Hello,
syzbot found the following issue on:
HEAD commit: 0966d385830d riscv: Fix auipc+jalr relocation range checks
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=125798ab080000
kernel config: https://syzkaller.appspot.com/x/.config?x=6295d67591064921
dashboard link: https://syzkaller.appspot.com/bug?extid=ead02d0e9ff052f001d9
compiler: riscv64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: riscv64
CC: [ak...@linux-foundation.org alexand...@canonical.com a...@eecs.berkeley.edu ebie...@xmission.com ge...@linux-m68k.org hanch...@oppo.com han...@cmpxchg.org linux-...@vger.kernel.org linux...@lists.infradead.org pal...@dabbelt.com paul.w...@sifive.com pet...@redhat.com zhengq...@bytedance.com]
Unfortunately, I don't have any reproducer for this issue yet.
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ead02d...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: global-out-of-bounds in do_page_fault+0x36/0xa3c arch/riscv/mm/fault.c:220
Read of size 8 at addr ffffffff858c4c90 by task ksoftirqd/1/19
CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff800115bc>] do_page_fault+0x36/0xa3c arch/riscv/mm/fault.c:220
[<ffffffff80005724>] ret_from_exception+0x0/0x10
The buggy address belongs to the variable:
__lockdep_no_validate__+0x30/0x40
Memory state around the buggy address:
ffffffff858c4b80: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
ffffffff858c4c00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
>ffffffff858c4c80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
^
ffffffff858c4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff858c4d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Unable to handle kernel paging request at virtual address 0000000000001ffe
Oops [#1]
Modules linked in:
CPU: 1 PID: 19 Comm: ksoftirqd/1 Tainted: G B 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
epc : 0x1ffe
ra : 0x1fff
epc : 0000000000001ffe ra : 0000000000001fff sp : ffffffff858c4ca0
gp : ffffffff85863ac0 tp : ffffaf8007416100 t0 : 00000000000003e0
t1 : fffff5ef01caf3ca t2 : 0000000000000000 s0 : 49eae69e17928400
s1 : ffffaf800cf49000 a0 : ffffaf800be03080 a1 : ffffaf8007416100
a2 : 1ffff5f000e877fc a3 : ffffaf800be04618 a4 : ffffaf8007417698
a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffaf800e579e53
s2 : ffffaf800cf48000 s3 : ffffaf800cf48a20 s4 : ffffffff866c2920
s5 : ffffaf800cf48c00 s6 : 0000000000001fff s7 : 0000000041b58ab3
s8 : ffffffff8451f630 s9 : ffffffff80110fdc s10: 0000000000000002
s11: 0000000000000014 t3 : fffffffff3f3f300 t4 : fffff5ef01caf3ca
t5 : fffff5ef01caf3cb t6 : 0000000000082bbc
status: 0000000000000100 badaddr: 0000000000001ffe cause: 000000000000000c
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.