* [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
@ 2020-02-13 20:07 bugzilla-daemon
2020-02-13 20:12 ` [Bug 206525] " bugzilla-daemon
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-13 20:07 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
Bug ID: 206525
Summary: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44
(kernel 5.6-rc1)
Product: Platform Specific/Hardware
Version: 2.5
Kernel Version: 5.6.0-rc1
Hardware: PPC-32
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: PPC-32
Assignee: platform_ppc-32@kernel-bugs.osdl.org
Reporter: erhard_f@mailbox.org
Regression: No
Created attachment 287357
--> https://bugzilla.kernel.org/attachment.cgi?id=287357&action=edit
dmesg (5.6.0-rc1 + v2 Fix DSI and ISI... patch, PowerMac G4 DP)
[...]
Feb 13 20:18:53 T600 kernel:
==================================================================
Feb 13 20:18:53 T600 kernel: BUG: KASAN: stack-out-of-bounds in
test_bit+0x30/0x44
Feb 13 20:18:53 T600 kernel: Read of size 4 at addr ee8bddac by task systemd/1
Feb 13 20:18:53 T600 kernel:
Feb 13 20:18:53 T600 kernel: CPU: 0 PID: 1 Comm: systemd Tainted: G W
5.6.0-rc1-PowerMacG4+ #20
Feb 13 20:18:53 T600 kernel: Call Trace:
Feb 13 20:18:53 T600 kernel: [ee8bdc38] [c078cf18] dump_stack+0xbc/0x118
(unreliable)
Feb 13 20:18:53 T600 kernel: [ee8bdc68] [c0249f94]
print_address_description.isra.0+0x3c/0x420
Feb 13 20:18:53 T600 kernel: [ee8bdcf8] [c024a554] __kasan_report+0x138/0x180
Feb 13 20:18:53 T600 kernel: [ee8bdd38] [c0249718] kasan_report+0x7c/0x104
Feb 13 20:18:53 T600 kernel: [ee8bdd58] [c06526b4] test_bit+0x30/0x44
Feb 13 20:18:53 T600 kernel: [ee8bdd78] [c0657c6c] netlink_bind+0x24c/0x33c
Feb 13 20:18:53 T600 kernel: [ee8bde18] [c05c0c3c] __sys_bind+0xd4/0x120
Feb 13 20:18:53 T600 kernel: [ee8bdf38] [c001a278] ret_from_syscall+0x0/0x34
Feb 13 20:18:53 T600 kernel: --- interrupt: c01 at 0x4f3ea8
LR = 0x8f5b80
Feb 13 20:18:53 T600 kernel:
Feb 13 20:18:53 T600 kernel: The buggy address belongs to the page:
Feb 13 20:18:53 T600 kernel: page:ef460a94 refcount:0 mapcount:0
mapping:00000000 index:0x0
Feb 13 20:18:53 T600 kernel: flags: 0x0()
Feb 13 20:18:53 T600 kernel: raw: 00000000 ef460a98 ef460a98 00000000 00000000
00000000 ffffffff 00000000
Feb 13 20:18:53 T600 kernel: raw: 00000000
Feb 13 20:18:53 T600 kernel: page dumped because: kasan: bad access detected
Feb 13 20:18:53 T600 kernel:
Feb 13 20:18:53 T600 kernel: addr ee8bddac is located in stack of task
systemd/1 at offset 36 in frame:
Feb 13 20:18:53 T600 kernel: netlink_bind+0x0/0x33c
Feb 13 20:18:53 T600 kernel:
Feb 13 20:18:53 T600 kernel: this frame has 1 object:
Feb 13 20:18:53 T600 kernel: [32, 36) 'groups'
Feb 13 20:18:53 T600 kernel:
Feb 13 20:18:53 T600 kernel: Memory state around the buggy address:
Feb 13 20:18:53 T600 kernel: ee8bdc80: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
Feb 13 20:18:53 T600 kernel: ee8bdd00: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
Feb 13 20:18:53 T600 kernel: >ee8bdd80: 00 f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00
00 00 00
Feb 13 20:18:53 T600 kernel: ^
Feb 13 20:18:53 T600 kernel: ee8bde00: 00 00 00 00 00 f1 f1 f1 f1 04 f2 04 f2
00 00 00
Feb 13 20:18:53 T600 kernel: ee8bde80: 00 00 00 00 00 00 00 00 00 00 00 00 00
f3 f3 f3
Feb 13 20:18:53 T600 kernel:
==================================================================
Happens on my G4 DP with kernel 5.6.0-rc1 and KASAN enabled (outline) during
boot. kernel is patched with Christophe's '[v2] powerpc/32s: Fix DSI and ISI
exceptions for CONFIG_VMAP_STACK' (https://patchwork.ozlabs.org/patch/1237387/)
but CONFIG_VMAP_STACK was not used here.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
@ 2020-02-13 20:12 ` bugzilla-daemon
2020-02-14 10:04 ` bugzilla-daemon
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-13 20:12 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
--- Comment #1 from Erhard F. (erhard_f@mailbox.org) ---
Created attachment 287359
--> https://bugzilla.kernel.org/attachment.cgi?id=287359&action=edit
kernel .config (5.6.0-rc1, PowerMac G4 DP)
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
2020-02-13 20:12 ` [Bug 206525] " bugzilla-daemon
@ 2020-02-14 10:04 ` bugzilla-daemon
2020-02-15 17:52 ` bugzilla-daemon
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-14 10:04 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
Christophe Leroy (christophe.leroy@c-s.fr) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |christophe.leroy@c-s.fr
--- Comment #2 from Christophe Leroy (christophe.leroy@c-s.fr) ---
Probably a bug in or around netlink_bind() in net/netlink/af_netlink.c
https://elixir.bootlin.com/linux/v5.6-rc1/source/net/netlink/af_netlink.c#L1017
Could you print the value of nlk->ngroups just before the loop which does the
test_bit() ? It shall be 32 or less.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
2020-02-13 20:12 ` [Bug 206525] " bugzilla-daemon
2020-02-14 10:04 ` bugzilla-daemon
@ 2020-02-15 17:52 ` bugzilla-daemon
2020-02-16 8:26 ` bugzilla-daemon
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-15 17:52 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
--- Comment #3 from Christophe Leroy (christophe.leroy@c-s.fr) ---
Bug introduced by commit ("cf5bddb95cbe net: bridge: vlan: add rtnetlink group
and notify support")
RTNLGRP_MAX is now 33.
'unsigned long groups' is 32 bits long on PPC32
Following loop in netlink_bind() overflows.
for (group = 0; group < nlk->ngroups; group++) {
if (!test_bit(group, &groups))
continue;
err = nlk->netlink_bind(net, group + 1);
if (!err)
continue;
netlink_undo_bind(group, groups, sk);
goto unlock;
}
Should 'groups' be changes to 'unsigned long long' ?
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
` (2 preceding siblings ...)
2020-02-15 17:52 ` bugzilla-daemon
@ 2020-02-16 8:26 ` bugzilla-daemon
2020-02-17 10:53 ` bugzilla-daemon
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-16 8:26 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
--- Comment #4 from Christophe Leroy (christophe.leroy@c-s.fr) ---
Feedback from Nikolay:
I think we can just cap these at min(BITS_PER_TYPE(u32), nlk->ngroups) since
"groups" is coming from sockaddr_nl's "nl_groups" which is a u32, for any
groups beyond u32 one has to use setsockopt().
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
` (3 preceding siblings ...)
2020-02-16 8:26 ` bugzilla-daemon
@ 2020-02-17 10:53 ` bugzilla-daemon
2020-02-17 11:52 ` bugzilla-daemon
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-17 10:53 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
--- Comment #5 from Christophe Leroy (christophe.leroy@c-s.fr) ---
That's not a PPC32 bug but a Network bug affecting all 32 bits architectures.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
` (4 preceding siblings ...)
2020-02-17 10:53 ` bugzilla-daemon
@ 2020-02-17 11:52 ` bugzilla-daemon
2020-02-20 12:19 ` bugzilla-daemon
2020-02-26 21:44 ` bugzilla-daemon
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-17 11:52 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
Erhard F. (erhard_f@mailbox.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|PPC-32 |Other
Hardware|PPC-32 |All
Product|Platform Specific/Hardware |Networking
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
` (5 preceding siblings ...)
2020-02-17 11:52 ` bugzilla-daemon
@ 2020-02-20 12:19 ` bugzilla-daemon
2020-02-26 21:44 ` bugzilla-daemon
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-20 12:19 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
--- Comment #6 from Nikolay Aleksandrov (nikolay@cumulusnetworks.com) ---
Note that the bug wasn't introduced by my commit, but instead has been there
since:
commit 4f520900522f
Author: Richard Guy Briggs <rgb@redhat.com>
Date: Tue Apr 22 21:31:54 2014 -0400
netlink: have netlink per-protocol bind function return an error code.
which moved the ngroups test_bit() to a local variable. My commit only exposed
the bug since it added the 33rd group. I'm currently preparing a fix and will
post it to netdev after verifying and testing it.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
` (6 preceding siblings ...)
2020-02-20 12:19 ` bugzilla-daemon
@ 2020-02-26 21:44 ` bugzilla-daemon
7 siblings, 0 replies; 9+ messages in thread
From: bugzilla-daemon @ 2020-02-26 21:44 UTC (permalink / raw)
To: linuxppc-dev
https://bugzilla.kernel.org/show_bug.cgi?id=206525
Erhard F. (erhard_f@mailbox.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |CODE_FIX
--- Comment #7 from Erhard F. (erhard_f@mailbox.org) ---
Fix landed in 5.6-rc3, works now as expected. Thanks!
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-02-26 21:46 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-13 20:07 [Bug 206525] New: BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1) bugzilla-daemon
2020-02-13 20:12 ` [Bug 206525] " bugzilla-daemon
2020-02-14 10:04 ` bugzilla-daemon
2020-02-15 17:52 ` bugzilla-daemon
2020-02-16 8:26 ` bugzilla-daemon
2020-02-17 10:53 ` bugzilla-daemon
2020-02-17 11:52 ` bugzilla-daemon
2020-02-20 12:19 ` bugzilla-daemon
2020-02-26 21:44 ` bugzilla-daemon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).