KASAN: out-of-bounds Read in kvm_arch_hardware_setup
11 views
Skip to first unread message
syzbot
Jun 27, 2020, 4:01:14 PM6/27/20
to b...@alien8.de, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, sean.j.chr...@intel.com, syzkall...@googlegroups.com, tg...@linutronix.de, vkuz...@redhat.com, wanp...@tencent.com, x...@kernel.org
Hello,
syzbot found the following crash on:
HEAD commit: 7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1654e385100000
kernel config: https://syzkaller.appspot.com/x/.config?x=be4578b3f1083656
dashboard link: https://syzkaller.appspot.com/bug?extid=e0240f9c36530bda7130
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f3abc9100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131b7bb5100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e0240f...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in kvm_cpu_cap_get arch/x86/kvm/cpuid.h:292 [inline]
BUG: KASAN: out-of-bounds in kvm_cpu_cap_has arch/x86/kvm/cpuid.h:297 [inline]
BUG: KASAN: out-of-bounds in kvm_init_msr_list arch/x86/kvm/x86.c:5362 [inline]
BUG: KASAN: out-of-bounds in kvm_arch_hardware_setup+0xb05/0xf40 arch/x86/kvm/x86.c:9802
Read of size 4 at addr ffffffff896c3134 by task syz-executor614/6786
CPU: 1 PID: 6786 Comm: syz-executor614 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
print_address_description+0x66/0x5a0 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report+0x132/0x1d0 mm/kasan/report.c:530
kvm_cpu_cap_get arch/x86/kvm/cpuid.h:292 [inline]
kvm_cpu_cap_has arch/x86/kvm/cpuid.h:297 [inline]
kvm_init_msr_list arch/x86/kvm/x86.c:5362 [inline]
kvm_arch_hardware_setup+0xb05/0xf40 arch/x86/kvm/x86.c:9802
</IRQ>
The buggy address belongs to the variable:
kvm_cpu_caps+0x24/0x50
Memory state around the buggy address:
ffffffff896c3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff896c3080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff896c3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffff896c3180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff896c3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1654e385100000
kernel config: https://syzkaller.appspot.com/x/.config?x=be4578b3f1083656
dashboard link: https://syzkaller.appspot.com/bug?extid=e0240f9c36530bda7130
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f3abc9100000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131b7bb5100000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e0240f...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: out-of-bounds in kvm_cpu_cap_get arch/x86/kvm/cpuid.h:292 [inline]
BUG: KASAN: out-of-bounds in kvm_cpu_cap_has arch/x86/kvm/cpuid.h:297 [inline]
BUG: KASAN: out-of-bounds in kvm_init_msr_list arch/x86/kvm/x86.c:5362 [inline]
BUG: KASAN: out-of-bounds in kvm_arch_hardware_setup+0xb05/0xf40 arch/x86/kvm/x86.c:9802
Read of size 4 at addr ffffffff896c3134 by task syz-executor614/6786
CPU: 1 PID: 6786 Comm: syz-executor614 Not tainted 5.7.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
print_address_description+0x66/0x5a0 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report+0x132/0x1d0 mm/kasan/report.c:530
kvm_cpu_cap_get arch/x86/kvm/cpuid.h:292 [inline]
kvm_cpu_cap_has arch/x86/kvm/cpuid.h:297 [inline]
kvm_init_msr_list arch/x86/kvm/x86.c:5362 [inline]
kvm_arch_hardware_setup+0xb05/0xf40 arch/x86/kvm/x86.c:9802
</IRQ>
The buggy address belongs to the variable:
kvm_cpu_caps+0x24/0x50
Memory state around the buggy address:
ffffffff896c3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff896c3080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff896c3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffff896c3180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff896c3200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Paolo Bonzini
Jun 29, 2020, 11:25:38 AM6/29/20
to syzbot, b...@alien8.de, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, sean.j.chr...@intel.com, syzkall...@googlegroups.com, tg...@linutronix.de, vkuz...@redhat.com, wanp...@tencent.com, x...@kernel.org
The reproducer has nothing to do with KVM:
# https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
but the stack trace does. On the other hand, the address seems okay:
kvm_cpu_caps+0x24/0x50
and there are tons of other kvm_cpu_cap_get calls that aren't causing
KASAN to complain. The variable is initialized from
kvm_arch_hardware_setup
hardware_setup (in arch/x86/kvm/vmx/vmx.c)
vmx_set_cpu_caps
kvm_set_cpu_caps
with a simple memcpy that writes the entire array. Does anyone understand
what is going on here?
Paolo
# https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
# See https://goo.gl/kgGztJ for information about syzkaller reproducers.
#{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
but the stack trace does. On the other hand, the address seems okay:
kvm_cpu_caps+0x24/0x50
and there are tons of other kvm_cpu_cap_get calls that aren't causing
KASAN to complain. The variable is initialized from
kvm_arch_hardware_setup
hardware_setup (in arch/x86/kvm/vmx/vmx.c)
vmx_set_cpu_caps
kvm_set_cpu_caps
with a simple memcpy that writes the entire array. Does anyone understand
what is going on here?
Paolo
Andrey Konovalov
Jun 29, 2020, 11:30:08 AM6/29/20
to Paolo Bonzini, syzbot, Borislav Petkov, H. Peter Anvin, Jim Mattson, jo...@8bytes.org, KVM list, LKML, Ingo Molnar, sean.j.chr...@intel.com, syzkaller-bugs, Thomas Gleixner, vkuz...@redhat.com, wanp...@tencent.com, the arch/x86 maintainers
On Mon, Jun 29, 2020 at 5:25 PM Paolo Bonzini <pbon...@redhat.com> wrote:
>
> The reproducer has nothing to do with KVM:
>
> # https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
> # See https://goo.gl/kgGztJ for information about syzkaller reproducers.
> #{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
> r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
> ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
>
> but the stack trace does. On the other hand, the address seems okay:
>
> kvm_cpu_caps+0x24/0x50
>
> and there are tons of other kvm_cpu_cap_get calls that aren't causing
> KASAN to complain. The variable is initialized from
>
> kvm_arch_hardware_setup
> hardware_setup (in arch/x86/kvm/vmx/vmx.c)
> vmx_set_cpu_caps
> kvm_set_cpu_caps
>
> with a simple memcpy that writes the entire array. Does anyone understand
> what is going on here?
Most likely a bug in /dev/fb handlers caused a memory corruption in
>
> The reproducer has nothing to do with KVM:
>
> # https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
> # See https://goo.gl/kgGztJ for information about syzkaller reproducers.
> #{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
> r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
> ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
>
> but the stack trace does. On the other hand, the address seems okay:
>
> kvm_cpu_caps+0x24/0x50
>
> and there are tons of other kvm_cpu_cap_get calls that aren't causing
> KASAN to complain. The variable is initialized from
>
> kvm_arch_hardware_setup
> hardware_setup (in arch/x86/kvm/vmx/vmx.c)
> vmx_set_cpu_caps
> kvm_set_cpu_caps
>
> with a simple memcpy that writes the entire array. Does anyone understand
> what is going on here?
kvm related memory.
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bug...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/04786ba2-4934-c544-63d1-4d5d36dc5822%40redhat.com.
Sean Christopherson
Jun 29, 2020, 11:35:27 AM6/29/20
to Andrey Konovalov, Paolo Bonzini, syzbot, Borislav Petkov, H. Peter Anvin, Jim Mattson, jo...@8bytes.org, KVM list, LKML, Ingo Molnar, syzkaller-bugs, Thomas Gleixner, vkuz...@redhat.com, wanp...@tencent.com, the arch/x86 maintainers
On Mon, Jun 29, 2020 at 05:29:56PM +0200, Andrey Konovalov wrote:
> On Mon, Jun 29, 2020 at 5:25 PM Paolo Bonzini <pbon...@redhat.com> wrote:
> >
> > The reproducer has nothing to do with KVM:
> >
> > # https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
> > # See https://goo.gl/kgGztJ for information about syzkaller reproducers.
> > #{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
> > r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
> > ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
> >
> > but the stack trace does. On the other hand, the address seems okay:
> >
> > kvm_cpu_caps+0x24/0x50
> >
> > and there are tons of other kvm_cpu_cap_get calls that aren't causing
> > KASAN to complain. The variable is initialized from
> >
> > kvm_arch_hardware_setup
> > hardware_setup (in arch/x86/kvm/vmx/vmx.c)
> > vmx_set_cpu_caps
> > kvm_set_cpu_caps
> >
> > with a simple memcpy that writes the entire array. Does anyone understand
> > what is going on here?
>
> Most likely a bug in /dev/fb handlers caused a memory corruption in
> kvm related memory.
That's my assumption as well. There's another syzbot failure[*] that points
> On Mon, Jun 29, 2020 at 5:25 PM Paolo Bonzini <pbon...@redhat.com> wrote:
> >
> > The reproducer has nothing to do with KVM:
> >
> > # https://syzkaller.appspot.com/bug?id=c356395d480ca736b00443ad89cd76fd7d209013
> > # See https://goo.gl/kgGztJ for information about syzkaller reproducers.
> > #{"repeat":true,"procs":1,"sandbox":"","fault_call":-1,"close_fds":false,"segv":true}
> > r0 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000180)='/dev/fb0\x00', 0x0, 0x0)
> > ioctl$FBIOPUT_VSCREENINFO(r0, 0x4601, &(0x7f0000000000)={0x0, 0x80, 0xc80, 0x0, 0x2, 0x1, 0x4, 0x0, {0x0, 0x0, 0x1}, {0x0, 0x0, 0xfffffffc}, {}, {}, 0x0, 0x40})
> >
> > but the stack trace does. On the other hand, the address seems okay:
> >
> > kvm_cpu_caps+0x24/0x50
> >
> > and there are tons of other kvm_cpu_cap_get calls that aren't causing
> > KASAN to complain. The variable is initialized from
> >
> > kvm_arch_hardware_setup
> > hardware_setup (in arch/x86/kvm/vmx/vmx.c)
> > vmx_set_cpu_caps
> > kvm_set_cpu_caps
> >
> > with a simple memcpy that writes the entire array. Does anyone understand
> > what is going on here?
>
> Most likely a bug in /dev/fb handlers caused a memory corruption in
> kvm related memory.
at KVM but whose reproducer is a single FBIOPUT_VSCREENINFO. In that case,
the pointer from "&cpu_data(smp_processor_id())" is NULL, i.e. highly unlikely
to be a KVM bug.
[*] https://lkml.kernel.org/r/00000000000007...@google.com
Sean Christopherson
Jun 30, 2020, 2:12:55 AM6/30/20
to syzbot, b...@alien8.de, h...@zytor.com, jmat...@google.com, jo...@8bytes.org, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, vkuz...@redhat.com, wanp...@tencent.com, x...@kernel.org
On Sat, Jun 27, 2020 at 01:01:13PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1654e385100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=be4578b3f1083656
> dashboard link: https://syzkaller.appspot.com/bug?extid=e0240f9c36530bda7130
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f3abc9100000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131b7bb5100000
#syz dup: general protection fault in syscall_return_slowpath
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 7ae77150 Merge tag 'powerpc-5.8-1' of git://git.kernel.org..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1654e385100000
> kernel config: https://syzkaller.appspot.com/x/.config?x=be4578b3f1083656
> dashboard link: https://syzkaller.appspot.com/bug?extid=e0240f9c36530bda7130
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f3abc9100000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=131b7bb5100000
Reply all
Reply to author
Forward
0 new messages