Re: global-out-of-bounds in move_module
From: Jessica Yu
Date: Thu May 27 2021 - 05:01:58 EST
+++ Marc Kleine-Budde [10/05/21 22:26 +0200]:
Hello,
I just noticed on current net-next/master b741596468b0 ("Merge tag
'riscv-for-linus-5.13-mw1' of
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux") on 32 bit
arm, that modprobe of a module triggers the following KASAN bug:
Hi,
Hm, well I just submitted a module loader fix last week (I have no idea
if the fix is related to this report somehow, but it does bring ARM module
loader behavior up to speed with the other arches). I'm wondering if
you can still reproduce this on -rc3?
| [ 110.241783] ==================================================================
| [ 110.249600] BUG: KASAN: global-out-of-bounds in move_module+0x58/0x208
| [ 110.256253] Write of size 69632 at addr bf030000 by task modprobe/290
| [ 110.262789]
| [ 110.264361] CPU: 0 PID: 290 Comm: modprobe Tainted: G W 5.12.0-perf+ #7
| [ 110.272373] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
| [ 110.278977] Backtrace:
| [ 110.281537] [<c150df20>] (dump_backtrace) from [<c150e430>] (show_stack+0x20/0x24)
| [ 110.289245] r7:00000080 r6:80010093 r5:00000000 r4:c24c20a0
| [ 110.294981] [<c150e410>] (show_stack) from [<c151e794>] (dump_stack+0xf0/0x118)
| [ 110.302407] [<c151e6a4>] (dump_stack) from [<c1515770>] (print_address_description.constprop.0+0x58/0x210)
| [ 110.312205] r9:b6e0720e r8:b6e08200 r7:c0273980 r6:00000001 r5:00000000 r4:bf030000
| [ 110.320023] [<c1515718>] (print_address_description.constprop.0) from [<c03da2b4>] (kasan_report+0x11c/0x140)
| [ 110.330088] r7:c0273980 r6:00000001 r5:00011000 r4:bf030000
| [ 110.335820] [<c03da198>] (kasan_report) from [<c03dae54>] (kasan_check_range+0xcc/0x1a4)
| [ 110.344039] r7:000001ff r6:b6e081ff r5:bf040fff r4:b6e07210
| [ 110.349772] [<c03dad88>] (kasan_check_range) from [<c03db6e0>] (memset+0x28/0x44)
| [ 110.357386] r10:cc6a3ef4 r9:f0f1ef18 r8:f0de8740 r7:cc6a3ee0 r6:00000000 r5:bf030000
| [ 110.365296] r4:00011000 r3:c0273980
| [ 110.368943] [<c03db6b8>] (memset) from [<c0273980>] (move_module+0x58/0x208)
| [ 110.376116] r7:cc6a3ee0 r6:f0de8880 r5:f0de8884 r4:bf030000
| [ 110.381850] [<c0273928>] (move_module) from [<c0274314>] (layout_and_allocate+0x1bc/0x290)
| [ 110.390233] r10:cc6a3ef4 r9:f0f1ef18 r8:cc6a3ef0 r7:00000039 r6:cc6a3ee4 r5:cc6a3ee0
| [ 110.398138] r4:00000000
| [ 110.400743] [<c0274158>] (layout_and_allocate) from [<c0274734>] (load_module+0x34c/0xbe4)
| [ 110.409125] r10:cc6a0000 r9:b88d47b8 r8:c165cb00 r7:f3f3f3f3 r6:cc6a3e40 r5:cc6a3ee0
| [ 110.417031] r4:cc6a0000
| [ 110.419634] [<c02743e8>] (load_module) from [<c0275248>] (sys_finit_module+0x110/0x178)
| [ 110.427760] r10:0000017b r9:00000003 r8:cc6a3ee0 r7:004762d0 r6:00000000 r5:cc6a3f80
| [ 110.435666] r4:b88d47d4
| [ 110.438273] [<c0275138>] (sys_finit_module) from [<c0100080>] (ret_fast_syscall+0x0/0x2c)
| [ 110.446565] Exception stack(0xcc6a3fa8 to 0xcc6a3ff0)
| [ 110.451708] 3fa0: 004780c0 00000000 00000003 004762d0 00000000 00477cd0
| [ 110.459983] 3fc0: 004780c0 00000000 98560c00 0000017b 0210a3f8 0048a090 0047544c 0210a360
| [ 110.468246] 3fe0: b6c91978 b6c91968 0046eb0d aea934f2
| [ 110.473388] r9:cc6a0000 r8:c0100268 r7:0000017b r6:98560c00 r5:00000000 r4:004780c0
| [ 110.481206]
| [ 110.482769]
| [ 110.484329] Memory state around the buggy address:
| [ 110.489199] bf038f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| [ 110.495812] bf038f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| [ 110.502419] >bf039000: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
| [ 110.509021] ^
| [ 110.515018] bf039080: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 02 f9 f9
| [ 110.521626] bf039100: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 00 00
| [ 110.528231] ==================================================================
regards,
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung West/Dortmund | Phone: +49-231-2826-924 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |