Re: [syzbot] linux-next boot error: KASAN: slab-out-of-bounds Read in _find_next_bit

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Dmitry Vyukov <dvyukov@google.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Yury Norov <yury.norov@gmail.com>,
	 syzbot <syzbot+08ca1fa706a22cc17efe@syzkaller.appspotmail.com>,
	 linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	linux-next@vger.kernel.org,  sfr@canb.auug.org.au,
	syzkaller-bugs@googlegroups.com,
	 Andrey Ryabinin <ryabinin.a.a@gmail.com>,
	Alexander Potapenko <glider@google.com>,
	 Andrey Konovalov <andreyknvl@gmail.com>,
	Vincenzo Frascino <vincenzo.frascino@arm.com>
Subject: Re: [syzbot] linux-next boot error: KASAN: slab-out-of-bounds Read in _find_next_bit
Date: Wed, 7 Sep 2022 09:17:24 +0200	[thread overview]
Message-ID: <CACT4Y+bXks8ohNAxdJ7gGOc=tg7bC7Pz+nBJi_J9zHa5Jhta9w@mail.gmail.com> (raw)
In-Reply-To: <20220906225312.263c4493a744cbcb66288283@linux-foundation.org>

On Wed, 7 Sept 2022 at 07:53, Andrew Morton <akpm@linux-foundation.org> wrote:
> > > > The buggy address belongs to the object at ffff888017576600
> > > >  which belongs to the cache kmalloc-192 of size 192
> > > > The buggy address is located 184 bytes inside of
> > > >  192-byte region [ffff888017576600, ffff8880175766c0)
> > >
> > > At offset 184 of a 192-byte region.
> > >
> > > So what's wrong with doing that?  Does KASAN have an off-by-one?
> >
> > Hi Andrew, all,
> >
> > This is a bug in FIND_NEXT_BIT(). It should be
> >   if (idx >= sz / BITS_PER_LONG)                                   \
> >           goto out;                                                \
> >
> > instead of
> >   if (idx > sz / BITS_PER_LONG)                                    \
> >           goto out;                                                \
> >
> > The fix is in bitmap-for-next, expected to be in -next by tomorrow.
> > Sorry for the noise.
>
> OK... but why is KASAN reporting a bad access from an area
> which appears to be OK?

Hi Andrew,

Good point. Filed https://bugzilla.kernel.org/show_bug.cgi?id=216457 for this.
Copy-pasting description below:

KASAN says:

==================================================================
BUG: KASAN: slab-out-of-bounds in _find_next_bit+0x143/0x160 lib/find_bit.c:109
Read of size 8 at addr ffff8880175766b8 by task kworker/1:1/26
...
The buggy address belongs to the object at ffff888017576600
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 184 bytes inside of
 192-byte region [ffff888017576600, ffff8880175766c0)
...
Memory state around the buggy address:
>ffff888017576680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
                                        ^
==================================================================

This "address is located 184 bytes inside of 192-byte region" is
confusing b/c it does not look like an out-of-bounds access.

What happens here is that the allocation request was for 184 bytes, so
the last 8 bytes in the 192-byte slab are poisoned. But KASAN does not
store the requested size in the object header, so it just prints the
full slab size everywhere.

User-space ASAN does store 48-bit requested size in the header. But
KASAN uses additional bytes in the header for:

struct kasan_alloc_meta {
depot_stack_handle_t aux_stack[2];

So we don't have space for requested size w/o increasing header size
(currently should be 16 bytes).

We could either try to infer requested size from the shadow (count
poisoned bytes at the end); or improve wording of the message at least
to make it clear that 192 is just full slab size.

For context see:
https://lore.kernel.org/all/20220906173154.6f2664c8fc6b83470c5dfea1@linux-foundation.org/

     prev parent reply	other threads:[~2022-09-07  7:17 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-06 13:21 syzbot
2022-09-07  0:31 ` Andrew Morton
2022-09-07  0:45   ` Yury Norov
2022-09-07  5:53     ` Andrew Morton
2022-09-07  7:17       ` Dmitry Vyukov [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACT4Y+bXks8ohNAxdJ7gGOc=tg7bC7Pz+nBJi_J9zHa5Jhta9w@mail.gmail.com' \
    --to=dvyukov@google.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=glider@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=linux-next@vger.kernel.org \
    --cc=ryabinin.a.a@gmail.com \
    --cc=sfr@canb.auug.org.au \
    --cc=syzbot+08ca1fa706a22cc17efe@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=vincenzo.frascino@arm.com \
    --cc=yury.norov@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox