Date: Fri, 5 Feb 2021 10:55:18 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
	lkp@...ts.01.org, io-uring@...r.kernel.org,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Christian Brauner <christian.brauner@...ntu.com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>
Subject: c632dadc10: BUG:KASAN:null-ptr-deref_in_is_ucounts_overlimit


Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: c632dadc104622423c7fa2ad6f0b2135ebe5610c ("Reimplement RLIMIT_NPROC on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210201-222426


in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with the following parameters:

	runtime: 300s

test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------------------------+------------+------------+
|                                                      | 841f02dc98 | c632dadc10 |
+------------------------------------------------------+------------+------------+
| boot_successes                                       | 3          | 0          |
| boot_failures                                        | 1          | 4          |
| BUG:KASAN:slab-out-of-bounds_in_fq_pie_qdisc_enqueue | 1          |            |
| BUG:KASAN:null-ptr-deref_in_is_ucounts_overlimit     | 0          | 4          |
| canonical_address#:#[##]                             | 0          | 4          |
| RIP:is_ucounts_overlimit                             | 0          | 4          |
| Kernel_panic-not_syncing:Fatal_exception             | 0          | 4          |
+------------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[   29.404316] BUG: KASAN: null-ptr-deref in is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) 
[   29.405519] Read of size 8 at addr 0000000000000070 by task trinity-main/327
[   29.406769]
[   29.407070] CPU: 0 PID: 327 Comm: trinity-main Not tainted 5.11.0-rc2-00005-gc632dadc1046 #1
[   29.408563] Call Trace:
[   29.409043] dump_stack (kbuild/src/consumer/lib/dump_stack.c:131) 
[   29.409673] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:400 kbuild/src/consumer/mm/kasan/report.c:413) 
[   29.410443] ? is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) 
[   29.411245] check_memory_region (kbuild/src/consumer/mm/kasan/generic.c:179 kbuild/src/consumer/mm/kasan/generic.c:185) 
[   29.411980] __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) 
[   29.412702] is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) 
[   29.413481] copy_process (kbuild/src/consumer/kernel/fork.c:1969) 
[   29.414164] ? copy_process (kbuild/src/consumer/include/linux/rcupdate.h:253 (discriminator 4) kbuild/src/consumer/include/linux/rcupdate.h:642 (discriminator 4) kbuild/src/consumer/kernel/fork.c:1969 (discriminator 4)) 
[   29.414882] ? do_raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock_debug.c:100 kbuild/src/consumer/kernel/locking/spinlock_debug.c:138) 
[   29.415744] ? __cleanup_sighand (kbuild/src/consumer/kernel/fork.c:1853) 
[   29.416514] kernel_clone (kbuild/src/consumer/kernel/fork.c:2465) 
[   29.417177] ? kvm_sched_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:101) 
[   29.417990] ? copy_init_mm (kbuild/src/consumer/kernel/fork.c:2425) 
[   29.418683] ? __might_sleep (kbuild/src/consumer/kernel/sched/core.c:7856 (discriminator 24)) 
[   29.419379] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) 
[   29.420107] ? perf_syscall_enter (kbuild/src/consumer/arch/x86/include/asm/bitops.h:214 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/consumer/kernel/trace/trace_syscalls.c:606) 
[   29.420858] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) 
[   29.421605] __do_sys_clone (kbuild/src/consumer/kernel/fork.c:2571) 
[   29.422280] ? __do_sys_vfork (kbuild/src/consumer/kernel/fork.c:2571) 
[   29.422990] ? __rseq_handle_notify_resume (kbuild/src/consumer/kernel/rseq.c:290) 
[   29.423940] ? syscall_trace_enter+0x78/0x2a0 
[   29.424819] ? exit_to_user_mode_prepare (kbuild/src/consumer/kernel/entry/common.c:210) 
[   29.425704] __x64_sys_clone (kbuild/src/consumer/kernel/fork.c:2566) 
[   29.426415] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[   29.427064] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) 
[   29.427930] RIP: 0033:0x44f39b
[ 29.428471] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 d6 00 00 00 85 c0 41 89 c5 0f 85 dd 00 00
All code
========
   0:	db 45 85             	fildl  -0x7b(%rbp)
   3:	f6                   	(bad)  
   4:	0f 85 95 01 00 00    	jne    0x19f
   a:	64 4c 8b 04 25 10 00 	mov    %fs:0x10,%r8
  11:	00 00 
  13:	31 d2                	xor    %edx,%edx
  15:	4d 8d 90 d0 02 00 00 	lea    0x2d0(%r8),%r10
  1c:	31 f6                	xor    %esi,%esi
  1e:	bf 11 00 20 01       	mov    $0x1200011,%edi
  23:	b8 38 00 00 00       	mov    $0x38,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	0f 87 d6 00 00 00    	ja     0x10c
  36:	85 c0                	test   %eax,%eax
  38:	41 89 c5             	mov    %eax,%r13d
  3b:	0f                   	.byte 0xf
  3c:	85 dd                	test   %ebx,%ebp
	...

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	0f 87 d6 00 00 00    	ja     0xe2
   c:	85 c0                	test   %eax,%eax
   e:	41 89 c5             	mov    %eax,%r13d
  11:	0f                   	.byte 0xf
  12:	85 dd                	test   %ebx,%ebp
	...
[   29.431684] RSP: 002b:00007ffd7e3b30e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[   29.433032] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044f39b
[   29.434290] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[   29.435563] RBP: 00007ffd7e3b3110 R08: 0000000001e9c880 R09: 0000000001e9c880
[   29.436780] R10: 0000000001e9cb50 R11: 0000000000000246 R12: 0000000000000000
[   29.438033] R13: 0000000000000002 R14: 0000000000000000 R15: 00007ffd7e3b33a0
[   29.439287] ==================================================================
[   29.440532] Disabling lock debugging due to kernel taint
[   29.441442] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] KASAN
[   29.443064] KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
[   29.444393] CPU: 0 PID: 327 Comm: trinity-main Tainted: G    B             5.11.0-rc2-00005-gc632dadc1046 #1
[   29.446018] RIP: 0010:is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) 
[ 29.446909] Code: 20 00 00 00 48 89 45 c0 4c 8d 34 07 be 08 00 00 00 4c 89 f7 e8 29 40 4d 00 4c 89 f2 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 0f 85 38 01 00 00 49 8b 06 49 39 c5 0f 8c ca 00 00 00
All code
========
   0:	20 00                	and    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	48 89 45 c0          	mov    %rax,-0x40(%rbp)
   8:	4c 8d 34 07          	lea    (%rdi,%rax,1),%r14
   c:	be 08 00 00 00       	mov    $0x8,%esi
  11:	4c 89 f7             	mov    %r14,%rdi
  14:	e8 29 40 4d 00       	callq  0x4d4042
  19:	4c 89 f2             	mov    %r14,%rdx
  1c:	48 c1 ea 03          	shr    $0x3,%rdx
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df 
  2a:*	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)		<-- trapping instruction
  2e:	0f 85 38 01 00 00    	jne    0x16c
  34:	49 8b 06             	mov    (%r14),%rax
  37:	49 39 c5             	cmp    %rax,%r13
  3a:	0f 8c ca 00 00 00    	jl     0x10a

Code starting with the faulting instruction
===========================================
   0:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   4:	0f 85 38 01 00 00    	jne    0x142
   a:	49 8b 06             	mov    (%r14),%rax
   d:	49 39 c5             	cmp    %rax,%r13
  10:	0f 8c ca 00 00 00    	jl     0xe0
[   29.450051] RSP: 0018:ffff888106a7fb08 EFLAGS: 00010202
[   29.450984] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   29.452146] RDX: 000000000000000e RSI: 0000000000000000 RDI: ffffffffa33e2ab0
[   29.453271] RBP: ffff888106a7fb48 R08: 1ffffffff4670049 R09: fffffbfff467004a
[   29.454456] R10: ffffffffa338024b R11: fffffbfff4670049 R12: 000000000000000a
[   29.455700] R13: 0000000000003499 R14: 0000000000000070 R15: 1ffff11020d4ff81
[   29.456979] FS:  0000000001e9c880(0000) GS:ffffffffa22ba000(0000) knlGS:0000000000000000
[   29.458325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.459327] CR2: 0000000001e9c830 CR3: 0000000106783000 CR4: 00000000000406f0
[   29.460467] Call Trace:
[   29.460863] copy_process (kbuild/src/consumer/kernel/fork.c:1969) 
[   29.461431] ? copy_process (kbuild/src/consumer/include/linux/rcupdate.h:253 (discriminator 4) kbuild/src/consumer/include/linux/rcupdate.h:642 (discriminator 4) kbuild/src/consumer/kernel/fork.c:1969 (discriminator 4)) 
[   29.462023] ? do_raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock_debug.c:100 kbuild/src/consumer/kernel/locking/spinlock_debug.c:138) 
[   29.462800] ? __cleanup_sighand (kbuild/src/consumer/kernel/fork.c:1853) 
[   29.463450] kernel_clone (kbuild/src/consumer/kernel/fork.c:2465) 
[   29.464120] ? kvm_sched_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:101) 
[   29.464897] ? copy_init_mm (kbuild/src/consumer/kernel/fork.c:2425) 
[   29.465572] ? __might_sleep (kbuild/src/consumer/kernel/sched/core.c:7856 (discriminator 24)) 
[   29.466205] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) 
[   29.466957] ? perf_syscall_enter (kbuild/src/consumer/arch/x86/include/asm/bitops.h:214 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/consumer/kernel/trace/trace_syscalls.c:606) 
[   29.467704] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) 
[   29.468366] __do_sys_clone (kbuild/src/consumer/kernel/fork.c:2571) 
[   29.468976] ? __do_sys_vfork (kbuild/src/consumer/kernel/fork.c:2571) 
[   29.469629] ? __rseq_handle_notify_resume (kbuild/src/consumer/kernel/rseq.c:290) 
[   29.470506] ? syscall_trace_enter+0x78/0x2a0 
[   29.471353] ? exit_to_user_mode_prepare (kbuild/src/consumer/kernel/entry/common.c:210) 
[   29.472187] __x64_sys_clone (kbuild/src/consumer/kernel/fork.c:2566) 
[   29.472840] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) 
[   29.473454] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) 
[   29.474313] RIP: 0033:0x44f39b
[ 29.474845] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 d6 00 00 00 85 c0 41 89 c5 0f 85 dd 00 00
All code
========
   0:	db 45 85             	fildl  -0x7b(%rbp)
   3:	f6                   	(bad)  
   4:	0f 85 95 01 00 00    	jne    0x19f
   a:	64 4c 8b 04 25 10 00 	mov    %fs:0x10,%r8
  11:	00 00 
  13:	31 d2                	xor    %edx,%edx
  15:	4d 8d 90 d0 02 00 00 	lea    0x2d0(%r8),%r10
  1c:	31 f6                	xor    %esi,%esi
  1e:	bf 11 00 20 01       	mov    $0x1200011,%edi
  23:	b8 38 00 00 00       	mov    $0x38,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	0f 87 d6 00 00 00    	ja     0x10c
  36:	85 c0                	test   %eax,%eax
  38:	41 89 c5             	mov    %eax,%r13d
  3b:	0f                   	.byte 0xf
  3c:	85 dd                	test   %ebx,%ebp


To reproduce:

	# build kernel
	cd linux
	cp config-5.11.0-rc2-00005-gc632dadc1046 .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

	# run the job under qemu
	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc2-00005-gc632dadc1046" of type "text/plain" (144502 bytes)

View attachment "job-script" of type "text/plain" (4319 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (16456 bytes)
