Re: perf: fuzzer KASAN unwind_get_return_address

From: Peter Zijlstra
Date: Wed Nov 16 2016 - 09:58:58 EST


On Wed, Nov 16, 2016 at 03:49:43PM +0100, Peter Zijlstra wrote:
> Let me enable those and run again, it didn't insta-trigger like it does
> without.

Tada! The splat below lands at unwind_get_return_address+0x1fb, which in the disassembly is the return address of the __asan_report_load8_noabort call at ffffffff811c72c6 — i.e. the 8-byte load `mov (%r12),%rdx` at ffffffff811c7198 is what trips KASAN, and the shadow byte for ffff88042f88bba0 in the report is f1 (stack left redzone).

$ objdump -D ivb-dbg/vmlinux | awk '/<[^>]*>:/ { p = 0; } /<unwind_get_return_address>:/ { p = 1; } { if (p) print $0; }'

# objdump -D excerpt (AT&T syntax) of unwind_get_return_address() as built with
# KASAN inline instrumentation (CONFIG_KASAN_INLINE).  The listing is evidence;
# the '#' annotations are reviewer notes and not part of any build.
#
# The instrumentation pattern that repeats throughout:
#   movabs $0xdffffc0000000000,%rax    rax = KASAN_SHADOW_OFFSET (x86-64)
#   mov    ADDR,%rdx ; shr $0x3,%rdx   rdx = ADDR >> 3
#   cmpb   $0x0,(%rdx,%rax,1)          shadow byte for ADDR; 0 == all 8 bytes addressable
#   jne    <out-of-line stub>          stub passes ADDR in rdi to __asan_report_loadN_noabort,
#                                      then jumps back and the load is performed anyway ("noabort")
# 4-byte accesses use the longer "(addr & 7) + 3 < shadow" form (see +0x28..+0x3b, +0x19d..+0x1a7).
#
# Register roles (SysV AMD64):
#   rdi -> rbx : arg0 'state', kept in rbx across the calls below
#   r12        : pointer that is dereferenced at +0xc8 and passed as arg3 at +0xef;
#                either state+0x40 field + 0x80, or state+0x38 field + 8
#   r13        : value returned by ftrace_graph_ret_addr(), also the non-zero return value
#   r14        : &state+0x28 (field names below are inferred from offsets; confirm against the source)
#   rax        : return value; 0 on every early-out path
# Stack: rbp frame, 4 callee-saved pushes, 0x10 bytes of spill space (-0x30/-0x28(%rbp)),
#        used only by the stub at +0x200 to keep rsi/rdx alive across the report call.
ffffffff811c70d0 <unwind_get_return_address>:
ffffffff811c70d0: e8 8b 61 0e 02 callq ffffffff832ad260 <__fentry__>        # ftrace entry hook
ffffffff811c70d5: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax      # KASAN shadow offset
ffffffff811c70dc: fc ff df
ffffffff811c70df: 55 push %rbp
ffffffff811c70e0: 48 89 fa mov %rdi,%rdx                                    # rdx = state
ffffffff811c70e3: 48 89 e5 mov %rsp,%rbp                                    # frame pointer
ffffffff811c70e6: 48 c1 ea 03 shr $0x3,%rdx                                 # rdx = state >> 3 (shadow index)
ffffffff811c70ea: 41 56 push %r14                                           # callee-saved: r14, r13, r12, rbx
ffffffff811c70ec: 41 55 push %r13
ffffffff811c70ee: 41 54 push %r12
ffffffff811c70f0: 53 push %rbx
ffffffff811c70f1: 48 89 fb mov %rdi,%rbx                                    # rbx = state, live across calls
ffffffff811c70f4: 48 83 ec 10 sub $0x10,%rsp                                # 16 bytes of spill space
# KASAN 4-byte check for the load at +0x41: ok if (state & 7) + 3 < shadow, or shadow == 0
ffffffff811c70f8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx                     # dl = shadow byte of state
ffffffff811c70fc: 48 89 f8 mov %rdi,%rax
ffffffff811c70ff: 83 e0 07 and $0x7,%eax                                    # eax = state & 7
ffffffff811c7102: 83 c0 03 add $0x3,%eax                                    # offset of the last byte of the 4-byte access
ffffffff811c7105: 38 d0 cmp %dl,%al
ffffffff811c7107: 7c 08 jl ffffffff811c7111 <unwind_get_return_address+0x41>          # partially addressable granule, in range
ffffffff811c7109: 84 d2 test %dl,%dl
ffffffff811c710b: 0f 85 0e 01 00 00 jne ffffffff811c721f <unwind_get_return_address+0x14f>   # shadow != 0 -> report (rdi still = state)
ffffffff811c7111: 8b 03 mov (%rbx),%eax                                     # eax = 4-byte field at state+0
ffffffff811c7113: 85 c0 test %eax,%eax
ffffffff811c7115: 0f 84 c9 00 00 00 je ffffffff811c71e4 <unwind_get_return_address+0x114>   # field == 0 -> return 0 (looks like the unwind_done() check; confirm)
# KASAN 8-byte check for state+0x40, then load it into r12 (presumably state->regs; confirm)
ffffffff811c711b: 48 8d 7b 40 lea 0x40(%rbx),%rdi
ffffffff811c711f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c7126: fc ff df
ffffffff811c7129: 48 89 fa mov %rdi,%rdx
ffffffff811c712c: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811c7130: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
ffffffff811c7134: 0f 85 ef 00 00 00 jne ffffffff811c7229 <unwind_get_return_address+0x159>   # -> report stub, returns to +0x6a
ffffffff811c713a: 4c 8b 63 40 mov 0x40(%rbx),%r12                           # r12 = *(state+0x40)
ffffffff811c713e: 4d 85 e4 test %r12,%r12
ffffffff811c7141: 0f 84 ac 00 00 00 je ffffffff811c71f3 <unwind_get_return_address+0x123>   # NULL -> take the state+0x38 path at +0x123
# KASAN 8-byte check for r12+0x88, then test its low 2 bits (presumably regs->cs & 3, i.e. user_mode(); confirm)
ffffffff811c7147: 49 8d bc 24 88 00 00 lea 0x88(%r12),%rdi
ffffffff811c714e: 00
ffffffff811c714f: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c7156: fc ff df
ffffffff811c7159: 48 89 f9 mov %rdi,%rcx
ffffffff811c715c: 48 c1 e9 03 shr $0x3,%rcx
ffffffff811c7160: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1)
ffffffff811c7164: 0f 85 4f 01 00 00 jne ffffffff811c72b9 <unwind_get_return_address+0x1e9>   # -> report stub, returns to +0x9a
ffffffff811c716a: 41 f6 84 24 88 00 00 testb $0x3,0x88(%r12)
ffffffff811c7171: 00 03
ffffffff811c7173: 75 6f jne ffffffff811c71e4 <unwind_get_return_address+0x114>   # low bits set -> return 0
ffffffff811c7175: 49 83 ec 80 sub $0xffffffffffffff80,%r12                  # r12 += 0x80 (imm8 -128 sign-extended); presumably &regs->ip
# +0xa9: common path, r12 = address of the return-address slot.  8-byte check for (%r12).
ffffffff811c7179: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c7180: fc ff df
ffffffff811c7183: 4c 89 e2 mov %r12,%rdx
ffffffff811c7186: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811c718a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
ffffffff811c718e: 0f 85 2f 01 00 00 jne ffffffff811c72c3 <unwind_get_return_address+0x1f3>   # -> report stub whose return address is +0x1fb (the KASAN splat below)
ffffffff811c7194: 4c 8d 73 28 lea 0x28(%rbx),%r14                           # r14 = &state+0x28
ffffffff811c7198: 49 8b 14 24 mov (%r12),%rdx                               # rdx = *r12 — the "Read of size 8" reported by KASAN
ffffffff811c719c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c71a3: fc ff df
ffffffff811c71a6: 48 8d 73 30 lea 0x30(%rbx),%rsi                           # arg1 = &state+0x30 (presumably &state->graph_idx; confirm)
ffffffff811c71aa: 4c 89 f1 mov %r14,%rcx
ffffffff811c71ad: 48 c1 e9 03 shr $0x3,%rcx
ffffffff811c71b1: 80 3c 01 00 cmpb $0x0,(%rcx,%rax,1)                      # 8-byte check for state+0x28
ffffffff811c71b5: 0f 85 15 01 00 00 jne ffffffff811c72d0 <unwind_get_return_address+0x200>   # -> report stub that spills rsi/rdx, returns to +0xeb
ffffffff811c71bb: 48 8b 7b 28 mov 0x28(%rbx),%rdi                           # arg0 = *(state+0x28) (presumably state->task; confirm)
ffffffff811c71bf: 4c 89 e1 mov %r12,%rcx                                    # arg3 = r12; arg2 (rdx) = *r12 from +0xc8
ffffffff811c71c2: e8 59 7a 2c 00 callq ffffffff8148ec20 <ftrace_graph_ret_addr>
ffffffff811c71c7: 48 89 c7 mov %rax,%rdi                                    # arg0 = resolved address
ffffffff811c71ca: 49 89 c5 mov %rax,%r13                                    # r13 = resolved address, kept for the return / the warning below
ffffffff811c71cd: e8 9e 30 0c 00 callq ffffffff8128a270 <__kernel_text_address>
ffffffff811c71d2: 89 c2 mov %eax,%edx
ffffffff811c71d4: 4c 89 e8 mov %r13,%rax                                    # rax = address (return value if the text check passed)
ffffffff811c71d7: 85 d2 test %edx,%edx
ffffffff811c71d9: 75 0b jne ffffffff811c71e6 <unwind_get_return_address+0x116>   # is kernel text -> return it
ffffffff811c71db: 80 3d 18 29 f9 02 00 cmpb $0x0,0x2f92918(%rip) # ffffffff84159afa <__print_once.27085>   # not text: warn once
ffffffff811c71e2: 74 4f je ffffffff811c7233 <unwind_get_return_address+0x163>   # flag clear -> print path at +0x163
ffffffff811c71e4: 31 c0 xor %eax,%eax                                       # +0x114: return 0
ffffffff811c71e6: 48 83 c4 10 add $0x10,%rsp                                # +0x116: epilogue, pops mirror the prologue
ffffffff811c71ea: 5b pop %rbx
ffffffff811c71eb: 41 5c pop %r12
ffffffff811c71ed: 41 5d pop %r13
ffffffff811c71ef: 41 5e pop %r14
ffffffff811c71f1: 5d pop %rbp
ffffffff811c71f2: c3 retq
# +0x123: *(state+0x40) was NULL — use *(state+0x38) + 8 as the slot address (presumably state->bp + 1; confirm)
ffffffff811c71f3: 48 8d 7b 38 lea 0x38(%rbx),%rdi
ffffffff811c71f7: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c71fe: fc ff df
ffffffff811c7201: 48 89 fa mov %rdi,%rdx
ffffffff811c7204: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811c7208: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)                      # 8-byte check for state+0x38
ffffffff811c720c: 0f 85 9d 00 00 00 jne ffffffff811c72af <unwind_get_return_address+0x1df>   # -> report stub, returns to +0x142
ffffffff811c7212: 48 8b 43 38 mov 0x38(%rbx),%rax
ffffffff811c7216: 4c 8d 60 08 lea 0x8(%rax),%r12                            # r12 = *(state+0x38) + 8
ffffffff811c721a: e9 5a ff ff ff jmpq ffffffff811c7179 <unwind_get_return_address+0xa9>   # rejoin the common path
# Out-of-line KASAN report stubs (cold): call the reporter with the faulting address in rdi, then resume.
ffffffff811c721f: e8 6c b0 45 00 callq ffffffff81622290 <__asan_report_load4_noabort>   # rdi = state (from +0x2c path)
ffffffff811c7224: e9 e8 fe ff ff jmpq ffffffff811c7111 <unwind_get_return_address+0x41>
ffffffff811c7229: e8 b2 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort>   # rdi = state+0x40
ffffffff811c722e: e9 07 ff ff ff jmpq ffffffff811c713a <unwind_get_return_address+0x6a>
# +0x163: warn-once path.  Sets the flag, loads fields of *(state+0x28) and calls printk_deferred.
ffffffff811c7233: 4c 89 f2 mov %r14,%rdx
ffffffff811c7236: c6 05 bd 28 f9 02 01 movb $0x1,0x2f928bd(%rip) # ffffffff84159afa <__print_once.27085>   # mark as printed
ffffffff811c723d: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c7244: fc ff df
ffffffff811c7247: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811c724b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)                      # 8-byte check for state+0x28
ffffffff811c724f: 75 4d jne ffffffff811c729e <unwind_get_return_address+0x1ce>   # -> report stub, returns to +0x181
ffffffff811c7251: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
ffffffff811c7258: fc ff df
ffffffff811c725b: 48 8b 5b 28 mov 0x28(%rbx),%rbx                           # rbx = *(state+0x28); state is no longer needed here
ffffffff811c725f: 48 8d bb c0 04 00 00 lea 0x4c0(%rbx),%rdi
ffffffff811c7266: 48 89 fa mov %rdi,%rdx
ffffffff811c7269: 48 c1 ea 03 shr $0x3,%rdx
ffffffff811c726d: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax                     # 4-byte check for rbx+0x4c0 (8-aligned: ok if shadow == 0 or shadow > 3)
ffffffff811c7271: 84 c0 test %al,%al
ffffffff811c7273: 74 04 je ffffffff811c7279 <unwind_get_return_address+0x1a9>
ffffffff811c7275: 3c 03 cmp $0x3,%al
ffffffff811c7277: 7e 2f jle ffffffff811c72a8 <unwind_get_return_address+0x1d8>   # shadow <= 3 (incl. negative poison) -> report
ffffffff811c7279: 44 8b 83 c0 04 00 00 mov 0x4c0(%rbx),%r8d                  # arg4 = 4-byte field at +0x4c0 (field name not visible here)
ffffffff811c7280: 48 8d 8b 58 06 00 00 lea 0x658(%rbx),%rcx                 # arg3 = &field at +0x658 (field name not visible here)
ffffffff811c7287: 4c 89 e2 mov %r12,%rdx                                    # arg2 = slot address
ffffffff811c728a: 4c 89 ee mov %r13,%rsi                                    # arg1 = rejected address
ffffffff811c728d: 48 c7 c7 e0 1d 45 83 mov $0xffffffff83451de0,%rdi         # arg0 = sign-extended imm32 kernel address (presumably the format string; non-PIE kernel)
ffffffff811c7294: e8 49 8c 35 00 callq ffffffff8151fee2 <printk_deferred>
ffffffff811c7299: e9 46 ff ff ff jmpq ffffffff811c71e4 <unwind_get_return_address+0x114>   # then return 0
ffffffff811c729e: 4c 89 f7 mov %r14,%rdi                                    # report stub: rdi = &state+0x28
ffffffff811c72a1: e8 3a b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort>
ffffffff811c72a6: eb a9 jmp ffffffff811c7251 <unwind_get_return_address+0x181>
ffffffff811c72a8: e8 e3 af 45 00 callq ffffffff81622290 <__asan_report_load4_noabort>   # rdi = rbx+0x4c0
ffffffff811c72ad: eb ca jmp ffffffff811c7279 <unwind_get_return_address+0x1a9>
ffffffff811c72af: e8 2c b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort>   # rdi = &state+0x38
ffffffff811c72b4: e9 59 ff ff ff jmpq ffffffff811c7212 <unwind_get_return_address+0x142>
ffffffff811c72b9: e8 22 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort>   # rdi = r12+0x88
ffffffff811c72be: e9 a7 fe ff ff jmpq ffffffff811c716a <unwind_get_return_address+0x9a>
ffffffff811c72c3: 4c 89 e7 mov %r12,%rdi                                    # report stub for the load at +0xc8: rdi = slot address
ffffffff811c72c6: e8 15 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort>   # return address ffffffff811c72cb == +0x1fb, as in the splat
ffffffff811c72cb: e9 c4 fe ff ff jmpq ffffffff811c7194 <unwind_get_return_address+0xc4>   # noabort: go back and do the load anyway
ffffffff811c72d0: 4c 89 f7 mov %r14,%rdi                                    # report stub for state+0x28: rdi = &state+0x28
ffffffff811c72d3: 48 89 75 d0 mov %rsi,-0x30(%rbp)                          # rsi/rdx are caller-saved and still needed as args at +0xeb
ffffffff811c72d7: 48 89 55 d8 mov %rdx,-0x28(%rbp)
ffffffff811c72db: e8 00 b0 45 00 callq ffffffff816222e0 <__asan_report_load8_noabort>
ffffffff811c72e0: 48 8b 75 d0 mov -0x30(%rbp),%rsi
ffffffff811c72e4: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff811c72e8: e9 ce fe ff ff jmpq ffffffff811c71bb <unwind_get_return_address+0xeb>
ffffffff811c72ed: 0f 1f 00 nopl (%rax)                                      # alignment padding


---
3==================================================================
3BUG: KASAN: stack-out-of-bounds in unwind_get_return_address+0x1fb/0x220 at addr ffff88042f88bba0
3Read of size 8 by task swapper/2/0
0page:ffffea0010be22c0 count:1 mapcount:0 mapping: (null) index:0x0c
0flags: 0x2ffff8000000400(reserved)
1page dumped because: kasan: bad access detected
dCPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.9.0-rc5-00530-gd8866fc-dirty #3
dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
dCall Trace:
d <NMI>
d dump_stack+0x67/0x94
d kasan_report_error+0x4a1/0x4d0
d ? printk+0xef/0xef
d __asan_report_load8_noabort+0x43/0x50
d ? unwind_get_return_address+0x1fb/0x220
d unwind_get_return_address+0x1fb/0x220
d perf_callchain_kernel+0x356/0x550
d ? arch_perf_update_userpage+0x350/0x350
d ? __perf_event_header__init_id+0x500/0x500
d get_perf_callchain+0x276/0x670
d ? put_callchain_buffers+0x50/0x50
d ? sched_clock_cpu+0x11c/0x1a0
d perf_callchain+0x128/0x1a0
d perf_prepare_sample+0x70e/0xfb0
d perf_event_output_forward+0x93/0x110
d ? perf_prepare_sample+0xfb0/0xfb0
d ? arch_perf_update_userpage+0x26c/0x350
d ? sched_clock_cpu+0x11c/0x1a0
d __perf_event_overflow+0x1a3/0x570
d perf_event_overflow+0x14/0x20
d __intel_pmu_pebs_event+0x3ca/0x610
d ? pebs_update_state+0x310/0x310
d ? acpi_map_lookup+0x40/0xad
d ? intel_pmu_disable_bts+0xc0/0xc0
d ? acpi_map_lookup+0x40/0xad
d ? put_dec+0x1c/0xb0
d ? number+0x71c/0xa70
d ? put_dec+0xb0/0xb0
d intel_pmu_drain_pebs_nhm+0x5f6/0xbf0
d ? __intel_pmu_pebs_event+0x610/0x610
d ? early_serial_putc+0x41/0x70
d ? early_serial_write+0x7c/0xf0
d ? trace_raw_output_console+0x160/0x160
d intel_pmu_handle_irq+0x4b2/0xa90
d ? intel_pmu_save_and_restart+0xe0/0xe0
d ? acpi_os_read_memory+0x228/0x262
d ? acpi_os_get_timer+0x1a/0x1a
d ? vunmap_page_range+0x269/0x400
d ? ghes_copy_tofrom_phys+0x149/0x270
d ? ghes_read_estatus+0x11e/0x6b0
d ? ghes_copy_tofrom_phys+0x270/0x270
d perf_event_nmi_handler+0x2d/0x50
d nmi_handle+0x9e/0x250
d default_do_nmi+0x111/0x180
d do_nmi+0x1a2/0x210
d end_repeat_nmi+0x1a/0x1e
dRIP: 0010:irq_exit+0x10/0x1d0
dRSP: 0000:ffff88042f887fc8 EFLAGS: 00000046c
dRAX: 0000000000000000 RBX: ffffffff83a77980 RCX: 1ffff10080965faf
dRDX: 1ffff10085f13747 RSI: 0000000000000000 RDI: ffff88042f89ba38
dRBP: ffff88042f887fd0 R08: ffff8804060b1a08 R09: 1ffff10085f1276e
dR10: ffffed0080c16369 R11: ffff88042f89dd04 R12: 00000023af3410aa
dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180
d ? irq_exit+0x10/0x1d0
d ? irq_exit+0x10/0x1d0
d <EOE>
d <IRQ>
d smp_call_function_single_interrupt+0x70/0x90
d call_function_single_interrupt+0x90/0xa0
dRIP: 0010:cpuidle_enter_state+0x121/0x7a0
dRSP: 0000:ffff88042caffe28 EFLAGS: 00000246c ORIG_RAX: ffffffffffffff04
dRAX: 0000000000000000 RBX: ffff88042f8ab720 RCX: 000000000000001f
dRDX: 1ffff10085f142f9 RSI: 000000002dd33691 RDI: ffff88042f8a17c8
dRBP: ffff88042caffe88 R08: 0000000000000018 R09: ffffffff83f3f320
dR10: 071c71c71c71c71c R11: ffff88042f89dd04 R12: 00000023af3410aa
dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180
d <EOI>
d ? cpuidle_enter_state+0x11c/0x7a0
d cpuidle_enter+0x17/0x20
d call_cpuidle+0x47/0xc0
d ? cpuidle_select+0x59/0x80
d cpu_startup_entry+0x1a6/0x2d0
d start_secondary+0x245/0x2d0
d start_cpu+0x5/0x14
3Memory state around the buggy address:
3 ffff88042f88ba80: f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f3 f3 f3
3 ffff88042f88bb00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3>ffff88042f88bb80: f1 f1 f1 f1 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2
3 ^
3 ffff88042f88bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3 ffff88042f88bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3==================================================================
4Disabling lock debugging due to kernel taint
3==================================================================
3BUG: KASAN: stack-out-of-bounds in unwind_next_frame+0x5fc/0x780 at addr ffff88042f88bb98
3Read of size 8 by task swapper/2/0
0page:ffffea0010be22c0 count:1 mapcount:0 mapping: (null) index:0x0c
0flags: 0x2ffff8000000400(reserved)
1page dumped because: kasan: bad access detected
dCPU: 2 PID: 0 Comm: swapper/2 Tainted: G B 4.9.0-rc5-00530-gd8866fc-dirty #3
dHardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
dCall Trace:
d <NMI>
d dump_stack+0x67/0x94
d kasan_report_error+0x4a1/0x4d0
d ? kasan_report_error+0x420/0x4d0
d __asan_report_load8_noabort+0x43/0x50
d ? unwind_next_frame+0x5fc/0x780
d unwind_next_frame+0x5fc/0x780
d perf_callchain_kernel+0x341/0x550
d ? arch_perf_update_userpage+0x350/0x350
d ? __perf_event_header__init_id+0x500/0x500
d get_perf_callchain+0x276/0x670
d ? put_callchain_buffers+0x50/0x50
d ? sched_clock_cpu+0x11c/0x1a0
d perf_callchain+0x128/0x1a0
d perf_prepare_sample+0x70e/0xfb0
d perf_event_output_forward+0x93/0x110
d ? perf_prepare_sample+0xfb0/0xfb0
d ? arch_perf_update_userpage+0x26c/0x350
d ? sched_clock_cpu+0x11c/0x1a0
d __perf_event_overflow+0x1a3/0x570
d perf_event_overflow+0x14/0x20
d __intel_pmu_pebs_event+0x3ca/0x610
d ? pebs_update_state+0x310/0x310
d ? acpi_map_lookup+0x40/0xad
d ? intel_pmu_disable_bts+0xc0/0xc0
d ? acpi_map_lookup+0x40/0xad
d ? put_dec+0x1c/0xb0
d ? number+0x71c/0xa70
d ? put_dec+0xb0/0xb0
d intel_pmu_drain_pebs_nhm+0x5f6/0xbf0
d ? __intel_pmu_pebs_event+0x610/0x610
d ? early_serial_putc+0x41/0x70
d ? early_serial_write+0x7c/0xf0
d ? trace_raw_output_console+0x160/0x160
d intel_pmu_handle_irq+0x4b2/0xa90
d ? intel_pmu_save_and_restart+0xe0/0xe0
d ? acpi_os_read_memory+0x228/0x262
d ? acpi_os_get_timer+0x1a/0x1a
d ? vunmap_page_range+0x269/0x400
d ? ghes_copy_tofrom_phys+0x149/0x270
d ? ghes_read_estatus+0x11e/0x6b0
d ? ghes_copy_tofrom_phys+0x270/0x270
d perf_event_nmi_handler+0x2d/0x50
d nmi_handle+0x9e/0x250
d default_do_nmi+0x111/0x180
d do_nmi+0x1a2/0x210
d end_repeat_nmi+0x1a/0x1e
dRIP: 0010:irq_exit+0x10/0x1d0
dRSP: 0000:ffff88042f887fc8 EFLAGS: 00000046c
dRAX: 0000000000000000 RBX: ffffffff83a77980 RCX: 1ffff10080965faf
dRDX: 1ffff10085f13747 RSI: 0000000000000000 RDI: ffff88042f89ba38
dRBP: ffff88042f887fd0 R08: ffff8804060b1a08 R09: 1ffff10085f1276e
dR10: ffffed0080c16369 R11: ffff88042f89dd04 R12: 00000023af3410aa
dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180
d ? irq_exit+0x10/0x1d0
d ? irq_exit+0x10/0x1d0
d <EOE>
d <IRQ>
d smp_call_function_single_interrupt+0x70/0x90
d call_function_single_interrupt+0x90/0xa0
dRIP: 0010:cpuidle_enter_state+0x121/0x7a0
dRSP: 0000:ffff88042caffe28 EFLAGS: 00000246c ORIG_RAX: ffffffffffffff04
dRAX: 0000000000000000 RBX: ffff88042f8ab720 RCX: 000000000000001f
dRDX: 1ffff10085f142f9 RSI: 000000002dd33691 RDI: ffff88042f8a17c8
dRBP: ffff88042caffe88 R08: 0000000000000018 R09: ffffffff83f3f320
dR10: 071c71c71c71c71c R11: ffff88042f89dd04 R12: 00000023af3410aa
dR13: 0000000000000004 R14: 0000000000000004 R15: 0000000000000180
d <EOI>
d ? cpuidle_enter_state+0x11c/0x7a0
d cpuidle_enter+0x17/0x20
d call_cpuidle+0x47/0xc0
d ? cpuidle_select+0x59/0x80
d cpu_startup_entry+0x1a6/0x2d0
d start_secondary+0x245/0x2d0
d start_cpu+0x5/0x14
3Memory state around the buggy address:
3 ffff88042f88ba80: f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f3 f3 f3
3 ffff88042f88bb00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3>ffff88042f88bb80: f1 f1 f1 f1 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2
3 ^
3 ffff88042f88bc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3 ffff88042f88bc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3==================================================================