syzbot


UBSAN: shift-out-of-bounds in intel_pmu_refresh

Status: fixed on 2021/03/10 01:48
Subsystems: kvm
Reported-by: syzbot+ae488dc136a4cc6ba32b@syzkaller.appspotmail.com
Fix commit: e61ab2a320c3 KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in intel_pmu_refresh()
First crash: 1406d, last: 1355d
Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

  Linux 5.3

Crash: UBSAN: undefined-behaviour in intel_pmu_refresh (log)
Repro: C syz .config
Discussions (5)
Title | Replies (including bot) | Last reply
[PATCH 5.10 000/142] 5.10.13-rc1 review | 154 (154) | 2021/02/03 23:03
[PATCH 5.4 00/61] 5.4.95-rc1 review | 65 (65) | 2021/02/03 20:42
[PATCH v2] KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in intel_pmu_refresh() | 2 (2) | 2021/01/18 17:56
[PATCH] KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in intel_pmu_refresh() | 3 (3) | 2021/01/16 00:16
UBSAN: shift-out-of-bounds in intel_pmu_refresh | 0 (1) | 2020/12/09 07:33

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in arch/x86/kvm/vmx/pmu_intel.c:348:45
shift exponent 197 is too large for 64-bit type 'long long unsigned int'
CPU: 1 PID: 8490 Comm: syz-executor977 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 intel_pmu_refresh.cold+0x75/0x99 arch/x86/kvm/vmx/pmu_intel.c:348
 kvm_vcpu_after_set_cpuid+0x65a/0xf80 arch/x86/kvm/cpuid.c:178
 kvm_vcpu_ioctl_set_cpuid2+0x160/0x440 arch/x86/kvm/cpuid.c:309
 kvm_arch_vcpu_ioctl+0x1249/0x2d30 arch/x86/kvm/x86.c:4748
 kvm_vcpu_ioctl+0x7b9/0xd90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3434
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4480a9
Code: e8 9c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f0646930d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000006ddc68 RCX: 00000000004480a9
RDX: 0000000020000480 RSI: 000000004008ae90 RDI: 0000000000000008
RBP: 00000000006ddc60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc6c
R13: ddd82e0065000000 R14: 099a300f0078010f R15: 2e320fc0000080b9
================================================================================

Crashes (1237):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2021/01/18 05:52 | upstream | a1339d6355ac | fd103621 | .config | console log | report | syz | C | | | ci-upstream-kasan-gce | UBSAN: shift-out-of-bounds in intel_pmu_refresh
2020/12/08 07:13 | linux-next | 15ac8fdb7440 | 51a9082e | .config | console log | report | syz | C | | | ci-upstream-linux-next-kasan-gce-root | 