I observed false KSAN positives in the sctp code, when
sctp uses jprobe_return() in jsctp_sf_eat_sack().
The stray 0xf4 in shadow memory are stack redzones:
[ ] ==================================================================
[ ] BUG: KASAN: stack-out-of-bounds in memcmp+0xe9/0x150 at addr
ffff88005e48f480
[ ] Read of size 1 by task syz-executor/18535
[ ] page:
ffffea00017923c0 count:0 mapcount:0 mapping: (null) index:0x0
[ ] flags: 0x1fffc0000000000()
[ ] page dumped because: kasan: bad access detected
[ ] CPU: 1 PID: 18535 Comm: syz-executor Not tainted 4.8.0+ #28
[ ] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ ]
ffff88005e48f2d0 ffffffff82d2b849 ffffffff0bc91e90 fffffbfff10971e8
[ ]
ffffed000bc91e90 ffffed000bc91e90 0000000000000001 0000000000000000
[ ]
ffff88005e48f480 ffff88005e48f350 ffffffff817d3169 ffff88005e48f370
[ ] Call Trace:
[ ] [<
ffffffff82d2b849>] dump_stack+0x12e/0x185
[ ] [<
ffffffff817d3169>] kasan_report+0x489/0x4b0
[ ] [<
ffffffff817d31a9>] __asan_report_load1_noabort+0x19/0x20
[ ] [<
ffffffff82d49529>] memcmp+0xe9/0x150
[ ] [<
ffffffff82df7486>] depot_save_stack+0x176/0x5c0
[ ] [<
ffffffff817d2031>] save_stack+0xb1/0xd0
[ ] [<
ffffffff817d27f2>] kasan_slab_free+0x72/0xc0
[ ] [<
ffffffff817d05b8>] kfree+0xc8/0x2a0
[ ] [<
ffffffff85b03f19>] skb_free_head+0x79/0xb0
[ ] [<
ffffffff85b0900a>] skb_release_data+0x37a/0x420
[ ] [<
ffffffff85b090ff>] skb_release_all+0x4f/0x60
[ ] [<
ffffffff85b11348>] consume_skb+0x138/0x370
[ ] [<
ffffffff8676ad7b>] sctp_chunk_put+0xcb/0x180
[ ] [<
ffffffff8676ae88>] sctp_chunk_free+0x58/0x70
[ ] [<
ffffffff8677fa5f>] sctp_inq_pop+0x68f/0xef0
[ ] [<
ffffffff8675ee36>] sctp_assoc_bh_rcv+0xd6/0x4b0
[ ] [<
ffffffff8677f2c1>] sctp_inq_push+0x131/0x190
[ ] [<
ffffffff867bad69>] sctp_backlog_rcv+0xe9/0xa20
[ ... ]
[ ] Memory state around the buggy address:
[ ]
ffff88005e48f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ ]
ffff88005e48f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ ] >
ffff88005e48f480: f4 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ ] ^
[ ]
ffff88005e48f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ ]
ffff88005e48f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ ] ==================================================================
KASAN stack instrumentation poisons stack redzones on function entry
and unpoisons them on function exit. If a function exits abnormally
(e.g. with a longjmp like jprobe_return()), stack redzones are left
poisoned. Later this leads to random KASAN false reports.
Unpoison stack redzones in the frames we are going to jump over
before doing actual longjmp in jprobe_return().
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: kasan-dev@googlegroups.com
Cc: surovegin@google.com
Cc: rostedt@goodmis.org
Link: http://lkml.kernel.org/r/1476454043-101898-1-git-send-email-dvyukov@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
projects / cascardo / linux.git / commitdiff