On Wed, Nov 1, 2023 at 1:58 PM Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote: > > On Tue, Oct 31 2023 at 22:36, syzbot wrote: > > general protection fault, probably for non-canonical address 0xdffffc003ffff113: 0000 [#1] PREEMPT SMP KASAN > > KASAN: probably user-memory-access in range [0x00000001ffff8898-0x00000001ffff889f] > > CPU: 1 PID: 5308 Comm: syz-executor.4 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 > > RIP: 0010:lookup_object lib/debugobjects.c:195 [inline] > > RIP: 0010:lookup_object_or_alloc lib/debugobjects.c:564 [inline] > > RIP: 0010:__debug_object_init+0xf3/0x2b0 lib/debugobjects.c:634 > > Code: d8 48 c1 e8 03 42 80 3c 20 00 0f 85 85 01 00 00 48 8b 1b 48 85 db 0f 84 9f 00 00 00 48 8d 7b 18 83 c5 01 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 4c 01 00 00 4c 3b 73 18 75 c3 48 8d 7b 10 48 > > RSP: 0018:ffffc900050e7d08 EFLAGS: 00010012 > > RAX: 000000003ffff113 RBX: 00000001ffff8880 RCX: ffffffff8169123e > > RDX: 1ffffffff249b149 RSI: 0000000000000004 RDI: 00000001ffff8898 > > RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000216 > > R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000 > > R13: ffffffff924d8a48 R14: ffffc900050e7d90 R15: ffffffff924d8a50 > > FS: 0000555556eec480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 00007fa23ab065ee CR3: 000000007e5c1000 CR4: 0000000000350ee0 > > So this dies in debugobjects::lookup_object() > > hlist_for_each_entry() > > > 10: 48 8b 1b mov (%rbx),%rbx > > Gets the next entry > > > 13: 48 85 db test %rbx,%rbx > > 16: 0f 84 9f 00 00 00 je 0xbb > > Checks for the termination condition (NULL pointer) > > > 1c: 48 8d 7b 18 lea 0x18(%rbx),%rdi > > Calculates the address of obj->object > > > 20: 83 c5 01 add $0x1,%ebp > > cnt++; > > > 23: 48 89 f8 mov %rdi,%rax > > 26: 48 c1 e8 03 shr $0x3,%rax > > KASAN shadow address calculation > > > * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction > > Kasan accesses 0xdffffc003ffff113 and dies. > > RBX contains the pointer to the next object: 0x00000001ffff8880 which is > clearly a user space address, but I have no idea where that might come > from. It's obviously data corruption of unknown provenience. > > Unfortunately repro.syz does not hold up to its name and refuses to > reproduce. For me, on a locally built kernel (gcc 13.2.0) it didn't work either. But, interestingly, it does reproduce using the syzbot-built kernel shared via the "Downloadable assets" [1] in the original report. The repro crashed the kernel in ~1 minute. [1] https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md [ 125.919060][ C0] BUG: KASAN: stack-out-of-bounds in rb_next+0x10a/0x130 [ 125.921169][ C0] Read of size 8 at addr ffffc900048e7c60 by task kworker/0:1/9 [ 125.923235][ C0] [ 125.923243][ C0] CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0 [ 125.924546][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 125.926915][ C0] Workqueue: events nsim_dev_trap_report_work [ 125.929333][ C0] [ 125.929341][ C0] Call Trace: [ 125.929350][ C0] <IRQ> [ 125.929356][ C0] dump_stack_lvl+0xd9/0x1b0 [ 125.931302][ C0] print_report+0xc4/0x620 [ 125.932115][ C0] ? __virt_addr_valid+0x5e/0x2d0 [ 125.933194][ C0] kasan_report+0xda/0x110 [ 125.934814][ C0] ? rb_next+0x10a/0x130 [ 125.936521][ C0] ? rb_next+0x10a/0x130 [ 125.936544][ C0] rb_next+0x10a/0x130 [ 125.936565][ C0] timerqueue_del+0xd4/0x140 [ 125.936590][ C0] __remove_hrtimer+0x99/0x290 [ 125.936613][ C0] __hrtimer_run_queues+0x55b/0xc10 [ 125.936638][ C0] ? enqueue_hrtimer+0x310/0x310 [ 125.936659][ C0] ? ktime_get_update_offsets_now+0x3bc/0x610 [ 125.936688][ C0] hrtimer_interrupt+0x31b/0x800 [ 125.936715][ C0] __sysvec_apic_timer_interrupt+0x105/0x3f0 [ 125.936737][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 125.936755][ C0] </IRQ> [ 125.936759][ C0] <TASK> > > Thanks, > > tglx > > -- > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx. > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/875y2lmxys.ffs%40tglx.
