
KASAN: stack-out-of-bounds in tfw_ctlfn_state_io() #2551

@krizhanovsky

Description

@krizhanovsky

Caught the warning only once on master as of b0a65b5, during `./scripts/tempesta.sh --stop`, after sending several requests like the following and then several hours of inactivity:

wget http://192.168.1.1
wget http://192.168.1.1
wget http://192.168.1.1//xmlrpc.php
wget http://192.168.1.1//xmlrpc.php
wget http://192.168.100.4//xmlrpc.php
wget https://192.168.100.4//xmlrpc.php
wget http://192.168.100.4//xmlrpc.php
wget http://192.168.100.4/xmlrpc.php
wget http://192.168.100.4/xmlrc.php
wget http://192.168.100.4/
curl -i -H 'Host: tempesta-tech.com' http://192.168.100.4/
curl -i -H 'Host: tempesta-tech.com' http://192.168.100.4/xmlrpc.php
curl -i -H 'Host: tempesta-tech.com' http://192.168.100.4/xmlrc.php
curl -i -H 'Host: tempesta-tech.com' http://192.168.100.4////xmlrpc.php
curl -i -H 'Host: tempesta-tech.com' http://192.168.100.4////xmlrpc.php?rsd
curl -i -H 'Host: tempesta-tech.com' https://192.168.100.4////xmlrpc.php?rsd
curl -v -k --http2 -i -H 'Host: tempesta-tech.com' https://192.168.100.4////xmlrpc.php?rsd
curl -v -k --http2 -i -H 'Host: tempesta-tech.com' https://192.168.100.4/
[31040.787834] [tempesta fw] Warning: Invalid ipv6 header in skb
[31041.789299] [tempesta fw] Warning: Invalid ipv6 header in skb
[31041.789328] [tempesta fw] Warning: Invalid ipv6 header in skb
[31043.791540] [tempesta fw] Warning: Invalid ipv6 header in skb
[31043.791594] [tempesta fw] Warning: Invalid ipv6 header in skb
[32092.194559] [tempesta fw] Warning: Invalid ipv6 header in skb
[32092.194598] [tempesta fw] Warning: Invalid ipv6 header in skb
[33324.051653] loop6: detected capacity change from 0 to 130608
[33324.055956] squashfs: SQUASHFS error: Xattrs in filesystem, these will be ignored
[33324.056843] unable to read xattr id index table
[33325.258365] loop7: detected capacity change from 0 to 151368
[33325.264625] squashfs: SQUASHFS error: Xattrs in filesystem, these will be ignored
[33325.265780] unable to read xattr id index table
[33329.672311] loop0: detected capacity change from 0 to 242568
[33966.149701] kworker/u16:2 (9620) used greatest stack depth: 23416 bytes left
[35281.318824] ==================================================================
[35281.319837] BUG: KASAN: stack-out-of-bounds in strlen+0x23/0x40
[35281.320874] Read of size 1 at addr ffffc90008bbfb78 by task sysctl/11000
[35281.322195] 
[35281.322905] CPU: 1 UID: 0 PID: 11000 Comm: sysctl Kdump: loaded Tainted: G           O       6.12.12-dbg+ #5
[35281.324046] Tainted: [O]=OOT_MODULE
[35281.324929] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[35281.326149] Call Trace:
[35281.326921]  <TASK>
[35281.327720]  dump_stack_lvl+0x53/0x70
[35281.328590]  print_address_description.constprop.0+0x30/0x410
[35281.329592]  ? irq_work_claim+0x1e/0x40
[35281.330530]  ? strlen+0x23/0x40
[35281.331380]  print_report+0xad/0x250
[35281.332288]  ? __virt_addr_valid+0x4b/0x170
[35281.333236]  ? kasan_addr_to_slab+0xd/0xa0
[35281.334213]  ? strlen+0x23/0x40
[35281.335115]  kasan_report+0xaf/0xe0
[35281.336074]  ? strlen+0x23/0x40
[35281.336975]  strlen+0x23/0x40
[35281.337894]  proc_dostring+0x1d3/0x220
[35281.338871]  tfw_ctlfn_state_io+0x1c0/0x3c0 [tempesta_fw]
[35281.340068]  ? __pfx_tfw_ctlfn_state_io+0x10/0x10 [tempesta_fw]
[35281.341319]  ? __pfx_tfw_ctlfn_state_io+0x10/0x10 [tempesta_fw]
[35281.342534]  ? set_track_prepare+0x45/0x70
[35281.343600]  ? __kmalloc_node_noprof+0x34d/0x430
[35281.344683]  ? kasan_save_track+0x14/0x30
[35281.345748]  ? __kasan_kmalloc+0x8f/0xa0
[35281.347287]  ? check_heap_object+0xc1/0x280
[35281.348378]  ? 0xffffffffbb200000
[35281.349421]  ? __check_object_size.part.0+0xc0/0x180
[35281.350591]  proc_sys_call_handler+0x285/0x360
[35281.351726]  ? __pfx_proc_sys_call_handler+0x10/0x10
[35281.352918]  ? security_file_permission+0x55/0x80
[35281.354106]  ? __pfx_proc_sys_write+0x10/0x10
[35281.355353]  vfs_write+0x3d7/0x690
[35281.356567]  ? __pfx_vfs_write+0x10/0x10
[35281.357842]  ? fdget_pos+0x1e6/0x220
[35281.359042]  ksys_write+0xbc/0x160
[35281.360293]  ? __pfx_ksys_write+0x10/0x10
[35281.361553]  ? up_read+0x1a/0x90
[35281.362793]  ? do_user_addr_fault+0x366/0x6f0
[35281.364130]  do_syscall_64+0x4b/0x110
[35281.365357]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[35281.366683] RIP: 0033:0x7fda4eb1c5a4
[35281.367922] Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
[35281.371013] RSP: 002b:00007fff83370448 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[35281.372511] RAX: ffffffffffffffda RBX: 00005576101f36a0 RCX: 00007fda4eb1c5a4
[35281.374010] RDX: 0000000000000005 RSI: 00005576101f1570 RDI: 0000000000000004
[35281.375528] RBP: 00007fff83370480 R08: 0000000000000000 R09: 0000000000000000
[35281.377504] R10: 0000000000000001 R11: 0000000000000202 R12: 00005576101f1530
[35281.378870] R13: 0000000000000005 R14: 00007fda4ec02420 R15: 00007fda4ec01ee0
[35281.380461]  </TASK>
[35281.382078] 
[35281.383600] The buggy address belongs to stack of task sysctl/11000
[35281.385538]  and is located at offset 160 in frame:
[35281.387674]  tfw_ctlfn_state_io+0x0/0x3c0 [tempesta_fw]
[35281.389602] 
[35281.391139] This frame has 5 objects:
[35281.392894]  [32, 88) 'tmp'
[35281.392899]  [128, 160) 'buf'
[35281.394530]  [192, 224) 'start'
[35281.396144]  [256, 288) 'stop'
[35281.397840]  [320, 352) 'start_fail_reconfig'
[35281.399425] 
[35281.402627] The buggy address belongs to the virtual mapping at
[35281.402627]  [ffffc90008bb8000, ffffc90008bc1000) created by:
[35281.402627]  copy_process+0x273/0x23c0
[35281.408086] 
[35281.409667] The buggy address belongs to the physical page:
[35281.411631] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888100000000 pfn:0x114458
[35281.413902] memcg:ffff888110e20e02
[35281.415731] flags: 0x2fff80000000000(node=0|zone=2|lastcpupid=0x1fff)
[35281.418309] raw: 02fff80000000000 0000000000000000 dead000000000122 0000000000000000
[35281.420468] raw: ffff888100000000 0000000000000000 00000001ffffffff ffff888110e20e02
[35281.422562] page dumped because: kasan: bad access detected
[35281.424557] 
[35281.426274] Memory state around the buggy address:
[35281.428462]  ffffc90008bbfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[35281.430622]  ffffc90008bbfa80: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
[35281.432805] >ffffc90008bbfb00: 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 f2
[35281.435044]                                                                 ^
[35281.437245]  ffffc90008bbfb80: f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2
[35281.439399]  ffffc90008bbfc00: f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00
[35281.441521] ==================================================================
[35281.443908] Disabling lock debugging due to kernel taint
[35281.772997] [tdb] Close table 'client0.tdb'
[35281.856824] [tdb] Close table 'sessions0.tdb'
[35283.196050] [tdb] Close table 'cache0.tdb'
[35283.342612] [tdb] Close table 'filter0.tdb'
[35283.347333] [tempesta fw] modules are stopped
[35284.618135] [tempesta fw] exiting...
[35285.333080] [tdb] Shutdown Tempesta DB

Tempesta FW config:

cache 2;
cache_fulfill * *;
cache_methods GET HEAD;
cache_ttl 3600;

listen 192.168.100.4:443 proto=h2;
#listen 192.168.100.4:443 proto=https;
listen 192.168.100.4:80;

srv_group default {
        #server 10.245.18.215:80;
	server 192.168.100.4:8000;
}

tls_certificate /root/tempesta/etc/tfw-root.crt;
tls_certificate_key /root/tempesta/etc/tfw-root.key;
tls_match_any_server_name;

#tls_certificate /home/tempesta/fullchain.pem;
#tls_certificate_key /home/tempesta/privkey.pem;
req_hdr_add X-Forwarded-Proto "https";
resp_hdr_set Strict-Transport-Security "max-age=31536000; includeSubDomains";

vhost default {
        resp_hdr_set Cache-Control;
        nonidempotent GET * *;
        nonidempotent HEAD * *;
        nonidempotent POST * *;
        proxy_pass default;
}

frang_limits {
#        request_rate 200;
        http_method_override_allowed true;
        http_methods post put get;
}

#cache_purge;
#cache_purge_acl 3.72.94.204 127.0.0.1;

access_log dmesg mmap logger_config=/root/tempesta/etc/tfw_logger.json;

block_action attack reply;
block_action error reply;

http_chain {

        # Set cache_ttl for specific locations
        uri == "/blog/*" -> cache_ttl = 1;
        uri == "/knowledge-base/*" -> cache_ttl = 600;

	uri == "*/xmlrpc.php" -> block;

        # Set Security
#        mark == 23 -> default;
        -> default;
}

Kernel config

linux-config.txt
