<rss version="0.92" >
<channel>
    <title>Whamcloud Community JIRA</title>
    <link>https://jira.whamcloud.com</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.4.14</version>
        <build-number>940014</build-number>
        <build-date>05-12-2023</build-date>
    </build-info>


<item>
            <title>[LU-13040] BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180</title>
                <link>https://jira.whamcloud.com/browse/LU-13040</link>
                <project id="10000" key="LU">Lustre</project>
                    <description>&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;Nov 27 00:46:15 lustre-client kernel: ==================================================================
Nov 27 00:46:15 lustre-client kernel: BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: Read of size 1 at addr ffff888217560921 by task parse_foreign_d/23741
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: CPU: 3 PID: 23741 Comm: parse_foreign_d Tainted: P O 5.4.0-1.ldiskfs.d.el7.x86_64 #1
Nov 27 00:46:15 lustre-client kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
Nov 27 00:46:15 lustre-client kernel: Call Trace:
Nov 27 00:46:15 lustre-client kernel: dump_stack+0x7b/0xba
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: print_address_description.constprop.7.cold.9+0x9/0x350
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: __kasan_report.cold.10+0x1b/0x3f
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: kasan_report+0x12/0x20
Nov 27 00:46:15 lustre-client kernel: __asan_load1+0x47/0x50
Nov 27 00:46:15 lustre-client kernel: string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: ? widen_string+0x190/0x190
Nov 27 00:46:15 lustre-client kernel: string+0xb6/0xc0
Nov 27 00:46:15 lustre-client kernel: ? hex_string+0x2e0/0x2e0
Nov 27 00:46:15 lustre-client kernel: vsnprintf+0x56c/0x8e0
Nov 27 00:46:15 lustre-client kernel: ? pointer+0x4e0/0x4e0
Nov 27 00:46:15 lustre-client kernel: ? vsnprintf+0x655/0x8e0
Nov 27 00:46:15 lustre-client kernel: libcfs_debug_msg+0x4f2/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? put_pages_on_daemon_list+0xd0/0xd0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? libcfs_debug_msg+0xd99/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: lsm_md_dump+0x14a/0x270 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_update_inode+0xb6c/0x2010 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_test_inode_by_fid+0x30/0x30 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? __kasan_check_read+0x11/0x20
Nov 27 00:46:15 lustre-client kernel: ll_iget+0x2bf/0x420 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_prep_inode+0x50e/0xca0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_open_cleanup+0x6b0/0x6b0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? strcpy+0x30/0x50
Nov 27 00:46:15 lustre-client kernel: ? cfs_trace_unlock_tcd+0x20/0xb0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? lustre_msg_buf_v2+0x8a/0x220 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ? ptlrpc_buf_need_swab+0x5d/0xf0 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ? __req_capsule_get+0x72a/0x8a0 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ? lustre_swab_generic_32s+0x20/0x20 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it_finish+0x349/0x1500 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_splice_alias+0x410/0x410 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_md_need_convert+0x2c0/0x2c0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_md_need_convert+0x2c0/0x2c0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? libcfs_log_return+0x22/0x30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? lmv_intent_lock+0x2f0/0x560 [lmv]
Nov 27 00:46:15 lustre-client kernel: ? lmv_intent_lookup+0xaf0/0xaf0 [lmv]
Nov 27 00:46:15 lustre-client kernel: ? __kasan_check_write+0x14/0x20
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it+0xeae/0x2000 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_lookup_it_finish+0x1500/0x1500 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? strcpy+0x30/0x50
Nov 27 00:46:15 lustre-client kernel: ? cfs_trace_unlock_tcd+0x20/0xb0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? libcfs_debug_msg+0xd99/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? put_pages_on_daemon_list+0xd0/0xd0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? __d_alloc+0x277/0x380
Nov 27 00:46:15 lustre-client kernel: ? __kasan_check_write+0x14/0x20
Nov 27 00:46:15 lustre-client kernel: ? d_alloc_parallel+0x435/0x950
Nov 27 00:46:15 lustre-client kernel: ? libcfs_debug_msg+0xd99/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_nd+0x1ee/0x2b0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_atomic_open+0x2360/0x2360 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? __d_lookup+0x49/0x230
Nov 27 00:46:15 lustre-client kernel: __lookup_slow+0x123/0x230
Nov 27 00:46:15 lustre-client kernel: ? vfs_readlink+0x220/0x220
Nov 27 00:46:15 lustre-client kernel: ? __nd_alloc_stack+0xa0/0xa0
Nov 27 00:46:15 lustre-client kernel: lookup_slow+0x44/0x60
Nov 27 00:46:15 lustre-client kernel: walk_component+0x3e3/0x680
Nov 27 00:46:15 lustre-client kernel: ? lookup_slow+0x60/0x60
Nov 27 00:46:15 lustre-client kernel: ? link_path_walk.part.41+0x292/0x830
Nov 27 00:46:15 lustre-client kernel: ? lookup_one_len+0x130/0x130
Nov 27 00:46:15 lustre-client kernel: ? path_init+0x451/0x5a0
Nov 27 00:46:15 lustre-client kernel: ? save_stack+0x21/0x90
Nov 27 00:46:15 lustre-client kernel: ? __kasan_kmalloc.constprop.14+0xc1/0xd0
Nov 27 00:46:15 lustre-client kernel: ? kasan_slab_alloc+0x11/0x20
Nov 27 00:46:15 lustre-client kernel: ? getname_flags+0x6f/0x2c0
Nov 27 00:46:15 lustre-client kernel: path_lookupat.isra.43+0x118/0x420
Nov 27 00:46:15 lustre-client kernel: ? path_parentat.isra.42+0xa0/0xa0
Nov 27 00:46:15 lustre-client kernel: ? deactivate_slab.isra.79+0x21b/0x5c0
Nov 27 00:46:15 lustre-client kernel: ? check_object+0xb5/0x290
Nov 27 00:46:15 lustre-client kernel: ? init_object+0x7e/0x90
Nov 27 00:46:15 lustre-client kernel: filename_lookup.part.59+0x116/0x240
Nov 27 00:46:15 lustre-client kernel: ? __ia32_sys_rename+0x50/0x50
Nov 27 00:46:15 lustre-client kernel: ? __check_object_size+0x1a7/0x216
Nov 27 00:46:15 lustre-client kernel: ? strncpy_from_user+0xdd/0x200
Nov 27 00:46:15 lustre-client kernel: ? getname_flags+0x112/0x2c0
Nov 27 00:46:15 lustre-client kernel: user_path_at_empty+0x3e/0x50
Nov 27 00:46:15 lustre-client kernel: path_getxattr+0xa8/0x130
Nov 27 00:46:15 lustre-client kernel: ? getxattr+0x230/0x230
Nov 27 00:46:15 lustre-client kernel: __x64_sys_getxattr+0x5b/0x70
Nov 27 00:46:15 lustre-client kernel: do_syscall_64+0x78/0x200
Nov 27 00:46:15 lustre-client kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 27 00:46:15 lustre-client kernel: RIP: 0033:0x7fec4f3453ea
Nov 27 00:46:15 lustre-client kernel: Code: 73 01 c3 48 8b 0d 86 9a 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 bf 00 00 00 0f 05 &amp;lt;48&amp;gt; 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 9a 2c 00 f7 d8 64 89 01 48
Nov 27 00:46:15 lustre-client kernel: RSP: 002b:00007ffd6b274628 EFLAGS: 00000206 ORIG_RAX: 00000000000000bf
Nov 27 00:46:15 lustre-client kernel: RAX: ffffffffffffffda RBX: 00007ffd6b274748 RCX: 00007fec4f3453ea
Nov 27 00:46:15 lustre-client kernel: RDX: 0000000000000000 RSI: 0000000000400cff RDI: 00007ffd6b276054
Nov 27 00:46:15 lustre-client kernel: RBP: 0000000000400cfc R08: 0000000000000000 R09: 0000000000000000
Nov 27 00:46:15 lustre-client kernel: R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
Nov 27 00:46:15 lustre-client kernel: R13: 00007ffd6b276054 R14: 0000000000000000 R15: 0000000000000000
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: Allocated by task 23741:
Nov 27 00:46:15 lustre-client kernel: save_stack+0x21/0x90
Nov 27 00:46:15 lustre-client kernel: __kasan_kmalloc.constprop.14+0xc1/0xd0
Nov 27 00:46:15 lustre-client kernel: kasan_kmalloc+0x9/0x10
Nov 27 00:46:15 lustre-client kernel: __kmalloc+0x139/0x300
Nov 27 00:46:15 lustre-client kernel: lmv_unpackmd+0x5d3/0x12a0 [lmv]
Nov 27 00:46:15 lustre-client kernel: mdc_get_lustre_md+0x81a/0x12a0 [mdc]
Nov 27 00:46:15 lustre-client kernel: lmv_get_lustre_md+0x1c9/0x1e0 [lmv]
Nov 27 00:46:15 lustre-client kernel: ll_prep_inode+0x1e7/0xca0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it_finish+0x349/0x1500 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it+0xeae/0x2000 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_nd+0x1ee/0x2b0 [lustre]
Nov 27 00:46:15 lustre-client kernel: __lookup_slow+0x123/0x230
Nov 27 00:46:15 lustre-client kernel: lookup_slow+0x44/0x60
Nov 27 00:46:15 lustre-client kernel: walk_component+0x3e3/0x680
Nov 27 00:46:15 lustre-client kernel: path_lookupat.isra.43+0x118/0x420
Nov 27 00:46:15 lustre-client kernel: filename_lookup.part.59+0x116/0x240
Nov 27 00:46:15 lustre-client kernel: user_path_at_empty+0x3e/0x50
Nov 27 00:46:15 lustre-client kernel: path_getxattr+0xa8/0x130
Nov 27 00:46:15 lustre-client kernel: __x64_sys_getxattr+0x5b/0x70
Nov 27 00:46:15 lustre-client kernel: do_syscall_64+0x78/0x200
Nov 27 00:46:15 lustre-client kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: Freed by task 0:
Nov 27 00:46:15 lustre-client kernel: save_stack+0x21/0x90
Nov 27 00:46:15 lustre-client kernel: __kasan_slab_free+0x128/0x170
Nov 27 00:46:15 lustre-client kernel: kasan_slab_free+0xe/0x10
Nov 27 00:46:15 lustre-client kernel: kfree+0xa4/0x290
Nov 27 00:46:15 lustre-client kernel: autogroup_free+0x25/0x30
Nov 27 00:46:15 lustre-client kernel: sched_free_group+0x22/0x40
Nov 27 00:46:15 lustre-client kernel: sched_free_group_rcu+0x15/0x20
Nov 27 00:46:15 lustre-client kernel: rcu_do_batch+0x27c/0x660
Nov 27 00:46:15 lustre-client kernel: rcu_core+0x2a8/0x460
Nov 27 00:46:15 lustre-client kernel: rcu_core_si+0xe/0x10
Nov 27 00:46:15 lustre-client kernel: __do_softirq+0x10d/0x3c9
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: The buggy address belongs to the object at ffff8882175608c8#012 which belongs to the cache kmalloc-96 of size 96
Nov 27 00:46:15 lustre-client kernel: The buggy address is located 89 bytes inside of#012 96-byte region [ffff8882175608c8, ffff888217560928)
Nov 27 00:46:15 lustre-client kernel: The buggy address belongs to the page:
Nov 27 00:46:15 lustre-client kernel: page:ffffea00085d5800 refcount:1 mapcount:0 mapping:ffff888227010a00 index:0xffff888217563488 compound_mapcount: 0
Nov 27 00:46:15 lustre-client kernel: flags: 0x17ffffc0010200(slab|head)
Nov 27 00:46:15 lustre-client kernel: raw: 0017ffffc0010200 ffffea0007cc0208 ffff888227003a50 ffff888227010a00
Nov 27 00:46:15 lustre-client kernel: raw: ffff888217563488 0000000000240011 00000001ffffffff 0000000000000000
Nov 27 00:46:15 lustre-client kernel: page dumped because: kasan: bad access detected
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: Memory state around the buggy address:
Nov 27 00:46:15 lustre-client kernel: ffff888217560800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ffff888217560880: fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
Nov 27 00:46:15 lustre-client kernel: &amp;gt;ffff888217560900: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ^
Nov 27 00:46:15 lustre-client kernel: ffff888217560980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ffff888217560a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ==================================================================&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</description>
                <environment></environment>
        <key id="57511">LU-13040</key>
            <summary>BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180</summary>
                <type id="1" iconUrl="https://jira.whamcloud.com/secure/viewavatar?size=xsmall&amp;avatarId=11303&amp;avatarType=issuetype">Bug</type>
                                            <priority id="4" iconUrl="https://jira.whamcloud.com/images/icons/priorities/minor.svg">Minor</priority>
                        <status id="5" iconUrl="https://jira.whamcloud.com/images/icons/statuses/resolved.png" description="A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.">Resolved</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="1">Fixed</resolution>
                                        <assignee username="stancheff">Shaun Tancheff</assignee>
                                    <reporter username="stancheff">Shaun Tancheff</reporter>
                        <labels>
                    </labels>
                <created>Sat, 30 Nov 2019 22:14:45 +0000</created>
                <updated>Sun, 1 Mar 2020 15:49:25 +0000</updated>
                            <resolved>Sun, 1 Mar 2020 15:49:25 +0000</resolved>
                                                    <fixVersion>Lustre 2.14.0</fixVersion>
                                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                            <comments>
                            <comment id="258999" author="stancheff" created="Sat, 30 Nov 2019 22:20:27 +0000"  >&lt;p&gt;This KASAN report indicates two different issues:&lt;/p&gt;

&lt;p&gt;The root cause is indicated by&#160;lsm_md_dump(), where lsm_md_pool_name is not NUL-terminated, so formatting it as a string in the debug message reads past the end of the allocation (the string_nocheck() read in the trace). This case appears to be rooted in &lt;del&gt;a strncpy().&lt;/del&gt;&#160;attempting to read the pool_name when lsm_md_magic == LMV_MAGIC_FOREIGN.&lt;/p&gt;

&lt;p&gt;The second issue is the theoretical buffer overflow in&#160;libcfs_debug_msg(), where the second pass of snprintf() returns the number of bytes needed, while the result is expected to be the number of bytes actually written. There are a couple of additional uses of snprintf() that should also be changed to scnprintf() here.&lt;/p&gt;</comment>
                            <comment id="259080" author="gerrit" created="Tue, 3 Dec 2019 17:20:04 +0000"  >&lt;p&gt;Shaun Tancheff (stancheff@cray.com) uploaded a new patch: &lt;a href=&quot;https://review.whamcloud.com/36908&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://review.whamcloud.com/36908&lt;/a&gt;&lt;br/&gt;
Subject: &lt;a href=&quot;https://jira.whamcloud.com/browse/LU-13040&quot; title=&quot;BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180&quot; class=&quot;issue-link&quot; data-issue-key=&quot;LU-13040&quot;&gt;&lt;del&gt;LU-13040&lt;/del&gt;&lt;/a&gt; lmv: Pool name string handling&lt;br/&gt;
Project: fs/lustre-release&lt;br/&gt;
Branch: master&lt;br/&gt;
Current Patch Set: 1&lt;br/&gt;
Commit: 645180347fdb5f7d4c4555e351260a74b96372ba&lt;/p&gt;</comment>
                            <comment id="264316" author="gerrit" created="Sun, 1 Mar 2020 05:35:47 +0000"  >&lt;p&gt;Oleg Drokin (green@whamcloud.com) merged in patch &lt;a href=&quot;https://review.whamcloud.com/36908/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://review.whamcloud.com/36908/&lt;/a&gt;&lt;br/&gt;
Subject: &lt;a href=&quot;https://jira.whamcloud.com/browse/LU-13040&quot; title=&quot;BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180&quot; class=&quot;issue-link&quot; data-issue-key=&quot;LU-13040&quot;&gt;&lt;del&gt;LU-13040&lt;/del&gt;&lt;/a&gt; lmv: Pool name string handling&lt;br/&gt;
Project: fs/lustre-release&lt;br/&gt;
Branch: master&lt;br/&gt;
Current Patch Set: &lt;br/&gt;
Commit: 5a798e527b8e852363858bd568f297520a5325fd&lt;/p&gt;</comment>
                            <comment id="264348" author="pjones" created="Sun, 1 Mar 2020 15:49:25 +0000"  >&lt;p&gt;Landed for 2.14&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                            <customfield id="customfield_10890" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10390" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i00q8n:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10090" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10060" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Severity</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10022"><![CDATA[3]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>