kvm: out-of-bounds write in __rtc_irq_eoi_tracking_restore_one

From: Dmitry Vyukov
Date: Sat Nov 12 2016 - 15:23:07 EST


Hello,

The following program triggers a slab-out-of-bounds write:
https://gist.githubusercontent.com/dvyukov/c4941c67e2eb5be314b902b17dc089df/raw/4f1844d19f6308135ca14c7f28e0898da1b363de/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

BUG: KASAN: slab-out-of-bounds in __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 at addr ffff88003bd82b7c
Write of size 1 by task syz-executor/5031
CPU: 3 PID: 5031 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
ffff88006d0df6b8 ffffffff81c2e46b ffff88003e80cf40 ffff88003bd82568
ffff88003bd82ea0 0000000000000001 ffff88006d0df6e0 ffffffff8165ab9c
ffffed00077b056f ffffed00077b056f ffff88003e80cf40 ffff88006d0df760
Call Trace:
[<ffffffff8165b257>] __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:331
[<ffffffff8112aa3b>] __rtc_irq_eoi_tracking_restore_one+0x33b/0x350 arch/x86/kvm/ioapic.c:128
[<ffffffff8112be26>] kvm_rtc_eoi_tracking_restore_one+0x66/0x90 arch/x86/kvm/ioapic.c:142
[<ffffffff81125325>] kvm_apic_set_state+0x9b5/0xde0 arch/x86/kvm/lapic.c:2091
[< inline >] kvm_vcpu_ioctl_set_lapic arch/x86/kvm/x86.c:2834
[<ffffffff810a8b1d>] kvm_arch_vcpu_ioctl+0x155d/0x3100 arch/x86/kvm/x86.c:3337
[<ffffffff810608b2>] kvm_vcpu_ioctl+0x1e2/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2708
[< inline >] vfs_ioctl fs/ioctl.c:43
[<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[< inline >] SYSC_ioctl fs/ioctl.c:694
[<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Object at ffff88003bd82568, in cache kmalloc-2048 size: 2048
Allocated:
PID = 5018
[ 2761.628607] [<ffffffff811abb36>] save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
[ 2761.628607] [<ffffffff81659ee6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:495
[ 2761.634614] [< inline >] set_track mm/kasan/kasan.c:507
[ 2761.634614] [<ffffffff8165a15d>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
[ 2761.639003] [<ffffffff816557f8>] kmem_cache_alloc_trace+0xf8/0x280 mm/slub.c:2735
[ 2761.639003] [< inline >] kmalloc include/linux/slab.h:490
[ 2761.639003] [< inline >] kzalloc include/linux/slab.h:636
[ 2761.639003] [<ffffffff8112cbc1>] kvm_ioapic_init+0x51/0x5d0 arch/x86/kvm/ioapic.c:611
[ 2761.639003] [<ffffffff810ab9e4>] kvm_arch_vm_ioctl+0xfb4/0x1c10 arch/x86/kvm/x86.c:3914
[ 2761.639003] [<ffffffff81065e93>] kvm_vm_ioctl+0x193/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3097
[ 2761.639003] [< inline >] vfs_ioctl fs/ioctl.c:43
[ 2761.639003] [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
[ 2761.639003] [< inline >] SYSC_ioctl fs/ioctl.c:694
[ 2761.639003] [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
[ 2761.639003] [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
ffff88003bd82a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88003bd82a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88003bd82b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88003bd82b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88003bd82c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================