* KASAN: out-of-bounds Read in unwind_next_frame
@ 2019-01-07 10:01 syzbot
2019-01-07 10:04 ` Dmitry Vyukov
2019-01-26 12:07 ` syzbot
0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2019-01-07 10:01 UTC (permalink / raw)
To: bp, hpa, linux-kernel, mingo, syzkaller-bugs, tglx, x86
Hello,
syzbot found the following crash on:
HEAD commit: b5aef86e089a Merge tag 'docs-5.0-fixes' of git://git.lwn.n..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1034c54b400000
kernel config: https://syzkaller.appspot.com/x/.config?x=d55557b516c45456
dashboard link: https://syzkaller.appspot.com/bug?extid=2fdf0ed2b3bc8fc51fc6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2fdf0ed2b3bc8fc51fc6@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in unwind_next_frame.part.0+0x756/0xa90
arch/x86/kernel/unwind_frame.c:324
Read of size 8 at addr ffff88805082fb68 by task syz-executor2/21500
CPU: 0 PID: 21500 Comm: syz-executor2 Not tainted 4.20.0+ #12
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
unwind_next_frame.part.0+0x756/0xa90 arch/x86/kernel/unwind_frame.c:324
unwind_next_frame+0x3b/0x50 arch/x86/kernel/unwind_frame.c:287
__save_stack_trace+0x7a/0xf0 arch/x86/kernel/stacktrace.c:44
save_stack_trace_tsk arch/x86/kernel/stacktrace.c:76 [inline]
save_stack_trace_tsk+0x9e/0xd0 arch/x86/kernel/stacktrace.c:69
proc_pid_stack+0x272/0x430 fs/proc/base.c:438
proc_single_show+0xf6/0x180 fs/proc/base.c:739
seq_read+0x4db/0x1130 fs/seq_file.c:229
do_loop_readv_writev fs/read_write.c:700 [inline]
do_loop_readv_writev fs/read_write.c:687 [inline]
do_iter_read+0x4a9/0x660 fs/read_write.c:921
vfs_readv+0x175/0x1c0 fs/read_write.c:983
do_preadv+0x1c4/0x280 fs/read_write.c:1067
__do_sys_preadv fs/read_write.c:1117 [inline]
__se_sys_preadv fs/read_write.c:1112 [inline]
__x64_sys_preadv+0x9a/0xf0 fs/read_write.c:1112
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8d6c5e5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457ec9
RDX: 00000000000001a1 RSI: 00000000200017c0 RDI: 0000000000000005
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8d6c5e66d4
R13: 00000000004c4861 R14: 00000000004d7d20 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea0001420bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff01420101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88805082fa00: 00 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 f8
ffff88805082fa80: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88805082fb00: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
^
ffff88805082fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
ffff88805082fc00: f1 f1 00 f2 f2 f2 00 00 f2 f2 04 f3 f3 f3 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: out-of-bounds Read in unwind_next_frame
2019-01-07 10:01 syzbot
@ 2019-01-07 10:04 ` Dmitry Vyukov
2019-01-26 12:07 ` syzbot
1 sibling, 0 replies; 5+ messages in thread
From: Dmitry Vyukov @ 2019-01-07 10:04 UTC (permalink / raw)
To: syzbot
Cc: Borislav Petkov, H. Peter Anvin, LKML, Ingo Molnar,
syzkaller-bugs, Thomas Gleixner, the arch/x86 maintainers
On Mon, Jan 7, 2019 at 11:01 AM syzbot
<syzbot+2fdf0ed2b3bc8fc51fc6@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: b5aef86e089a Merge tag 'docs-5.0-fixes' of git://git.lwn.n..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1034c54b400000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d55557b516c45456
> dashboard link: https://syzkaller.appspot.com/bug?extid=2fdf0ed2b3bc8fc51fc6
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2fdf0ed2b3bc8fc51fc6@syzkaller.appspotmail.com
This happens on the line that does _not_ use READ_ONCE_TASK_STACK:
/* Get the next frame pointer: */
if (state->regs)
next_bp = (unsigned long *)state->regs->bp;
else
next_bp = (unsigned long *)READ_ONCE_TASK_STACK(state->task,
*state->bp);
Should the first line also use READ_ONCE_TASK_STACK?
Or should we always have state->regs == NULL when unwinding a remote task?
Or is it a true OOB if we are unwinding own stack?
> ==================================================================
> BUG: KASAN: out-of-bounds in unwind_next_frame.part.0+0x756/0xa90
> arch/x86/kernel/unwind_frame.c:324
> Read of size 8 at addr ffff88805082fb68 by task syz-executor2/21500
>
> CPU: 0 PID: 21500 Comm: syz-executor2 Not tainted 4.20.0+ #12
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
> print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
> kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
> __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
> unwind_next_frame.part.0+0x756/0xa90 arch/x86/kernel/unwind_frame.c:324
> unwind_next_frame+0x3b/0x50 arch/x86/kernel/unwind_frame.c:287
> __save_stack_trace+0x7a/0xf0 arch/x86/kernel/stacktrace.c:44
> save_stack_trace_tsk arch/x86/kernel/stacktrace.c:76 [inline]
> save_stack_trace_tsk+0x9e/0xd0 arch/x86/kernel/stacktrace.c:69
> proc_pid_stack+0x272/0x430 fs/proc/base.c:438
> proc_single_show+0xf6/0x180 fs/proc/base.c:739
> seq_read+0x4db/0x1130 fs/seq_file.c:229
> do_loop_readv_writev fs/read_write.c:700 [inline]
> do_loop_readv_writev fs/read_write.c:687 [inline]
> do_iter_read+0x4a9/0x660 fs/read_write.c:921
> vfs_readv+0x175/0x1c0 fs/read_write.c:983
> do_preadv+0x1c4/0x280 fs/read_write.c:1067
> __do_sys_preadv fs/read_write.c:1117 [inline]
> __se_sys_preadv fs/read_write.c:1112 [inline]
> __x64_sys_preadv+0x9a/0xf0 fs/read_write.c:1112
> do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x457ec9
> Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f8d6c5e5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457ec9
> RDX: 00000000000001a1 RSI: 00000000200017c0 RDI: 0000000000000005
> RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8d6c5e66d4
> R13: 00000000004c4861 R14: 00000000004d7d20 R15: 00000000ffffffff
>
> The buggy address belongs to the page:
> page:ffffea0001420bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
> flags: 0x1fffc0000000000()
> raw: 01fffc0000000000 0000000000000000 ffffffff01420101 0000000000000000
> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88805082fa00: 00 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 f8
> ffff88805082fa80: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff88805082fb00: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
> ^
> ffff88805082fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
> ffff88805082fc00: f1 f1 00 f2 f2 f2 00 00 f2 f2 04 f3 f3 f3 00 00
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/0000000000007b7cbf057edb4e33%40google.com.
> For more options, visit https://groups.google.com/d/optout.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: out-of-bounds Read in unwind_next_frame
2019-01-07 10:01 syzbot
2019-01-07 10:04 ` Dmitry Vyukov
@ 2019-01-26 12:07 ` syzbot
1 sibling, 0 replies; 5+ messages in thread
From: syzbot @ 2019-01-26 12:07 UTC (permalink / raw)
To: bp, dvyukov, hpa, linux-kernel, mingo, syzkaller-bugs, tglx, x86
syzbot has found a reproducer for the following crash on:
HEAD commit: ba6069759381 Merge tag 'mmc-v5.0-rc2' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=121e935f400000
kernel config: https://syzkaller.appspot.com/x/.config?x=505743eba4e4f68
dashboard link: https://syzkaller.appspot.com/bug?extid=2fdf0ed2b3bc8fc51fc6
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f6c887400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2fdf0ed2b3bc8fc51fc6@syzkaller.appspotmail.com
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: out-of-bounds in unwind_next_frame.part.0+0x756/0xa90
arch/x86/kernel/unwind_frame.c:324
Read of size 8 at addr ffff88809476fb68 by task syz-executor1/12572
CPU: 1 PID: 12572 Comm: syz-executor1 Not tainted 5.0.0-rc3+ #44
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
unwind_next_frame.part.0+0x756/0xa90 arch/x86/kernel/unwind_frame.c:324
unwind_next_frame+0x3b/0x50 arch/x86/kernel/unwind_frame.c:287
__save_stack_trace+0x7a/0xf0 arch/x86/kernel/stacktrace.c:44
save_stack_trace_tsk arch/x86/kernel/stacktrace.c:76 [inline]
save_stack_trace_tsk+0x9e/0xd0 arch/x86/kernel/stacktrace.c:69
proc_pid_stack+0x272/0x430 fs/proc/base.c:438
proc_single_show+0xf6/0x180 fs/proc/base.c:739
seq_read+0x4db/0x1130 fs/seq_file.c:229
do_loop_readv_writev fs/read_write.c:700 [inline]
do_loop_readv_writev fs/read_write.c:687 [inline]
do_iter_read+0x4a9/0x660 fs/read_write.c:921
vfs_readv+0x175/0x1c0 fs/read_write.c:983
do_preadv+0x1c4/0x280 fs/read_write.c:1067
__do_sys_preadv fs/read_write.c:1117 [inline]
__se_sys_preadv fs/read_write.c:1112 [inline]
__x64_sys_preadv+0x9a/0xf0 fs/read_write.c:1112
do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458099
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fedc3d91c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000458099
RDX: 1000000000000156 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedc3d926d4
R13: 00000000004c4b67 R14: 00000000004d82e0 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea000251dbc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff02510101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88809476fa00: 00 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 f8
ffff88809476fa80: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff88809476fb00: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
^
ffff88809476fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
ffff88809476fc00: f1 f1 00 f2 f2 f2 00 00 f2 f2 04 f3 f3 f3 00 00
==================================================================
^ permalink raw reply [flat|nested] 5+ messages in thread
* KASAN: out-of-bounds Read in unwind_next_frame
@ 2025-05-21 9:42 huk23
2025-05-21 10:19 ` Huacai Chen
0 siblings, 1 reply; 5+ messages in thread
From: huk23 @ 2025-05-21 9:42 UTC (permalink / raw)
To: Huacai Chen, WANG Xuerui
Cc: Jiaji Qin, Shuoran Bai, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com, loongarch@lists.linux.dev
Dear Maintainers,
When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (100th)was triggered.
HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
git tree: upstream
Output:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/100_KASAN%3A%20out-of-bounds%20Read%20in%20unwind_next_frame/100report.txt
Kernel config:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/config.txt
C reproducer:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/100_KASAN%3A%20out-of-bounds%20Read%20in%20unwind_next_frame/100repro.c
Syzlang reproducer:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/100_KASAN%3A%20out-of-bounds%20Read%20in%20unwind_next_frame/100repro.txt
The issue might occur in the stack_access_ok function call, which attempts to validate whether an address is within a valid stack range. In theASAN report, we see an out-of-bounds read of size 2, corresponding to the address ffff c90013b67600 Note the on_stack function within the stack_access_ok function, which triggers the out-of-bounds read when checking if an address is within the stack range, and invalid address is calculated when preparing to execute p = (unsigned long *)(state->sp orc->ra_offset); or regs = (struct pt_regsstate->sp;
Most likely, a pointer calculation in the unwind_next_frame function resulted in an invalid address, and KASAN detected the out-of- access when the code tried to read data via that address.
We have reproduced this issue several times on 6.15-rc6 again.
If you fix this issue, please add the following tag to the commit:
Reported-by: Kun Hu <huk23@m.fudan.edu.cn>, Jiaji Qin <jjtan24@m.fudan.edu.cn>, Shuoran Bai <baishuoran@hrbeu.edu.cn>
==================================================================
BUG: KASAN: out-of-bounds in unwind_next_frame+0xd87/0x1c20
Read of size 2 at addr ffffc90013b67600 by task kworker/3:3/14224
CPU: 3 UID: 0 PID: 14224 Comm: kworker/3:3 Not tainted 6.15.0-rc6 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events console_callback
Call Trace:
<IRQ>
dump_stack_lvl+0x116/0x1b0
print_report+0xc1/0x630
kasan_report+0x96/0xd0
unwind_next_frame+0xd87/0x1c20
show_trace_log_lvl+0x20c/0x380
sched_show_task+0x410/0x660
show_state_filter+0xf7/0x390
k_spec+0xeb/0x140
kbd_event+0xdd9/0x3930
input_handle_events_default+0x10a/0x1a0
input_pass_values+0x68d/0x870
input_event_dispose+0x4db/0x640
input_handle_event+0x122/0xde0
input_event+0x83/0xb0
hidinput_hid_event+0xa7b/0x2040
hid_process_event+0x4a6/0x5d0
hid_input_array_field+0x4dc/0x670
hid_report_raw_event+0xa53/0x1230
__hid_input_report.constprop.0+0x33d/0x440
hid_irq_in+0x35d/0x850
__usb_hcd_giveback_urb+0x2e5/0x6b0
usb_hcd_giveback_urb+0x391/0x450
dummy_timer+0x124b/0x3580
__hrtimer_run_queues+0x1af/0xc60
hrtimer_run_softirq+0x17f/0x2e0
handle_softirqs+0x1be/0x850
irq_exit_rcu+0xfd/0x150
sysvec_apic_timer_interrupt+0xa8/0xc0
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:bit_putcs+0x5f4/0xd80
Code: 41 89 c5 e8 7e 27 9a fc 48 89 ef 48 83 c5 01 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 0f b6 04 08 <38> d0 7f 08 84 c0 0f 85 24 06 00 00 4c 89 e0 4c 89 e1 0f b6 55 ff
RSP: 0018:ffffc9000865f838 EFLAGS: 00000202
RAX: 0000000000000000 RBX: ffff8880430a1822 RCX: dffffc0000000000
RDX: 0000000000000007 RSI: ffff8880774d8000 RDI: ffffffff8bf73a3f
RBP: ffffffff8bf73a40 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff2107af3 R11: ffffffff9083d79f R12: ffff8880430a1fa2
R13: 0000000000000000 R14: ffff888028d06000 R15: 0000000000000000
fbcon_putcs+0x37a/0x4b0
do_update_region+0x2e5/0x3f0
redraw_screen+0x62d/0x750
complete_change_console+0x110/0x3b0
change_console+0x1a5/0x2e0
console_callback+0x1a1/0x4c0
process_scheduled_works+0x5de/0x1bd0
worker_thread+0x5a9/0xd10
kthread+0x447/0x8a0
ret_from_fork+0x48/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
The buggy address belongs to the virtual mapping at
[ffffc90013b60000, ffffc90013b69000) created by:
kernel_clone+0xea/0xee0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51f4d
memcg:ffff888000901b02
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff888000901b02
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 708, tgid 708 (kworker/u19:2), ts 86243875317, free_ts 0
prep_new_page+0x1b0/0x1e0
get_page_from_freelist+0x1c80/0x3a40
__alloc_frozen_pages_noprof+0x2fd/0x6d0
alloc_pages_mpol+0x209/0x550
alloc_pages_noprof+0x1c/0x250
__vmalloc_node_range_noprof+0xa75/0x13a0
__vmalloc_node_noprof+0x73/0xa0
copy_process+0x439c/0x77f0
kernel_clone+0xea/0xee0
user_mode_thread+0xc5/0x110
call_usermodehelper_exec_work+0xd0/0x180
process_scheduled_works+0x5de/0x1bd0
worker_thread+0x5a9/0xd10
kthread+0x447/0x8a0
ret_from_fork+0x48/0x80
ret_from_fork_asm+0x1a/0x30
page_owner free stack trace missing
Memory state around the buggy address:
ffffc90013b67500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90013b67580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90013b67600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffc90013b67680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffc90013b67700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 41 89 c5 mov %eax,%r13d
3: e8 7e 27 9a fc callq 0xfc9a2786
8: 48 89 ef mov %rbp,%rdi
b: 48 83 c5 01 add $0x1,%rbp
f: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
16: fc ff df
19: 48 89 f8 mov %rdi,%rax
1c: 48 89 fa mov %rdi,%rdx
1f: 48 c1 e8 03 shr $0x3,%rax
23: 83 e2 07 and $0x7,%edx
26: 0f b6 04 08 movzbl (%rax,%rcx,1),%eax
* 2a: 38 d0 cmp %dl,%al <-- trapping instruction
2c: 7f 08 jg 0x36
2e: 84 c0 test %al,%al
30: 0f 85 24 06 00 00 jne 0x65a
36: 4c 89 e0 mov %r12,%rax
39: 4c 89 e1 mov %r12,%rcx
3c: 0f b6 55 ff movzbl -0x1(%rbp),%edx
thanks,
Kun Hu
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: KASAN: out-of-bounds Read in unwind_next_frame
2025-05-21 9:42 KASAN: out-of-bounds Read in unwind_next_frame huk23
@ 2025-05-21 10:19 ` Huacai Chen
0 siblings, 0 replies; 5+ messages in thread
From: Huacai Chen @ 2025-05-21 10:19 UTC (permalink / raw)
To: huk23@m.fudan.edu.cn
Cc: WANG Xuerui, Jiaji Qin, Shuoran Bai, linux-kernel@vger.kernel.org,
syzkaller@googlegroups.com, loongarch@lists.linux.dev
Hi, All,
I found this is a x86-specific bug, why report it to the LoongArch list?
Huacai
On Wed, May 21, 2025 at 5:42 PM huk23@m.fudan.edu.cn
<huk23@m.fudan.edu.cn> wrote:
>
> Dear Maintainers,
>
>
>
> When using our customized Syzkaller to fuzz the latest Linux kernel, the following crash (100th)was triggered.
>
>
> HEAD commit: 6537cfb395f352782918d8ee7b7f10ba2cc3cbf2
> git tree: upstream
> Output:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/100_KASAN%3A%20out-of-bounds%20Read%20in%20unwind_next_frame/100report.txt
> Kernel config:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/config.txt
> C reproducer:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/100_KASAN%3A%20out-of-bounds%20Read%20in%20unwind_next_frame/100repro.c
> Syzlang reproducer:https://github.com/pghk13/Kernel-Bug/blob/main/0520_6.15-rc6/100_KASAN%3A%20out-of-bounds%20Read%20in%20unwind_next_frame/100repro.txt
>
>
> The issue might occur in the stack_access_ok function call, which attempts to validate whether an address is within a valid stack range. In theASAN report, we see an out-of-bounds read of size 2, corresponding to the address ffff c90013b67600 Note the on_stack function within the stack_access_ok function, which triggers the out-of-bounds read when checking if an address is within the stack range, and invalid address is calculated when preparing to execute p = (unsigned long *)(state->sp orc->ra_offset); or regs = (struct pt_regsstate->sp;
> Most likely, a pointer calculation in the unwind_next_frame function resulted in an invalid address, and KASAN detected the out-of- access when the code tried to read data via that address.
> We have reproduced this issue several times on 6.15-rc6 again.
>
>
>
>
>
>
> If you fix this issue, please add the following tag to the commit:
> Reported-by: Kun Hu <huk23@m.fudan.edu.cn>, Jiaji Qin <jjtan24@m.fudan.edu.cn>, Shuoran Bai <baishuoran@hrbeu.edu.cn>
>
>
> ==================================================================
> BUG: KASAN: out-of-bounds in unwind_next_frame+0xd87/0x1c20
> Read of size 2 at addr ffffc90013b67600 by task kworker/3:3/14224
>
> CPU: 3 UID: 0 PID: 14224 Comm: kworker/3:3 Not tainted 6.15.0-rc6 #1 PREEMPT(full)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Workqueue: events console_callback
> Call Trace:
> <IRQ>
> dump_stack_lvl+0x116/0x1b0
> print_report+0xc1/0x630
> kasan_report+0x96/0xd0
> unwind_next_frame+0xd87/0x1c20
> show_trace_log_lvl+0x20c/0x380
> sched_show_task+0x410/0x660
> show_state_filter+0xf7/0x390
> k_spec+0xeb/0x140
> kbd_event+0xdd9/0x3930
> input_handle_events_default+0x10a/0x1a0
> input_pass_values+0x68d/0x870
> input_event_dispose+0x4db/0x640
> input_handle_event+0x122/0xde0
> input_event+0x83/0xb0
> hidinput_hid_event+0xa7b/0x2040
> hid_process_event+0x4a6/0x5d0
> hid_input_array_field+0x4dc/0x670
> hid_report_raw_event+0xa53/0x1230
> __hid_input_report.constprop.0+0x33d/0x440
> hid_irq_in+0x35d/0x850
> __usb_hcd_giveback_urb+0x2e5/0x6b0
> usb_hcd_giveback_urb+0x391/0x450
> dummy_timer+0x124b/0x3580
> __hrtimer_run_queues+0x1af/0xc60
> hrtimer_run_softirq+0x17f/0x2e0
> handle_softirqs+0x1be/0x850
> irq_exit_rcu+0xfd/0x150
> sysvec_apic_timer_interrupt+0xa8/0xc0
> </IRQ>
> <TASK>
> asm_sysvec_apic_timer_interrupt+0x1a/0x20
> RIP: 0010:bit_putcs+0x5f4/0xd80
> Code: 41 89 c5 e8 7e 27 9a fc 48 89 ef 48 83 c5 01 48 b9 00 00 00 00 00 fc ff df 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 0f b6 04 08 <38> d0 7f 08 84 c0 0f 85 24 06 00 00 4c 89 e0 4c 89 e1 0f b6 55 ff
> RSP: 0018:ffffc9000865f838 EFLAGS: 00000202
> RAX: 0000000000000000 RBX: ffff8880430a1822 RCX: dffffc0000000000
> RDX: 0000000000000007 RSI: ffff8880774d8000 RDI: ffffffff8bf73a3f
> RBP: ffffffff8bf73a40 R08: 0000000000000000 R09: 0000000000000000
> R10: fffffbfff2107af3 R11: ffffffff9083d79f R12: ffff8880430a1fa2
> R13: 0000000000000000 R14: ffff888028d06000 R15: 0000000000000000
> fbcon_putcs+0x37a/0x4b0
> do_update_region+0x2e5/0x3f0
> redraw_screen+0x62d/0x750
> complete_change_console+0x110/0x3b0
> change_console+0x1a5/0x2e0
> console_callback+0x1a1/0x4c0
> process_scheduled_works+0x5de/0x1bd0
> worker_thread+0x5a9/0xd10
> kthread+0x447/0x8a0
> ret_from_fork+0x48/0x80
> ret_from_fork_asm+0x1a/0x30
> </TASK>
>
> The buggy address belongs to the virtual mapping at
> [ffffc90013b60000, ffffc90013b69000) created by:
> kernel_clone+0xea/0xee0
>
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51f4d
> memcg:ffff888000901b02
> flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
> raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000000000 00000001ffffffff ffff888000901b02
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO|__GFP_NOWARN), pid 708, tgid 708 (kworker/u19:2), ts 86243875317, free_ts 0
> prep_new_page+0x1b0/0x1e0
> get_page_from_freelist+0x1c80/0x3a40
> __alloc_frozen_pages_noprof+0x2fd/0x6d0
> alloc_pages_mpol+0x209/0x550
> alloc_pages_noprof+0x1c/0x250
> __vmalloc_node_range_noprof+0xa75/0x13a0
> __vmalloc_node_noprof+0x73/0xa0
> copy_process+0x439c/0x77f0
> kernel_clone+0xea/0xee0
> user_mode_thread+0xc5/0x110
> call_usermodehelper_exec_work+0xd0/0x180
> process_scheduled_works+0x5de/0x1bd0
> worker_thread+0x5a9/0xd10
> kthread+0x447/0x8a0
> ret_from_fork+0x48/0x80
> ret_from_fork_asm+0x1a/0x30
> page_owner free stack trace missing
>
> Memory state around the buggy address:
> ffffc90013b67500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffc90013b67580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffffc90013b67600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ^
> ffffc90013b67680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffc90013b67700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
> ----------------
> Code disassembly (best guess):
> 0: 41 89 c5 mov %eax,%r13d
> 3: e8 7e 27 9a fc callq 0xfc9a2786
> 8: 48 89 ef mov %rbp,%rdi
> b: 48 83 c5 01 add $0x1,%rbp
> f: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
> 16: fc ff df
> 19: 48 89 f8 mov %rdi,%rax
> 1c: 48 89 fa mov %rdi,%rdx
> 1f: 48 c1 e8 03 shr $0x3,%rax
> 23: 83 e2 07 and $0x7,%edx
> 26: 0f b6 04 08 movzbl (%rax,%rcx,1),%eax
> * 2a: 38 d0 cmp %dl,%al <-- trapping instruction
> 2c: 7f 08 jg 0x36
> 2e: 84 c0 test %al,%al
> 30: 0f 85 24 06 00 00 jne 0x65a
> 36: 4c 89 e0 mov %r12,%rax
> 39: 4c 89 e1 mov %r12,%rcx
> 3c: 0f b6 55 ff movzbl -0x1(%rbp),%edx
>
>
> thanks,
> Kun Hu
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-05-21 10:19 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-21 9:42 KASAN: out-of-bounds Read in unwind_next_frame huk23
2025-05-21 10:19 ` Huacai Chen
-- strict thread matches above, loose matches on Subject: below --
2019-01-07 10:01 syzbot
2019-01-07 10:04 ` Dmitry Vyukov
2019-01-26 12:07 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).