From: Tom Zanussi <tzanussi@gmail.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: "Pali Rohár" <pali.rohar@gmail.com>,
	"Mario Limonciello" <mario.limonciello@dell.com>,
	linux-kernel@vger.kernel.org
Subject: Re: dell_smbios KASAN bug
Date: Wed, 20 Mar 2019 14:30:21 -0500
Message-ID: <1553110221.2034.1.camel@gmail.com>
In-Reply-To: <20190320151353.1a223c0e@gandalf.local.home>

On Wed, 2019-03-20 at 15:13 -0400, Steven Rostedt wrote:
> On Wed, 20 Mar 2019 14:05:49 -0500
> Tom Zanussi <tzanussi@gmail.com> wrote:
> 
> > On Wed, 2019-03-20 at 14:41 -0400, Steven Rostedt wrote:
> > > On Wed, 20 Mar 2019 13:29:20 -0500
> > > Tom Zanussi <tzanussi@gmail.com> wrote:
> > >   
> > > > Hi,
> > > > 
> > > > While looking into an unrelated problem, I hit this KASAN
> > > > use-after-free warning, so thought I'd let you know.
> > > > 
> > > > I have no idea how to fix it, but let me know if you need more
> > > > info.
> > > >   
> > > 
> > > Could you run with debug in the kernel command line, and see if you
> > > hit any failed messages from the dell_smbios_init() call?
> > >   
> > 
> > Not much, but this looks relevant:
> > 
> > [   26.783749] dell_smbios: No SMBIOS backends available (wmi: -19, smm: -19)
> > [   26.963648] dell_smbios: No dell-smbios drivers are loaded
> > 
> 
> And does this fix your problem?
> 
> -- Steve
> 
> diff --git a/drivers/platform/x86/dell-smbios-base.c
> b/drivers/platform/x86/dell-smbios-base.c
> index 9dc282ed5a9e..c3825c674522 100644
> --- a/drivers/platform/x86/dell-smbios-base.c
> +++ b/drivers/platform/x86/dell-smbios-base.c
> @@ -619,6 +619,7 @@ static int __init dell_smbios_init(void)
>  
>  fail_platform_driver:
>  	kfree(da_tokens);
> +	da_num_tokens = 0;
>  	return ret;
>  }
>  
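
Review bot: In the fail_platform_driver path, da_tokens still points at the freed buffer after kfree(da_tokens); zeroing only da_num_tokens helps callers that consult the count before touching the array, not ones that test or dereference the pointer. Consider adding da_tokens = NULL; next to the new line, and confirm that this label is the free site taken on the failing boot, since the reply below still shows the same use-after-free read in dell_smbios_find_token with this change applied.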


Unfortunately, no.

[   26.125995] dell_smbios: No SMBIOS backends available (wmi: -19, smm: -19)
[   26.232716] systemd-journald[407]: Successfully sent stream file descriptor to service manager.
[   26.242860] dell_smbios: No dell-smbios drivers are loaded
[   26.243142] ==================================================================
[   26.243241] BUG: KASAN: use-after-free in dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   26.243254] Read of size 2 at addr ffff8883bdf941a8 by task systemd-udevd/458

[   26.243277] CPU: 1 PID: 458 Comm: systemd-udevd Not tainted 5.1.0-rc1+ #10
[   26.243283] Hardware name: Dell Inc. XPS 13 9360/02PG84, BIOS 2.3.1 10/03/2017
[   26.243288] Call Trace:
[   26.243303]  dump_stack+0x7c/0xbb
[   26.243317]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   26.243327]  print_address_description+0xc7/0x280
[   26.243339]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   26.243350]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   26.243359]  kasan_report+0x14e/0x192
[   26.243379]  ? dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   26.243399]  dell_smbios_find_token+0x2e/0x80 [dell_smbios]
[   26.243421]  kbd_led_init+0x2e7/0x473 [dell_laptop]
[   26.243440]  ? dmi_matched+0x2a/0x2a [dell_laptop]
[   26.243451]  ? get_device_parent.isra.28+0x2a0/0x2a0
[   26.243466]  ? lockdep_init_map+0x98/0x2c0
[   26.243494]  ? platform_device_add+0x1b5/0x3a0
[   26.243525]  dell_init+0x4ad/0xb63 [dell_laptop]
[   26.243542]  ? kbd_led_init+0x473/0x473 [dell_laptop]
[   26.243563]  ? ___slab_alloc+0x61f/0x700
[   26.243572]  ? ___slab_alloc+0x61f/0x700
[   26.243594]  ? preempt_count_sub+0x15/0x100
[   26.243616]  ? kbd_led_init+0x473/0x473 [dell_laptop]
[   26.243626]  do_one_initcall+0xbd/0x3fd
[   26.243638]  ? perf_trace_initcall_level+0x280/0x280
[   26.243650]  ? kasan_unpoison_shadow+0x30/0x40
[   26.243662]  ? __kasan_kmalloc.constprop.8+0xa0/0xd0
[   26.243681]  ? kmem_cache_alloc_trace+0x163/0x390
[   26.243691]  ? kasan_unpoison_shadow+0x30/0x40
[   26.243716]  do_init_module+0xe3/0x341
[   26.243736]  load_module+0x2fc5/0x3ad0
[   26.243824]  ? layout_and_allocate+0x1170/0x1170
[   26.243837]  ? vfs_read+0xd4/0x1b0
[   26.243855]  ? kernel_read+0x74/0xa0
[   26.243877]  ? kernel_read_file+0x148/0x320
[   26.243917]  ? seccomp_notify_release+0x110/0x110
[   26.243958]  ? __do_sys_finit_module+0x192/0x1c0
[   26.243964]  __do_sys_finit_module+0x192/0x1c0
[   26.243975]  ? __ia32_sys_init_module+0x40/0x40
[   26.244000]  ? syscall_trace_enter+0x184/0x5e0
[   26.244046]  ? mark_held_locks+0x1a/0x90
[   26.244068]  do_syscall_64+0x72/0x220
[   26.244083]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   26.244091] RIP: 0033:0x7f7ceda3aa49
[   26.244100] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0f b4 2c 00 f7 d8 64 89 01 48
[   26.244105] RSP: 002b:00007ffe6ca1cbf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   26.244114] RAX: ffffffffffffffda RBX: 00005635100838f0 RCX: 00007f7ceda3aa49
[   26.244121] RDX: 0000000000000000 RSI: 00007f7ced7261c5 RDI: 0000000000000010
[   26.244127] RBP: 00007f7ced7261c5 R08: 0000000000000000 R09: 00005635100838f0
[   26.244133] R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000000
[   26.244139] R13: 0000563510089e90 R14: 0000000000020000 R15: 00005635100838f0

[   26.244193] Allocated by task 458:
[   26.244206]  __kasan_kmalloc.constprop.8+0xa0/0xd0
[   26.244214]  krealloc+0xa0/0xc0
[   26.244220]  0xffffffffc0d60075
[   26.244228]  dmi_decode_table+0xf6/0x140
[   26.244235]  dmi_walk+0x46/0x70
[   26.244241]  0xffffffffc0d60109
[   26.244248]  do_one_initcall+0xbd/0x3fd
[   26.244255]  do_init_module+0xe3/0x341
[   26.244261]  load_module+0x2fc5/0x3ad0
[   26.244269]  __do_sys_finit_module+0x192/0x1c0
[   26.244276]  do_syscall_64+0x72/0x220
[   26.244283]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[   26.244297] Freed by task 458:
[   26.244309]  __kasan_slab_free+0x111/0x150
[   26.244316]  kfree+0xf5/0x350
[   26.244323]  0xffffffffc0d601d4
[   26.244330]  do_one_initcall+0xbd/0x3fd
[   26.244337]  do_init_module+0xe3/0x341
[   26.244344]  load_module+0x2fc5/0x3ad0
[   26.244352]  __do_sys_finit_module+0x192/0x1c0
[   26.244358]  do_syscall_64+0x72/0x220
[   26.244366]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[   26.244381] The buggy address belongs to the object at ffff8883bdf941a8
                which belongs to the cache kmalloc-2k of size 2048
[   26.244393] The buggy address is located 0 bytes inside of
                2048-byte region [ffff8883bdf941a8, ffff8883bdf949a8)
[   26.244402] The buggy address belongs to the page:
[   26.244413] page:ffffea000ef7e400 count:1 mapcount:0 mapping:ffff88841c0113c0 index:0xffff8883bdf90968 compound_mapcount: 0
[   26.244423] flags: 0x17ffffc0010200(slab|head)
[   26.244433] raw: 0017ffffc0010200 ffffea000eff8208 ffff88841c003200 ffff88841c0113c0
[   26.244442] raw: ffff8883bdf90968 00000000000d0009 00000001ffffffff 0000000000000000
[   26.244447] page dumped because: kasan: bad access detected

[   26.244460] Memory state around the buggy address:
[   26.244472]  ffff8883bdf94080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.244483]  ffff8883bdf94100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   26.244494] >ffff8883bdf94180: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
[   26.244504]                                   ^
[   26.244515]  ffff8883bdf94200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.244526]  ffff8883bdf94280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.244535] ==================================================================

