Message-ID: <202210052104.561159b8-oliver.sang@intel.com>
Date: Wed, 5 Oct 2022 21:10:46 +0800
From: kernel test robot <oliver.sang@...el.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
CC: <lkp@...ts.01.org>, <lkp@...el.com>,
<linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Al Viro <viro@...iv.linux.org.uk>,
"David Laight" <David.Laight@...lab.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"Serge E. Hallyn" <serge@...lyn.com>
Subject: [proc] 5336f1902b: BUG:KASAN:global-out-of-bounds_in_memchr
Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: 5336f1902b4ba8a646f082f32fbb183850a13080 ("[CFT][PATCH] proc: Update /proc/net to point at the accessing threads network namespace")
url: https://github.com/intel-lab-lkp/linux/commits/Eric-W-Biederman/proc-Update-proc-net-to-point-at-the-accessing-threads-network-namespace/20220930-065017
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 987a926c1d8a40e4256953b04771fbdb63bc7938
patch link: https://lore.kernel.org/lkml/87ill53igy.fsf_-_@email.froward.int.ebiederm.org
in testcase: xfstests
version: xfstests-x86_64-5a5e419-1_20220927
with following parameters:
	disk: 6HDD
	fs: btrfs
	test: btrfs-group-21
test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (Haswell) with 8G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------+------------+------------+
|                                          | 987a926c1d | 5336f1902b |
+------------------------------------------+------------+------------+
| BUG:KASAN:global-out-of-bounds_in_memchr | 0          | 78         |
+------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Link: https://lore.kernel.org/r/202210052104.561159b8-oliver.sang@intel.com
[ 71.510417][ T7965] BUG: KASAN: global-out-of-bounds in memchr (lib/string.c:883)
[ 71.517984][ T7965] Read of size 1 at addr ffffffff83b51604 by task killall/7965
[ 71.526948][ T7965]
[ 71.530801][ T7965] CPU: 1 PID: 7965 Comm: killall Tainted: G S 6.0.0-rc7-00133-g5336f1902b4b #1
[ 71.541870][ T7965] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[ 71.550663][ T7965] Call Trace:
[ 71.554659][ T7965] <TASK>
[ 71.558263][ T7965] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 71.563451][ T7965] print_address_description+0x1f/0x200
[ 71.570717][ T7965] print_report.cold (mm/kasan/report.c:434)
[ 71.576191][ T7965] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 71.582283][ T7965] ? memchr (lib/string.c:883)
[ 71.586903][ T7965] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 71.591946][ T7965] ? memchr (lib/string.c:883)
[ 71.596524][ T7965] memchr (lib/string.c:883)
[ 71.600908][ T7965] verify_dirent_name (include/linux/fortify-string.h:432 fs/readdir.c:114)
[ 71.606310][ T7965] filldir64 (fs/readdir.c:320)
[ 71.611049][ T7965] ? folio_add_lru (arch/x86/include/asm/preempt.h:85 mm/swap.c:491)
[ 71.616173][ T7965] proc_pid_readdir (fs/proc/base.c:3509)
[ 71.621607][ T7965] ? proc_pid_lookup (fs/proc/base.c:3486)
[ 71.627090][ T7965] ? proc_readdir_de (arch/x86/include/asm/atomic.h:165 arch/x86/include/asm/atomic.h:178 include/linux/atomic/atomic-instrumented.h:147 include/asm-generic/qrwlock.h:113 include/linux/rwlock_api_smp.h:232 fs/proc/generic.c:321 fs/proc/generic.c:284)
[ 71.632617][ T7965] iterate_dir (fs/readdir.c:65)
[ 71.637581][ T7965] __x64_sys_getdents64 (fs/readdir.c:370 fs/readdir.c:354 fs/readdir.c:354)
[ 71.643287][ T7965] ? __ia32_sys_getdents (fs/readdir.c:354)
[ 71.649053][ T7965] ? handle_mm_fault (mm/memory.c:5157)
[ 71.654497][ T7965] ? __x64_sys_getdents (fs/readdir.c:312)
[ 71.660169][ T7965] ? do_user_addr_fault (arch/x86/mm/fault.c:1426)
[ 71.665863][ T7965] ? exit_to_user_mode_loop (include/linux/sched.h:2305 include/linux/resume_user_mode.h:61 kernel/entry/common.c:169)
[ 71.671798][ T7965] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 71.676678][ T7965] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[ 71.682981][ T7965] RIP: 0033:0x7f7f3cbe5387
[ 71.687826][ T7965] Code: 0f 1f 00 48 8b 47 20 c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 81 fa ff ff ff 7f b8 ff ff ff 7f 48 0f 47 d0 b8 d9 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 d9 aa 10 00 f7 d8 64 89 02 48
All code
========
0: 0f 1f 00 nopl (%rax)
3: 48 8b 47 20 mov 0x20(%rdi),%rax
7: c3 retq
8: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
f: 00 00 00
12: 90 nop
13: 48 81 fa ff ff ff 7f cmp $0x7fffffff,%rdx
1a: b8 ff ff ff 7f mov $0x7fffffff,%eax
1f: 48 0f 47 d0 cmova %rax,%rdx
23: b8 d9 00 00 00 mov $0xd9,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 01 ja 0x33
32: c3 retq
33: 48 8b 15 d9 aa 10 00 mov 0x10aad9(%rip),%rdx # 0x10ab13
3a: f7 d8 neg %eax
3c: 64 89 02 mov %eax,%fs:(%rdx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 01 ja 0x9
8: c3 retq
9: 48 8b 15 d9 aa 10 00 mov 0x10aad9(%rip),%rdx # 0x10aae9
10: f7 d8 neg %eax
12: 64 89 02 mov %eax,%fs:(%rdx)
15: 48 rex.W
[ 71.708650][ T7965] RSP: 002b:00007ffe0194edd8 EFLAGS: 00000293 ORIG_RAX: 00000000000000d9
[ 71.717564][ T7965] RAX: ffffffffffffffda RBX: 00005566e677e3a0 RCX: 00007f7f3cbe5387
[ 71.726016][ T7965] RDX: 0000000000008000 RSI: 00005566e677e3d0 RDI: 0000000000000004
[ 71.734485][ T7965] RBP: 00005566e677e3d0 R08: 0000000000000030 R09: 00007f7f3ccf0be0
[ 71.742941][ T7965] R10: fffffffffffffd18 R11: 0000000000000293 R12: ffffffffffffff80
[ 71.751511][ T7965] R13: 00005566e677e3a4 R14: 0000000000000000 R15: 00005566e67863e0
[ 71.759971][ T7965] </TASK>
[ 71.763468][ T7965]
[ 71.766290][ T7965] The buggy address belongs to the variable:
[ 71.772827][ T7965] proc_fs_parameters+0xcc4/0xd60
[ 71.778272][ T7965]
[ 71.780980][ T7965] Memory state around the buggy address:
[ 71.787003][ T7965]  ffffffff83b51500: 03 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
[ 71.795510][ T7965]  ffffffff83b51580: 05 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
[ 71.803973][ T7965] >ffffffff83b51600: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
[ 71.812459][ T7965]                    ^
[ 71.816899][ T7965]  ffffffff83b51680: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
[ 71.825394][ T7965]  ffffffff83b51700: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
[ 71.833858][ T7965] ==================================================================
[ 71.842353][ T7965] Disabling lock debugging due to kernel taint
[ 73.113893][ T7993] BTRFS info (device sdb2): using crc32c (crc32c-intel) checksum algorithm
[ 73.122970][ T7993] BTRFS info (device sdb2): disk space caching is enabled
[ 73.249734][ T353] btrfs/212 _check_dmesg: something found in dmesg (see /lkp/benchmarks/xfstests/results//btrfs/212.dmesg)
To reproduce:
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-6.0.0-rc7-00133-g5336f1902b4b" of type "text/plain" (168357 bytes)
View attachment "job-script" of type "text/plain" (6001 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (29932 bytes)
View attachment "xfstests" of type "text/plain" (2506 bytes)
View attachment "job.yaml" of type "text/plain" (4761 bytes)
View attachment "reproduce" of type "text/plain" (1015 bytes)