Re: [syzbot] [xfs?] KFENCE: memory corruption in xfs_idata_realloc

From: Marco Elver
Date: Thu Oct 10 2024 - 04:31:47 EST


On Thu, 10 Oct 2024 at 08:48, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
>
> [adding the kfence maintainers]
>
> On Tue, Oct 08, 2024 at 04:43:23PM -0700, syzbot wrote:
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8a8170685a482c92e86a
>
> [...]
>
> > XFS (loop2): Quotacheck: Done.
> > ==================================================================
> > BUG: KFENCE: memory corruption in krealloc_noprof+0x160/0x2e0
> >
> > Corrupted memory at 0xffff88823bedafeb [ 0x03 0x00 0xd8 0x62 0x75 0x73 0x01 0x00 0x00 0x11 0x4c 0x00 0x00 0x00 0x00 0x00 ] (in kfence-#108):
> > krealloc_noprof+0x160/0x2e0
> > xfs_idata_realloc+0x116/0x1b0 fs/xfs/libxfs/xfs_inode_fork.c:523
>
> I've tried to make sense of this report and failed.
>
> Documentation/dev-tools/kfence.rst explains these messages as:
>
> KFENCE also uses pattern-based redzones on the other side of an object's guard
> page, to detect out-of-bounds writes on the unprotected side of the object.
> These are reported on frees::
>
> But doesn't explain what "the other side of an object's guard page" is.

Every kfence object has a guard page right next to where it's allocated:

[ GUARD | OBJECT + "wasted space" ]

or

[ "wasted space" + OBJECT | GUARD ]

The GUARD is randomly on the left or right. If an OOB access straddles
into the GUARD, we get a page fault. For objects smaller than
page-size, there'll be some "wasted space" on the object page, which
is on "the other side" vs. where the guard page is. If an OOB write or
other random memory corruption doesn't hit the GUARD but the "wasted
space" portion next to an object, that would be detected as "Corrupted
memory" on free because the redzone pattern was likely stomped on.

> Either way this is in the common krealloc code, which is a bit special
> as it uses ksize to figure out what the actual underlying allocation
> size of an object is to make use of that. Without understanding the
> actual error I wonder if that's something kfence can't cope with?

krealloc + KFENCE broke in next-20241003:
https://lore.kernel.org/all/CANpmjNM5XjwwSc8WrDE9=FGmSScftYrbsvC+db+82GaMPiQqvQ@xxxxxxxxxxxxxx/T/#u
It's been removed from -next since then.

It's safe to ignore.

#syz dup: KFENCE: memory corruption in add_sysfs_param
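Added illustration of the slot layout described above (not KFENCE's code, and not part of the thread): a user-space model of one KFENCE slot where the object sits flush against the guard side, the remaining "wasted space" is filled with an address-dependent pattern, and the pattern is re-checked on free. The canary formula, page size and the -2 "would fault" code are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SIZE 4096

/* One simulated KFENCE slot; the guard page is represented only by which side the object sits on. */
struct slot {
    uint8_t page[PAGE_SIZE];
    size_t size;          /* requested object size */
    size_t offset;        /* object start within the data page */
    int guard_on_right;   /* 1: [ wasted | OBJECT | GUARD ], 0: [ GUARD | OBJECT | wasted ] */
};

/* Address-dependent redzone byte (constructed here; KFENCE's own pattern differs). */
static uint8_t canary(const uint8_t *p) { return (uint8_t)(0xaa ^ ((uintptr_t)p & 0xf)); }

/* Place the object against the guard side and fill the "wasted space" with the pattern. */
static void *slot_alloc(struct slot *s, size_t size, int guard_on_right) {
    s->size = size;
    s->guard_on_right = guard_on_right;
    s->offset = guard_on_right ? PAGE_SIZE - size : 0;
    for (size_t i = 0; i < PAGE_SIZE; i++)
        s->page[i] = (i < s->offset || i >= s->offset + size) ? canary(&s->page[i]) : 0;
    return &s->page[s->offset];
}

/* Free-time check: page offset of the first stomped redzone byte, or -1 if the pattern is intact. */
static long slot_free_check(const struct slot *s) {
    for (size_t i = 0; i < PAGE_SIZE; i++) {
        if (i >= s->offset && i < s->offset + s->size) continue;
        if (s->page[i] != canary(&s->page[i])) return (long)i;
    }
    return -1;
}

/* Write size+overflow bytes into a size-byte object and report what KFENCE would observe:
 * -2 = the write would straddle into the GUARD (immediate page fault), else the free-check result. */
static long demo(size_t size, size_t overflow, int guard_on_right) {
    struct slot s;
    uint8_t *obj = slot_alloc(&s, size, guard_on_right);
    if (guard_on_right && overflow > 0) return -2;  /* no room on the right: would hit GUARD */
    memset(obj, 0x41, size + overflow);             /* OOB bytes land in the "wasted space" */
    return slot_free_check(&s);
}

int main(void) {
    printf("in-bounds write, guard left : %ld\n", demo(100, 0, 0));  /* -1: redzone intact */
    printf("3-byte overflow, guard left : %ld\n", demo(100, 3, 0));  /* 100: caught on free */
    printf("3-byte overflow, guard right: %ld\n", demo(100, 3, 1));  /* -2: guard page fault */
    return 0;
}
```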