Hello,
syzkaller hit the following crash on
e56d565d67ae7dd6b25ce6a331c43e691ff1d247
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
CC: [h...@zytor.com jpoi...@redhat.com linux-...@vger.kernel.org mi...@redhat.com tg...@linutronix.de x...@kernel.org]
attempt to access beyond end of device
unknown-block(7,0): rw=0, want=0, limit=256
attempt to access beyond end of device
unknown-block(7,0): rw=0, want=0, limit=256
==================================================================
BUG: KASAN: slab-out-of-bounds in memset include/linux/string.h:326 [inline]
BUG: KASAN: slab-out-of-bounds in __unwind_start+0x2d/0x330 arch/x86/kernel/unwind_frame.c:389
Write of size 88 at addr ffff8801d250fe98 by task loop0/3865
CPU: 1 PID: 3865 Comm: loop0 Not tainted 4.15.0-rc2+ #210
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
Allocated by task 2169817619:
(stack is not available)
Freed by task 2278480280:
(stack is not available)
The buggy address belongs to the object at ffff8801d250e800
which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 1688 bytes to the right of
4096-byte region [ffff8801d250e800, ffff8801d250f800)
The buggy address belongs to the page:
page:00000000c9ed0821 count:1 mapcount:0 mapping:00000000514eb3e6 index:0x0
compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801d250e800 0000000000000000 0000000100000001
raw: ffffea000762e420 ffffea0007466820 ffff8801db000dc0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801d250fd80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801d250fe00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
> ffff8801d250fe80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                             ^
ffff8801d250ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801d250ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3865 Comm: loop0 Tainted: G B 4.15.0-rc2+ #210
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
To upstream this report, please reply with:
#syz upstream
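The following is an added example, not part of the syzbot report or of the kernel source: a small C program that parses the "Memory state around the buggy address" rows printed above and projects the reported 88-byte write (the memset in __unwind_start at unwind_frame.c:389) onto them. The five row strings, the access address and size, and the object bounds are copied from the report; the parser, the wrapper names (report_shadow_at, poisoned_count, bytes_right_of_object) and the decoding rules are this example's own, following the KASAN shadow encoding (00 = all 8 bytes of the granule accessible, 1..7 = only the first N bytes accessible, 0xFC = KASAN_KMALLOC_REDZONE).

```c
/*
 * Added example (not from the syzbot report or the kernel tree): decode
 * KASAN shadow rows and project a reported access onto them.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KASAN_GRANULE   8    /* one shadow byte describes 8 bytes of memory */
#define BYTES_PER_ROW   16   /* KASAN prints 16 shadow bytes (128 bytes) per row */
#define KASAN_KMALLOC_REDZONE 0xFC  /* redzone inside a slub object (mm/kasan/kasan.h) */

struct shadow_row {
	uint64_t base;                  /* kernel address covered by bytes[0] */
	uint8_t  bytes[BYTES_PER_ROW];
};

/* Rows copied from the report above; '>' marks the row holding the bad address. */
static const char *const REPORT_ROWS[] = {
	"ffff8801d250fd80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00",
	"ffff8801d250fe00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc",
	">ffff8801d250fe80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00",
	"ffff8801d250ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"ffff8801d250ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
};
#define NROWS (sizeof(REPORT_ROWS) / sizeof(REPORT_ROWS[0]))

/* "Write of size 88 at addr ffff8801d250fe98" and the kmalloc-4096 object bounds. */
static const uint64_t REPORT_ADDR = 0xffff8801d250fe98ULL;
static const size_t   REPORT_SIZE = 88;
static const uint64_t OBJ_BASE    = 0xffff8801d250e800ULL;
static const size_t   OBJ_SIZE    = 4096;

/* Parse one row such as ">ffff8801d250fe80: fc fc ... 00". Returns 0 on success. */
static int parse_row(const char *line, struct shadow_row *row)
{
	char *end;

	while (*line == '>' || *line == ' ')
		line++;
	row->base = strtoull(line, &end, 16);
	if (end == line || *end != ':')
		return -1;
	end++;
	for (int i = 0; i < BYTES_PER_ROW; i++) {
		char *next;
		unsigned long v = strtoul(end, &next, 16);

		if (next == end || v > 0xff)
			return -1;
		row->bytes[i] = (uint8_t)v;
		end = next;
	}
	return 0;
}

static int load_rows(struct shadow_row *rows)
{
	for (size_t i = 0; i < NROWS; i++)
		if (parse_row(REPORT_ROWS[i], &rows[i]))
			return -1;
	return 0;
}

/* Shadow byte covering addr, or -1 when addr is outside the dumped window. */
static int shadow_at(const struct shadow_row *rows, uint64_t addr)
{
	for (size_t i = 0; i < NROWS; i++) {
		uint64_t end = rows[i].base + BYTES_PER_ROW * KASAN_GRANULE;

		if (addr >= rows[i].base && addr < end)
			return rows[i].bytes[(addr - rows[i].base) / KASAN_GRANULE];
	}
	return -1;
}

/* KASAN rule: 00 = whole granule OK; 1..7 = first N bytes OK; >= 0x80 = poisoned. */
static int byte_is_accessible(int shadow, uint64_t addr)
{
	if (shadow <= 0)                 /* 00, or outside the window (not counted) */
		return 1;
	if (shadow < KASAN_GRANULE)
		return (addr % KASAN_GRANULE) < (uint64_t)shadow;
	return 0;
}

/* Shadow byte for addr according to the embedded report rows. */
int report_shadow_at(uint64_t addr)
{
	struct shadow_row rows[NROWS];

	return load_rows(rows) ? -1 : shadow_at(rows, addr);
}

/* How many bytes of the reported write land on poisoned memory. */
size_t poisoned_count(void)
{
	struct shadow_row rows[NROWS];
	size_t n = 0;

	if (load_rows(rows))
		return 0;
	for (uint64_t a = REPORT_ADDR; a < REPORT_ADDR + REPORT_SIZE; a++)
		if (!byte_is_accessible(shadow_at(rows, a), a))
			n++;
	return n;
}

/* Distance past the end of the object ("N bytes to the right of" in the report). */
int64_t bytes_right_of_object(uint64_t addr)
{
	return (int64_t)(addr - (OBJ_BASE + OBJ_SIZE));
}

int main(void)
{
	int s = report_shadow_at(REPORT_ADDR);

	printf("write [%" PRIx64 ", %" PRIx64 ") is %" PRId64 " bytes past the object\n",
	       REPORT_ADDR, REPORT_ADDR + REPORT_SIZE, bytes_right_of_object(REPORT_ADDR));
	printf("shadow at first byte: %02x (%s)\n", s,
	       s == KASAN_KMALLOC_REDZONE ? "KASAN_KMALLOC_REDZONE" : "other");
	printf("%zu of %zu written bytes hit poisoned shadow\n", poisoned_count(), REPORT_SIZE);
	return 0;
}
```

Run against the rows above, this shows that the write starts 1688 bytes past the kmalloc-4096 object, that the first 40 bytes (five 8-byte granules, ffff8801d250fe98 to ffff8801d250febf) fall on 0xFC redzone shadow, and that the remaining 48 bytes from ffff8801d250fec0 land on accessible (00) memory, which is why KASAN reports the very first byte of the memset as the bad access. The same parser works on any KASAN report: paste the five rows and the "Write of size N at addr" line and the projection tells you how much of the access is actually out of bounds.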