What does “BUG: KASAN: user-memory-access on address” mean?


Muni Sekhar

Feb 11, 2017, 4:28:21 AM2/11/17
to kasa...@googlegroups.com
Hi All,


I hit a “general protection fault” in __kmalloc() with the 3.16 kernel for
a few specific audio tests.

To debug this, I installed the 4.6.3 kernel with KASAN enabled. With
KASAN enabled, the same tests now run very slowly, but they print the
messages below in the kernel log.

BUG: KASAN: user-memory-access on address 00000000020ee442

BUG: KASAN: user-memory-access on address 00000000020ee444

What does “BUG: KASAN: user-memory-access on address” mean? Will it
lead to a #GPF in __kmalloc()? I have not yet hit the #GPF crash.


--
Thanks,
Sekhar

Dmitry Vyukov

Feb 13, 2017, 4:02:37 AM2/13/17
to Muni Sekhar, kasan-dev
Hi Sekhar,

The warning message means that kernel code accesses the user memory range
(0x000000000000-0x7fffffffffff on x86_64) without using
copy_to/from_user. This is quite a bad bug that can have security
implications.

As to whether it can lead to a GPF in kmalloc later or not, it depends.
If the kernel just reads from the user address, then it probably won't
lead to the GPF. However, if the kernel frees a pointer into user memory
with kfree, then it can well lead to the GPF.

Muni Sekhar

Feb 13, 2017, 5:27:00 AM2/13/17
to Dmitry Vyukov, kasan-dev
Hi Dmitry,

Thanks for the clarification.

Looking at the code, I verified that the kernel is not freeing a pointer
into user memory, and I have now fixed the user-memory-access warning
messages.

Apart from the user-memory-access warning messages, the kernel log already had
repeated “BUG: KASAN: stack-out-of-bounds in
mpi_write_to_sgl+0x2ee/0x480 at addr ffff8800a2f57569” and one “BUG:
KASAN: slab-out-of-bounds in read_bh +0x3aa/0xa30 [my_audio_test] at
addr ffff8800af72f608”.

[13330.438391] BUG: KASAN: stack-out-of-bounds in
mpi_write_to_sgl+0x2ee/0x480 at addr ffff8800a2f57569
[13330.442040] Read of size 8 by task modprobe/23185
[13330.442040] page:ffffea00028bd5c0 count:0 mapcount:0 mapping:
(null) index:0x0
[13330.442040] flags: 0x1ffff0000000000()
[13330.442040] page dumped because: kasan: bad access detected
[10141.902572] ==================================================================
[10141.906518] BUG: KASAN: slab-out-of-bounds in read_bh +0x3aa/0xa30
[my_audio_test] at addr ffff8800af72f608
[10141.906518] Write of size 16 by task python/17946
[10141.936642] =============================================================================
[10141.936642] BUG kmalloc-16 (Tainted: G B W IOE ): kasan: bad
access detected

.....
[10142.306319] traps: python[17932] general protection ip:7fe142b8fbd7
sp:7fe131416460 error:0 in libc-2.19.so[7fe142b10000+1ba000]


What do stack-out-of-bounds / slab-out-of-bounds mean? Is
slab-out-of-bounds the same as out-of-bounds access to global variables?


I understand that a use-after-free or the kernel freeing a pointer into user
memory can lead to a GPF in kmalloc; are there any other conditions that can
lead to a GPF in kmalloc?


--
Thanks,
Sekhar

Dmitry Vyukov

Feb 13, 2017, 5:40:52 AM2/13/17
to Muni Sekhar, kasan-dev
Slab-out-of-bounds is an access to a kmalloc-ed object out of bounds.
Stack-out-of-bounds is an access to a stack variable out of bounds.


> I understand that a use-after-free or the kernel freeing a pointer into user
> memory can lead to a GPF in kmalloc; are there any other conditions that can
> lead to a GPF in kmalloc?

Out-of-bounds writes can also lead to a GPF in kmalloc.
Freeing invalid pointers can also lead to a GPF in kmalloc.
Generally, any memory corruption can lead to the GPF.
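The two replies above give a triage rule for KASAN reports: an address below 0x7fffffffffff on x86_64 is user memory that the kernel touched without copy_to/from_user, and out-of-bounds writes (or freeing a bad pointer) are the reports that corrupt neighbouring objects and surface later as a GPF in __kmalloc(), whereas plain reads usually do not. The following script, an added example that is not code from anyone in this thread or from the KASAN project, parses dmesg lines into that classification. The sample log lines are constructed for the example, modelled on the reports quoted in the thread (the access lines after the user-memory-access headers and their timestamps are invented, since the thread does not show them); the report grammar it recognises is the 4.x-era "BUG: KASAN: <kind> in <func> at addr <hex>" / "on address <hex>" form plus the "Read/Write of size N by task" line.

```python
"""Triage KASAN reports from a kernel log (added example, not thread code).

Parses the report header and the following access line, classifies the
faulting address as user-range or kernel-range using the x86_64 split from
the thread, and flags the reports that match the "GPF in __kmalloc() later"
explanation: out-of-bounds writes that corrupt neighbouring memory.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# x86_64: user space is 0x0000000000000000-0x00007fffffffffff (as stated in the
# thread); kernel addresses live in the canonical upper half above it.
USER_ADDR_MAX = 0x00007FFFFFFFFFFF

# Report header in the 4.x format: "in func+off/len [module] at addr X" for
# out-of-bounds/use-after-free, or "on address X" for user-memory-access.
HEADER_RE = re.compile(
    r"BUG: KASAN: (?P<kind>[\w-]+) "
    r"(?:in (?P<func>[\w.]+)\s*(?P<off>\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+\[(?P<module>[\w.-]+)\])?\s+at addr|on address) "
    r"(?P<addr>[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(
    r"(?P<rw>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)"
)

# Constructed sample, modelled on the lines quoted in the thread. The access
# lines for the user-memory-access reports are invented for the example.
SAMPLE_LOG = """\
[13330.438391] BUG: KASAN: stack-out-of-bounds in mpi_write_to_sgl+0x2ee/0x480 at addr ffff8800a2f57569
[13330.442040] Read of size 8 by task modprobe/23185
[13330.442040] page dumped because: kasan: bad access detected
[10141.906518] ==================================================================
[10141.906518] BUG: KASAN: slab-out-of-bounds in read_bh +0x3aa/0xa30 [my_audio_test] at addr ffff8800af72f608
[10141.906518] Write of size 16 by task python/17946
[10141.936642] BUG kmalloc-16 (Tainted: G B W IOE ): kasan: bad access detected
[  900.100000] BUG: KASAN: user-memory-access on address 00000000020ee442
[  900.100001] Read of size 2 by task python/17946
[  900.200000] BUG: KASAN: user-memory-access on address 00000000020ee444
"""


@dataclass
class KasanReport:
    kind: str
    addr: int
    func: Optional[str] = None
    module: Optional[str] = None
    rw: Optional[str] = None        # None if no access line followed the header
    size: Optional[int] = None
    task: Optional[str] = None

    @property
    def in_user_range(self) -> bool:
        return self.addr <= USER_ADDR_MAX

    @property
    def is_write(self) -> bool:
        return self.rw == "Write"

    def assessment(self) -> str:
        """One-line triage verdict following the reasoning in the thread."""
        if self.kind == "user-memory-access":
            return ("kernel dereferenced a user-space address directly instead of "
                    "going through copy_from_user/copy_to_user; fix the accessor")
        where = {"slab-out-of-bounds": "a kmalloc-ed object",
                 "stack-out-of-bounds": "a stack variable",
                 "global-out-of-bounds": "a global variable"}.get(self.kind, "memory")
        if self.is_write:
            return (f"out-of-bounds write past {where}: corrupts neighbouring data "
                    f"and can surface later as a GPF in __kmalloc()")
        return f"out-of-bounds read of {where}: unlikely to cause the later GPF by itself"


def parse_kasan_reports(log: str) -> List[KasanReport]:
    """Collect one KasanReport per header line, attaching the next access line."""
    reports: List[KasanReport] = []
    current: Optional[KasanReport] = None
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = KasanReport(kind=m.group("kind"), addr=int(m.group("addr"), 16),
                                  func=m.group("func"), module=m.group("module"))
            reports.append(current)
            continue
        a = ACCESS_RE.search(line)
        if a and current is not None and current.rw is None:
            current.rw = a.group("rw")
            current.size = int(a.group("size"))
            current.task = f"{a.group('task')}/{a.group('pid')}"
    return reports


def gpf_candidates(reports: List[KasanReport]) -> List[KasanReport]:
    """Reports that corrupt memory and so can explain a later GPF in kmalloc."""
    return [r for r in reports if r.is_write and r.kind.endswith("out-of-bounds")]


def count_by_site(reports: List[KasanReport]) -> Counter:
    """Deduplicate repeated reports by (kind, function) to see what dominates."""
    return Counter((r.kind, r.func or "?") for r in reports)


if __name__ == "__main__":
    found = parse_kasan_reports(SAMPLE_LOG)
    for r in found:
        space = "USER" if r.in_user_range else "kernel"
        print(f"{r.kind:22} {space:6} 0x{r.addr:016x} {r.rw or '?':5} -> {r.assessment()}")
    print("sites:", dict(count_by_site(found)))
    print("likely GPF causes:", [(r.func, r.module) for r in gpf_candidates(found)])
```

Run it against a real `dmesg` capture by replacing `SAMPLE_LOG` with the file contents; reports whose access line is missing keep `rw=None` and are reported with `?` rather than being dropped, since a truncated log should still surface the header.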

Muni Sekhar

Feb 13, 2017, 5:54:30 AM2/13/17
to Dmitry Vyukov, kasan-dev
Thanks Dmitry – that’s useful to know for debugging this kind of fault.



--
Thanks,
Sekhar

ritesh.a...@gmail.com

Aug 1, 2018, 5:55:13 AM8/1/18
to kasan-dev
Hi Sekhar,

Could you please help me: how did you free the user-space address in kernel space?