【标题描述】执行kernel_test kprobe用例(kretprobe data_size=-1)出现KASAN slab-out-of-bounds call trace
【环境信息】
硬件信息:
1) 裸机场景提供出问题的硬件信息;
2) 虚机场景提供虚机XML文件或者配置信息
软件信息:
1) OS版本及分支
2) 内核信息
3) 发现问题的组件版本信息
如果有特殊组网,请提供网络拓扑图
【问题复现步骤】
复现demo:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kprobes.h>
#include <linux/version.h>
/*
 * Per-instance private data size that is handed to register_kretprobe().
 * It is a plain (signed) int module parameter, so a negative value such as
 * "data_size=-1" on the insmod command line is accepted here and only
 * converted when it is stored into rp.data_size, which is a size_t.
 * Permission 0644: world-readable, root-writable under /sys/module.
 */
static int data_size;
module_param(data_size, int, 0644);

/* The single kretprobe this module owns; static storage, so zero-initialised. */
static struct kretprobe rp;
/*
 * Return-probe handler: invoked by the kretprobe trampoline when the probed
 * function returns.  It only logs that it ran; ri and regs are not touched.
 * Returns 0.
 */
static int ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	static const char who[] = "ret_handler";

	printk(KERN_DEBUG "%s\n", who);
	return 0;
}
/*
 * Entry handler: invoked when the probed function is entered, before the
 * return address is redirected to the trampoline.  It only logs; ri->data
 * is never written even though data_size bytes were requested for it.
 * Returns 0 (per the kprobes documentation, a non-zero return would tell
 * the kernel to skip the return probe for this call).
 */
static int entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	static const char who[] = "entry_handler";

	printk(KERN_DEBUG "%s\n", who);
	return 0;
}
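/*
 * Module init: resolve the probe target, fill in the kretprobe and register
 * it.  Returns 0 on success, otherwise a negative errno (the kernel's own
 * error code from register_kretprobe(), or -ENOENT when the symbol lookup
 * fails) so that insmod reports a meaningful reason instead of -1/EPERM.
 *
 * This is a reproducer: data_size is deliberately passed through unchecked
 * (see the comment at the assignment below) to show that the kernel does
 * not validate it.
 */
static int __init kretprobe_init(void)
{
	int ret;

	/*
	 * sizeof(struct kretprobe_instance) - 1 is printed because, with
	 * data_size=-1, that is the size the kernel ends up allocating for
	 * each instance (see below).  %zu is the correct specifier for size_t.
	 */
	printk(KERN_DEBUG "size = %zu\n", sizeof(struct kretprobe_instance) - 1);

	/* do_fork() was renamed _do_fork() in 4.2; pick the name for this kernel. */
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,2,0)
	rp.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("_do_fork");
#else
	rp.kp.addr = (kprobe_opcode_t *)kallsyms_lookup_name("do_fork");
#endif
	/*
	 * kallsyms_lookup_name() returns 0 when the symbol does not exist
	 * (e.g. on kernels where the fork entry point has been renamed again).
	 * Fail explicitly here rather than letting register_kretprobe()
	 * reject a NULL address with a less specific error.
	 */
	if (!rp.kp.addr) {
		printk(KERN_DEBUG "kallsyms_lookup_name: probe target not found\n");
		return -ENOENT;
	}

	rp.handler = ret_handler;
	rp.entry_handler = entry_handler;

	/*
	 * rp.data_size is a size_t.  Assigning a negative int wraps it to
	 * SIZE_MAX, and the kernel's per-instance allocation
	 * (sizeof(struct kretprobe_instance) + data_size) then wraps back to
	 * sizeof(struct kretprobe_instance) - 1: one byte short of the
	 * instance header itself.  On kernels that do not bound data_size
	 * (later mainline kernels reject values above KRETPROBE_MAX_DATA_SIZE
	 * with -E2BIG) this is the trigger for the slab-out-of-bounds the
	 * report reproduces.  A production module must reject data_size < 0
	 * and implausibly large values before calling register_kretprobe().
	 */
	if (data_size < 0)
		printk(KERN_DEBUG "data_size=%d is negative: passing a wrapped size_t to register_kretprobe() on purpose\n",
		       data_size);
	rp.data_size = data_size;
	rp.maxactive = 1;

	ret = register_kretprobe(&rp);
	if (ret < 0) {
		printk(KERN_DEBUG "register_kretprobe failed, returned %d\n", ret);
		/* propagate the real errno; "return -1" would surface as EPERM */
		return ret;
	}
	printk(KERN_DEBUG "register_kretprobe pass\n");
	return 0;
}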
/*
 * Module teardown: unregister the kretprobe so no further handler runs,
 * then log that it is gone.
 */
static void __exit kretprobe_exit(void)
{
	struct kretprobe *probe = &rp;

	unregister_kretprobe(probe);
	printk(KERN_DEBUG "kretprobe unregistered\n");
}
/* The kprobes API and kallsyms_lookup_name() are GPL-only exports. */
MODULE_LICENSE("GPL");
module_init(kretprobe_init)
module_exit(kretprobe_exit)
Build the module against the target kernel and load it with a negative data_size (the trace below is from a 4.1.46 kernel, which takes the `do_fork` branch of the symbol lookup):
sudo insmod testRegKretprobe.ko data_size=-1
出现概率: 从日志看为必现 — 注册后每次探测命中都访问同一越界地址,下方连续出现多次 KASAN 报告。
【预期结果】
register_kretprobe() 应拒绝非法的 data_size(负值 / 回绕后超大的 size_t),返回错误码,模块加载失败。
【实际结果】
register_kretprobe() 接受了 data_size=-1 并注册成功。
随后每次探测命中时 KASAN 报告 slab-out-of-bounds:trampoline_probe_handler 的 8 字节读和 pre_handler_kretprobe 的 8 字节写都落在 kretprobe_instance 对象(0xffff8001af47d680)偏移 0x20 处,而 shadow 显示该对象实际只分配了 39 字节(00 00 00 00 07)。这与 data_size=-1 赋给 size_t 后回绕、使 per-instance 分配尺寸变成 sizeof(struct kretprobe_instance)-1 的推断一致:内核对 data_size 既没有符号校验也没有上限校验,导致内存越界访问。
【附件信息】
Actual results (现象):
[ 1277.862412] ==================================================================
[ 1277.863463] BUG: KASAN: slab-out-of-bounds in trampoline_probe_handler+0xb4/0x2f0 at addr ffff8001af47d6a0
[ 1277.872612] Read of size 8 by task sh/1910
[ 1277.873212] =============================================================================
[ 1277.874289] BUG kmalloc-64 (Tainted: G B OE ): kasan: bad access detected
[ 1277.875212] -----------------------------------------------------------------------------
[ 1277.875212]
[ 1277.881592] INFO: Allocated in register_kretprobe+0x12c/0x350 age=11445 cpu=6 pid=1912
[ 1277.882730] alloc_debug_processing+0x18c/0x1a0
[ 1277.883491] __slab_alloc+0x52c/0x560
[ 1277.886165] __kmalloc+0x254/0x2e0
[ 1277.886827] register_kretprobe+0x12c/0x350
[ 1277.887469] 0xffff7ffffc090050
[ 1277.888076] do_one_initcall+0x120/0x260
[ 1277.892827] do_init_module+0xf0/0x288
[ 1277.893495] load_module+0x1834/0x1b60
[ 1277.894166] SyS_init_module+0x164/0x1e0
[ 1277.894835] el0_svc_naked+0x20/0x24
[ 1277.895548] INFO: Freed in do_one_initcall+0x110/0x260 age=11463 cpu=6 pid=1912
[ 1277.896589] free_debug_processing+0x1d4/0x2c0
[ 1277.897336] __slab_free+0x240/0x390
[ 1277.897994] kfree+0x1cc/0x1e0
[ 1277.898593] do_one_initcall+0x110/0x260
[ 1277.899280] do_init_module+0xf0/0x288
[ 1277.899944] load_module+0x1834/0x1b60
[ 1277.900601] SyS_init_module+0x164/0x1e0
[ 1277.901269] el0_svc_naked+0x20/0x24
[ 1277.901920] INFO: Slab 0xffff7bffc6bd1f00 objects=21 used=11 fp=0xffff8001af47c900 flags=0xffff00000004080
[ 1277.903141] INFO: Object 0xffff8001af47d680 @offset=5760 fp=0x (null)
[ 1277.903141]
[ 1277.904383] Bytes b4 ffff8001af47d670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1277.905603] Object ffff8001af47d680: 00 00 00 00 00 00 00 00 48 e4 82 01 00 80 ff ff ........H.......
[ 1277.906810] Object ffff8001af47d690: e8 83 08 fc ff 7f ff ff 20 88 0e 00 00 80 ff ff ........ .......
[ 1277.908012] Object ffff8001af47d6a0: 80 a8 a1 b0 01 80 ff ff 00 00 00 00 00 00 00 00 ................
[ 1277.909220] Object ffff8001af47d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1277.910457] Padding ffff8001af47d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1277.911696] CPU: 2 PID: 1910 Comm: sh Tainted: G B OE 4.1.46 #8
[ 1277.911858] Hardware name: linux,dummy-virt (DT)
[ 1277.911990] Call trace:
[ 1277.912587] [<ffff80000008d2a0>] dump_backtrace+0x0/0x220
[ 1277.912897] [<ffff80000008d4e0>] show_stack+0x20/0x30
[ 1277.913195] [<ffff800000ff2278>] dump_stack+0xa8/0xcc
[ 1277.913499] [<ffff8000002dc6c8>] print_trailer+0xf8/0x160
[ 1277.913807] [<ffff8000002e20d8>] object_err+0x48/0x60
[ 1277.914077] [<ffff8000002e48dc>] kasan_report+0x26c/0x5a0
[ 1277.914404] [<ffff8000002e39a0>] __asan_load8+0x60/0x80
[ 1277.914708] [<ffff800001000054>] trampoline_probe_handler+0xb4/0x2f0
[ 1277.914999] [<ffff800000ffff38>] kretprobe_trampoline+0x54/0xbc
[ 1277.915144] Memory state around the buggy address:
[ 1277.915898] ffff8001af47d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.916875] ffff8001af47d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.917852] >ffff8001af47d680: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
[ 1277.918752] ^
[ 1277.919451] ffff8001af47d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.920433] ffff8001af47d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1277.921312] ==================================================================
[ 1277.922198] ret_handler
[ 1281.525417] ==================================================================
[ 1281.526507] BUG: KASAN: slab-out-of-bounds in pre_handler_kretprobe+0x10c/0x2e0 at addr ffff8001af47d6a0
[ 1281.527523] Write of size 8 by task sh/1910
[ 1281.528033] =============================================================================
[ 1281.529885] BUG kmalloc-64 (Tainted: G B OE ): kasan: bad access detected
[ 1281.530826] -----------------------------------------------------------------------------
[ 1281.530826]
[ 1281.534390] INFO: Allocated in register_kretprobe+0x12c/0x350 age=12358 cpu=6 pid=1912
[ 1281.535519] alloc_debug_processing+0x18c/0x1a0
[ 1281.538353] __slab_alloc+0x52c/0x560
[ 1281.539037] __kmalloc+0x254/0x2e0
[ 1281.539688] register_kretprobe+0x12c/0x350
[ 1281.543986] 0xffff7ffffc090050
[ 1281.545285] do_one_initcall+0x120/0x260
[ 1281.545989] do_init_module+0xf0/0x288
[ 1281.546664] load_module+0x1834/0x1b60
[ 1281.547329] SyS_init_module+0x164/0x1e0
[ 1281.547994] el0_svc_naked+0x20/0x24
[ 1281.551980] INFO: Freed in do_one_initcall+0x110/0x260 age=12375 cpu=6 pid=1912
[ 1281.557086] free_debug_processing+0x1d4/0x2c0
[ 1281.557846] __slab_free+0x240/0x390
[ 1281.558519] kfree+0x1cc/0x1e0
[ 1281.559115] do_one_initcall+0x110/0x260
[ 1281.559808] do_init_module+0xf0/0x288
[ 1281.560469] load_module+0x1834/0x1b60
[ 1281.561130] SyS_init_module+0x164/0x1e0
[ 1281.561795] el0_svc_naked+0x20/0x24
[ 1281.562450] INFO: Slab 0xffff7bffc6bd1f00 objects=21 used=10 fp=0xffff8001af47c900 flags=0xffff00000004080
[ 1281.563646] INFO: Object 0xffff8001af47d680 @offset=5760 fp=0xdead000000000100
[ 1281.563646]
[ 1281.564885] Bytes b4 ffff8001af47d670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1281.566102] Object ffff8001af47d680: 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................
[ 1281.567308] Object ffff8001af47d690: e8 83 08 fc ff 7f ff ff 20 88 0e 00 00 80 ff ff ........ .......
[ 1281.568515] Object ffff8001af47d6a0: 80 a8 a1 b0 01 80 ff ff 00 00 00 00 00 00 00 00 ................
[ 1281.569725] Object ffff8001af47d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1281.570948] Padding ffff8001af47d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1281.572197] CPU: 4 PID: 1910 Comm: sh Tainted: G B OE 4.1.46 #8
[ 1281.572361] Hardware name: linux,dummy-virt (DT)
[ 1281.572497] Call trace:
[ 1281.573095] [<ffff80000008d2a0>] dump_backtrace+0x0/0x220
[ 1281.573409] [<ffff80000008d4e0>] show_stack+0x20/0x30
[ 1281.573713] [<ffff800000ff2278>] dump_stack+0xa8/0xcc
[ 1281.574021] [<ffff8000002dc6c8>] print_trailer+0xf8/0x160
[ 1281.574349] [<ffff8000002e20d8>] object_err+0x48/0x60
[ 1281.574628] [<ffff8000002e48dc>] kasan_report+0x26c/0x5a0
[ 1281.574950] [<ffff8000002e3a20>] __asan_store8+0x60/0x80
[ 1281.575261] [<ffff8000001d7edc>] pre_handler_kretprobe+0x10c/0x2e0
[ 1281.575548] [<ffff800000fff8bc>] kprobe_handler+0x12c/0x290
[ 1281.575844] [<ffff800000fffba8>] kprobe_breakpoint_handler+0x18/0x30
[ 1281.576130] [<ffff8000000865c0>] brk_handler+0x80/0xa0
[ 1281.576402] [<ffff80000008257c>] do_debug_exception+0x7c/0x120
[ 1281.576619] Exception stack(0xffff8001af4a7d60 to 0xffff8001af4a7ea0)
[ 1281.576906] 7d60: 0000000001200011 0000000000000000 0000000000000000 0000000000000000
[ 1281.577207] 7d80: 0000ffffaf5540d0 0000ffffaf554000 0000000000000000 0000ffffaf5546f0
[ 1281.577495] 7da0: 00000000000000dc ffff80000008471c 0000000000000776 0000000000000025
[ 1281.577797] 7dc0: 0000000000000028 ffffffffffffffff ffffffffffffffff 0000ffffaf35622c
[ 1281.578090] 7de0: ffff8000000e8800 0000ffffaf3ef670 0000000000000000 0000000000000000
[ 1281.578408] 7e00: 0000ffffd1f191e0 ffffffffffffffff 0000ffffaf3ef714 0000000060000000
[ 1281.578699] 7e20: 0000000000000015 000000000000011a 00000000000000dc ffff80000100d000
[ 1281.579014] 7e40: ffff8001af4a4000 ffff8001af4a7ea0 ffff8000000e8820 ffff8001af4a7ea0
[ 1281.579308] 7e60: ffff8000000e8270 0000000080000145 0000000000000000 000000005632cbd4
[ 1281.579593] 7e80: 0000000000000000 000000000000006d 0001000000000000 0000000000001000
[ 1281.579848] [<ffff800000083ed4>] el1_dbg+0x18/0x8c
[ 1281.579993] Memory state around the buggy address:
[ 1281.580757] ffff8001af47d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.581738] ffff8001af47d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.582734] >ffff8001af47d680: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
[ 1281.583629] ^
[ 1281.584322] ffff8001af47d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.585302] ffff8001af47d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1281.586189] ==================================================================
[ 1281.587066] entry_handler
[ 1281.915832] ==================================================================
[ 1281.925612] BUG: KASAN: slab-out-of-bounds in trampoline_probe_handler+0xb4/0x2f0 at addr ffff8001af47d6a0
[ 1281.926840] Read of size 8 by task sh/1910
[ 1281.927431] =============================================================================
[ 1281.929215] BUG kmalloc-64 (Tainted: G B OE ): kasan: bad access detected
[ 1281.930152] -----------------------------------------------------------------------------
[ 1281.930152]
[ 1281.931576] INFO: Allocated in register_kretprobe+0x12c/0x350 age=12457 cpu=6 pid=1912
[ 1281.935773] alloc_debug_processing+0x18c/0x1a0
[ 1281.938018] __slab_alloc+0x52c/0x560
[ 1281.938704] __kmalloc+0x254/0x2e0
[ 1281.939357] register_kretprobe+0x12c/0x350
[ 1281.940006] 0xffff7ffffc090050
[ 1281.943904] do_one_initcall+0x120/0x260
[ 1281.947826] do_init_module+0xf0/0x288
[ 1281.951691] load_module+0x1834/0x1b60
[ 1281.955572] SyS_init_module+0x164/0x1e0
[ 1281.959596] el0_svc_naked+0x20/0x24
[ 1281.963545] INFO: Freed in do_one_initcall+0x110/0x260 age=12475 cpu=6 pid=1912
[ 1281.967837] free_debug_processing+0x1d4/0x2c0
[ 1281.971839] __slab_free+0x240/0x390
[ 1281.975746] kfree+0x1cc/0x1e0
[ 1281.979615] do_one_initcall+0x110/0x260
[ 1281.981107] do_init_module+0xf0/0x288
[ 1281.981778] load_module+0x1834/0x1b60
[ 1281.982453] SyS_init_module+0x164/0x1e0
[ 1281.983122] el0_svc_naked+0x20/0x24
[ 1281.983770] INFO: Slab 0xffff7bffc6bd1f00 objects=21 used=10 fp=0xffff8001af47c900 flags=0xffff00000004080
[ 1281.991427] INFO: Object 0xffff8001af47d680 @offset=5760 fp=0x (null)
[ 1281.991427]
[ 1281.995948] Bytes b4 ffff8001af47d670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1281.997957] Object ffff8001af47d680: 00 00 00 00 00 00 00 00 48 e4 82 01 00 80 ff ff ........H.......
[ 1281.999174] Object ffff8001af47d690: e8 83 08 fc ff 7f ff ff 20 88 0e 00 00 80 ff ff ........ .......
[ 1282.003618] Object ffff8001af47d6a0: 80 a8 a1 b0 01 80 ff ff 00 00 00 00 00 00 00 00 ................
[ 1282.008069] Object ffff8001af47d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1282.015983] Padding ffff8001af47d7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 1282.022380] CPU: 4 PID: 1910 Comm: sh Tainted: G B OE 4.1.46 #8
[ 1282.022542] Hardware name: linux,dummy-virt (DT)
[ 1282.022674] Call trace:
[ 1282.023286] [<ffff80000008d2a0>] dump_backtrace+0x0/0x220
[ 1282.023597] [<ffff80000008d4e0>] show_stack+0x20/0x30
[ 1282.023894] [<ffff800000ff2278>] dump_stack+0xa8/0xcc
[ 1282.028262] [<ffff8000002dc6c8>] print_trailer+0xf8/0x160
[ 1282.028580] [<ffff8000002e20d8>] object_err+0x48/0x60
[ 1282.028853] [<ffff8000002e48dc>] kasan_report+0x26c/0x5a0
[ 1282.029172] [<ffff8000002e39a0>] __asan_load8+0x60/0x80
[ 1282.029483] [<ffff800001000054>] trampoline_probe_handler+0xb4/0x2f0
[ 1282.029777] [<ffff800000ffff38>] kretprobe_trampoline+0x54/0xbc
[ 1282.029922] Memory state around the buggy address:
[ 1282.030697] ffff8001af47d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.031683] ffff8001af47d600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.032666] >ffff8001af47d680: 00 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc
[ 1282.033561] ^
[ 1282.034266] ffff8001af47d700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.035246] ffff8001af47d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1282.036123] ==================================================================
[ 1282.037007] ret_handler
[ 1283.715570] kretprobe unregister
您好,请问一下您的复现步骤是什么样的,kallsyms_lookup_name("_do_fork")的返回值一直为0,因为内核中并没有_do_fork函数的函数地址,所以在register_kretprobe时直接会返回-EINVAL,并未出现越界的情况;还有就是这个问题是偶现还是必现的?