket.c:1985 kbuild/src/consumer/net/socket.c:1985)
[ 67.557242] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 67.557669] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:112)
[ 67.558274] RIP: 0033:0x453b29
[ 67.558642] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
0: 00 f3 add %dh,%bl
2: c3 retq
3: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 40 00 nopl 0x0(%rax)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 0f 83 3b 84 00 00 jae 0x8471
36: c3 retq
37: 66 data16
38: 2e cs
39: 0f .byte 0xf
3a: 1f (bad)
3b: 84 00 test %al,(%rax)
3d: 00 00 add %al,(%rax)
...
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 0f 83 3b 84 00 00 jae 0x8447
c: c3 retq
d: 66 data16
e: 2e cs
f: 0f .byte 0xf
10: 1f (bad)
11: 84 00 test %al,(%rax)
13: 00 00 add %al,(%rax)
...
[ 67.560761] RSP: 002b:00007ffc76056588 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 67.561635] RAX: ffffffffffffffda RBX: 000000000000002c RCX: 0000000000453b29
[ 67.562468] RDX: 00000000000009ec RSI: 0000000001372cf0 RDI: 000000000000015d
[ 67.563311] RBP: 00007ffc76056630 R08: 000000000124b740 R09: 0000000000000010
[ 67.564151] R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000002
[ 67.564988] R13: 00007f2c9d81e058 R14: 00000000010a2830 R15: 00007f2c9d81e000
[ 67.565837]
[ 67.566043] Allocated by task 1491:
[ 67.566458] ____kasan_kmalloc (kbuild/src/consumer/mm/kasan/common.c:39 kbuild/src/consumer/mm/kasan/common.c:46 kbuild/src/consumer/mm/kasan/common.c:427 kbuild/src/consumer/mm/kasan/common.c:506)
[ 67.566947] __fsnotify_alloc_group (kbuild/src/consumer/fs/notify/group.c:120)
[ 67.567485] do_inotify_init (kbuild/src/consumer/fs/notify/inotify/inotify_user.c:635 kbuild/src/consumer/fs/notify/inotify/inotify_user.c:683)
[ 67.567949] __x64_sys_inotify_init (kbuild/src/consumer/fs/notify/inotify/inotify_user.c:702)
[ 67.568463] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 67.568898] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:112)
[ 67.569501]
[ 67.569694] The buggy address belongs to the object at ffff88811e938000
[ 67.569694] which belongs to the cache kmalloc-1k of size 1024
[ 67.571178] The buggy address is located 0 bytes inside of
[ 67.571178] 1024-byte region [ffff88811e938000, ffff88811e938400)
[ 67.572538] The buggy address belongs to the page:
[ 67.573110] page:0000000026cf54db refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e938
[ 67.574201] head:0000000026cf54db order:3 compound_mapcount:0 compound_pincount:0
[ 67.575089] flags: 0x4000000000010200(slab|head)
[ 67.575649] raw: 4000000000010200 ffffea00040b9200 0000000200000002 ffff888100041dc0
[ 67.576565] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 67.577479] page dumped because: kasan: bad access detected
[ 67.578148]
[ 67.578339] Memory state around the buggy address:
[ 67.578903] ffff88811e938300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.579736] ffff88811e938380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.580572] >ffff88811e938400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.581405] ^
[ 67.581792] ffff88811e938480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.582631] ffff88811e938500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.583460] ==================================================================
[ 67.584281] Disabling lock debugging due to kernel taint
[ 75.150601] init: tty4 main process (2572) terminated with status 1
[ 75.152005] init: tty4 main process ended, respawning
[ 75.198479] init: tty5 main process (2574) terminated with status 1
[ 75.199883] init: tty5 main process ended, respawning
[ 75.266493] init: tty3 main process (2575) terminated with status 1
[ 75.267875] init: tty3 main process ended, respawning
[ 75.282532] init: tty2 main process (2576) terminated with status 1
[ 75.284493] init: tty2 main process ended, respawning
[ 75.295533] init: tty6 main process (2577) terminated with status 1
[ 75.296904] init: tty6 main process ended, respawning
[ 75.978884] rsync: link_stat "/tmp/lkp/stdout" failed: No such file or directory (2)
[ 75.978908]
[ 75.988160] rsync: link_stat "/tmp/lkp/stderr" failed: No such file or directory (2)
[ 75.988182]
[ 75.995025] rsync: link_stat "/tmp/lkp/output" failed: No such file or directory (2)
[ 75.995048]
[ 76.016278] rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1070) [sender=3.0.9]
[ 76.016301]
[ 77.712959] sysrq: Emergency Sync
[ 77.713553] Emergency Sync complete
[ 77.714121] sysrq: Resetting
Kboot worker: lkp-worker02
Elapsed time: 120
kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-121.cgz
To reproduce:
# build kernel
cd linux
cp config-5.12.0-rc2-00495-g42e5e7501eaf .config
make HOSTCC=clang-13 CC=clang-13 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.12.0-rc2-00495-g42e5e7501eaf" of type "text/plain" (139820 bytes)
View attachment "job-script" of type "text/plain" (4300 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (15788 bytes)
View attachment "trinity" of type "text/plain" (3086 bytes)
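The first thing a practitioner does with a report like the one above is work out where the access lands relative to the slab object KASAN identified. The following triage helper is an added example and is not code from the kernel test robot, LKP, or the icmp patch under discussion. It parses the header lines of a KASAN report (the sample embedded below is constructed from the lines of this report, with the dmesg timestamps kept) and computes the offset at which the access starts and how many bytes run past the end of the object. For this report it shows a 2584-byte write that starts at offset 0 of a 1024-byte kmalloc-1k object and overruns it by 1560 bytes, consistent with the `fc` (redzone) shadow bytes the report prints from ffff88811e938400 onward. The regular expressions match the KASAN header format as printed by 5.12-era kernels; other versions may word these lines differently (an assumption of this example).

```python
"""
Triage helper for a KASAN slab-out-of-bounds report.

Added example, not code from the kernel test robot, LKP or the patch
under discussion. It parses the header lines of a KASAN report and works
out how far the reported access overruns the slab object.
"""
import re

# Constructed sample: the relevant lines of the report above, with the
# dmesg timestamps kept as they appear in the mail.
SAMPLE_REPORT = """\
[   67.536517] BUG: KASAN: slab-out-of-bounds in pskb_expand_head (kbuild/src/consumer/net/core/skbuff.c:1685)
[   67.537354] Write of size 2584 at addr ffff88811e938000 by task trinity-c7/2584
[   67.569694] The buggy address belongs to the object at ffff88811e938000
[   67.569694]  which belongs to the cache kmalloc-1k of size 1024
[   67.571178] The buggy address is located 0 bytes inside of
[   67.571178]  1024-byte region [ffff88811e938000, ffff88811e938400)
"""

# Leading "[ seconds.micros ]" timestamp, as printed by dmesg.
TS = r"^\[\s*[\d.]+\]\s*"
BUG_RE = re.compile(TS + r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
ACCESS_RE = re.compile(
    TS + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)"
)
CACHE_RE = re.compile(
    TS + r"which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)"
)
REGION_RE = re.compile(
    TS + r"(?P<len>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)"
)


def parse_kasan(report: str) -> dict:
    """Extract the bug kind, faulting function, access and object bounds."""
    found = {}
    for line in report.splitlines():
        for name, rx in (("bug", BUG_RE), ("access", ACCESS_RE),
                         ("cache", CACHE_RE), ("region", REGION_RE)):
            m = rx.match(line)
            if m:
                found[name] = m.groupdict()
    missing = {"bug", "access", "region"} - found.keys()
    if missing:
        raise ValueError(f"incomplete KASAN report, missing {sorted(missing)}")
    return found


def overrun(report: str) -> dict:
    """Relate the access to the slab object KASAN identified.

    start_offset:   where the access begins relative to the object start
    bytes_past_end: how many bytes of the access land beyond the object
    """
    f = parse_kasan(report)
    addr = int(f["access"]["addr"], 16)
    size = int(f["access"]["size"])
    lo = int(f["region"]["lo"], 16)
    hi = int(f["region"]["hi"], 16)
    end = addr + size
    return {
        "kind": f["bug"]["kind"],
        "func": f["bug"]["func"],
        "op": f["access"]["op"],
        "task": f["access"]["task"],
        "size": size,
        "object_size": hi - lo,
        "cache": f.get("cache", {}).get("cache"),
        "start_offset": addr - lo,
        "bytes_past_end": max(0, end - hi),
        "starts_inside_object": lo <= addr < hi,
    }


if __name__ == "__main__":
    r = overrun(SAMPLE_REPORT)
    print(f"{r['op']} of {r['size']} bytes in {r['func']} by {r['task']} "
          f"starts at offset {r['start_offset']} of a {r['object_size']}-byte "
          f"{r['cache']} object and runs {r['bytes_past_end']} bytes past its end")
```

Feed it the saved dmesg instead of the embedded sample to triage other reports; an access that starts inside the object but runs well past it, as here, points at a length that was computed from different bookkeeping than the allocation size, which is the question to take to the code at the reported line.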