* Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
       [not found] <bug-200095-27@https.bugzilla.kernel.org/>
@ 2018-06-18 23:25 ` Andrew Morton
  2018-06-19  5:12   ` Dmitry Vyukov
  2018-06-19  9:45   ` Andrey Ryabinin
  0 siblings, 2 replies; 3+ messages in thread
From: Andrew Morton @ 2018-06-18 23:25 UTC (permalink / raw)
  To: linux-mm
  Cc: bugzilla-daemon, icytxw, Andrey Ryabinin, Alexander Potapenko,
	Dmitry Vyukov


(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

Could the KASAN people please help interpret this one?

On Sun, 17 Jun 2018 03:10:59 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=200095
> 
>             Bug ID: 200095
>            Summary: kasan: GPF could be caused by NULL-ptr deref or user
>                     memory access
>            Product: Alternate Trees
>            Version: 2.5
>     Kernel Version: v4.17
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: mm
>           Assignee: akpm@linux-foundation.org
>           Reporter: icytxw@gmail.com
>         Regression: No
> 
> Created attachment 276605
>   --> https://bugzilla.kernel.org/attachment.cgi?id=276605&action=edit
> log0
> 
> $ cat ../949034f0ecf05fba42df7e5f51a55453eba53e06/report0 
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN PTI
> CPU: 0 PID: 7388 Comm: syz-executor1 Not tainted 4.17.0 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
> Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c
> 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02
> 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41 
> RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
> RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
> RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
> RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
> R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
> R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
> FS:  0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
> DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> Call Trace:
> Modules linked in:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> ---[ end trace 650893cd43a30701 ]---
> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
> Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c
> 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02
> 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41 
> RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
> RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
> RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
> RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
> R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
> R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
> FS:  0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
> DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> 
> -- 
> You are receiving this mail because:
> You are the assignee for the bug.


* Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
  2018-06-18 23:25 ` [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access Andrew Morton
@ 2018-06-19  5:12   ` Dmitry Vyukov
  2018-06-19  9:45   ` Andrey Ryabinin
  1 sibling, 0 replies; 3+ messages in thread
From: Dmitry Vyukov @ 2018-06-19  5:12 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Linux-MM, bugzilla-daemon, air icy, Andrey Ryabinin, Alexander Potapenko

On Tue, Jun 19, 2018 at 1:25 AM, Andrew Morton
<akpm@linux-foundation.org> wrote:
>
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?

Most of the time this just means a NULL deref. Under KASAN it happens
on the shadow address for NULL rather than on NULL itself, and so it is
diagnosed differently.

icytxw, what kernel commit is this? I see a recent "mm/vmalloc: keep
track of free blocks for allocation" that touches this function.
Also, why are all frames questionable? Do you have frame pointers enabled?





* Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
  2018-06-18 23:25 ` [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access Andrew Morton
  2018-06-19  5:12   ` Dmitry Vyukov
@ 2018-06-19  9:45   ` Andrey Ryabinin
  1 sibling, 0 replies; 3+ messages in thread
From: Andrey Ryabinin @ 2018-06-19  9:45 UTC (permalink / raw)
  To: Andrew Morton, linux-mm
  Cc: bugzilla-daemon, icytxw, Alexander Potapenko, Dmitry Vyukov



On 06/19/2018 02:25 AM, Andrew Morton wrote:
> 
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
> 
> Could the KASAN people please help interpret this one?
> 

[  274.337561] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
[  274.339796] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
[  274.342043] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
[  274.344269] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
[  274.346529] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000


All code
========
   0:   76 e8                   jbe    0xffffffffffffffea
   2:   78 3f                   js     0x43
   4:   e5 ff                   in     $0xff,%eax
   6:   4c 89 e0                mov    %r12,%rax
   9:   48 c1 e8 03             shr    $0x3,%rax
   d:   80 3c 28 00             cmpb   $0x0,(%rax,%rbp,1)
  11:   0f 85 c7 02 00 00       jne    0x2de
  17:   4c 8d 6b e8             lea    -0x18(%rbx),%r13
  1b:   4d 8b 3c 24             mov    (%r12),%r15
  1f:   49 8d 7d 08             lea    0x8(%r13),%rdi
  23:   48 89 fa                mov    %rdi,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  80 3c 2a 00             cmpb   $0x0,(%rdx,%rbp,1)               <-- trapping instruction
  2e:   0f 85 a0 02 00 00       jne    0x2d4
  34:   4c 3b 7b f0             cmp    -0x10(%rbx),%r15
  38:   72 9d                   jb     0xffffffffffffffd7
  3a:   e8 3f 3f e5 ff          callq  0xffffffffffe53f7e
  3f:   41                      rex.B


cmpb   $0x0,(%rdx,%rbp,1) is the shadow check for the -0x10(%rbx) address (this address is also in %rdi).
So this is an attempt to dereference address 0x00000416000003f6.

%rbx seems to contain the 'parent' pointer, and -0x10(%rbx) is tmp_va->va_end:

		tmp_va = rb_entry(parent, struct vmap_area, rb_node);
		if (va->va_start < tmp_va->va_end)

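Worked example, added here and not part of the thread, the kernel, or the reporter's tooling: a small C program that replays the arithmetic in Andrey's decode and Dmitry's point about why a NULL or user pointer shows up as a GPF under KASAN_INLINE. It assumes x86_64 with 4-level paging (48-bit virtual addresses) and the x86_64 KASAN shadow mapping of 8 bytes per shadow byte at offset 0xdffffc0000000000, which is what the RBP and RDX values in the report imply; the register values and the struct vmap_area field offsets (va_end at +8, rb_node at +0x18) are read off the disassembly above. The function names (trapping_access_addr, classify_pointer, ...) and the one-page threshold used to call something a NULL dereference are this example's own choices.

```c
/*
 * Added example: decode the KASAN_INLINE general protection fault from the
 * report above. Not kernel code; see the lead-in for what is assumed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* x86_64, 4-level paging */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* 8 bytes per shadow byte */
#define USER_ADDR_MAX            0x00007fffffffffffULL  /* top of the lower half */
#define NULL_DEREF_LIMIT         0x1000ULL              /* assumption: NULL + field offset */

/* Same arithmetic the inline instrumentation emits: shr $3, then add %rbp. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* 48-bit VA: bits 63..47 must be all 0 or all 1, otherwise a load raises #GP. */
static bool is_canonical(uint64_t addr)
{
    uint64_t top17 = addr >> 47;
    return top17 == 0 || top17 == 0x1ffffULL;
}

enum ptr_class { PTR_NULL, PTR_USER, PTR_NONCANONICAL, PTR_KERNEL };

/*
 * For NULL and every lower-half address the shadow address computed above is
 * below 0xffff800000000000, i.e. non-canonical, so the shadow check itself
 * faults with #GP before the real access happens. That is the whole content
 * of "GPF could be caused by NULL-ptr deref or user memory access".
 */
static enum ptr_class classify_pointer(uint64_t addr)
{
    if (addr < NULL_DEREF_LIMIT)
        return PTR_NULL;
    if (addr <= USER_ADDR_MAX)
        return PTR_USER;            /* user-space or garbage low address */
    if (!is_canonical(addr))
        return PTR_NONCANONICAL;
    return PTR_KERNEL;
}

/* Subset of the register dump, copied from the report. */
struct regs { uint64_t rbx, rbp, rdi, rdx, r12, r13; };

static const struct regs report_regs = {
    .rbx = 0x0000041600000406ULL,   /* 'parent' rb_node pointer */
    .rbp = 0xdffffc0000000000ULL,   /* KASAN_SHADOW_OFFSET kept in %rbp */
    .rdi = 0x00000416000003f6ULL,
    .rdx = 0x00000082c000007eULL,
    .r12 = 0xffff88006c07ea00ULL,   /* 'va', the vmap_area being inserted */
    .r13 = 0x00000416000003eeULL,
};

/* struct vmap_area layout implied by the disassembly. */
#define VMAP_AREA_VA_END_OFF  0x08
#define VMAP_AREA_RB_NODE_OFF 0x18

/*
 * Replay the instructions leading up to the trap:
 *   lea -0x18(%rbx),%r13      ; tmp_va = rb_entry(parent, struct vmap_area, rb_node)
 *   lea 0x8(%r13),%rdi        ; &tmp_va->va_end
 *   mov %rdi,%rdx ; shr $3,%rdx
 *   cmpb $0,(%rdx,%rbp,1)     ; <-- trapping shadow load
 * Returns the address whose shadow byte the trapping cmpb tried to read.
 */
static uint64_t trapping_access_addr(const struct regs *r)
{
    uint64_t tmp_va = r->rbx - VMAP_AREA_RB_NODE_OFF;
    return tmp_va + VMAP_AREA_VA_END_OFF;
}

static uint64_t trapping_shadow_addr(const struct regs *r)
{
    return (trapping_access_addr(r) >> KASAN_SHADOW_SCALE_SHIFT) + r->rbp;
}

int main(void)
{
    const struct regs *r = &report_regs;
    uint64_t addr = trapping_access_addr(r);
    uint64_t shadow = trapping_shadow_addr(r);
    static const char *names[] = { "NULL deref", "user/garbage address",
                                   "non-canonical address", "kernel address" };

    printf("dereferenced address : %#018llx (matches RDI: %s)\n",
           (unsigned long long)addr, addr == r->rdi ? "yes" : "no");
    printf("shadow address       : %#018llx (canonical: %s)\n",
           (unsigned long long)shadow, is_canonical(shadow) ? "yes" : "no");
    printf("classification       : %s\n", names[classify_pointer(addr)]);
    printf("shadow of va (%%r12)  : %#018llx (compare RAX + RBP)\n",
           (unsigned long long)kasan_mem_to_shadow(r->r12));
    return 0;
}
```

Two things worth checking against the dump when reading such an oops: the decoded address must equal %rdi and its shifted form must equal %rdx, which confirms that the trapping cmpb is the shadow check for that pointer and not an unrelated load; and the same arithmetic applied to %r12 reproduces RAX (and RAX + RBP reproduces R14 minus one), which confirms that %rbp really holds the shadow base. CR2 is only written by the CPU on page faults, so the user-space value in the report's CR2 is stale and says nothing about this crash.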
