bpf.vger.kernel.org archive mirror
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: kernel test robot <oliver.sang@intel.com>
Cc: Daniel Xu <dxu@dxuuu.xyz>, bpf <bpf@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Kernel Team <kernel-team@fb.com>, 0day robot <lkp@intel.com>,
	lkp@lists.01.org
Subject: Re: [lib/strncpy_from_user.c] 00a4ef91e8: BUG:KASAN:slab-out-of-bounds_in_s
Date: Thu, 5 Nov 2020 20:32:30 -0800	[thread overview]
Message-ID: <CAADnVQLcwB8ebbpuqnjvqebGp4293zd4s4nAawJ=EaU-6+wXpA@mail.gmail.com> (raw)
In-Reply-To: <20201106020930.GA18349@xsang-OptiPlex-9020>

Daniel,

KASAN complains about the previous version of your patch,
but your v4 version looks equivalent.
Could you try to repro this issue?
The code looks correct, but the KASAN complaint is concerning.

On Thu, Nov 5, 2020 at 5:56 PM kernel test robot <oliver.sang@intel.com> wrote:
>
> Greetings,
>
> FYI, we noticed the following commit (built with clang-12):
>
> commit: 00a4ef91e8f5af6edceb9bd4bceed2305f038796 ("[PATCH bpf-next] lib/strncpy_from_user.c: Don't overcopy bytes after NUL terminator")
> url: https://github.com/0day-ci/linux/commits/Daniel-Xu/lib-strncpy_from_user-c-Don-t-overcopy-bytes-after-NUL-terminator/20201104-103306
> base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master
>
> in testcase: trinity
> version: trinity-x86_64-af355e9-1_2019-12-03
> with following parameters:
>
>         runtime: 300s
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +----------------------------------------------------------------------------+------------+------------+
> |                                                                            | f4c3881edb | 00a4ef91e8 |
> +----------------------------------------------------------------------------+------------+------------+
> | boot_successes                                                             | 8          | 4          |
> | boot_failures                                                              | 14         | 15         |
> | Initramfs_unpacking_failed                                                 | 13         | 7          |
> | Kernel_panic-not_syncing:VFS:Unable_to_mount_root_fs_on_unknown-block(#,#) | 13         | 9          |
> | BUG:kernel_hang_in_boot_stage                                              | 1          |            |
> | BUG:KASAN:slab-out-of-bounds_in_s                                          | 0          | 3          |
> | BUG:KASAN:slab-out-of-bounds_in_l                                          | 0          | 3          |
> +----------------------------------------------------------------------------+------------+------------+
>
>
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <oliver.sang@intel.com>
>
>
> [  324.803835] BUG: KASAN: slab-out-of-bounds in strlen+0x53/0x5d
> [  324.808932] Read of size 1 at addr ffff88813be5f380 by task trinity-c0/7148
> [  324.809979]
> [  324.810240] CPU: 1 PID: 7148 Comm: trinity-c0 Not tainted 5.9.0-13430-g00a4ef91e8f5 #1
> [  324.811397] Call Trace:
> [  324.811797]  dump_stack+0x156/0x194
> [  324.812387]  ? wake_up_klogd+0x49/0x5e
> [  324.813118]  ? vprintk_emit+0x297/0x307
> [  324.813680]  print_address_description+0x25/0x4b7
> [  324.814354]  ? printk+0x54/0x5d
> [  324.814877]  ? kasan_report+0xad/0x187
> [  324.815531]  kasan_report+0x140/0x187
> [  324.816187]  ? strlen+0x53/0x5d
> [  324.820931] [child7:7142] Tried 16 32-bit syscalls unsuccessfully. Disabling all 32-bit syscalls.
> [  324.828848]  strlen+0x53/0x5d
> [  324.828864]  getname_kernel+0x19/0x257
> [  324.828874]  kern_path+0x19/0x32
> [  324.828887]  lookup_bdev+0x52/0x182
> [  324.828908]  __x64_sys_quotactl+0x1fe/0x4e97
> [  324.833228]  ? kvm_sched_clock_read+0x14/0x28
> [  324.837181]  ? sched_clock+0x5/0x8
> [  324.837748]  ? sched_clock_cpu+0x18/0x151
> [  324.838396]  ? up_write+0xd7/0x399
> [  324.838944]  ? security_file_mprotect+0x93/0xb0
> [  324.839686]  ? __x64_sys_mprotect+0x31a/0x6a9
> [  324.840405]  ? fpregs_assert_state_consistent+0xae/0xd3
> [  324.841253]  do_syscall_64+0x34/0x6c
> [  324.841808]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [  324.842540] RIP: 0033:0x7f77ba3311c9
> [  324.843079] Code: 01 00 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 dc 2c 00 f7 d8 64 89 01 48
> [  324.845838] RSP: 002b:00007ffe42abbe58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
> [  324.846978] RAX: ffffffffffffffda RBX: 00000000000000b3 RCX: 00007f77ba3311c9
> [  324.848039] RDX: 0000000004000000 RSI: 00007f77b8719000 RDI: 0000000012121000
> [  324.849923] RBP: 00007f77baa1d000 R08: ffffffffffffffff R09: 0000000000000000
> [  324.850961] R10: 00007f77b8719000 R11: 0000000000000246 R12: 00007f77baa1d058
> [  324.852032] R13: 00007f77baa246b0 R14: 0000000000000000 R15: 00007f77baa1d000
> [  324.853117]
> [  324.853292]
> [  324.853372] Allocated by task 7148:
> [  324.854203]  kasan_save_stack+0x27/0x47
> [  324.854779]  __kasan_kmalloc+0xed/0x104
> [  324.855365]  kmem_cache_alloc+0xcb/0x135
> [  324.855971]  getname_flags+0x51/0x3a2
> [  324.856536]  __x64_sys_quotactl+0x1c1/0x4e97
> [  324.857205]  do_syscall_64+0x34/0x6c
> [  324.857749]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [  324.858495]
> [  324.858656] [child2:7150] Tried 16 32-bit syscalls unsuccessfully. Disabling all 32-bit syscalls.
> [  324.858746] The buggy address belongs to the object at ffff88813be5e380
> [  324.858746]  which belongs to the cache names_cache of size 4096
> [  324.858764] The buggy address is located 0 bytes to the right of
> [  324.858764]  4096-byte region [ffff88813be5e380, ffff88813be5f380)
> [  324.860587]
> [  324.862729] The buggy address belongs to the page:
> [  324.862755] page:000000009f9037ac refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813be5ffff pfn:0x13be5e
> [  324.867328] head:000000009f9037ac order:1 compound_mapcount:0
> [  324.868165] flags: 0x8000000000010200(slab|head)
> [  324.868875] raw: 8000000000010200 ffffea0005a88688 ffffea000459f288 ffff888100252300
> [  324.870009] raw: ffff88813be5ffff ffff88813be5e380 0000000100000001 0000000000000000
> [  324.871126] page dumped because: kasan: bad access detected
> [  324.871945]
> [  324.872192] Memory state around the buggy address:
> [  324.872947]  ffff88813be5f280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  324.873980]  ffff88813be5f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [  324.875009] >ffff88813be5f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  324.876036]                    ^
> [  324.876538]  ffff88813be5f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  324.877588]  ffff88813be5f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> [  324.878621] ==================================================================
> [  324.879657] Disabling lock debugging due to kernel taint
> [  324.882776] [child2:7152] Tried 16 32-bit syscalls unsuccessfully. Disabling all 32-bit syscalls.
> [  324.882801]
> [  324.933069] [main] kernel became tainted! (32/0) Last seed was 2498072066
> [  324.933099]
> [  324.969750] trinity: Detected kernel tainting. Last seed was 2498072066
> [  324.969776]
> [  324.976192] [main] exit_reason=7, but 7 children still running.
> [  324.976217]
> [  326.978916] [main] Bailing main loop because kernel became tainted..
> [  326.978943]
> [  327.015587] [main] Ran 32788 syscalls. Successes: 10983  Failures: 20991
> [  327.015610]
>
> Kboot worker: lkp-worker04
> Elapsed time: 360
>
> kvm=(
>         qemu-system-x86_64
>         -enable-kvm
>         -cpu SandyBridge
>         -kernel $kernel
>         -initrd initrd-vm-snb-72.cgz
>         -m 8192
>         -smp 2
>         -device e1000,netdev=net0
>         -netdev user,id=net0,hostfwd=tcp::32032-:22
>         -boot order=nc
>         -no-reboot
>         -watchdog i6300esb
>         -watchdog-action debug
>         -rtc base=localtime
>
>
> To reproduce:
>
>         # build kernel
>         cd linux
>         cp config-5.9.0-13430-g00a4ef91e8f5 .config
>         make HOSTCC=clang-12 CC=clang-12 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
>
>         git clone https://github.com/intel/lkp-tests.git
>         cd lkp-tests
>         bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
>
>
>
> Thanks,
> Oliver Sang
>

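Added example, not code from the thread or from the kernel: a small triage parser for the KASAN slab report quoted above. It pulls out the faulting access and the victim object and computes where the access lands, which for this report is exactly the byte after the 4096-byte names_cache object, i.e. strlen scanned through the whole object without meeting a NUL. The report text embedded below is a constructed excerpt of the lines quoted above, with the same addresses.

```python
import re

# Constructed excerpt of the KASAN report quoted above (same addresses as the thread).
REPORT = """\
[  324.803835] BUG: KASAN: slab-out-of-bounds in strlen+0x53/0x5d
[  324.808932] Read of size 1 at addr ffff88813be5f380 by task trinity-c0/7148
[  324.858746] The buggy address belongs to the object at ffff88813be5e380
[  324.858746]  which belongs to the cache names_cache of size 4096
[  324.858764] The buggy address is located 0 bytes to the right of
[  324.858764]  4096-byte region [ffff88813be5e380, ffff88813be5f380)
"""

# One regex per report line we need; each contributes named groups to the result.
FIELD_PATTERNS = (
    re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"),
    re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)"),
    re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)"),
    re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)"),
)


def parse_kasan_report(text):
    """Return access and victim-object facts from a KASAN slab report.
    'offset' is the access offset from the object start; 'past_end' is how far
    the access begins beyond the object's last valid byte (negative = inside)."""
    fields = {}
    for pattern in FIELD_PATTERNS:
        match = pattern.search(text)
        if match is None:
            raise ValueError("report is missing a line matching: " + pattern.pattern)
        fields.update(match.groupdict())
    for key in ("addr", "start", "end"):
        fields[key] = int(fields[key], 16)
    for key in ("size", "objsize"):
        fields[key] = int(fields[key])
    fields["offset"] = fields["addr"] - fields["start"]
    fields["past_end"] = fields["addr"] - fields["end"]
    fields["in_object"] = fields["start"] <= fields["addr"] < fields["end"]
    return fields


def summarize(fields):
    """One-line triage verdict: where the bad access lands relative to the object."""
    where = ("inside the object" if fields["in_object"]
             else f"{fields['past_end']} byte(s) past its end")
    return (f"{fields['kind']}: {fields['func']} {fields['op'].lower()} {fields['size']} byte(s) "
            f"at {fields['cache']}+{fields['offset']} ({fields['objsize']}-byte object), {where}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(REPORT)))
```

The same parser works on any KASAN slab-out-of-bounds report that carries the "object at / cache / region" lines; an access at offset equal to the object size from a string routine like strlen means the buffer held no terminator.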