[BUG] RISC-V: KASAN out-of-bounds read in walk_stackframe() when reading /proc/self/stack
许佳凯
xujiakai24 at mails.ucas.ac.cn
Sun Oct 19 23:11:03 PDT 2025
Hi RISC-V maintainers,
During fuzz testing with KASAN enabled, we observed an out-of-bounds read reported in `walk_stackframe()` when reading from `/proc/self/stack`. It appears that this may not be a true memory corruption issue, but rather a KASAN false positive similar to the one fixed on x86 by commit 84936118bdf37bda513d4a361c38181a216427e0 (“x86/unwind: Disable KASAN checks for non-current tasks”).
The referenced commit is:
commit 84936118bdf37bda513d4a361c38181a216427e0
Author: Josh Poimboeuf <jpoimboe at kernel.org>
Date: Mon Jan 9 12:00:23 2017 -0600
x86/unwind: Disable KASAN checks for non-current tasks
There are a handful of callers to save_stack_trace_tsk() and
show_stack() which try to unwind the stack of a task other than current.
In such cases, it's remotely possible that the task is running on one
CPU while the unwinder is reading its stack from another CPU, causing
the unwinder to see stack corruption.
These cases seem to be mostly harmless. The unwinder has checks which
prevent it from following bad pointers beyond the bounds of the stack.
So it's not really a bug as long as the caller understands that
unwinding another task will not always succeed.
In such cases, it's possible that the unwinder may read a KASAN-poisoned
region of the stack. Account for that by using READ_ONCE_NOCHECK() when
reading the stack of another task.
Use READ_ONCE() when reading the stack of the current task, since KASAN
warnings can still be useful for finding bugs in that case.
Reported-by: Dmitry Vyukov <dvyukov at google.com>
Signed-off-by: Josh Poimboeuf <jpoimboe at redhat.com>
Cc: Andy Lutomirski <luto at amacapital.net>
Cc: Andy Lutomirski <luto at kernel.org>
Cc: Borislav Petkov <bp at alien8.de>
Cc: Brian Gerst <brgerst at gmail.com>
Cc: Dave Jones <davej at codemonkey.org.uk>
Cc: Denys Vlasenko <dvlasenk at redhat.com>
Cc: H. Peter Anvin <hpa at zytor.com>
Cc: Linus Torvalds <torvalds at linux-foundation.org>
Cc: Miroslav Benes <mbenes at suse.cz>
Cc: Peter Zijlstra <peterz at infradead.org>
Cc: Thomas Gleixner <tglx at linutronix.de>
Link: http://lkml.kernel.org/r/4c575eb288ba9f73d498dfe0acde2f58674598f1.1483978430.git.jpoimboe@redhat.com
Signed-off-by: Ingo Molnar <mingo at kernel.org>
- The crash was successfully reproduced on the upstream Linux kernel version 6.16, specifically at commit 038d61fd642278bab63ee8ef722c50d10ab01e8f.
- The kernel was built with the accompanying configuration file (see attachment: .config), which includes the necessary KASAN options to detect this issue.
- We have provided a reliable C reproducer program (repro.cprog attached) to trigger this bug. Additional diagnostic information, including full kernel logs and system context, can be found in the attached files log0, report0, and machineInfo0.
Thank you for your attention to this matter.
Attachments (non-text, scrubbed by the list archive):
- config (application/octet-stream, 224634 bytes): http://lists.infradead.org/pipermail/linux-riscv/attachments/20251020/c0a0e661/attachment.obj
- log0 (application/octet-stream, 98061 bytes): http://lists.infradead.org/pipermail/linux-riscv/attachments/20251020/c0a0e661/attachment-0001.obj
- machineInfo0 (application/octet-stream, 1141 bytes): http://lists.infradead.org/pipermail/linux-riscv/attachments/20251020/c0a0e661/attachment-0002.obj
- report0 (application/octet-stream, 3319 bytes): http://lists.infradead.org/pipermail/linux-riscv/attachments/20251020/c0a0e661/attachment-0003.obj
- repro.cprog (application/octet-stream, 26831 bytes): http://lists.infradead.org/pipermail/linux-riscv/attachments/20251020/c0a0e661/attachment-0004.obj
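As an added illustration (not part of the report above, of the referenced x86 commit, or of the kernel tree), the following user-space C model shows the two mechanisms the commit message relies on: the bounds and alignment check that stops a frame-pointer walk before it follows a bad pointer off the task's stack, and the choice between a KASAN-checked read (READ_ONCE) when unwinding the current task and an unchecked read (READ_ONCE_NOCHECK) when unwinding another task that may be running elsewhere. The frame-record layout, the names walk_frames, build_chain and run_walk, the per-word poison map standing in for KASAN shadow memory, and the sample return addresses are all assumptions of this example and are not arch/riscv code; it assumes an LP64 host.

```c
/* Added example: a user-space model of a frame-pointer unwinder, not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 64   /* constructed task stack of 64 machine words (LP64 assumed) */

/* Frame record, RISC-V convention: caller's fp and ra sit just below the callee's fp. */
struct stackframe { unsigned long fp; unsigned long ra; };
struct task {
	unsigned long stack[STACK_WORDS];
	bool poisoned[STACK_WORDS];   /* stand-in for KASAN shadow memory */
	bool is_current;
};
static int kasan_reports;         /* checked reads that hit a poisoned word */

/* Model of READ_ONCE(): the load is instrumented and poison is reported. */
static unsigned long read_once(const struct task *t, const unsigned long *p)
{
	if (t->poisoned[p - t->stack])
		kasan_reports++;
	return *(const volatile unsigned long *)p;
}

/* Model of READ_ONCE_NOCHECK(): the same load with no instrumentation. */
static unsigned long read_once_nocheck(const unsigned long *p) { return *(const volatile unsigned long *)p; }

/* Walk the frame chain of t from (fp, sp) into out[]; returns entries stored.
 * A record [fp-16, fp) is read only if it lies inside [sp, top) and fp is 8-byte
 * aligned, so a bad fp ends the walk instead of being followed off the stack;
 * fp >= sp+16 also forces the walk upward, which stops cycles. */
static int walk_frames(const struct task *t, unsigned long fp, unsigned long sp,
		       unsigned long *out, int max)
{
	unsigned long top = (unsigned long)&t->stack[STACK_WORDS];
	int n = 0;
	while (n < max) {
		unsigned long low = sp + sizeof(struct stackframe), next_fp, ra;
		const struct stackframe *frame;
		if (fp < low || fp > top || (fp & 0x7))
			break;
		frame = (const struct stackframe *)fp - 1;
		if (t->is_current) {      /* own stack: keep the KASAN checks */
			next_fp = read_once(t, &frame->fp);
			ra = read_once(t, &frame->ra);
		} else {                  /* another task may be running: skip them */
			next_fp = read_once_nocheck(&frame->fp);
			ra = read_once_nocheck(&frame->ra);
		}
		if (ra == 0)
			break;                /* zeroed sentinel record: outermost frame */
		out[n++] = ra;
		sp = fp;
		fp = next_fp;
	}
	return n;
}

/* Lay out depth frame records (return addresses ras[]) at the top of t's stack plus a
 * zeroed sentinel. Record i is at word STACK_WORDS-2*(depth+1)+2*i; its frame's fp is
 * 16 bytes above it. Returns the innermost fp and sets *sp a few words below it. */
static unsigned long build_chain(struct task *t, const unsigned long *ras, int depth, unsigned long *sp)
{
	memset(t, 0, sizeof *t);
	for (int i = 0; i < depth; i++) {
		int idx = STACK_WORDS - 2 * (depth + 1) + 2 * i;
		t->stack[idx] = (unsigned long)&t->stack[idx + 4];   /* caller's fp */
		t->stack[idx + 1] = ras[i];
	}
	*sp = (unsigned long)&t->stack[STACK_WORDS - 2 * depth - 6];
	return (unsigned long)&t->stack[STACK_WORDS - 2 * depth];
}

/* One walk over a constructed 3-frame chain. Word 60 (the third record's saved fp)
 * is poisoned, so a checked read of it is reported. With corrupt_fp the second record's
 * saved fp is pointed just above the stack, as a scribbled stack looks to an unwinder. */
int run_walk(bool is_current, bool corrupt_fp, unsigned long *out, int max)
{
	static const unsigned long ras[3] = { 0xffffffff80001000UL, 0xffffffff80002000UL, 0xffffffff80003000UL };
	static struct task t;
	unsigned long sp, fp = build_chain(&t, ras, 3, &sp);
	t.is_current = is_current;
	t.poisoned[STACK_WORDS - 4] = true;
	if (corrupt_fp)
		t.stack[STACK_WORDS - 6] = (unsigned long)&t.stack[STACK_WORDS] + 8;
	kasan_reports = 0;
	return walk_frames(&t, fp, sp, out, max);
}

int kasan_report_count(void) { return kasan_reports; }

int main(void)
{
	unsigned long out[8];
	int n = run_walk(true, false, out, 8);
	printf("current task, intact chain: %d frames, %d KASAN report(s)\n", n, kasan_report_count());
	n = run_walk(false, true, out, 8);
	printf("other task, corrupted fp: %d frames, %d KASAN report(s)\n", n, kasan_report_count());
}
```

The intact chain yields three return addresses on either path; the current-task path reports the poisoned word once, the other-task path reports nothing. With the saved fp corrupted, both paths stop after two entries without dereferencing the bad pointer, which is the point the commit message makes: the bounds check is what prevents a real out-of-bounds read, and READ_ONCE_NOCHECK only silences the instrumentation for a stack that may be changing under the unwinder.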