From: syzbot <syzbot+a65b3f8eec6b27650a25@syzkaller.appspotmail.com>
To: christoffer.dall@arm.com, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, maz@kernel.org,
pbonzini@redhat.com, peterx@redhat.com,
sean.j.christopherson@intel.com, syzkaller-bugs@googlegroups.com
Subject: KASAN: slab-out-of-bounds Read in kvm_read_guest_page
Date: Tue, 07 Apr 2020 13:06:11 -0700 [thread overview]
Message-ID: <0000000000003e2e5905a2b8ea2c@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: bef7b2a7 Merge tag 'devicetree-for-5.7' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e40efbe00000
kernel config: https://syzkaller.appspot.com/x/.config?x=91b674b8f0368e69
dashboard link: https://syzkaller.appspot.com/bug?extid=a65b3f8eec6b27650a25
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
userspace arch: i386
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14869db7e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10d2731fe00000
The bug was bisected to:
commit 36947254e5f981aeeedab1c7dfa35fc34d330e80
Author: Sean Christopherson <sean.j.christopherson@intel.com>
Date: Tue Feb 18 21:07:32 2020 +0000
KVM: Dynamically size memslot array based on number of used slots
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10a24a5de00000
final crash: https://syzkaller.appspot.com/x/report.txt?x=12a24a5de00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14a24a5de00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a65b3f8eec6b27650a25@syzkaller.appspotmail.com
Fixes: 36947254e5f9 ("KVM: Dynamically size memslot array based on number of used slots")
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
==================================================================
BUG: KASAN: slab-out-of-bounds in search_memslots include/linux/kvm_host.h:1051 [inline]
BUG: KASAN: slab-out-of-bounds in __gfn_to_memslot include/linux/kvm_host.h:1063 [inline]
BUG: KASAN: slab-out-of-bounds in gfn_to_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:1597 [inline]
BUG: KASAN: slab-out-of-bounds in kvm_read_guest_page+0x4b5/0x4d0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2261
Read of size 8 at addr ffff8880953fd468 by task syz-executor431/6995
CPU: 1 PID: 6995 Comm: syz-executor431 Not tainted 5.6.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:374
__kasan_report.cold+0x35/0x4d mm/kasan/report.c:503
kasan_report+0x33/0x50 mm/kasan/common.c:648
search_memslots include/linux/kvm_host.h:1051 [inline]
__gfn_to_memslot include/linux/kvm_host.h:1063 [inline]
gfn_to_memslot arch/x86/kvm/../../../virt/kvm/kvm_main.c:1597 [inline]
kvm_read_guest_page+0x4b5/0x4d0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2261
kvm_read_guest+0x51/0xd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2284
kvm_write_wall_clock arch/x86/kvm/x86.c:1721 [inline]
kvm_set_msr_common+0xdf3/0x27c0 arch/x86/kvm/x86.c:2851
vmx_set_msr+0xa83/0x26a0 arch/x86/kvm/vmx/vmx.c:2183
__kvm_set_msr+0x15f/0x2d0 arch/x86/kvm/x86.c:1504
__msr_io arch/x86/kvm/x86.c:3262 [inline]
msr_io+0x173/0x290 arch/x86/kvm/x86.c:3298
kvm_arch_vcpu_ioctl+0x1004/0x2c20 arch/x86/kvm/x86.c:4355
kvm_vcpu_ioctl+0x866/0xe60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3291
kvm_vcpu_compat_ioctl+0x1ab/0x350 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3334
__do_compat_sys_ioctl fs/ioctl.c:857 [inline]
__se_compat_sys_ioctl fs/ioctl.c:808 [inline]
__ia32_compat_sys_ioctl+0x23d/0x2b0 fs/ioctl.c:808
do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
do_fast_syscall_32+0x270/0xe90 arch/x86/entry/common.c:396
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
Allocated by task 6995:
save_stack+0x1b/0x80 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:518 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:491
kmalloc_node include/linux/slab.h:578 [inline]
kvmalloc_node+0x61/0xf0 mm/util.c:574
kvmalloc include/linux/mm.h:733 [inline]
kvzalloc include/linux/mm.h:741 [inline]
kvm_dup_memslots arch/x86/kvm/../../../virt/kvm/kvm_main.c:1101 [inline]
kvm_set_memslot+0x115/0x1530 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1118
__kvm_set_memory_region+0xcf7/0x1320 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1300
kvm_set_memory_region+0x29/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1321
kvm_vm_ioctl_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c:1333 [inline]
kvm_vm_ioctl+0x678/0x23e0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3604
kvm_vm_compat_ioctl+0x125/0x240 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3798
__do_compat_sys_ioctl fs/ioctl.c:857 [inline]
__se_compat_sys_ioctl fs/ioctl.c:808 [inline]
__ia32_compat_sys_ioctl+0x23d/0x2b0 fs/ioctl.c:808
do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
do_fast_syscall_32+0x270/0xe90 arch/x86/entry/common.c:396
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8880953fd000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1128 bytes inside of
2048-byte region [ffff8880953fd000, ffff8880953fd800)
The buggy address belongs to the page:
page:ffffea000254ff40 refcount:1 mapcount:0 mapping:00000000f2d13e61 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000290dd48 ffffea00029c98c8 ffff8880aa000e00
raw: 0000000000000000 ffff8880953fd000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880953fd300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8880953fd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880953fd400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
^
ffff8880953fd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880953fd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
next reply other threads:[~2020-04-07 20:06 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-07 20:06 syzbot [this message]
2020-04-08 1:08 ` KASAN: slab-out-of-bounds Read in kvm_read_guest_page Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000003e2e5905a2b8ea2c@google.com \
--to=syzbot+a65b3f8eec6b27650a25@syzkaller.appspotmail.com \
--cc=christoffer.dall@arm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maz@kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=sean.j.christopherson@intel.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.