BUG: KASAN: stack-out-of-bounds in unwind_next_frame

From: Prashant Bhole
Date: Thu Jul 19 2018 - 00:35:31 EST


Hi Peter, Josh,

Found the following bug. This bug cannot be seen with this fix: https://lkml.org/lkml/2018/5/10/280.

Here unwind_next_frame+0x463 is pointing at: "*ip = regs->ip;" in deref_stack_iret_regs().


[ 2505.084076] BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x463/0x850
[ 2505.084079] Read of size 8 at addr ffff8803d3d87970 by task vhost-2815/2848

[ 2505.084083] CPU: 3 PID: 2848 Comm: vhost-2815 Not tainted 4.18.0-rc3+ #13
[ 2505.084084] Hardware name: Hewlett-Packard HP Z440 Workstation/212B, BIOS M60 v02.34 05/18/2017
[ 2505.084085] Call Trace:
[ 2505.084087] <NMI>
[ 2505.084091] dump_stack+0x71/0xac
[ 2505.084096] print_address_description+0x65/0x22e
[ 2505.084099] ? unwind_next_frame+0x463/0x850
[ 2505.084101] kasan_report.cold.6+0x241/0x2fd
[ 2505.084104] unwind_next_frame+0x463/0x850
[ 2505.084109] ? native_iret+0x7/0x7
[ 2505.084111] ? deref_stack_reg+0xd0/0xd0
[ 2505.084115] __unwind_start+0x1c0/0x3c0
[ 2505.084117] ? unwind_next_frame+0x850/0x850
[ 2505.084121] ? perf_output_begin_forward+0x2df/0x460
[ 2505.084124] ? native_iret+0x7/0x7
[ 2505.084128] perf_callchain_kernel+0x19b/0x280
[ 2505.084131] ? arch_perf_update_userpage+0x1a0/0x1a0
[ 2505.084134] ? native_iret+0x7/0x7
[ 2505.084137] get_perf_callchain+0x1f7/0x3d0
[ 2505.084140] ? put_callchain_buffers+0x50/0x50
[ 2505.084143] perf_prepare_sample+0x805/0x990
[ 2505.084146] ? perf_output_sample+0xb90/0xb90
[ 2505.084151] ? cyc2ns_read_begin.part.2+0x67/0x90
[ 2505.084154] perf_event_output_forward+0x80/0x100
[ 2505.084157] ? perf_prepare_sample+0x990/0x990
[ 2505.084159] ? sched_clock+0x5/0x10
[ 2505.084161] ? perf_adjust_period+0x117/0x270
[ 2505.084163] ? __perf_event_account_interrupt+0x132/0x190
[ 2505.084166] __perf_event_overflow+0xaa/0x190
[ 2505.084169] __intel_pmu_pebs_event+0x349/0x3e0
[ 2505.084172] ? setup_pebs_sample_data+0x890/0x890
[ 2505.084175] ? stack_access_ok+0x35/0x80
[ 2505.084178] ? native_iret+0x7/0x7
[ 2505.084181] ? native_iret+0x7/0x7
[ 2505.084186] intel_pmu_drain_pebs_nhm+0x3c4/0x590
[ 2505.084189] ? __intel_pmu_pebs_event+0x3e0/0x3e0
[ 2505.084192] ? ktime_get_mono_fast_ns+0xdb/0x120
[ 2505.084194] ? intel_pmu_lbr_read+0x2e/0x7a0
[ 2505.084198] ? watchdog_overflow_callback+0x83/0xb0
[ 2505.084201] ? intel_bts_interrupt+0x7d/0x1a0
[ 2505.084203] intel_pmu_handle_irq+0x200/0x670
[ 2505.084206] ? intel_pmu_save_and_restart+0x80/0x80
[ 2505.084212] ? cyc2ns_read_begin.part.2+0x67/0x90
[ 2505.084214] ? native_sched_clock+0x75/0xf0
[ 2505.084217] ? cyc2ns_read_begin.part.2+0x90/0x90
[ 2505.084220] ? cyc2ns_read_begin.part.2+0x90/0x90
[ 2505.084223] perf_event_nmi_handler+0x40/0x60
[ 2505.084225] nmi_handle+0x73/0x150
[ 2505.084228] default_do_nmi+0x57/0x110
[ 2505.084231] do_nmi+0x141/0x1a0
[ 2505.084233] end_repeat_nmi+0x16/0x50
[ 2505.084236] RIP: 0010:deref_stack_reg+0x76/0xd0
[ 2505.084237] Code: c7 40 04 00 f2 f2 f2 65 48 8b 04 25 28 00 00 00 48 89 44 24 58 31 c0 e8 48 fe ff ff 31 d2 84 c0 74 23 48 89 ef 48 8d 74 24 20 <e8> 75 ff ff ff 48 8b 6c 24 20 4c 89 e7 e8 18 d3 32 00 ba 01 00 00
[ 2505.084263] RSP: 0018:ffff8803d3d87970 EFLAGS: 00000202
[ 2505.084266] RAX: 0000000000000001 RBX: 1ffff1007a7b0f2e RCX: ffffffffa8075985
[ 2505.084267] RDX: 0000000000000000 RSI: ffff8803d3d87990 RDI: ffff8803d3d87e20
[ 2505.084268] RBP: ffff8803d3d87e20 R08: fffffbfff54f23db R09: fffffbfff54f23da
[ 2505.084270] R10: fffffbfff54f23da R11: ffffffffaa791ed1 R12: ffff8803d3d87b10
[ 2505.084271] R13: 0000000000000002 R14: ffff8803d3d87b18 R15: ffff8803d3d87b00
[ 2505.084274] ? stack_access_ok+0x35/0x80
[ 2505.084277] ? deref_stack_reg+0x76/0xd0
[ 2505.084279] ? deref_stack_reg+0x76/0xd0
[ 2505.084280] </NMI>
[ 2505.084281] <IRQ>
[ 2505.084284] ? __read_once_size_nocheck.constprop.7+0x10/0x10
[ 2505.084286] ? deref_stack_reg+0xd0/0xd0
[ 2505.084288] ? __orc_find+0x6f/0xc0
[ 2505.084291] unwind_next_frame+0x514/0x850
[ 2505.084295] ? __kfree_skb_flush+0x3c/0x50
[ 2505.084296] ? __kfree_skb_flush+0x3c/0x50
[ 2505.084299] ? deref_stack_reg+0xd0/0xd0
[ 2505.084305] ? vhost_worker+0x147/0x1e0 [vhost]
[ 2505.084309] ? is_module_text_address+0xa/0x11
[ 2505.084312] ? kernel_text_address+0x4c/0x110
[ 2505.084316] __save_stack_trace+0x82/0x100
[ 2505.084318] ? __kfree_skb_flush+0x3c/0x50
[ 2505.084320] save_stack+0x32/0xb0
[ 2505.084323] ? __kasan_slab_free+0x125/0x170
[ 2505.084326] ? kmem_cache_free_bulk+0x1af/0x3c0
[ 2505.084328] ? __kfree_skb_flush+0x3c/0x50
[ 2505.084331] ? net_rx_action+0x44b/0x630
[ 2505.084333] ? __do_softirq+0x114/0x383
[ 2505.084335] ? irq_exit+0x138/0x140
[ 2505.084337] ? do_IRQ+0x9a/0xe0
[ 2505.084339] ? common_interrupt+0xf/0xf
[ 2505.084345] ? iotlb_access_ok+0x260/0x260 [vhost]
[ 2505.084348] ? handle_rx+0x14a/0xe30 [vhost_net]
[ 2505.084353] ? vhost_worker+0x147/0x1e0 [vhost]
[ 2505.084357] ? kthread+0x1a0/0x1c0
[ 2505.084359] ? ret_from_fork+0x35/0x40
[ 2505.084362] ? skb_release_data+0x1fe/0x2d0
[ 2505.084381] ? ixgbe_update_itr.isra.63+0x170/0x2a0 [ixgbe]
[ 2505.084396] ? ixgbe_write_eitr+0x78/0xb0 [ixgbe]
[ 2505.084411] ? ixgbe_poll+0x26c4/0x2850 [ixgbe]
[ 2505.084414] __kasan_slab_free+0x125/0x170
[ 2505.084417] kmem_cache_free_bulk+0x1af/0x3c0
[ 2505.084419] ? __kfree_skb_flush+0x3c/0x50
[ 2505.084421] __kfree_skb_flush+0x3c/0x50
[ 2505.084424] net_rx_action+0x44b/0x630
[ 2505.084427] ? napi_complete_done+0x190/0x190
[ 2505.084430] __do_softirq+0x114/0x383
[ 2505.084432] irq_exit+0x138/0x140
[ 2505.084435] do_IRQ+0x9a/0xe0
[ 2505.084437] common_interrupt+0xf/0xf
[ 2505.084438] </IRQ>
[ 2505.084444] RIP: 0010:vq_iotlb_prefetch+0x0/0xe0 [vhost]
[ 2505.084444] Code: ff 48 89 dd e9 38 ff ff ff 48 8b 6c 24 10 e9 2e ff ff ff 48 83 c4 30 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 0f 1f 44 00 00 <0f> 1f 44 00 00 41 54 55 31 ed 53 48 89 fb 48 81 c7 30 45 00 00 e8
[ 2505.084470] RSP: 0018:ffff880355137b08 EFLAGS: 00000282 ORIG_RAX: ffffffffffffffdb
[ 2505.084473] RAX: ffff88034fe24f58 RBX: ffff880373b845c8 RCX: ffffffffc11b8fcd
[ 2505.084474] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff880373b800a0
[ 2505.084475] RBP: 0000000000000000 R08: ffffed006aa26f57 R09: ffffed006aa26f56
[ 2505.084477] R10: ffffed006aa26f56 R11: ffff880355137ab7 R12: ffff880373b80000
[ 2505.084478] R13: 0000000000000000 R14: ffff880373b80000 R15: ffff880373b800a0
[ 2505.084482] ? handle_rx+0x12d/0xe30 [vhost_net]
[ 2505.084486] handle_rx+0x14a/0xe30 [vhost_net]
[ 2505.084490] ? __update_load_avg_cfs_rq.isra.36+0x28/0x2a0
[ 2505.084492] ? update_load_avg+0x921/0xa30
[ 2505.084496] ? rb_erase_cached+0x83c/0x8a0
[ 2505.084499] ? peek_head_len+0x390/0x390 [vhost_net]
[ 2505.084502] ? speculative_store_bypass_update+0x210/0x210
[ 2505.084504] ? pick_next_entity+0xf2/0x1e0
[ 2505.084507] ? __list_add_valid+0x2d/0x70
[ 2505.084510] ? __switch_to+0x58f/0x600
[ 2505.084513] ? compat_start_thread+0x60/0x60
[ 2505.084516] ? finish_task_switch+0x101/0x3e0
[ 2505.084520] ? switch_mm_irqs_off+0x2c0/0x6d0
[ 2505.084522] ? __schedule+0x432/0xdf0
[ 2505.084529] vhost_worker+0x147/0x1e0 [vhost]
[ 2505.084534] ? vhost_dev_init+0x4e0/0x4e0 [vhost]
[ 2505.084537] ? __kthread_parkme+0xcc/0x100
[ 2505.084539] ? parse_args.cold.14+0xc4/0xc4
[ 2505.084545] ? vhost_dev_init+0x4e0/0x4e0 [vhost]
[ 2505.084547] kthread+0x1a0/0x1c0
[ 2505.084550] ? kthread_create_worker_on_cpu+0xc0/0xc0
[ 2505.084552] ret_from_fork+0x35/0x40

[ 2505.084555] The buggy address belongs to the page:
[ 2505.084557] page:ffffea000f4f61c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 2505.084559] flags: 0x17ffffc0000800(reserved)
[ 2505.084563] raw: 0017ffffc0000800 ffffea000f4f61c8 ffffea000f4f61c8 0000000000000000
[ 2505.084565] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 2505.084566] page dumped because: kasan: bad access detected

[ 2505.084567] Memory state around the buggy address:
[ 2505.084569] ffff8803d3d87800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2505.084570] ffff8803d3d87880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2505.084572] >ffff8803d3d87900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[ 2505.084573] ^
[ 2505.084575] ffff8803d3d87980: f1 f1 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
[ 2505.084576] ffff8803d3d87a00: 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00
[ 2505.084577] ==================================================================
[ 2505.084578] Disabling lock debugging due to kernel taint
[ 2508.883975] WARNING: stack going in the wrong direction? ip=pktgen_xmit+0x4a9/0x1e30 [pktgen]


-Prashant