From: Nick Desaulniers <ndesaulniers@google.com>
To: Jeffrin Thalakkottoor <jeffrin@rajagiritech.edu.in>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
tobin@kernel.org, lkml <linux-kernel@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Dmitry Vyukov <dvyukov@google.com>,
Alexander Potapenko <glider@google.com>
Subject: Re: BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70
Date: Tue, 16 Jul 2019 11:28:29 -0700 [thread overview]
Message-ID: <CAKwvOdmg2b2PMzuzNmutacFArBNagjtwG=_VZvKhb4okzSkdiA@mail.gmail.com> (raw)
In-Reply-To: <CAG=yYw=S197+2TzdPaiEaz-9MRuVtd+Q_L9W8GOf4jKwyppNjQ@mail.gmail.com>
On Wed, Jul 10, 2019 at 10:44 AM Jeffrin Thalakkottoor
<jeffrin@rajagiritech.edu.in> wrote:
>
> hello all ,
>
> i encountered a KASAN bug related . here are some related information...
>
>
> -------------------x-----------------------------x------------------
> [ 30.037312] BUG: KASAN: global-out-of-bounds in
> ata_exec_internal_sg+0x50f/0xc70
> [ 30.037447] Read of size 16 at addr ffffffff91f41f80 by task scsi_eh_1/149
>
>
> [ 30.039935] The buggy address belongs to the variable:
> [ 30.040059] cdb.48319+0x0/0x40
>
> [ 30.040241] Memory state around the buggy address:
> [ 30.040362] ffffffff91f41e80: fa fa fa fa 00 00 fa fa fa fa fa fa
> 00 00 07 fa
> [ 30.040498] ffffffff91f41f00: fa fa fa fa 00 00 00 00 00 00 00 03
> fa fa fa fa
> [ 30.040628] >ffffffff91f41f80: 00 04 fa fa fa fa fa fa 00 00 fa fa
> fa fa fa fa
> [ 30.040755] ^
> [ 30.040868] ffffffff91f42000: 00 00 00 04 fa fa fa fa 00 fa fa fa
> fa fa fa fa
> [ 30.041003] ffffffff91f42080: 04 fa fa fa fa fa fa fa 00 04 fa fa
> fa fa fa fa
>
> ---------------------------x--------------------------x----------------
> $uname -a
> Linux debian 5.2.0-rc7+ #4 SMP Tue Jul 9 02:54:07 IST 2019 x86_64 GNU/Linux
> $
>
> --------------------x----------------------------x---------------------------
> (gdb) l *ata_exec_internal_sg+0x50f
> 0xffffffff81c7b59f is in ata_exec_internal_sg (./include/linux/string.h:359).
So looks like ata_exec_internal_sg() is panic'ing when...
> 354 if (q_size < size)
> 355 __read_overflow2();
> 356 }
> 357 if (p_size < size || q_size < size)
> 358 fortify_panic(__func__);
> 359 return __builtin_memcpy(p, q, size);
> 360 }
> 361
> 362 __FORTIFY_INLINE void *memmove(void *p, const void *q, __kernel_size_t size)
...a call to memmove is made? Without having looked at the source of
ata_exec_internal_sg(), it's possible that either through inlining, or
the compiler generating a memmove, that one of the arguments was not
quite right. I suggest spending more time isolating where this is
coming from, if you can reliably reproduce, or CC whoever wrote or
maintains the code and ask them to take a look.
The cited code looks like a check comparing that the pointer distance
is greater than the size of bytes being passed in. I'd wager
someone's calling memmove with overlapping memory regions when they
really wanted memcpy. Maybe a better question, is why was memmove
ever used; if there was some invariant that the memory regions
overlapped, why is that invariant no longer holding.
Anyways, sorry I don't have more time to look into this. Thank you
for the report.
> 363 {
> (gdb)
> --------------------------x--------------------------
> GNU Make 4.2.1
> Binutils 2.31.1
> Util-linux 2.33.1
> Mount 2.33.1
> Linux C Library 2.28
> Dynamic linker (ldd) 2.28
> Procps 3.3.15
> Kbd 2.0.4
> Console-tools 2.0.4
> Sh-utils 8.30
> Udev 241
> ---------------------x--------------------------------x
> Thread model: posix
> gcc version 8.3.0 (Debian 8.3.0-7)
> ---------------------x--------------------------------x
>
> Please ask if more information is needed.
>
> --
> software engineer
> rajagiri school of engineering and technology
--
Thanks,
~Nick Desaulniers
next prev parent reply other threads:[~2019-07-16 18:28 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-10 17:44 BUG: KASAN: global-out-of-bounds in ata_exec_internal_sg+0x50f/0xc70 Jeffrin Thalakkottoor
2019-07-16 18:28 ` Nick Desaulniers [this message]
2019-07-16 18:57 ` Steven Rostedt
2019-07-16 19:45 ` Nick Desaulniers
2019-07-18 21:35 ` Kees Cook
2019-07-29 19:34 ` Jeffrin Thalakkottoor
2019-07-29 19:55 ` Jens Axboe
2019-07-29 20:13 ` Jeffrin Thalakkottoor
2019-07-25 21:34 ` Jeffrin Thalakkottoor
-- strict thread matches above, loose matches on Subject: below --
2019-06-13 18:36 Jeffrin Thalakkottoor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKwvOdmg2b2PMzuzNmutacFArBNagjtwG=_VZvKhb4okzSkdiA@mail.gmail.com' \
--to=ndesaulniers@google.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=andriy.shevchenko@linux.intel.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=jeffrin@rajagiritech.edu.in \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=tobin@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).