linux kernel 6.1.82 BUG: KASAN: stack-out-of-bounds in profile_pc

From: cnitlrt pwn
Date: Mon Mar 25 2024 - 05:45:51 EST


Hello, I look forward to your favourable reply.
Using syzkaller, I found the following issue on:
Linux 6.1.82
kernel config: https://drive.google.com/file/d/10crxboyUU3LTR2TnLE5Dn8mbpMjf4Mmh/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1BiHzX7sv7IkHWNSxIOd8-lQHqZUpsweo/view?usp=sharing

Downloadable assets:
kernel image: https://drive.google.com/file/d/1IZyKop-cvHeRXGaQbb4OqAAd7_QkY3um/view?usp=sharing

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: cnitlrt@xxxxxxxxx

==================================================================
BUG: KASAN: stack-out-of-bounds in profile_pc+0x120/0x130 arch/x86/kernel/time.c:42
Read of size 8 at addr ffff888108567cc8 by task syz-executor308/360

CPU: 0 PID: 360 Comm: syz-executor308 Not tainted 6.1.82 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x4d/0x66 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x16c/0x4a3 mm/kasan/report.c:395
kasan_report+0xb3/0x130 mm/kasan/report.c:495
profile_pc+0x120/0x130 arch/x86/kernel/time.c:42
profile_tick+0x8f/0xd0 kernel/profile.c:339
tick_sched_timer+0xce/0x100 kernel/time/tick-sched.c:1501
__run_hrtimer kernel/time/hrtimer.c:1686 [inline]
__hrtimer_run_queues+0x2d0/0x6c0 kernel/time/hrtimer.c:1750
hrtimer_interrupt+0x2c9/0x6c0 kernel/time/hrtimer.c:1812
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1095 [inline]
__sysvec_apic_timer_interrupt+0xc5/0x2a0 arch/x86/kernel/apic/apic.c:1112
sysvec_apic_timer_interrupt+0x65/0x90 arch/x86/kernel/apic/apic.c:1106
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:653
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:202 [inline]
RIP: 0010:atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:543 [inline]
RIP: 0010:queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
RIP: 0010:do_raw_spin_lock include/linux/spinlock.h:187 [inline]
RIP: 0010:__raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline]
RIP: 0010:_raw_spin_lock+0x8a/0xd0 kernel/locking/spinlock.c:154
Code: c7 44 24 20 00 00 00 00 e8 b3 7b bb fd be 04 00 00 00 48 8d 7c 24 20 e8 a4 7b bb fd ba 01 00 00 00 8b 44 24 20 f0 0f b1 55 00 <75> 2d 48 b8 00 00 00 00 00 fc ff df 48 c7 04 03 00 00 00 00 48 8b
RSP: 0000:ffff888108567cc8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff110210acf99 RCX: ffffffff83a9b40c
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff888108567ce8
RBP: ffffea00042d07a8 R08: 0000000000000001 R09: ffffed10210acf9e
R10: 0000000000000003 R11: ffffed10210acf9d R12: 0000000000000000
R13: 000000010b41e067 R14: 000000010b41e000 R15: ffff88810b0cbf78
spin_lock include/linux/spinlock.h:351 [inline]
handle_pte_fault mm/memory.c:5023 [inline]
__handle_mm_fault+0xa0b/0x2470 mm/memory.c:5155
handle_mm_fault+0x119/0x440 mm/memory.c:5276
do_user_addr_fault+0x36c/0xcd0 arch/x86/mm/fault.c:1380
handle_page_fault arch/x86/mm/fault.c:1471 [inline]
exc_page_fault+0x78/0x120 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7ffbc6c89c35
Code: b8 47 00 00 00 31 c0 ba 80 00 00 20 f3 a4 b9 02 00 00 00 48 c7 c6 9c ff ff ff bf 01 01 00 00 e8 a1 8d 04 00 48 83 f8 ff 74 07 <48> 89 05 d4 33 0c 00 b8 c0 00 00 20 b9 9a 00 00 00 ba c0 00 00 20
RSP: 002b:00007ffdebd040b0 EFLAGS: 00010213
RAX: 0000000000000003 RBX: 00000000000054a6 RCX: 00007ffbc6cd29ed
RDX: 0000000000000002 RSI: 0000000020000080 RDI: ffffffffffffff9c
RBP: 0000000000000000 R08: 00007ffdebd03b10 R09: 00000000c6c8ba40
R10: 0000000000000047 R11: 0000000000000246 R12: 00007ffdebd040b4
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>

The buggy address belongs to stack of task syz-executor308/360
and is located at offset 0 in frame:
_raw_spin_lock+0x0/0xd0 kernel/locking/spinlock.c:179

This frame has 1 object:
[32, 36) 'val'

The buggy address belongs to the physical page:
page:00000000640c47bc refcount:0 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x108567
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 ffffea00042159c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff888108567b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888108567c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888108567c80: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f3 f3
                                              ^
ffff888108567d00: f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1
ffff888108567d80: f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: c7 44 24 20 00 00 00 movl $0x0,0x20(%rsp)
7: 00
8: e8 b3 7b bb fd callq 0xfdbb7bc0
d: be 04 00 00 00 mov $0x4,%esi
12: 48 8d 7c 24 20 lea 0x20(%rsp),%rdi
17: e8 a4 7b bb fd callq 0xfdbb7bc0
1c: ba 01 00 00 00 mov $0x1,%edx
21: 8b 44 24 20 mov 0x20(%rsp),%eax
25: f0 0f b1 55 00 lock cmpxchg %edx,0x0(%rbp)
* 2a: 75 2d jne 0x59 <-- trapping instruction
2c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
33: fc ff df
36: 48 c7 04 03 00 00 00 movq $0x0,(%rbx,%rax,1)
3d: 00
3e: 48 rex.W
3f: 8b .byte 0x8b


Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
r0 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/profiling', 0x2, 0x47)
write(r0, &(0x7f00000000c0)="36036f1493deafdf2328cff2f08fa0e04427785d08d3825b73a1000b7e4e42a7561b2bb4786f42b1701bf3f273498f2354cd89ea2f278dc852638fb05a507ce9f729dd4260d23f2d752d5fb9a00c116545d00a0288505f73edc4fbb5f93064470ba6fc63d360db762a1cbd17696484030ce373fad1d8725946056bf0a66f5cda139fba5f9c4e3878a7b33485dfddabae74000000000000000000", 0x9a)
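The following is an added user-space model, not code from the report or from the kernel tree, of why the read at the interrupted RSP is flagged. The flagged line sits in the !CONFIG_FRAME_POINTER path of profile_pc(): when the tick lands inside a lock function, the code assumes the caller's return address is at sp[0], or at sp[1] above a saved EFLAGS, using "bits 22..63 set" as the test for a kernel address (that heuristic is reproduced here from memory and is an assumption, as are the lock-text range, the caller address, the stack contents, and the helper names). The trace above shows _raw_spin_lock with a frame of its own (a 4-byte 'val' local) and RSP pointing at that frame's left redzone, so the assumption that sp[0] holds a return address does not hold; the model shows the heuristic quietly accepting a non-text value in that layout, and a hypothetical `profile_pc_no_stack_walk` that avoids touching the interrupted task's stack at all:

```c
#include <stdio.h>

/*
 * User-space model of the return-address heuristic in profile_pc()
 * (arch/x86/kernel/time.c, !CONFIG_FRAME_POINTER path), reproduced from
 * memory for illustration only. Nothing here is kernel code; every
 * address and stack word below is constructed.
 */

/* Constructed stand-in for the [__lock_text_start, __lock_text_end) range
 * that in_lock_functions() checks. */
#define LOCK_TEXT_START 0xffffffff81e00000UL
#define LOCK_TEXT_END   0xffffffff81e01000UL

/* Constructed caller text address and a saved EFLAGS value (bits 22+ clear). */
#define CALLER_RET      0xffffffff81012345UL
#define SAVED_EFLAGS    0x0000000000000246UL

struct fake_regs {
    unsigned long ip;          /* interrupted kernel RIP */
    const unsigned long *sp;   /* interrupted RSP, pointing into a simulated stack */
    int user_mode;
};

static int in_lock_functions(unsigned long pc)
{
    return pc >= LOCK_TEXT_START && pc < LOCK_TEXT_END;
}

/* The heuristic: inside a lock function, take sp[0] as the return address,
 * or sp[1] if sp[0] looks like saved EFLAGS (high bits clear). */
static unsigned long profile_pc_model(const struct fake_regs *regs)
{
    unsigned long pc = regs->ip;

    if (!regs->user_mode && in_lock_functions(pc)) {
        const unsigned long *sp = regs->sp;  /* sp[0] is the read KASAN flagged */
        if (sp[0] >> 22)
            return sp[0];
        if (sp[1] >> 22)
            return sp[1];
    }
    return pc;
}

/* Hypothetical alternative: attribute the sample to the interrupted RIP and
 * never dereference the interrupted task's stack. */
static unsigned long profile_pc_no_stack_walk(const struct fake_regs *regs)
{
    return regs->ip;
}

/* Scenario 1: leaf lock routine, return address directly at RSP. */
unsigned long scenario_ret_at_sp0(void)
{
    unsigned long stack[2] = { CALLER_RET, 0 };
    struct fake_regs r = { LOCK_TEXT_START + 0x8a, stack, 0 };
    return profile_pc_model(&r);
}

/* Scenario 2: saved EFLAGS pushed on entry, return address one slot up. */
unsigned long scenario_ret_above_flags(void)
{
    unsigned long stack[2] = { SAVED_EFLAGS, CALLER_RET };
    struct fake_regs r = { LOCK_TEXT_START + 0x8a, stack, 0 };
    return profile_pc_model(&r);
}

/* Scenario 3: the layout in the report. _raw_spin_lock owns a frame (a
 * 4-byte 'val' local plus redzones), so RSP points at frame data rather than
 * at a return address. Constructed stale contents: a zero word followed by a
 * value with high bits set, shaped like the RBX value in the register dump.
 * The heuristic accepts that second word as a "pc" although it is not a text
 * address; the real return address sits further up the frame. */
unsigned long scenario_frame_with_locals(void)
{
    unsigned long stack[6] = { 0, 0x1ffff110210acf99UL, 0, 0, 0, CALLER_RET };
    struct fake_regs r = { LOCK_TEXT_START + 0x8a, stack, 0 };
    return profile_pc_model(&r);
}

/* Same frame, but with the variant that does not walk the stack. */
unsigned long scenario_frame_with_locals_no_walk(void)
{
    unsigned long stack[6] = { 0, 0x1ffff110210acf99UL, 0, 0, 0, CALLER_RET };
    struct fake_regs r = { LOCK_TEXT_START + 0x8a, stack, 0 };
    return profile_pc_no_stack_walk(&r);
}

int main(void)
{
    printf("ret at sp[0]:      %#lx\n", scenario_ret_at_sp0());
    printf("ret above flags:   %#lx\n", scenario_ret_above_flags());
    printf("frame with locals: %#lx (not a text address)\n", scenario_frame_with_locals());
    printf("no stack walk:     %#lx\n", scenario_frame_with_locals_no_walk());
    return 0;
}
```

The model only shows how the heuristic misreads a frame that has locals; what the kernel does with the returned value, and therefore the practical impact beyond the KASAN report, is not something this report establishes.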