NetBSD Problem Report #54008

From www@NetBSD.org  Sat Feb 23 15:24:05 2019
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id B6B427A1AA
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 23 Feb 2019 15:24:05 +0000 (UTC)
Message-Id: <20190223152404.3D8387A1D0@mollari.NetBSD.org>
Date: Sat, 23 Feb 2019 15:24:04 +0000 (UTC)
From: dvyukov@google.com
Reply-To: dvyukov@google.com
To: gnats-bugs@NetBSD.org
Subject: ASan: Unauthorized Access in vioscsi_scsipi_request
X-Send-Pr-Version: www-1.0

>Number:         54008
>Category:       kern
>Synopsis:       ASan: Unauthorized Access in vioscsi_scsipi_request
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Feb 23 15:25:00 +0000 2019
>Closed-Date:    Sat Apr 13 06:21:51 +0000 2019
>Last-Modified:  Mon Jul 15 08:25:00 +0000 2019
>Originator:     Dmitry Vyukov
>Release:        HEAD
>Organization:
>Environment:
NetBSD  8.99.34 NetBSD 8.99.34 (GENERIC_SYZKALLER) #18: Sat Feb 23 15:34:40 CET 2019  sys/arch/amd64/compile/obj/GENERIC_SYZKALLER amd64 
>Description:
ASan: Unauthorized Access in vioscsi_scsipi_request

NetBSD  8.99.34 NetBSD 8.99.34 (GENERIC_SYZKALLER) #18: Sat Feb 23 15:34:40 CET 2019  sys/arch/amd64/compile/obj/GENERIC_SYZKALLER amd64 

Checkout is on de28d81d1f43015977e489804bbc02041cdc7207

Config:

include "arch/amd64/conf/GENERIC"
makeoptions    KASAN=1
options    KASAN
no options SVS

Booting resulting kernel on GCE produces an ASan on boot:

[   1.0000000] Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
[   1.0000000]     2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017,
[   1.0000000]     2018, 2019 The NetBSD Foundation, Inc.  All rights reserved.
[   1.0000000] Copyright (c) 1982, 1986, 1989, 1991, 1993
[   1.0000000]     The Regents of the University of California.  All rights reserved.
[   1.0000000] NetBSD 8.99.34 (GENERIC_SYZKALLER) #18: Sat Feb 23 15:34:40 CET 2019
[   1.0000000]  /sys/arch/amd64/compile/obj/GENERIC_SYZKALLER
[   1.0000000] total memory = 3839 MB
[   1.0000000] avail memory = 3271 MB
[   1.0000000] rnd: bad seed length 10
[   1.0000000] pool redzone disabled for 'buf64k'
[   1.0000000] cpu_rng: RDRAND
[   1.0000000] timecounter: Timecounters tick every 10.000 msec
[   1.0000000] Kernelized RAIDframe activated
[   1.0000000] running cgd selftest aes-xts-256 aes-xts-512 done
[   1.0000000] timecounter: Timecounter "i8254" frequency 1193182 Hz quality 100
[   1.0000030] Google Google Compute Engine
[   1.0000030] mainbus0 (root)
[   1.0000030] ACPI: RSDP 0x00000000000F2A60 000014 (v00 Google)
[   1.0000030] ACPI: RSDT 0x00000000BFFFDC10 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
[   1.0000030] ACPI: FACP 0x00000000BFFFFF00 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
[   1.0000030] ACPI: DSDT 0x00000000BFFFDC50 0017B2 (v01 Google GOOGDSDT 00000001 GOOG 00000001)
[   1.0000030] ACPI: FACS 0x00000000BFFFFEC0 000040
[   1.0000030] ACPI: SSDT 0x00000000BFFFF5F0 0008CF (v01 Google GOOGSSDT 00000001 GOOG 00000001)
[   1.0000030] ACPI: APIC 0x00000000BFFFF500 00006E (v01 Google GOOGAPIC 00000001 GOOG 00000001)
[   1.0000030] ACPI: WAET 0x00000000BFFFF4D0 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
[   1.0000030] ACPI: SRAT 0x00000000BFFFF410 0000B8 (v01 Google GOOGSRAT 00000001 GOOG 00000001)
[   1.0000030] ACPI: 2 ACPI AML tables successfully acquired and loaded
[   1.0000030] ioapic0 at mainbus0 apid 0: pa 0xfec00000, version 0x11, 24 pins
[   1.0000030] cpu0 at mainbus0 apid 0
[   1.0000030] cpu0: Intel(R) Xeon(R) CPU @ 2.30GHz, id 0x306f0
[   1.0000030] cpu0: package 0, core 0, smt 0
[   1.0000030] acpi0 at mainbus0: Intel ACPICA 20181213
[   1.0000030] acpi0: X/RSDT: OemId <Google,GOOGRSDT,00000001>, AslId <GOOG,00000001>
[   1.0000030] LNKS: ACPI: Found matching pin for 0.1.INTA at func 3: 9
[   1.0000030] LNKC: ACPI: Found matching pin for 0.3.INTA at func 0: 11
[   1.0000030] LNKD: ACPI: Found matching pin for 0.4.INTA at func 0: 11
[   1.0000030] acpi0: SCI interrupting at int 9
[   1.0000030] acpi0: fixed power button present
[   1.0000030] acpi0: fixed sleep button present
[   1.0000030] timecounter: Timecounter "ACPI-Safe" frequency 3579545 Hz quality 900
[   1.0066709] pckbc1 at acpi0 (KBD, PNP0303) (kbd port): io 0x60,0x64 irq 1
[   1.0066709] pckbc2 at acpi0 (MOU, PNP0F13) (aux port): irq 12
[   1.0066709] COM1 (PNP0501) at acpi0 not configured
[   1.0066709] COM2 (PNP0501) at acpi0 not configured
[   1.0066709] COM3 (PNP0501) at acpi0 not configured
[   1.0066709] COM4 (PNP0501) at acpi0 not configured
[   1.0066709] PEVT (QEMU0001) at acpi0 not configured
[   1.0066709] ACPI: Enabled 16 GPEs in block 00 to 0F
[   1.0066709] pckbd0 at pckbc1 (kbd slot)
[   1.0066709] pckbc1: using irq 1 for kbd slot
[   1.0066709] wskbd0 at pckbd0 mux 1
[   1.0066709] pms0 at pckbc1 (aux slot)
[   1.0066709] pckbc1: using irq 12 for aux slot
[   1.0066709] wsmouse0 at pms0 mux 0
[   1.0066709] pci0 at mainbus0 bus 0: configuration mode 1
[   1.0066709] pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
[   1.0066709] pchb0 at pci0 dev 0 function 0: vendor 8086 product 1237 (rev. 0x02)
[   1.0066709] pcib0 at pci0 dev 1 function 0: vendor 8086 product 7110 (rev. 0x03)
[   1.0066709] piixpm0 at pci0 dev 1 function 3: vendor 8086 product 7113 (rev. 0x03)
[   1.0066709] piixpm0: SMBus disabled
[   1.0066709] virtio0 at pci0 dev 3 function 0
[   1.0066709] virtio0: Virtio SCSI Device (rev. 0x00)
[   1.0066709] vioscsi0 at virtio0: Features: 0x0
[   1.0066709] virtio0: allocated 221184 byte for virtqueue 0 for control, size 8192
[   1.0066709] virtio0: allocated 221184 byte for virtqueue 1 for event, size 8192
[   1.0066709] virtio0: allocated 221184 byte for virtqueue 2 for request, size 8192
[   1.0066709] vioscsi0: cmd_per_lun 256 qsize 8192 seg_max 64 max_target 253 max_lun 1
[   1.0066709] virtio0: config interrupting at msix0 vec 0
[   1.0066709] virtio0: queues interrupting at msix0 vec 1
[   1.0066709] scsibus0 at vioscsi0: 16 targets, 1 lun per target
[   1.0066709] virtio1 at pci0 dev 4 function 0
[   1.0066709] virtio1: Virtio Network Device (rev. 0x00)
[   1.0066709] vioif0 at virtio1: Features: 0x30020<CTRL_VQ,STATUS,MAC>
[   1.0066709] vioif0: Ethernet address 42:01:0a:80:00:46
[   1.0066709] virtio1: allocated 114688 byte for virtqueue 0 for rx0, size 4096
[   1.0066709] virtio1: allocated 114688 byte for virtqueue 1 for tx0, size 4096
[   1.0066709] virtio1: config interrupting at msix1 vec 0
[   1.0066709] virtio1: queues interrupting at msix1 vec 1
[   1.0066709] isa0 at pcib0
[   1.0066709] com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
[   1.0066709] com0: console
[   1.0066709] com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
[   1.0066709] attimer0 at isa0 port 0x40-0x43
[   1.0066709] pcppi0 at isa0 port 0x61
[   1.0066709] spkr0 at pcppi0: PC Speaker
[   1.0066709] wsbell at spkr0 not configured
[   1.0066709] midi0 at pcppi0: PC speaker
[   1.0066709] sysbeep0 at pcppi0
[   1.0066709] attimer0: attached to pcppi0
[   1.0066709] acpicpu0 at cpu0: ACPI CPU
[   1.0066709] acpicpu0: C1: HLT, lat   0 us, pow     0 mW
[   1.0066709] timecounter: Timecounter "clockinterrupt" frequency 100 Hz quality 0
[   1.0066709] timecounter: Timecounter "TSC" frequency 2300869780 Hz quality 3000
[   1.4138338] sd0 at scsibus0 target 2 lun 0: <Google, PersistentDisk, 1> disk fixed
[   1.4237051] IPsec: Initialized Security Association Processing.
[   1.4237051] sd0: fabricating a geometry
[   1.4237051] sd0: 2048 MB, 2048 cyl, 64 head, 32 sec, 512 bytes/sect x 4194304 sectors
[   1.4342756] sd0: fabricating a geometry
[   1.4538348] sd0: async, 8-bit transfers, tagged queueing
[   1.4740155] boot device: sd0
[   1.4740155] root on sd0a dumps on sd0b
[   1.5137523] root file system type: ffs
[   1.5137523] kern.module.path=/stand/amd64/8.99.34/modules
[   1.5137523] clock: unknown CMOS layout
[   2.8938666] /dev/sd0a: file system not clean (fs_clean=0x20); please fsck(8)
[   2.8938666] /dev/sd0a: lost blocks 0 files 0
[   6.1324074] /dev/sd0a: file system not clean (fs_clean=0x20); please fsck(8)
[   6.1424467] /dev/sd0a: lost blocks 0 files 0
[   8.1619135] ASan: Unauthorized Access In 0xffffffff81593baf: Addr 0xffffa18009e3aac0 [4 bytes, read]
[   8.1742001] #0 0xffffffff81593baf in vioscsi_scsipi_request <netbsd>
[   8.1819853] #1 0xffffffff8028228d in scsipi_adapter_request <netbsd>
[   8.1819853] #2 0xffffffff80282484 in scsipi_run_queue <netbsd>
[   8.1969374] #3 0xffffffff80283135 in scsipi_execute_xs <netbsd>
[   8.2040307] #4 0xffffffff802987c1 in sd_diskstart <netbsd>
[   8.2040307] #5 0xffffffff80fcfc28 in dk_start <netbsd>
[   8.2172705] #6 0xffffffff80fc595f in spec_strategy <netbsd>
[   8.2240758] #7 0xffffffff80fb3400 in VOP_STRATEGY <netbsd>
[   8.2240758] #8 0xffffffff80fb8619 in genfs_getpages <netbsd>
[   8.2378917] #9 0xffffffff80fb3bb1 in VOP_GETPAGES <netbsd>
[   8.2444090] #10 0xffffffff80e37408 in uvm_fault_internal <netbsd>
[   8.2518282] #11 0xffffffff80226a38 in trap <netbsd>
[   8.2518282] #12 0xffffffff8021c4f2 in alltraps <netbsd>

Passing this through addr2line:

0xffffffff81593baf
vioscsi_scsipi_request
 dev/pci/vioscsi.c:423
0xffffffff8028228d
scsipi_adapter_unlock
 dev/scsipi/scsipi_base.c:2576
scsipi_adapter_request
 dev/scsipi/scsipi_base.c:2599
0xffffffff80282484
scsipi_run_queue
 dev/scsipi/scsipi_base.c:1860
0xffffffff80283135
scsipi_execute_xs
 dev/scsipi/scsipi_base.c:2078
0xffffffff802987c1
sd_diskstart
 dev/scsipi/sd.c:782
0xffffffff80fcfc28
dk_start
 dev/dksubr.c:422
0xffffffff80fc595f
spec_strategy
 miscfs/specfs/spec_vnops.c:1067
0xffffffff80fb3400
VOP_STRATEGY
 kern/vnode_if.c:1384
0xffffffff80fb8619
genfs_getpages_read
 miscfs/genfs/genfs_io.c:609
genfs_getpages
 miscfs/genfs/genfs_io.c:443
0xffffffff80fb3bb1
VOP_GETPAGES
 kern/vnode_if.c:1577
0xffffffff80e37408
uvm_fault_lower_io
 uvm/uvm_fault.c:1918
uvm_fault_lower
 uvm/uvm_fault.c:1717
uvm_fault_internal
 uvm/uvm_fault.c:905
0xffffffff80226a38
trap
 arch/amd64/amd64/trap.c:558
0xffffffff8021c4f2
calltrap
amd64_trap.o:?

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: "Maxime Villard" <maxv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/54008 CVS commit: src/sys/dev/pci
Date: Sat, 13 Apr 2019 06:17:33 +0000

 Module Name:	src
 Committed By:	maxv
 Date:		Sat Apr 13 06:17:33 UTC 2019

 Modified Files:
 	src/sys/dev/pci: vioscsi.c

 Log Message:
 Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send
 the transaction, and it means 'xs' can be immediately freed. So, save the
 value of xs_control beforehand.

 Detected by KASAN, ok jdolecek@.

 Fixes PR/54008
 Reported-by: syzbot+6513c4afe66237d7207f@syzkaller.appspotmail.com


 To generate a diff of this commit:
 cvs rdiff -u -r1.20 -r1.21 src/sys/dev/pci/vioscsi.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Sat, 13 Apr 2019 06:21:51 +0000
State-Changed-Why:
Fixed, thanks for the report.


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/54008 CVS commit: [netbsd-8] src/sys/dev/pci
Date: Mon, 15 Jul 2019 08:23:23 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Mon Jul 15 08:23:23 UTC 2019

 Modified Files:
 	src/sys/dev/pci [netbsd-8]: vioscsi.c

 Log Message:
 Pull up following revision(s) (requested by maxv in ticket #1289):

 	sys/dev/pci/vioscsi.c: revision 1.21

 Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send
 the transaction, and it means 'xs' can be immediately freed. So, save the
 value of xs_control beforehand.

 Detected by KASAN, ok jdolecek@.
 Fixes PR/54008


 To generate a diff of this commit:
 cvs rdiff -u -r1.19 -r1.19.2.1 src/sys/dev/pci/vioscsi.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:

Copyright © 1994-2017 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.