syzbot


KASAN: stack-out-of-bounds Read in update_stack_state

Status: upstream: reported C repro on 2019/08/27 12:47
Reported-by: syzbot+13330e78888c1d1255c6@syzkaller.appspotmail.com
First crash: 1932d, last: 1639d
Fix bisection the fix commit could be any of (bisect log):
  c1141b3aab36 Linux 4.14.166
  56dfe6252c68 Linux 4.14.188
  
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: stack-out-of-bounds Read in update_stack_state 2 1763d 1771d 0/2 auto-closed as invalid on 2020/06/10 22:34
upstream KASAN: stack-out-of-bounds Read in update_stack_state kernel C unreliable done 388 1789d 2483d 15/28 fixed on 2020/08/18 12:30
android-5-10 KASAN: stack-out-of-bounds Read in update_stack_state 1 312d 312d 0/2 auto-obsoleted due to no activity on 2024/05/02 04:08
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/01/26 08:32 10m retest repro linux-4.14.y report log
2022/09/08 05:27 10m retest repro linux-4.14.y report log
Fix bisection attempts (5)
Created Duration User Patch Repo Result
2020/07/15 11:26 33m bisect fix linux-4.14.y OK (2) job log
2020/06/15 11:02 24m bisect fix linux-4.14.y OK (0) job log log
2020/05/16 10:36 26m bisect fix linux-4.14.y OK (0) job log log
2020/04/16 10:11 24m bisect fix linux-4.14.y OK (0) job log log
2020/03/17 09:45 26m bisect fix linux-4.14.y OK (0) job log log

Sample crash report:
audit: type=1400 audit(1579294528.541:36): avc:  denied  { map } for  pid=7324 comm="syz-executor374" path="/root/syz-executor374653520" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: stack-out-of-bounds in update_stack_state+0x522/0x590 arch/x86/kernel/unwind_frame.c:270
Read of size 8 at addr ffff88808e487380 by task syz-executor374/7329

CPU: 0 PID: 7329 Comm: syz-executor374 Not tainted 4.14.166-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 __read_once_size include/linux/compiler.h:183 [inline]
 update_stack_state+0x522/0x590 arch/x86/kernel/unwind_frame.c:270
 __unwind_start+0x189/0x3d0 arch/x86/kernel/unwind_frame.c:423
 unwind_start arch/x86/include/asm/unwind.h:60 [inline]
 perf_callchain_kernel+0x26e/0x510 arch/x86/events/core.c:2342
 get_perf_callchain+0x30a/0x7c0 kernel/events/callchain.c:217
 perf_callchain+0x14e/0x1a0 kernel/events/callchain.c:190
 perf_prepare_sample+0x77c/0x1350 kernel/events/core.c:6143
 __perf_event_output kernel/events/core.c:6259 [inline]
 perf_event_output_forward+0xe7/0x200 kernel/events/core.c:6277
 __perf_event_overflow+0x11e/0x330 kernel/events/core.c:7515
 perf_swevent_overflow+0x17c/0x210 kernel/events/core.c:7591
 perf_swevent_event+0x1ac/0x280 kernel/events/core.c:7624
 do_perf_sw_event kernel/events/core.c:7732 [inline]
 ___perf_sw_event+0x295/0x470 kernel/events/core.c:7763
 perf_sw_event_sched include/linux/perf_event.h:1063 [inline]
 perf_event_task_sched_out include/linux/perf_event.h:1101 [inline]
 prepare_task_switch kernel/sched/core.c:2601 [inline]
 context_switch kernel/sched/core.c:2773 [inline]
 __schedule+0xcc0/0x1cd0 kernel/sched/core.c:3384
 schedule+0x92/0x1c0 kernel/sched/core.c:3428
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x2ec/0x5a0 kernel/futex.c:2705
 futex_wait+0x1f9/0x580 kernel/futex.c:2820
 do_futex+0x14a/0x19e0 kernel/futex.c:3903
 SYSC_futex kernel/futex.c:3963 [inline]
 SyS_futex+0x215/0x310 kernel/futex.c:3931
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x446849
RSP: 002b:00007f7db89fadb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446849
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc28
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 00007ffd4d4a0cdf R14: 00007f7db89fb9c0 R15: 20c49ba5e353f7cf

The buggy address belongs to the page:
page:ffffea00023921c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0xfffe0000000000()
raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808e487280: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
 ffff88808e487300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
>ffff88808e487380: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff88808e487400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 ffff88808e487480: 00 f3 f3 f3 00 00 00 00 00 00 00 00 f1 f1 f1 f1
==================================================================

Crashes (11):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/01/17 20:58 linux-4.14.y c1141b3aab36 3de7aabb .config console log report syz C ci2-linux-4-14
2020/02/16 09:44 linux-4.14.y 98db2bf27b9e 5d7b90f1 .config console log report ci2-linux-4-14
2020/02/06 08:50 linux-4.14.y e0f8b8a65a47 662cf49a .config console log report ci2-linux-4-14
2020/01/21 18:16 linux-4.14.y c1141b3aab36 8eda0b95 .config console log report ci2-linux-4-14
2020/01/20 20:35 linux-4.14.y c1141b3aab36 c40da18c .config console log report ci2-linux-4-14
2020/01/17 19:49 linux-4.14.y c1141b3aab36 3de7aabb .config console log report ci2-linux-4-14
2019/11/18 21:35 linux-4.14.y 775d01b65b5d d5696d51 .config console log report ci2-linux-4-14
2019/10/10 05:01 linux-4.14.y 42327896f194 c4b9981b .config console log report ci2-linux-4-14
2019/10/02 03:37 linux-4.14.y f6e27dbb1afa b7a87a83 .config console log report ci2-linux-4-14
2019/09/30 05:13 linux-4.14.y f6e27dbb1afa c1ad5441 .config console log report ci2-linux-4-14
2019/08/27 11:46 linux-4.14.y b5260801526c d21c5d9d .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.