https://bugzilla.kernel.org/show_bug.cgi?id=219291

            Bug ID: 219291
           Summary: KASAN: slab-use-after-free in acpi_ps_parse_loop+0x1f40/0x26f0
           Product: ACPI
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ACPICA-Core
          Assignee: acpi_acpica-c...@kernel-bugs.osdl.org
          Reporter: ace...@gmail.com
        Regression: No

Created attachment 306900
  --> https://bugzilla.kernel.org/attachment.cgi?id=306900&action=edit
dmesg + kasan

Mainline kernel: 6.11.0-2004cef11ea0+
Enabled KASAN in the kernel config and found the KASAN error messages.

It looks like the issue happens while parsing the ACPI tables.

[    2.147393] BUG: KASAN: slab-use-after-free in acpi_ps_parse_loop+0x1f40/0x26f0
[    2.147403] Read of size 2 at addr ffff888107eac012 by task swapper/0/1

[    2.147410] CPU: 16 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-2004cef11ea0+ #39
[    2.147415] Hardware name: Dell Inc. Dell Tower E0T2250/, BIOS 0.6.19 07/12/2024
[    2.147420] Call Trace:
[    2.147422]  <TASK>
[    2.147426]  dump_stack_lvl+0x72/0xa0
[    2.147432]  print_report+0xd1/0x670
[    2.147437]  ? _raw_read_unlock_irqrestore+0x60/0x60
[    2.147441]  ? ret_from_fork_asm+0x11/0x20
[    2.147445]  ? kasan_complete_mode_report_info+0x66/0x1c0
[    2.147449]  kasan_report+0xd6/0x110
[    2.147453]  ? acpi_ps_parse_loop+0x1f40/0x26f0
[    2.147456]  ? acpi_ps_parse_loop+0x1f40/0x26f0
[    2.147460]  __asan_report_load2_noabort+0x14/0x20
[    2.147464]  acpi_ps_parse_loop+0x1f40/0x26f0
[    2.147468]  ? acpi_ps_get_next_arg+0x14e0/0x14e0
[    2.147472]  ? acpi_ds_delete_walk_state+0x22d/0x370
[    2.147476]  acpi_ps_parse_aml+0x616/0xf50
[    2.147480]  ? acpi_ut_create_internal_object_dbg+0x1a2/0x240
[    2.147484]  acpi_ps_execute_method+0x52e/0xde0
[    2.147488]  ? acpi_ut_acquire_mutex+0x1a7/0x490
[    2.147492]  acpi_ns_evaluate+0x530/0x14a0
[    2.147496]  acpi_evaluate_object+0x37d/0xca0
[    2.147499]  ? acpi_get_data_full+0xf0/0xf0
[    2.147503]  ? kobject_set_name_vargs+0xb3/0x120
[    2.147507]  acpi_get_physical_device_location+0x8b/0x250
[    2.147512]  ? acpi_handle_list_equal+0x120/0x120
[    2.147516]  acpi_device_add+0x389/0xa10
[    2.147520]  ? acpi_tie_acpi_dev+0x90/0x90
[    2.147523]  ? acpi_scan_check_and_detach+0x240/0x240
[    2.147527]  acpi_add_single_object+0x834/0x1ad0
[    2.147531]  ? acpi_ns_get_node+0x89/0xe0
[    2.147535]  ? acpi_get_handle+0xdf/0x220
[    2.147538]  ? acpi_get_data+0xb0/0xb0
[    2.147541]  ? acpi_init_device_object+0x1e40/0x1e40
[    2.147545]  ? acpi_mipi_check_crs_csi2+0xa6/0x310
[    2.147549]  ? up+0x75/0xc0
[    2.147553]  ? acpi_has_method+0x68/0xa0
[    2.147557]  ? acpi_get_physical_device_location+0x250/0x250
[    2.147561]  acpi_bus_check_add+0x206/0x6e0
[    2.147565]  ? arch_acpi_add_auto_dep+0x10/0x10
[    2.147568]  ? __kasan_check_write+0x14/0x20
[    2.147572]  ? _raw_spin_lock_irqsave+0x96/0x100
[    2.147576]  ? acpi_os_signal_semaphore+0xf4/0x150
[    2.147580]  acpi_bus_check_add_1+0x16/0x20
[    2.147583]  acpi_ns_walk_namespace+0x32a/0x560
[    2.147587]  ? acpi_bus_check_add+0x6e0/0x6e0
[    2.147590]  ? acpi_bus_check_add+0x6e0/0x6e0
[    2.147594]  acpi_walk_namespace+0x158/0x170
[    2.147598]  acpi_bus_scan+0x351/0x400
[    2.147602]  ? acpi_bus_check_add_1+0x20/0x20
[    2.147605]  ? __kasan_check_write+0x14/0x20
[    2.147609]  ? mutex_lock+0x8e/0xe0
[    2.147612]  ? __mutex_lock_slowpath+0x20/0x20
[    2.147616]  ? acpi_get_table+0x13b/0x1d0
[    2.147619]  acpi_scan_init+0x1e5/0x640
[    2.147624]  ? acpi_hest_init+0x9d/0x2d0
[    2.147628]  ? acpi_match_madt+0xa0/0xa0
[    2.147631]  ? acpi_viot_early_init+0x71/0xc0
[    2.147634]  ? viot_get_iommu+0x790/0x790
[    2.147637]  ? acpi_ffh_address_space_arch_handler+0x10/0x10
[    2.147640]  acpi_init+0x406/0xa20
[    2.147644]  ? acpi_sleep_proc_init+0x60/0x60
[    2.147645]  ? vprintk+0x7d/0x100
[    2.147645]  ? _printk+0xbc/0x100
[    2.147645]  ? rng_is_initialized+0x20/0x20
[    2.147645]  ? acpi_sleep_proc_init+0x60/0x60
[    2.147645]  ? acpi_sleep_proc_init+0x60/0x60
[    2.147645]  do_one_initcall+0xae/0x400
[    2.147645]  ? trace_event_raw_event_initcall_level+0x210/0x210
[    2.147645]  ? kernel_init_freeable+0x83c/0xe90
[    2.147645]  ? kasan_poison+0x3a/0x60
[    2.147645]  kernel_init_freeable+0x9aa/0xe90
[    2.147645]  ? rest_init+0x170/0x170
[    2.147645]  kernel_init+0x1f/0x210
[    2.147645]  ret_from_fork+0x40/0x90
[    2.147645]  ? rest_init+0x170/0x170
[    2.147645]  ret_from_fork_asm+0x11/0x20
[    2.147645]  </TASK>

[    2.147645] Allocated by task 1:
[    2.147645]  kasan_save_stack+0x39/0x60
[    2.147645]  kasan_save_track+0x14/0x40
[    2.147645]  kasan_save_alloc_info+0x37/0x50
[    2.147645]  __kasan_slab_alloc+0x95/0xa0
[    2.147645]  kmem_cache_alloc_noprof+0x123/0x3d0
[    2.147645]  acpi_ps_alloc_op+0x220/0x2f0
[    2.147645]  acpi_ps_create_op+0x48f/0xcc0
[    2.147645]  acpi_ps_parse_loop+0x79e/0x26f0
[    2.147645]  acpi_ps_parse_aml+0x616/0xf50
[    2.147645]  acpi_ps_execute_method+0x52e/0xde0
[    2.147645]  acpi_ns_evaluate+0x530/0x14a0
[    2.147645]  acpi_evaluate_object+0x37d/0xca0
[    2.147645]  acpi_get_physical_device_location+0x8b/0x250
[    2.147645]  acpi_device_add+0x389/0xa10
[    2.147645]  acpi_add_single_object+0x834/0x1ad0
[    2.147645]  acpi_bus_check_add+0x206/0x6e0
[    2.147645]  acpi_bus_check_add_1+0x16/0x20
[    2.147645]  acpi_ns_walk_namespace+0x32a/0x560
[    2.147645]  acpi_walk_namespace+0x158/0x170
[    2.147645]  acpi_bus_scan+0x351/0x400
[    2.147645]  acpi_scan_init+0x1e5/0x640
[    2.147645]  acpi_init+0x406/0xa20
[    2.147645]  do_one_initcall+0xae/0x400
[    2.147645]  kernel_init_freeable+0x9aa/0xe90
[    2.147645]  kernel_init+0x1f/0x210
[    2.147645]  ret_from_fork+0x40/0x90
[    2.147645]  ret_from_fork_asm+0x11/0x20

[    2.147645] Freed by task 1:
[    2.147645]  kasan_save_stack+0x39/0x60
[    2.147645]  kasan_save_track+0x14/0x40
[    2.147645]  kasan_save_free_info+0x3b/0x60
[    2.147645]  __kasan_slab_free+0x52/0x70
[    2.147645]  kmem_cache_free+0x1a4/0x560
[    2.147645]  kmem_cache_free+0x1a4/0x560
[    2.147645]  acpi_os_release_object+0xe/0x20
[    2.147645]  acpi_ps_free_op+0xa5/0x200
[    2.147645]  acpi_ps_delete_parse_tree+0x190/0x430
[    2.147645]  acpi_ps_complete_this_op+0x5f3/0xb00
[    2.147645]  acpi_ps_complete_final_op+0x3b8/0x540
[    2.147645]  acpi_ps_parse_loop+0xa68/0x26f0
[    2.147645]  acpi_ps_parse_aml+0x616/0xf50
[    2.147645]  acpi_ps_execute_method+0x52e/0xde0
[    2.147645]  acpi_ns_evaluate+0x530/0x14a0
[    2.147645]  acpi_evaluate_object+0x37d/0xca0
[    2.147645]  acpi_get_physical_device_location+0x8b/0x250
[    2.147645]  acpi_device_add+0x389/0xa10
[    2.147645]  acpi_add_single_object+0x834/0x1ad0
[    2.147645]  acpi_bus_check_add+0x206/0x6e0
[    2.147645]  acpi_bus_check_add_1+0x16/0x20
[    2.147645]  acpi_ns_walk_namespace+0x32a/0x560
[    2.147645]  acpi_walk_namespace+0x158/0x170
[    2.147645]  acpi_bus_scan+0x351/0x400
[    2.147645]  acpi_scan_init+0x1e5/0x640
[    2.147645]  acpi_init+0x406/0xa20
[    2.147645]  do_one_initcall+0xae/0x400
[    2.147645]  kernel_init_freeable+0x9aa/0xe90
[    2.147645]  kernel_init+0x1f/0x210
[    2.147645]  ret_from_fork+0x40/0x90
[    2.147645]  ret_from_fork_asm+0x11/0x20

[    2.147645] The buggy address belongs to the object at ffff888107eac008
                which belongs to the cache Acpi-Parse of size 80
[    2.147645] The buggy address is located 10 bytes inside of
                freed 80-byte region [ffff888107eac008, ffff888107eac058)

[    2.147645] The buggy address belongs to the physical page:
[    2.147645] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x107eac
[    2.147645] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[    2.147645] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[    2.147645] page_type: 0xfdffffff(slab)
[    2.147645] raw: 0017ffffc0000040 ffff888100053840 ffffea00041f9f10 ffffea00041fe310
[    2.147645] raw: 0000000000000000 00000000002a002a 00000001fdffffff 0000000000000000
[    2.147645] head: 0017ffffc0000040 ffff888100053840 ffffea00041f9f10 ffffea00041fe310
[    2.147645] head: 0000000000000000 00000000002a002a 00000001fdffffff 0000000000000000
[    2.147645] head: 0017ffffc0000001 ffffea00041fab01 ffffffffffffffff 0000000000000000
[    2.147645] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[    2.147645] page dumped because: kasan: bad access detected

[    2.147645] Memory state around the buggy address:
[    2.147645]  ffff888107eabf00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[    2.147645]  ffff888107eabf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.147645] >ffff888107eac000: fc fa fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[    2.147645]                          ^
[    2.147645]  ffff888107eac080: fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[    2.147645]  ffff888107eac100: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc

_______________________________________________
acpi-bugzilla mailing list
acpi-bugzilla@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acpi-bugzilla
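
What the report above establishes on its own: the object is an 80-byte Acpi-Parse op allocated by acpi_ps_alloc_op from acpi_ps_create_op inside acpi_ps_parse_loop, freed by the same parse loop through acpi_ps_complete_final_op -> acpi_ps_delete_parse_tree -> acpi_ps_free_op, and then read again (2 bytes at offset 10 of the freed object) by acpi_ps_parse_loop, all while acpi_bus_scan evaluates a method for acpi_get_physical_device_location during boot. The script below is an added triage example, not part of the bug report and not kernel code: it re-derives those figures from the report text and decodes the shadow-memory rows, so a reader can confirm that the address, object base, region size and the "freed" shadow bytes agree before spending time on the ACPICA parser. The sample text is the dmesg excerpt from this report pasted in as a string; the shadow byte meanings are assumed from mm/kasan/kasan.h for generic KASAN with 8-byte granules (0xfa and 0xfb both mark a freed slab object, 0xfa the granule where the free track is kept), and the check names are this script's own.

```python
"""Cross-check a KASAN slab-use-after-free report against itself.

Added example for triage; not part of the bug report and not kernel code.
"""
import re

GRANULE = 8  # generic KASAN: one shadow byte covers 8 bytes of memory

# Shadow-byte meanings assumed from mm/kasan/kasan.h (generic mode).
# Values 0x00-0x07 mean "first N bytes of the granule are addressable".
SHADOW_NAMES = {
    0xfa: "freed slab object (free track stored in this granule)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}
FREED = (0xfa, 0xfb)

# Constructed sample: the key lines of the dmesg excerpt in the report above.
SAMPLE_REPORT = """\
[    2.147393] BUG: KASAN: slab-use-after-free in acpi_ps_parse_loop+0x1f40/0x26f0
[    2.147403] Read of size 2 at addr ffff888107eac012 by task swapper/0/1
[    2.147645] The buggy address belongs to the object at ffff888107eac008
                which belongs to the cache Acpi-Parse of size 80
[    2.147645] The buggy address is located 10 bytes inside of
                freed 80-byte region [ffff888107eac008, ffff888107eac058)
[    2.147645] Memory state around the buggy address:
[    2.147645]  ffff888107eabf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.147645] >ffff888107eac000: fc fa fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[    2.147645]                          ^
[    2.147645]  ffff888107eac080: fc fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
"""

_RE_BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
_RE_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
_RE_OBJECT = re.compile(r"object at ([0-9a-f]+)")
_RE_CACHE = re.compile(r"cache (\S+) of size (\d+)")
_RE_CLAIM = re.compile(r"located (\d+) bytes inside")
_RE_REGION = re.compile(r"\[([0-9a-f]+), ([0-9a-f]+)\)")
# One "Memory state" row: optional '>' marker, 16-hex base, 16 shadow bytes.
_RE_SHADOW = re.compile(
    r"^\[[^\]]*\]\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", re.M)


def parse_report(text):
    """Pull the fields a triager needs out of a KASAN slab report."""
    bug = _RE_BUG.search(text)
    acc = _RE_ACCESS.search(text)
    cache = _RE_CACHE.search(text)
    region = _RE_REGION.search(text)
    return {
        "kind": bug.group(1),
        "func": bug.group(2),
        "access": acc.group(1).lower(),
        "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "obj_base": int(_RE_OBJECT.search(text).group(1), 16),
        "cache": cache.group(1),
        "cache_size": int(cache.group(2)),
        "claimed_offset": int(_RE_CLAIM.search(text).group(1)),
        "region": (int(region.group(1), 16), int(region.group(2), 16)),
        # base address -> list of 16 shadow bytes (each covering 8 bytes)
        "shadow": {int(b, 16): [int(x, 16) for x in row.split()]
                   for b, row in _RE_SHADOW.findall(text)},
    }


def shadow_byte(info, addr):
    """Shadow byte covering addr, or None if that row was not in the dump."""
    for base, row in info["shadow"].items():
        if base <= addr < base + len(row) * GRANULE:
            return row[(addr - base) // GRANULE]
    return None


def check_consistency(info):
    """Re-derive the report's claims; every value should be True."""
    lo, hi = info["region"]
    addr, size = info["addr"], info["size"]
    return {
        "offset_matches_claim": addr - info["obj_base"] == info["claimed_offset"],
        "region_size_matches_cache": hi - lo == info["cache_size"],
        "object_base_is_region_start": info["obj_base"] == lo,
        "access_inside_region": lo <= addr and addr + size <= hi,
        "shadow_says_freed": shadow_byte(info, addr) in FREED,
        "whole_object_freed": all(shadow_byte(info, g) in FREED
                                  for g in range(lo, hi, GRANULE)),
    }


def describe(info):
    """One-line human summary of the faulting access."""
    sb = shadow_byte(info, info["addr"])
    return ("%s: %s of %d bytes at offset %d of %d-byte %s object in %s; "
            "shadow 0x%02x = %s" % (
                info["kind"], info["access"], info["size"],
                info["addr"] - info["obj_base"], info["cache_size"],
                info["cache"], info["func"], sb,
                SHADOW_NAMES.get(sb, "unknown")))


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(describe(report))
    for name, ok in check_consistency(report).items():
        print("%-30s %s" % (name, "ok" if ok else "MISMATCH"))
```

For this report every check passes: the read lands at 0xffff888107eac012 - 0xffff888107eac008 = 10 bytes into the object, the region [..c008, ..c058) is 0x50 = 80 bytes, the ten shadow bytes for those 80 bytes are "fa fb fb fb fb fb fb fb fb fb" (freed), and the byte under the caret is 0xfb. A mismatch in any of these usually means the dmesg was mangled in transit (wrapped rows, dropped lines) rather than a kernel bug, which is worth ruling out before reading the ACPICA parser.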