Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)

From: Andrey Konovalov
Date: Tue Jul 02 2024 - 10:29:37 EST

Next message: Florian Westphal: "[PATCH nf] netfilter: nf_tables: unconditionally flush pending work before notifier"
Previous message: Leone Fernando: "[PATCH net-next v2 4/4] net: route: replace route hints with input_dst_cache"
In reply to: Tetsuo Handa: "Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)"
Next in thread: Tetsuo Handa: "Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jul 2, 2024 at 8:11 AM Tetsuo Handa
<penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Well, KASAN says "out-of-bounds". But the reported address
>
> BUG: KASAN: stack-out-of-bounds in __show_regs+0x172/0x610
> Read of size 8 at addr ffffc90003c4f798 by task kworker/u8:5/234
>
> is within the kernel stack memory mapping
>
> The buggy address belongs to the virtual mapping at
> [ffffc90003c48000, ffffc90003c51000) created by:
> copy_process+0x5d1/0x3d7
>
> . Why is this "out-of-bounds" ? What boundary did KASAN compare with?
> Is this just a race of KASAN detecting a problem and KASAN reporting
> that problem? (But as I explained above, it is unlikely that the thread
> to be reported can die while processing report_rtnl_holders()...)

KASAN creates the bug title based on the memory state byte, it doesn't
compare any boundaries. So if the memory state got
corrupted/out-of-sync, the title can end up arbitrary. In this case,
the bad access likely touched a redzone between stack variables, so
KASAN reported out-of-bounds.

Since syzbot managed to find a reproducer for this bug, you can ask it
to run the reproducer with additional testing patches to check various
hypotheses [1]. Perhaps, you can write a magic value into task_struct
(or into pt_regs of the task?) in get_rtnl_holder() before saving the
task_struct reference, and then check that marker value in
report_rtnl_holders() before doing sched_show_task(). Depending of
whether the check succeeds, this will give additional information.

One other thing that comes to mind with regards to your patch: if the
task is still executing, the location of things on its stack might
change due to CONFIG_RANDOMIZE_KSTACK_OFFSET while you're printing the
task info. However, if the task is sleeping on a lock, this shouldn't
happen... But maybe a task can wake up during sched_show_task() and
start handling a new syscall? Just some guesses.

[1] https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

Next message: Florian Westphal: "[PATCH nf] netfilter: nf_tables: unconditionally flush pending work before notifier"
Previous message: Leone Fernando: "[PATCH net-next v2 4/4] net: route: replace route hints with input_dst_cache"
In reply to: Tetsuo Handa: "Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)"
Next in thread: Tetsuo Handa: "Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]