From: Andi Kleen
To: Vince Weaver
Cc: linux-kernel@vger.kernel.org, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo, dvyukov@google.com, alexander.shishkin@intel.com
Subject: Re: perf: fuzzer KASAN: global-out-of-bounds in match_token
Date: Thu, 17 Nov 2016 15:11:45 -0800
In-Reply-To: (Vince Weaver's message of "Thu, 17 Nov 2016 15:24:48 -0500 (EST)")
Message-ID: <8760nl1z2m.fsf@tassilo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Vince Weaver writes:

Adding Alex since it seems to be related to PT code.

> So got my Skylake machine re-compiled with gcc-5 and got this.
>
> Should I keep reporting these, or is everyone fuzzing now so you're all
> hitting them too?
>
> [  911.507365] ==================================================================
> [  911.514824] BUG: KASAN: global-out-of-bounds in match_token+0x268/0x310 at addr ffffffffb14ad058
> [  911.523912] Read of size 8 by task perf_fuzzer/20662
> [  911.528945] Address belongs to variable if_tokens+0x78/0xa0
> [  911.534619] CPU: 7 PID: 20662 Comm: perf_fuzzer Tainted: G             L  4.9.0-rc5+ #12
> [  911.534620] Hardware name: LENOVO 10FY0017US/SKYBAY, BIOS FWKT53A 06/06/2016
> [  911.534622]  ffff8801efd2f970 ffffffffb0f17c88 ffff8801efd2fa08 ffffffffb14ad058
> [  911.534624]  ffff8801efd2f9f8 ffffffffb0d0a9f3 1ffff1003dfa5f38 ffff8801efd2fc38
> [  911.534627]  ffff8801f12ca100 0000000000000297 ffff8801efd2fc38 ffff8801efd2fa38
> [  911.534629] Call Trace:
> [  911.534633]  [] dump_stack+0x63/0x8b
> [  911.534636]  [] kasan_report_error+0x493/0x4c0
> [  911.534638]  [] ? simple_strtoull+0x93/0xe0
> [  911.534640]  [] kasan_report+0x58/0x60
> [  911.534642]  [] ? match_token+0x268/0x310
> [  911.534644]  [] __asan_load8+0x5e/0x70
> [  911.534646]  [] match_token+0x268/0x310
> [  911.534649]  [] ? kmem_cache_alloc_node_trace+0x108/0x5a0
> [  911.534651]  [] ? match_wildcard+0x130/0x130
> [  911.534653]  [] ? wp_page_copy+0x6f5/0xb80
> [  911.534656]  [] ? perf_event_set_addr_filter+0x1f8/0x630
> [  911.534658]  [] perf_event_set_addr_filter+0x24b/0x630
> [  911.534660]  [] ? perf_pin_task_context+0xd0/0xd0
> [  911.534663]  [] ? kasan_unpoison_shadow+0x36/0x50
> [  911.534665]  [] ? kasan_kmalloc+0xad/0xe0
> [  911.534667]  [] ? __kmalloc_track_caller+0x10b/0x580
> [  911.534669]  [] ? vm_normal_page+0x130/0x130
> [  911.534671]  [] ? strndup_user+0x46/0x70
> [  911.534673]  [] ? kasan_check_write+0x14/0x20
> [  911.534675]  [] ? memdup_user+0x4d/0x80
> [  911.534677]  [] perf_ioctl+0x5fa/0x810
> [  911.534680]  [] ? SYSC_perf_event_open+0x11e0/0x11e0
> [  911.534682]  [] ? handle_mm_fault+0x602/0x1c30
> [  911.534684]  [] do_vfs_ioctl+0x14b/0x920
> [  911.534686]  [] ? ioctl_preallocate+0x160/0x160
> [  911.534689]  [] ? security_file_permission+0xd3/0x100
> [  911.534692]  [] ? __perf_sw_event+0x98/0xc0
> [  911.534694]  [] ? __do_page_fault+0x579/0x650
> [  911.534696]  [] SyS_ioctl+0x79/0x90
> [  911.534699]  [] entry_SYSCALL_64_fastpath+0x1e/0xad
> [  911.534700] Memory state around the buggy address:
> [  911.539563]  ffffffffb14acf00: fa fa fa fa 06 fa fa fa fa fa fa fa 06 fa fa fa
> [  911.546942]  ffffffffb14acf80: fa fa fa fa 03 fa fa fa fa fa fa fa 00 00 00 00
> [  911.554269] >ffffffffb14ad000: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
> [  911.561598]                                                     ^
> [  911.567800]  ffffffffb14ad080: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
> [  911.575138]  ffffffffb14ad100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
> [  911.582492] ==================================================================
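As an added example that is not part of this thread, a small Python triage helper for reports like the one quoted above: it pulls out the bug class, the access, the task and the named global, and separates reliable call-trace frames from the `?` guesses, so the blamed chain (match_token reached from perf_event_set_addr_filter via perf_ioctl) can be read off directly. The sample input is excerpted from the report above, and the regexes assume the 4.9-era KASAN report layout.

```python
import re

# Constructed sample: lines excerpted from the KASAN report quoted in this thread.
# The empty [] after the timestamp held the return address, stripped in the archived copy.
SAMPLE_REPORT = """\
[  911.514824] BUG: KASAN: global-out-of-bounds in match_token+0x268/0x310 at addr ffffffffb14ad058
[  911.523912] Read of size 8 by task perf_fuzzer/20662
[  911.528945] Address belongs to variable if_tokens+0x78/0xa0
[  911.534629] Call Trace:
[  911.534633]  [] dump_stack+0x63/0x8b
[  911.534636]  [] kasan_report_error+0x493/0x4c0
[  911.534638]  [] ? simple_strtoull+0x93/0xe0
[  911.534644]  [] __asan_load8+0x5e/0x70
[  911.534646]  [] match_token+0x268/0x310
[  911.534656]  [] ? perf_event_set_addr_filter+0x1f8/0x630
[  911.534658]  [] perf_event_set_addr_filter+0x24b/0x630
[  911.534677]  [] perf_ioctl+0x5fa/0x810
[  911.534696]  [] SyS_ioctl+0x79/0x90
"""

BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x\w+/0x\w+ at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) by task (?P<task>\S+)/(?P<pid>\d+)")
VAR_RE = re.compile(r"Address belongs to variable (?P<var>\w+)\+0x(?P<off>[0-9a-f]+)/0x(?P<len>[0-9a-f]+)")
FRAME_RE = re.compile(r"^\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<guess>\? )?(?P<sym>\w+)\+0x")
# Frames belonging to the reporting machinery rather than to the bug itself.
INSTRUMENTATION = ("dump_stack", "kasan_", "__asan_")

def parse_kasan_report(text):
    """Summarise one KASAN report; reliable and '?' frames are kept apart."""
    info = {"frames": [], "unreliable": []}
    in_trace = False
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            info.update(kind=m["kind"], func=m["func"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.search(line):
            info.update(op=m["op"], size=int(m["size"]), task=m["task"], pid=int(m["pid"]))
        elif m := VAR_RE.search(line):
            info.update(var=m["var"], var_off=int(m["off"], 16), var_len=int(m["len"], 16))
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            # A leading "?" marks a stale address found on the stack, not a confirmed return site.
            (info["unreliable"] if m["guess"] else info["frames"]).append(m["sym"])
    return info

def blame_chain(info, depth=3):
    """Reliable frames from the faulting function outward, skipping KASAN/dump_stack plumbing."""
    chain = [f for f in info["frames"] if not f.startswith(INSTRUMENTATION)]
    return chain[:depth]
```

Note that the `/0xa0` after `if_tokens` is the symbol size from kallsyms, so an in-range offset there does not by itself say whether the access was inside the object; the shadow bytes (`fa` under the caret) are what KASAN actually flagged.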