i915/kasan: out of bounds access in i915_cmd_parser_init_ring

From: Dave Jones
Date: Thu Aug 13 2015 - 21:09:21 EST


I finally got around to playing with kasan. It didn't end well.

I added some debugging to validate_cmds_sorted to print out the table
sizes right before the stack traces.

Dave

validate_cmds_sorted: table:ffffffffa1fb4220 cmd_table_count:3
validate_cmds_sorted: table:ffffffffa1fb4220 table->count:12
validate_cmds_sorted: table:ffffffffa1fb4230 table->count:20
validate_cmds_sorted: table:ffffffffa1fb4230 table->count:20
validate_cmds_sorted: table:ffffffffa1fb4240 table->count:18
validate_cmds_sorted: table:ffffffffa1fb41e0 cmd_table_count:2
validate_cmds_sorted: table:ffffffffa1fb41e0 table->count:12
validate_cmds_sorted: table:ffffffffa1fb41f0 table->count:7
validate_cmds_sorted: table:ffffffffa1fb4100 cmd_table_count:3
validate_cmds_sorted: table:ffffffffa1fb4100 table->count:12
validate_cmds_sorted: table:ffffffffa1fb4110 table->count:6
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x66b/0x760 at addr ffffffffa1fb4374
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb4/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f ffff8801d6baf5a8
ffffed003ad75e9b 0000000000000246 ffffffffa1fb4110 0000000010000000
Call Trace:
[<ffffffffa1c0b4fb>] dump_stack+0x4f/0x7b
[<ffffffffa123198f>] kasan_report_error+0x3bf/0x3f0
[<ffffffffa1231a9b>] kasan_report+0x3b/0x40
[<ffffffffa166d7ab>] ? i915_cmd_parser_init_ring+0x66b/0x760
[<ffffffffa1230e06>] __asan_load4+0x66/0xa0
[<ffffffffa166d7ab>] i915_cmd_parser_init_ring+0x66b/0x760
[<ffffffffa16c0459>] intel_init_ring_buffer+0x449/0x680
[<ffffffffa16c61de>] intel_init_blt_ring_buffer+0x38e/0x520
[<ffffffffa1687744>] i915_gem_init_rings+0x74/0x220
[<ffffffffa168c292>] i915_gem_init+0x1e2/0x320
[<ffffffffa1768ff1>] i915_driver_load+0x1571/0x2310
[<ffffffffa11090ee>] ? debug_lockdep_rcu_enabled+0x4e/0x70
[<ffffffffa10e98ce>] ? __lock_acquire+0x97e/0x2710
[<ffffffffa14c8b87>] ? debug_smp_processor_id+0x17/0x20
[<ffffffffa10e8f50>] ? debug_show_all_locks+0x280/0x280
[<ffffffffa1c1279b>] ? __mutex_unlock_slowpath+0x11b/0x1e0
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa1767a80>] ? i915_getparam+0x390/0x390
[<ffffffffa10e69f4>] ? mark_held_locks+0xa4/0xd0
[<ffffffffa1c19538>] ? _raw_spin_unlock_irqrestore+0x58/0x70
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1c19523>] ? _raw_spin_unlock_irqrestore+0x43/0x70
[<ffffffffa1612811>] drm_dev_register+0xd1/0x170
[<ffffffffa16166a1>] drm_get_pci_dev+0xf1/0x350
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa163df43>] i915_pci_probe+0x83/0xb0
[<ffffffffa14f522f>] pci_device_probe+0xcf/0x130
[<ffffffffa17756f1>] driver_probe_device+0x1e1/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa17759f6>] __driver_attach+0xd6/0xe0
[<ffffffffa17725e5>] bus_for_each_dev+0xf5/0x160
[<ffffffffa17724f0>] ? bus_remove_file+0xa0/0xa0
[<ffffffffa10f2ee4>] ? do_raw_spin_unlock+0xa4/0x140
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1775b80>] driver_attach+0x30/0x40
[<ffffffffa17738e1>] bus_add_driver+0x2b1/0x330
[<ffffffffa17763ce>] driver_register+0xde/0x1b0
[<ffffffffa14f579c>] __pci_register_driver+0xbc/0xd0
[<ffffffffa1616ae7>] drm_pci_init+0x1e7/0x210
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa29b732f>] i915_init+0xdb/0xe3
[<ffffffffa29b7254>] ? mipi_dsi_bus_init+0x12/0x12
[<ffffffffa2975384>] do_one_initcall+0x227/0x242
[<ffffffffa297515d>] ? start_kernel+0x4ed/0x4ed
[<ffffffffa10a38db>] ? parse_args+0x5b/0x4f0
[<ffffffffa297562f>] kernel_init_freeable+0x290/0x321
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c03cf4>] kernel_init+0x14/0x100
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c1a3bf>] ret_from_fork+0x3f/0x70
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
Memory state around the buggy address:
ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
^
ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x67e/0x760 at addr ffffffffa1fb4378
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb8/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f 0000000000000010
ffffed0000000000 0000000000000246 fffffbfff43f686e 6666662010000000
Call Trace:
[<ffffffffa1c0b4fb>] dump_stack+0x4f/0x7b
[<ffffffffa123198f>] kasan_report_error+0x3bf/0x3f0
[<ffffffffa1231a9b>] kasan_report+0x3b/0x40
[<ffffffffa166d7be>] ? i915_cmd_parser_init_ring+0x67e/0x760
[<ffffffffa1230e06>] __asan_load4+0x66/0xa0
[<ffffffffa166d7be>] i915_cmd_parser_init_ring+0x67e/0x760
[<ffffffffa16c0459>] intel_init_ring_buffer+0x449/0x680
[<ffffffffa16c61de>] intel_init_blt_ring_buffer+0x38e/0x520
[<ffffffffa1687744>] i915_gem_init_rings+0x74/0x220
[<ffffffffa168c292>] i915_gem_init+0x1e2/0x320
[<ffffffffa1768ff1>] i915_driver_load+0x1571/0x2310
[<ffffffffa11090ee>] ? debug_lockdep_rcu_enabled+0x4e/0x70
[<ffffffffa10e98ce>] ? __lock_acquire+0x97e/0x2710
[<ffffffffa14c8b87>] ? debug_smp_processor_id+0x17/0x20
[<ffffffffa10e8f50>] ? debug_show_all_locks+0x280/0x280
[<ffffffffa1c1279b>] ? __mutex_unlock_slowpath+0x11b/0x1e0
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa1767a80>] ? i915_getparam+0x390/0x390
[<ffffffffa10e69f4>] ? mark_held_locks+0xa4/0xd0
[<ffffffffa1c19538>] ? _raw_spin_unlock_irqrestore+0x58/0x70
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1c19523>] ? _raw_spin_unlock_irqrestore+0x43/0x70
[<ffffffffa1612811>] drm_dev_register+0xd1/0x170
[<ffffffffa16166a1>] drm_get_pci_dev+0xf1/0x350
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa163df43>] i915_pci_probe+0x83/0xb0
[<ffffffffa14f522f>] pci_device_probe+0xcf/0x130
[<ffffffffa17756f1>] driver_probe_device+0x1e1/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa17759f6>] __driver_attach+0xd6/0xe0
[<ffffffffa17725e5>] bus_for_each_dev+0xf5/0x160
[<ffffffffa17724f0>] ? bus_remove_file+0xa0/0xa0
[<ffffffffa10f2ee4>] ? do_raw_spin_unlock+0xa4/0x140
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1775b80>] driver_attach+0x30/0x40
[<ffffffffa17738e1>] bus_add_driver+0x2b1/0x330
[<ffffffffa17763ce>] driver_register+0xde/0x1b0
[<ffffffffa14f579c>] __pci_register_driver+0xbc/0xd0
[<ffffffffa1616ae7>] drm_pci_init+0x1e7/0x210
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa29b732f>] i915_init+0xdb/0xe3
[<ffffffffa29b7254>] ? mipi_dsi_bus_init+0x12/0x12
[<ffffffffa2975384>] do_one_initcall+0x227/0x242
[<ffffffffa297515d>] ? start_kernel+0x4ed/0x4ed
[<ffffffffa10a38db>] ? parse_args+0x5b/0x4f0
[<ffffffffa297562f>] kernel_init_freeable+0x290/0x321
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c03cf4>] kernel_init+0x14/0x100
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c1a3bf>] ret_from_fork+0x3f/0x70
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
Memory state around the buggy address:
ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
^
ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
validate_cmds_sorted: table:ffffffffa1fb4120 table->count:2
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x6eb/0x760 at addr ffffffffa1fb4374
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb4/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f 0000000000000010
ffffed003ad75e9b 0000000000000246 ffffffffa1fb4120 0000000000000003
Call Trace:
[<ffffffffa1c0b4fb>] dump_stack+0x4f/0x7b
[<ffffffffa123198f>] kasan_report_error+0x3bf/0x3f0
[<ffffffffa1231a9b>] kasan_report+0x3b/0x40
[<ffffffffa166d82b>] ? i915_cmd_parser_init_ring+0x6eb/0x760
[<ffffffffa1230e06>] __asan_load4+0x66/0xa0
[<ffffffffa166d82b>] i915_cmd_parser_init_ring+0x6eb/0x760
[<ffffffffa16c0459>] intel_init_ring_buffer+0x449/0x680
[<ffffffffa16c61de>] intel_init_blt_ring_buffer+0x38e/0x520
[<ffffffffa1687744>] i915_gem_init_rings+0x74/0x220
[<ffffffffa168c292>] i915_gem_init+0x1e2/0x320
[<ffffffffa1768ff1>] i915_driver_load+0x1571/0x2310
[<ffffffffa11090ee>] ? debug_lockdep_rcu_enabled+0x4e/0x70
[<ffffffffa10e98ce>] ? __lock_acquire+0x97e/0x2710
[<ffffffffa14c8b87>] ? debug_smp_processor_id+0x17/0x20
[<ffffffffa10e8f50>] ? debug_show_all_locks+0x280/0x280
[<ffffffffa1c1279b>] ? __mutex_unlock_slowpath+0x11b/0x1e0
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa1767a80>] ? i915_getparam+0x390/0x390
[<ffffffffa10e69f4>] ? mark_held_locks+0xa4/0xd0
[<ffffffffa1c19538>] ? _raw_spin_unlock_irqrestore+0x58/0x70
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1c19523>] ? _raw_spin_unlock_irqrestore+0x43/0x70
[<ffffffffa1612811>] drm_dev_register+0xd1/0x170
[<ffffffffa16166a1>] drm_get_pci_dev+0xf1/0x350
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa163df43>] i915_pci_probe+0x83/0xb0
[<ffffffffa14f522f>] pci_device_probe+0xcf/0x130
[<ffffffffa17756f1>] driver_probe_device+0x1e1/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa17759f6>] __driver_attach+0xd6/0xe0
[<ffffffffa17725e5>] bus_for_each_dev+0xf5/0x160
[<ffffffffa17724f0>] ? bus_remove_file+0xa0/0xa0
[<ffffffffa10f2ee4>] ? do_raw_spin_unlock+0xa4/0x140
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1775b80>] driver_attach+0x30/0x40
[<ffffffffa17738e1>] bus_add_driver+0x2b1/0x330
[<ffffffffa17763ce>] driver_register+0xde/0x1b0
[<ffffffffa14f579c>] __pci_register_driver+0xbc/0xd0
[<ffffffffa1616ae7>] drm_pci_init+0x1e7/0x210
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa29b732f>] i915_init+0xdb/0xe3
[<ffffffffa29b7254>] ? mipi_dsi_bus_init+0x12/0x12
[<ffffffffa2975384>] do_one_initcall+0x227/0x242
[<ffffffffa297515d>] ? start_kernel+0x4ed/0x4ed
[<ffffffffa10a38db>] ? parse_args+0x5b/0x4f0
[<ffffffffa297562f>] kernel_init_freeable+0x290/0x321
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c03cf4>] kernel_init+0x14/0x100
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c1a3bf>] ret_from_fork+0x3f/0x70
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
Memory state around the buggy address:
ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
^
ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x6fb/0x760 at addr ffffffffa1fb4378
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb8/0xe0
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.2.0-rc6-firewall+ #4
0000000000000002 ffff8801d6baf478 ffffffffa1c0b4fb 0000000000000032
ffff8801d6baf510 ffff8801d6baf4f8 ffffffffa123198f 0000000000000010
ffffed0000000000 0000000000000246 fffffbfff43f686e 6666662000000003
Call Trace:
[<ffffffffa1c0b4fb>] dump_stack+0x4f/0x7b
[<ffffffffa123198f>] kasan_report_error+0x3bf/0x3f0
[<ffffffffa1231a9b>] kasan_report+0x3b/0x40
[<ffffffffa166d83b>] ? i915_cmd_parser_init_ring+0x6fb/0x760
[<ffffffffa1230e06>] __asan_load4+0x66/0xa0
[<ffffffffa166d83b>] i915_cmd_parser_init_ring+0x6fb/0x760
[<ffffffffa16c0459>] intel_init_ring_buffer+0x449/0x680
[<ffffffffa16c61de>] intel_init_blt_ring_buffer+0x38e/0x520
[<ffffffffa1687744>] i915_gem_init_rings+0x74/0x220
[<ffffffffa168c292>] i915_gem_init+0x1e2/0x320
[<ffffffffa1768ff1>] i915_driver_load+0x1571/0x2310
[<ffffffffa11090ee>] ? debug_lockdep_rcu_enabled+0x4e/0x70
[<ffffffffa10e98ce>] ? __lock_acquire+0x97e/0x2710
[<ffffffffa14c8b87>] ? debug_smp_processor_id+0x17/0x20
[<ffffffffa10e8f50>] ? debug_show_all_locks+0x280/0x280
[<ffffffffa1c1279b>] ? __mutex_unlock_slowpath+0x11b/0x1e0
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa1767a80>] ? i915_getparam+0x390/0x390
[<ffffffffa10e69f4>] ? mark_held_locks+0xa4/0xd0
[<ffffffffa1c19538>] ? _raw_spin_unlock_irqrestore+0x58/0x70
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1c19523>] ? _raw_spin_unlock_irqrestore+0x43/0x70
[<ffffffffa1612811>] drm_dev_register+0xd1/0x170
[<ffffffffa16166a1>] drm_get_pci_dev+0xf1/0x350
[<ffffffffa10e6bb2>] ? trace_hardirqs_on_caller+0x192/0x2a0
[<ffffffffa163df43>] i915_pci_probe+0x83/0xb0
[<ffffffffa14f522f>] pci_device_probe+0xcf/0x130
[<ffffffffa17756f1>] driver_probe_device+0x1e1/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa1775920>] ? driver_probe_device+0x410/0x410
[<ffffffffa17759f6>] __driver_attach+0xd6/0xe0
[<ffffffffa17725e5>] bus_for_each_dev+0xf5/0x160
[<ffffffffa17724f0>] ? bus_remove_file+0xa0/0xa0
[<ffffffffa10f2ee4>] ? do_raw_spin_unlock+0xa4/0x140
[<ffffffffa10b8431>] ? preempt_count_sub+0xc1/0x130
[<ffffffffa1775b80>] driver_attach+0x30/0x40
[<ffffffffa17738e1>] bus_add_driver+0x2b1/0x330
[<ffffffffa17763ce>] driver_register+0xde/0x1b0
[<ffffffffa14f579c>] __pci_register_driver+0xbc/0xd0
[<ffffffffa1616ae7>] drm_pci_init+0x1e7/0x210
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa2975265>] ? do_one_initcall+0x108/0x242
[<ffffffffa29b732f>] i915_init+0xdb/0xe3
[<ffffffffa29b7254>] ? mipi_dsi_bus_init+0x12/0x12
[<ffffffffa2975384>] do_one_initcall+0x227/0x242
[<ffffffffa297515d>] ? start_kernel+0x4ed/0x4ed
[<ffffffffa10a38db>] ? parse_args+0x5b/0x4f0
[<ffffffffa297562f>] kernel_init_freeable+0x290/0x321
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c03cf4>] kernel_init+0x14/0x100
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
[<ffffffffa1c1a3bf>] ret_from_fork+0x3f/0x70
[<ffffffffa1c03ce0>] ? rest_init+0x150/0x150
Memory state around the buggy address:
ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
^
ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
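Reading a KASan report of this shape by hand means mapping the faulting address onto the shadow rows and working out where the addressable object actually ends. The helper below is an added example (not part of Dave Jones' mail or of the i915 driver) that does that decoding. It relies on the KASan shadow encoding: one shadow byte describes 8 bytes of memory, `00` means all 8 are addressable, `01`..`07` means only the first N are, and `fa` marks a global-variable redzone; the rows under "Memory state" are labelled with memory addresses, so each row covers 128 bytes. The sample report embedded in the block is constructed from the first report above with the call trace omitted; the function and field names are the helper's own.

```python
# Added triage helper (not part of Dave Jones' mail or of the i915 driver):
# parses the header of a KASan report and decodes the "Memory state around
# the buggy address" rows. KASan facts relied on: one shadow byte describes
# 8 bytes of memory, 00 means all 8 are addressable, 01..07 means only the
# first N are, and 0xfa marks a global-variable redzone. The sample below is
# constructed from the first report in the mail (call trace omitted).
import re

SHADOW_SCALE = 8  # bytes of memory per shadow byte

SAMPLE_REPORT = """\
BUG: KASan: out of bounds access in i915_cmd_parser_init_ring+0x66b/0x760 at addr ffffffffa1fb4374
Read of size 4 by task swapper/0/1
Address belongs to variable hsw_blt_cmds+0xb4/0xe0
Memory state around the buggy address:
 ffffffffa1fb4200: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
 ffffffffa1fb4280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
>ffffffffa1fb4300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
 ffffffffa1fb4380: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffffa1fb4400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

BUG_RE = re.compile(r"BUG: KASan: (?P<kind>.+?) in (?P<func>\S+) at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+)")
VAR_RE = re.compile(r"belongs to variable (?P<name>\w+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)")
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")


def parse_report(text):
    """Return (header fields, {granule start address -> shadow byte})."""
    info, shadow = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = BUG_RE.search(line)
        if m:
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
            continue
        m = ACCESS_RE.search(line)
        if m:
            info.update(op=m["op"], size=int(m["size"]))
            continue
        m = VAR_RE.search(line)
        if m:
            info.update(var=m["name"], var_off=int(m["off"], 16), var_size=int(m["size"], 16))
            continue
        m = ROW_RE.match(line)
        if m:
            base = int(m.group(1), 16)  # rows are labelled with memory addresses, not shadow addresses
            for i, byte in enumerate(m.group(2).split()):
                shadow[base + i * SHADOW_SCALE] = int(byte, 16)
    return info, shadow


def granule(addr):
    """Start of the 8-byte granule that one shadow byte describes."""
    return addr & ~(SHADOW_SCALE - 1)


def is_addressable(shadow, addr):
    """True if the shadow says the byte at addr lies inside a live object."""
    s = shadow[granule(addr)]
    if s == 0:
        return True
    if 0 < s < SHADOW_SCALE:  # partially addressable granule: first s bytes valid
        return (addr - granule(addr)) < s
    return False  # 0xfa and the other poison values


def object_before(shadow, addr):
    """[start, end) of the nearest addressable object at or before addr,
    found by walking the shadow granules backwards over any poison."""
    g = granule(addr)
    while g in shadow and shadow[g] >= SHADOW_SCALE:
        g -= SHADOW_SCALE
    if g not in shadow:
        return None
    end = g + (SHADOW_SCALE if shadow[g] == 0 else shadow[g])
    while shadow.get(g - SHADOW_SCALE) == 0:
        g -= SHADOW_SCALE
    return g, end


def triage(text):
    """Cross-check the report header against the shadow dump."""
    info, shadow = parse_report(text)
    addr = info["addr"]
    start, end = object_before(shadow, addr)
    return {
        "func": info["func"],
        "shadow_byte": shadow[granule(addr)],
        "addressable": is_addressable(shadow, addr),
        "object_start": start,
        "object_size": end - start,
        "bytes_past_end": addr - end,  # negative means the access was in-bounds
        # does the symbol offset printed in the report agree with the shadow-derived start?
        "var_off_matches": info.get("var_off") == addr - start,
        # symbol size minus addressable size: the redzone appended after the global
        "redzone_bytes": info.get("var_size", 0) - (end - start),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

On the report above this yields: the faulting address sits in a `fa` granule, the addressable object just before it starts at `ffffffffa1fb42c0` and is 0xb0 bytes long, the 4-byte read is exactly 4 bytes past its end, and the `+0xb4` in `hsw_blt_cmds+0xb4/0xe0` is measured from that same start. The `/0xe0` symbol size is 0x30 bytes larger than the addressable span, which is the six `fa` shadow bytes that follow the object in the dump; the second report at `+0xb8` is the next element of the same out-of-bounds walk.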