ASan: Unauthorized Access in __asan_load8 (2)


syzbot

Apr 19, 2020, 2:31:12 AM
to syzkaller-...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d0186023 Add KASAN instrumentation on strcat/strchr/strrchr.
git tree: netbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=13f6d9d7e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=6e4d6bd2b8e377a2
dashboard link: https://syzkaller.appspot.com/bug?extid=a79ca51fe0f2f36a665b
compiler: g++ (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16de1610100000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a79ca5...@syzkaller.appspotmail.com

[ 165.5719563] panic: ASan: Unauthorized Access In 0xffffffff81190b65: Addr 0xffffa58012ad7018 [8 bytes, read, PoolUseAfterFree]

[ 165.5857681] cpu1: Begin traceback...
[ 165.6273301] vpanic() at netbsd:vpanic+0x244 sys/kern/subr_prf.c:336
[ 165.7335349] snprintf() at netbsd:snprintf
[ 165.8443576] kasan_report() at netbsd:kasan_report+0x98 kasan_code_name sys/kern/subr_asan.c:187 [inline]
[ 165.8443576] kasan_report() at netbsd:kasan_report+0x98 sys/kern/subr_asan.c:197
[ 165.9505529] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
[ 165.9505529] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
[ 165.9505529] __asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
[ 165.9505529] __asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1214
[ 166.0613724] mutex_oncpu() at netbsd:mutex_oncpu+0x38 mutex_oncpu sys/kern/kern_mutex.c:422 [inline]
[ 166.0613724] mutex_oncpu() at netbsd:mutex_oncpu+0x38 sys/kern/kern_mutex.c:406
[ 166.1721936] mutex_enter() at netbsd:mutex_enter+0x1a4 sys/kern/kern_mutex.c:550
[ 166.2737772] pool_get() at netbsd:pool_get+0xcc sys/kern/subr_pool.c:1050
[ 166.3845963] pool_cache_get_slow() at netbsd:pool_cache_get_slow+0x30c sys/kern/subr_pool.c:2498
[ 166.4954169] pool_cache_get_paddr() at netbsd:pool_cache_get_paddr+0x535 sys/kern/subr_pool.c:2590
[ 166.5970014] pmap_enter_ma() at netbsd:pmap_enter_ma+0x16b8 pmap_enter_pv sys/arch/x86/x86/pmap.c:2132 [inline]
[ 166.5970014] pmap_enter_ma() at netbsd:pmap_enter_ma+0x16b8 sys/arch/x86/x86/pmap.c:4809
[ 166.6985865] pmap_enter_default() at netbsd:pmap_enter_default+0x60 sys/arch/x86/x86/pmap.c:4692
[ 166.8001713] uvm_fault_internal() at netbsd:uvm_fault_internal+0x222e uvm_fault_lower_lookup sys/uvm/uvm_fault.c:2023 [inline]
[ 166.8001713] uvm_fault_internal() at netbsd:uvm_fault_internal+0x222e uvm_fault_lower sys/uvm/uvm_fault.c:1872 [inline]
[ 166.8001713] uvm_fault_internal() at netbsd:uvm_fault_internal+0x222e sys/uvm/uvm_fault.c:939
[ 166.9017560] trap() at netbsd:trap+0x975 sys/arch/amd64/amd64/trap.c:520
[ 166.9202245] --- trap (number 6) ---
[ 166.9663985] 7f7e68a05089:
[ 166.9663985] cpu1: End traceback...
[ 166.9710139] fatal breakpoint trap in supervisor mode
[ 166.9756313] trap type 1 code 0 rip 0xffffffff8021e4b5 cs 0x8 rflags 0x246 cr2 0x7b965263ae78 ilevel 0 rsp 0xffffa5817f6970a0
[ 166.9894841] curlwp 0xffffa58012ad7800 pid 914.1 lowest kstack 0xffffa5817f6902c0
Stopped in pid 914.1 (syz-executor.5) at netbsd:breakpoint+0x5: leave
?
breakpoint() at netbsd:breakpoint+0x5
db_panic() at netbsd:db_panic+0xe9 sys/ddb/db_panic.c:67
vpanic() at netbsd:vpanic+0x244 sys/kern/subr_prf.c:336
snprintf() at netbsd:snprintf
kasan_report() at netbsd:kasan_report+0x98 kasan_code_name sys/kern/subr_asan.c:187 [inline]
kasan_report() at netbsd:kasan_report+0x98 sys/kern/subr_asan.c:197
__asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_4byte_isvalid sys/kern/subr_asan.c:347 [inline]
__asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_8byte_isvalid sys/kern/subr_asan.c:361 [inline]
__asan_load8() at netbsd:__asan_load8+0x294 kasan_shadow_check sys/kern/subr_asan.c:413 [inline]
__asan_load8() at netbsd:__asan_load8+0x294 sys/kern/subr_asan.c:1214


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches