KASAN: stack-out-of-bounds Read in fixup_exception


syzbot

Jun 24, 2018, 6:49:03 PM6/24/18
to syzkaller-upst...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 77072ca59fdd Merge tag 'for-linus-20180623' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1464a490400000
kernel config: https://syzkaller.appspot.com/x/.config?x=befbcd7305e41bb0
dashboard link: https://syzkaller.appspot.com/bug?extid=fca9eb37032df9db192b
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
CC: [a...@linux.intel.com ebig...@google.com h...@zytor.com
jgr...@suse.com jpoi...@redhat.com kees...@chromium.org
linux-...@vger.kernel.org lu...@kernel.org mi...@redhat.com
ri...@redhat.com tg...@linutronix.de x...@kernel.org]

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+fca9eb...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in fixup_exception+0xc6/0xcb arch/x86/mm/extable.c:192
Read of size 8 at addr ffff8801b36c7328 by task syz-executor2/10886

CPU: 0 PID: 10886 Comm: syz-executor2 Not tainted 4.18.0-rc1+ #115
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
fixup_exception+0xc6/0xcb arch/x86/mm/extable.c:192
no_context+0x9d/0x980 arch/x86/mm/fault.c:720
__bad_area_nosemaphore+0x33b/0x3f0 arch/x86/mm/fault.c:909
bad_area_nosemaphore+0x33/0x40 arch/x86/mm/fault.c:916
__do_page_fault+0x1db/0xe50 arch/x86/mm/fault.c:1335
do_page_fault+0xf6/0x8c0 arch/x86/mm/fault.c:1478
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1160
RIP: 0010:vmx_vcpu_run+0x124a/0x2600 arch/x86/kvm/vmx.c:10022
Code: a9 68 03 00 00 4c 8b b1 70 03 00 00 4c 8b b9 78 03 00 00 48 8b 89 08 03 00 00 75 05 0f 01 c2 eb 03 0f 01 c3 48 89 4c 24 08 59 <0f> 96 81 88 56 00 00 48 89 81 00 03 00 00 48 89 99 18 03 00 00 8f
RSP: 0018:ffff8801b36c7358 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffff10039f114e9 RSI: 0000000000000000 RDI: ffffffff88f1b020
RBP: ffff8801b36c73e8 R08: 0000000000000001 R09: 0000000000000001
R10: ffffed003b5c46d6 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8801cf88a748 R14: ffff8801d6922380 R15: 0000000000000002
lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
seqcount_lockdep_reader_access include/linux/seqlock.h:81 [inline]
read_seqcount_begin include/linux/seqlock.h:164 [inline]
set_root+0x198/0x820 fs/namei.c:818
path_init+0xc99/0x2340 fs/namei.c:2164
path_openat+0x1f9/0x4e10 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3574
do_sys_open+0x584/0x760 fs/open.c:1101
__do_sys_openat fs/open.c:1128 [inline]
__se_sys_openat fs/open.c:1122 [inline]
__x64_sys_openat+0x9d/0x100 fs/open.c:1122
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455a99
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f39e6bd6c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f39e6bd76d4 RCX: 0000000000455a99
RDX: 0000000000000000 RSI: 0000000020000380 RDI: ffffffffffffff9c
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004c02b6 R14: 00000000004cfa08 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0006cdb1c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea0006cdb008 ffffea0006cdb188 0000000000000000
raw: 0000000000000000 ffff8801b36c7000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8801b36c7200: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f2 f2
ffff8801b36c7280: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
> ffff8801b36c7300: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
^
ffff8801b36c7380: 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801b36c7400: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.

syzbot

Feb 22, 2019, 5:26:11 AM2/22/19
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.