linux-kernel.vger.kernel.org archive mirror
* global-out-of-bounds in move_module
@ 2021-05-10 20:26 Marc Kleine-Budde
From: Marc Kleine-Budde @ 2021-05-10 20:26 UTC
  To: Jessica Yu, linux-kernel


Hello,

I just noticed on current net-next/master b741596468b0 ("Merge tag
'riscv-for-linus-5.13-mw1' of
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux") on 32-bit
ARM that modprobe of a module triggers the following KASAN bug:

| [  110.241783] ==================================================================
| [  110.249600] BUG: KASAN: global-out-of-bounds in move_module+0x58/0x208
| [  110.256253] Write of size 69632 at addr bf030000 by task modprobe/290
| [  110.262789] 
| [  110.264361] CPU: 0 PID: 290 Comm: modprobe Tainted: G        W         5.12.0-perf+ #7
| [  110.272373] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
| [  110.278977] Backtrace: 
| [  110.281537] [<c150df20>] (dump_backtrace) from [<c150e430>] (show_stack+0x20/0x24)
| [  110.289245]  r7:00000080 r6:80010093 r5:00000000 r4:c24c20a0
| [  110.294981] [<c150e410>] (show_stack) from [<c151e794>] (dump_stack+0xf0/0x118)
| [  110.302407] [<c151e6a4>] (dump_stack) from [<c1515770>] (print_address_description.constprop.0+0x58/0x210)
| [  110.312205]  r9:b6e0720e r8:b6e08200 r7:c0273980 r6:00000001 r5:00000000 r4:bf030000
| [  110.320023] [<c1515718>] (print_address_description.constprop.0) from [<c03da2b4>] (kasan_report+0x11c/0x140)
| [  110.330088]  r7:c0273980 r6:00000001 r5:00011000 r4:bf030000
| [  110.335820] [<c03da198>] (kasan_report) from [<c03dae54>] (kasan_check_range+0xcc/0x1a4)
| [  110.344039]  r7:000001ff r6:b6e081ff r5:bf040fff r4:b6e07210
| [  110.349772] [<c03dad88>] (kasan_check_range) from [<c03db6e0>] (memset+0x28/0x44)
| [  110.357386]  r10:cc6a3ef4 r9:f0f1ef18 r8:f0de8740 r7:cc6a3ee0 r6:00000000 r5:bf030000
| [  110.365296]  r4:00011000 r3:c0273980
| [  110.368943] [<c03db6b8>] (memset) from [<c0273980>] (move_module+0x58/0x208)
| [  110.376116]  r7:cc6a3ee0 r6:f0de8880 r5:f0de8884 r4:bf030000
| [  110.381850] [<c0273928>] (move_module) from [<c0274314>] (layout_and_allocate+0x1bc/0x290)
| [  110.390233]  r10:cc6a3ef4 r9:f0f1ef18 r8:cc6a3ef0 r7:00000039 r6:cc6a3ee4 r5:cc6a3ee0
| [  110.398138]  r4:00000000
| [  110.400743] [<c0274158>] (layout_and_allocate) from [<c0274734>] (load_module+0x34c/0xbe4)
| [  110.409125]  r10:cc6a0000 r9:b88d47b8 r8:c165cb00 r7:f3f3f3f3 r6:cc6a3e40 r5:cc6a3ee0
| [  110.417031]  r4:cc6a0000
| [  110.419634] [<c02743e8>] (load_module) from [<c0275248>] (sys_finit_module+0x110/0x178)
| [  110.427760]  r10:0000017b r9:00000003 r8:cc6a3ee0 r7:004762d0 r6:00000000 r5:cc6a3f80
| [  110.435666]  r4:b88d47d4
| [  110.438273] [<c0275138>] (sys_finit_module) from [<c0100080>] (ret_fast_syscall+0x0/0x2c)
| [  110.446565] Exception stack(0xcc6a3fa8 to 0xcc6a3ff0)
| [  110.451708] 3fa0:                   004780c0 00000000 00000003 004762d0 00000000 00477cd0
| [  110.459983] 3fc0: 004780c0 00000000 98560c00 0000017b 0210a3f8 0048a090 0047544c 0210a360
| [  110.468246] 3fe0: b6c91978 b6c91968 0046eb0d aea934f2
| [  110.473388]  r9:cc6a0000 r8:c0100268 r7:0000017b r6:98560c00 r5:00000000 r4:004780c0
| [  110.481206] 
| [  110.482769] 
| [  110.484329] Memory state around the buggy address:
| [  110.489199]  bf038f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| [  110.495812]  bf038f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| [  110.502419] >bf039000: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
| [  110.509021]                                                   ^
| [  110.515018]  bf039080: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 02 f9 f9
| [  110.521626]  bf039100: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00
| [  110.528231] ==================================================================

regards,
Marc

-- 
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |


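Decoding the report above, as an added example that is not code from the thread or from the kernel: the "Memory state" rows are the report's own (copied inline), and the program replays the reported access against them using the generic KASAN shadow rules (one shadow byte per 8-byte granule; 0x00 fully addressable, 0x01..0x07 that many leading bytes addressable, 0xF9 KASAN_GLOBAL_REDZONE, with the other poison values as in mm/kasan/kasan.h of 5.12). The type and function names are mine, chosen to mirror kasan_check_range()/kasan_find_first_bad_addr(); the parser tolerates the "| [ timestamp]" decoration and the ">" marker. The write of 69632 bytes (0x11000, also visible as r4 in the memset frame) from bf030000 is the memset() with which move_module() zeroes the region it just got from module_alloc(), so the destination is expected to be clean shadow; the decode shows it is clean up to bf03906a, where the granule at bf039068 has only two addressable bytes and is followed by global-redzone poison. Why that redzone shadow is present inside freshly allocated module memory is what the thread leaves open.

```c
/*
 * Replay a KASAN "Memory state around the buggy address" dump against
 * an access range. Added example, not code from the thread: it
 * re-implements the generic KASAN shadow rules in user space
 * (8-byte granules; 0x00 addressable, 0x01..0x07 partial, >= 0x08 poison).
 */
#include <ctype.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE   8		/* KASAN_GRANULE_SIZE for generic KASAN */
#define ROW_BYTES 16		/* shadow bytes per printed row */
#define MAX_ROWS  16

struct shadow_dump {
	uint32_t base;				/* address covered by shadow[0] */
	uint8_t  shadow[MAX_ROWS * ROW_BYTES];
	size_t   n;				/* shadow bytes loaded */
};

/* Names of generic-KASAN poison values (mm/kasan/kasan.h, 5.12). */
const char *kasan_poison_name(uint8_t s)
{
	if (s == 0x00)		return "addressable";
	if (s < GRANULE)	return "partially addressable";
	switch (s) {
	case 0xFF: return "KASAN_FREE_PAGE";
	case 0xFE: return "KASAN_PAGE_REDZONE";
	case 0xFC: return "KASAN_KMALLOC_REDZONE";
	case 0xFB: return "KASAN_KMALLOC_FREE";
	case 0xF9: return "KASAN_GLOBAL_REDZONE";
	case 0xF8: return "KASAN_VMALLOC_INVALID";
	case 0xF1: return "KASAN_STACK_LEFT";
	case 0xF2: return "KASAN_STACK_MID";
	case 0xF3: return "KASAN_STACK_RIGHT";
	default:   return "unknown poison";
	}
}

/* Parse one dump row such as "| [  110.502419] >bf039000: 00 00 ...".
 * Lines without an 8-hex-digit address before ':' (the caret line,
 * the "Memory state" header) are ignored. Returns 1 if a row was added. */
int shadow_dump_add_row(struct shadow_dump *d, const char *line)
{
	const char *colon = strchr(line, ':');
	if (!colon || colon - line < 8 || d->n + ROW_BYTES > sizeof d->shadow)
		return 0;
	for (int i = 1; i <= 8; i++)
		if (!isxdigit((unsigned char)colon[-i]))
			return 0;
	uint32_t addr = (uint32_t)strtoul(colon - 8, NULL, 16);
	if (d->n == 0)
		d->base = addr;
	else if (addr != d->base + (uint32_t)d->n * GRANULE)
		return 0;				/* rows must be contiguous */
	const char *p = colon + 1;
	for (int i = 0; i < ROW_BYTES; i++) {
		unsigned v;
		int used;
		if (sscanf(p, " %2x%n", &v, &used) != 1)
			return 0;
		d->shadow[d->n + i] = (uint8_t)v;
		p += used;
	}
	d->n += ROW_BYTES;
	return 1;
}

/* Check [addr, addr + size) byte by byte within the dumped window, as
 * kasan_check_range() would. Returns the first non-addressable byte
 * (0 if none is visible) and, via *poison, its granule's shadow value. */
uint32_t kasan_first_bad_byte(const struct shadow_dump *d, uint32_t addr,
			      uint32_t size, uint8_t *poison)
{
	uint32_t lo = addr > d->base ? addr : d->base;
	uint32_t dump_end = d->base + (uint32_t)d->n * GRANULE;
	uint32_t hi = addr + size < dump_end ? addr + size : dump_end;

	for (uint32_t a = lo; a < hi; a++) {
		uint8_t s = d->shadow[(a - d->base) / GRANULE];
		if (s == 0 || (s < GRANULE && a % GRANULE < s))
			continue;			/* addressable byte */
		if (poison)
			*poison = s;
		return a;
	}
	return 0;
}

/* The redzone class the access ran into: first real poison value
 * (>= GRANULE) at or after addr, or 0 if none is visible. */
uint8_t kasan_redzone_class(const struct shadow_dump *d, uint32_t addr)
{
	size_t i = addr < d->base ? 0 : (addr - d->base) / GRANULE;
	for (; i < d->n; i++)
		if (d->shadow[i] >= GRANULE)
			return d->shadow[i];
	return 0;
}

/* The "Memory state" lines from the report above, copied inline. */
static const char *report_rows[] = {
	"| [  110.489199]  bf038f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"| [  110.495812]  bf038f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"| [  110.502419] >bf039000: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9",
	"| [  110.509021]                                                   ^",
	"| [  110.515018]  bf039080: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 02 f9 f9",
	"| [  110.521626]  bf039100: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00",
};

/* Load the report rows; returns the number of shadow rows parsed (5:
 * the caret line carries no shadow bytes). */
int load_report_dump(struct shadow_dump *d)
{
	int rows = 0;
	memset(d, 0, sizeof *d);
	for (size_t i = 0; i < sizeof report_rows / sizeof report_rows[0]; i++)
		rows += shadow_dump_add_row(d, report_rows[i]);
	return rows;
}

int main(void)
{
	struct shadow_dump d;
	uint8_t poison = 0;

	load_report_dump(&d);
	/* "Write of size 69632 at addr bf030000": move_module()'s memset() */
	uint32_t bad = kasan_first_bad_byte(&d, 0xbf030000u, 69632, &poison);
	uint8_t rz = kasan_redzone_class(&d, bad);
	printf("access bf030000..%08" PRIx32 ": first bad byte %08" PRIx32
	       " (granule shadow %02x, %s), redzone %02x = %s\n",
	       0xbf030000u + 69632, bad, poison, kasan_poison_name(poison),
	       rz, kasan_poison_name(rz));
	return 0;
}
```

Run stand-alone it reports the access bf030000..bf041000, first bad byte bf03906a in a granule whose shadow is 02 (partially addressable), followed by f9 = KASAN_GLOBAL_REDZONE; the same walk with size 0x906a returns clean, which is the boundary the report's caret is pointing at. The dump only shows 640 bytes of shadow, so anything beyond bf039180 that the memset also touches is outside what this decode can say.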

* Re: global-out-of-bounds in move_module
From: Jessica Yu @ 2021-05-27  9:01 UTC
  To: Marc Kleine-Budde; +Cc: linux-kernel

+++ Marc Kleine-Budde [10/05/21 22:26 +0200]:
>Hello,
>
>I just noticed on current net-next/master b741596468b0 ("Merge tag
>'riscv-for-linus-5.13-mw1' of
>git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux") on 32-bit
>ARM that modprobe of a module triggers the following KASAN bug:

Hi,

Hm, well I just submitted a module loader fix last week (I have no idea
if the fix is related to this report somehow, but it does bring ARM module
loader behavior up to speed with the other arches). I'm wondering if
you can still reproduce this on -rc3?

>| [  110.241783] ==================================================================
>| [  110.249600] BUG: KASAN: global-out-of-bounds in move_module+0x58/0x208
>| [  110.256253] Write of size 69632 at addr bf030000 by task modprobe/290
>| [  110.262789]
>| [  110.264361] CPU: 0 PID: 290 Comm: modprobe Tainted: G        W         5.12.0-perf+ #7
>| [  110.272373] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
>| [  110.278977] Backtrace:
>| [  110.281537] [<c150df20>] (dump_backtrace) from [<c150e430>] (show_stack+0x20/0x24)
>| [  110.289245]  r7:00000080 r6:80010093 r5:00000000 r4:c24c20a0
>| [  110.294981] [<c150e410>] (show_stack) from [<c151e794>] (dump_stack+0xf0/0x118)
>| [  110.302407] [<c151e6a4>] (dump_stack) from [<c1515770>] (print_address_description.constprop.0+0x58/0x210)
>| [  110.312205]  r9:b6e0720e r8:b6e08200 r7:c0273980 r6:00000001 r5:00000000 r4:bf030000
>| [  110.320023] [<c1515718>] (print_address_description.constprop.0) from [<c03da2b4>] (kasan_report+0x11c/0x140)
>| [  110.330088]  r7:c0273980 r6:00000001 r5:00011000 r4:bf030000
>| [  110.335820] [<c03da198>] (kasan_report) from [<c03dae54>] (kasan_check_range+0xcc/0x1a4)
>| [  110.344039]  r7:000001ff r6:b6e081ff r5:bf040fff r4:b6e07210
>| [  110.349772] [<c03dad88>] (kasan_check_range) from [<c03db6e0>] (memset+0x28/0x44)
>| [  110.357386]  r10:cc6a3ef4 r9:f0f1ef18 r8:f0de8740 r7:cc6a3ee0 r6:00000000 r5:bf030000
>| [  110.365296]  r4:00011000 r3:c0273980
>| [  110.368943] [<c03db6b8>] (memset) from [<c0273980>] (move_module+0x58/0x208)
>| [  110.376116]  r7:cc6a3ee0 r6:f0de8880 r5:f0de8884 r4:bf030000
>| [  110.381850] [<c0273928>] (move_module) from [<c0274314>] (layout_and_allocate+0x1bc/0x290)
>| [  110.390233]  r10:cc6a3ef4 r9:f0f1ef18 r8:cc6a3ef0 r7:00000039 r6:cc6a3ee4 r5:cc6a3ee0
>| [  110.398138]  r4:00000000
>| [  110.400743] [<c0274158>] (layout_and_allocate) from [<c0274734>] (load_module+0x34c/0xbe4)
>| [  110.409125]  r10:cc6a0000 r9:b88d47b8 r8:c165cb00 r7:f3f3f3f3 r6:cc6a3e40 r5:cc6a3ee0
>| [  110.417031]  r4:cc6a0000
>| [  110.419634] [<c02743e8>] (load_module) from [<c0275248>] (sys_finit_module+0x110/0x178)
>| [  110.427760]  r10:0000017b r9:00000003 r8:cc6a3ee0 r7:004762d0 r6:00000000 r5:cc6a3f80
>| [  110.435666]  r4:b88d47d4
>| [  110.438273] [<c0275138>] (sys_finit_module) from [<c0100080>] (ret_fast_syscall+0x0/0x2c)
>| [  110.446565] Exception stack(0xcc6a3fa8 to 0xcc6a3ff0)
>| [  110.451708] 3fa0:                   004780c0 00000000 00000003 004762d0 00000000 00477cd0
>| [  110.459983] 3fc0: 004780c0 00000000 98560c00 0000017b 0210a3f8 0048a090 0047544c 0210a360
>| [  110.468246] 3fe0: b6c91978 b6c91968 0046eb0d aea934f2
>| [  110.473388]  r9:cc6a0000 r8:c0100268 r7:0000017b r6:98560c00 r5:00000000 r4:004780c0
>| [  110.481206]
>| [  110.482769]
>| [  110.484329] Memory state around the buggy address:
>| [  110.489199]  bf038f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>| [  110.495812]  bf038f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>| [  110.502419] >bf039000: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
>| [  110.509021]                                                   ^
>| [  110.515018]  bf039080: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 02 f9 f9
>| [  110.521626]  bf039100: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00
>| [  110.528231] ==================================================================
>
>regards,
>Marc
>
>-- 
>Pengutronix e.K.                 | Marc Kleine-Budde           |
>Embedded Linux                   | https://www.pengutronix.de  |
>Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
>Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |



