linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Josh Poimboeuf <jpoimboe@redhat.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Lee Jones <lee.jones@linaro.org>, Andi Kleen <ak@linux.intel.com>,
	Peter Zijlstra <peterz@infradead.org>,
	syzbot <syzbot+84fe685c02cd112a2ac3@syzkaller.appspotmail.com>,
	bp@alien8.de, hpa@zytor.com, inglorion@google.com,
	linux-kernel@vger.kernel.org, mingo@redhat.com,
	syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
	x86@kernel.org, Andy Lutomirski <luto@kernel.org>,
	tkjos@google.com
Subject: Re: [syzbot] KASAN: stack-out-of-bounds Read in profile_pc
Date: Mon, 11 Oct 2021 10:30:07 -0700	[thread overview]
Message-ID: <20211011173007.ejj2zamtdsjljnds@treble> (raw)
In-Reply-To: <20211011104319.7c6125cb@gandalf.local.home>

On Mon, Oct 11, 2021 at 10:43:19AM -0400, Steven Rostedt wrote:
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
> Read of size 8 at addr ffffc90001c0f7a0 by task systemd-udevd/12323
> 
> CPU: 1 PID: 12323 Comm: systemd-udevd Not tainted 5.13.0-rc3-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:79 [inline]
>  dump_stack+0x202/0x31e lib/dump_stack.c:120
>  print_address_description+0x5f/0x3b0 mm/kasan/report.c:233
>  __kasan_report mm/kasan/report.c:419 [inline]
>  kasan_report+0x15c/0x200 mm/kasan/report.c:436
>  profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
>  profile_tick+0xcd/0x120 kernel/profile.c:408
>  tick_sched_handle kernel/time/tick-sched.c:227 [inline]
>  tick_sched_timer+0x287/0x420 kernel/time/tick-sched.c:1373
>  __run_hrtimer kernel/time/hrtimer.c:1537 [inline]
>  __hrtimer_run_queues+0x4cb/0xa60 kernel/time/hrtimer.c:1601
>  hrtimer_interrupt+0x3b3/0x1040 kernel/time/hrtimer.c:1663
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1089 [inline]
>  __sysvec_apic_timer_interrupt+0xf9/0x270 arch/x86/kernel/apic/apic.c:1106
>  sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1100
> 
> And the code has:
> 
>  profile_pc+0xa4/0xe0 arch/x86/kernel/time.c:42
> 
> unsigned long profile_pc(struct pt_regs *regs)
> {
> 	unsigned long pc = instruction_pointer(regs);
> 
> 	if (!user_mode(regs) && in_lock_functions(pc)) {
> #ifdef CONFIG_FRAME_POINTER
> 		return *(unsigned long *)(regs->bp + sizeof(long));
> #else
> 		unsigned long *sp = (unsigned long *)regs->sp;
> 		/*
> 		 * Return address is either directly at stack pointer
> 		 * or above a saved flags. Eflags has bits 22-31 zero,
> 		 * kernel addresses don't.
> 		 */
> 		if (sp[0] >> 22)
> 			return sp[0];  <== line 42
> 		if (sp[1] >> 22)
> 			return sp[1];
> #endif
> 	}
> 	return pc;
> }
> EXPORT_SYMBOL(profile_pc);
> 
> 
> It looks to me that the profiler is doing a trick to read the contents of
> the stack when the interrupt went off, but this triggers the KASAN
> instrumentation to think it's a mistake when it's not. aka "false positive".
> 
> How does one tell KASAN that it wants to go outside the stack, because it
> knows what its doing?

*If* the code knew what it were doing, it could use READ_ONCE_NOCHECK()
to skip KASAN checking.  But this code is horribly broken and dangerous.

-- 
Josh


  parent reply	other threads:[~2021-10-11 17:30 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-31  7:15 [syzbot] KASAN: stack-out-of-bounds Read in profile_pc syzbot
2021-06-02 23:00 ` Josh Poimboeuf
2021-06-02 23:35   ` Andi Kleen
2021-06-03 13:29     ` Josh Poimboeuf
2021-06-03 13:30     ` Peter Zijlstra
2021-06-03 13:39       ` Josh Poimboeuf
2021-06-03 13:52         ` Andi Kleen
2021-10-11 13:07           ` Lee Jones
2021-10-11 14:43             ` Steven Rostedt
2021-10-11 17:10               ` Dmitry Vyukov
2021-10-11 17:30               ` Josh Poimboeuf [this message]
2021-06-03  8:02 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211011173007.ejj2zamtdsjljnds@treble \
    --to=jpoimboe@redhat.com \
    --cc=ak@linux.intel.com \
    --cc=bp@alien8.de \
    --cc=hpa@zytor.com \
    --cc=inglorion@google.com \
    --cc=lee.jones@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mingo@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rostedt@goodmis.org \
    --cc=syzbot+84fe685c02cd112a2ac3@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tglx@linutronix.de \
    --cc=tkjos@google.com \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).