[syzbot] [mm?] KASAN: out-of-bounds Read in copy_from_kernel_nofault

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] KASAN: out-of-bounds Read in copy_from_kernel_nofault
Date: Mon, 30 Sep 2024 06:40:30 -0700	[thread overview]
Message-ID: <66faaa4e.050a0220.aab67.0032.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    cea5425829f7 Add linux-next specific files for 20240930
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14eccea9980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=41a28720ed564c6a
dashboard link: https://syzkaller.appspot.com/bug?extid=61123a5daeb9f7454599
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/566995596f19/disk-cea54258.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e7c506c1c71d/vmlinux-cea54258.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7fcb4468b8c0/bzImage-cea54258.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: out-of-bounds in instrument_memcpy_before include/linux/instrumented.h:163 [inline]
BUG: KASAN: out-of-bounds in copy_from_kernel_nofault+0x7a/0x2f0 mm/maccess.c:35
Read of size 6 at addr fffffffffffffffd by task syz.1.54/5558

CPU: 1 UID: 0 PID: 5558 Comm: syz.1.54 Not tainted 6.12.0-rc1-next-20240930-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_memcpy_before include/linux/instrumented.h:163 [inline]
 copy_from_kernel_nofault+0x7a/0x2f0 mm/maccess.c:35
 bpf_probe_read_kernel_common include/linux/bpf.h:2960 [inline]
 ____bpf_probe_read_kernel kernel/trace/bpf_trace.c:239 [inline]
 bpf_probe_read_kernel+0x2a/0x70 kernel/trace/bpf_trace.c:236
 bpf_prog_fe7b69aea4fa28bf+0x43/0x45
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x4b1/0xa90 net/bpf/test_run.c:431
 bpf_prog_test_run_xdp+0x7da/0x11e0 net/bpf/test_run.c:1319
 bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4247
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5e6c17dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5e6d02a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f5e6c335f80 RCX: 00007f5e6c17dff9
RDX: 000000000000003b RSI: 0000000020000240 RDI: 000000000000000a
RBP: 00007f5e6c1f0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5e6c335f80 R15: 00007ffdc493ae58
 </TASK>

Memory state around the buggy address:
 fffffffffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffffffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 5558 Comm: syz.1.54 Not tainted 6.12.0-rc1-next-20240930-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:kasan_metadata_fetch_row+0x12/0x30 mm/kasan/report_generic.c:186
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f c3 cc cc cc cc 66
RSP: 0018:ffffc900049976d8 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 78f03800465e2000
RDX: ffffc900045d9000 RSI: 0000000000000000 RDI: ffffc90004997710
RBP: ffffc90004997758 R08: ffffffff8bc0f2d3 R09: 0000000000000020
R10: dffffc0000000000 R11: fffff52000932ee1 R12: ffffc90004997710
R13: 0000000000000080 R14: ffffffffffffff80 R15: ffffc900049976f0
FS:  00007f5e6d02a6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055558b7a5808 CR3: 000000003075e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 print_memory_metadata mm/kasan/report.c:464 [inline]
 print_report+0x4df/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_memcpy_before include/linux/instrumented.h:163 [inline]
 copy_from_kernel_nofault+0x7a/0x2f0 mm/maccess.c:35
 bpf_probe_read_kernel_common include/linux/bpf.h:2960 [inline]
 ____bpf_probe_read_kernel kernel/trace/bpf_trace.c:239 [inline]
 bpf_probe_read_kernel+0x2a/0x70 kernel/trace/bpf_trace.c:236
 bpf_prog_fe7b69aea4fa28bf+0x43/0x45
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run_xdp include/net/xdp.h:514 [inline]
 bpf_test_run+0x4b1/0xa90 net/bpf/test_run.c:431
 bpf_prog_test_run_xdp+0x7da/0x11e0 net/bpf/test_run.c:1319
 bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4247
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5e6c17dff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5e6d02a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f5e6c335f80 RCX: 00007f5e6c17dff9
RDX: 000000000000003b RSI: 0000000020000240 RDI: 000000000000000a
RBP: 00007f5e6c1f0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f5e6c335f80 R15: 00007ffdc493ae58
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_metadata_fetch_row+0x12/0x30 mm/kasan/report_generic.c:186
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 c1 ee 03 48 b8 00 00 00 00 00 fc ff df <48> 8b 0c 06 48 8b 44 06 08 48 89 47 08 48 89 0f c3 cc cc cc cc 66
RSP: 0018:ffffc900049976d8 EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 78f03800465e2000
RDX: ffffc900045d9000 RSI: 0000000000000000 RDI: ffffc90004997710
RBP: ffffc90004997758 R08: ffffffff8bc0f2d3 R09: 0000000000000020
R10: dffffc0000000000 R11: fffff52000932ee1 R12: ffffc90004997710
R13: 0000000000000080 R14: ffffffffffffff80 R15: ffffc900049976f0
FS:  00007f5e6d02a6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055558b7a5808 CR3: 000000003075e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	0f 1f 84 00 00 00 00 	nopl   0x0(%rax,%rax,1)
   7:	00
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	66 0f 1f 00          	nopw   (%rax)
  1c:	48 c1 ee 03          	shr    $0x3,%rsi
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df
* 2a:	48 8b 0c 06          	mov    (%rsi,%rax,1),%rcx <-- trapping instruction
  2e:	48 8b 44 06 08       	mov    0x8(%rsi,%rax,1),%rax
  33:	48 89 47 08          	mov    %rax,0x8(%rdi)
  37:	48 89 0f             	mov    %rcx,(%rdi)
  3a:	c3                   	ret
  3b:	cc                   	int3
  3c:	cc                   	int3
  3d:	cc                   	int3
  3e:	cc                   	int3
  3f:	66                   	data16


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2024-09-30 13:40 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-30 13:40 syzbot [this message]
2024-09-30 13:53 ` [syzbot] [mm?] KASAN: out-of-bounds Read in copy_from_kernel_nofault Sabyrzhan Tasbolatov
2024-10-01  4:22 ` syzbot
2024-10-01 23:25 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=66faaa4e.050a0220.aab67.0032.GAE@google.com \
    --to=syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.