Date:	Wed, 3 Oct 2007 10:46:07 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Linus Torvalds <torvalds@...ux-foundation.org>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>,
	Alexander Viro <viro@....linux.org.uk>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>
Subject: [bug] crash when reading /proc/mounts (was: Re: Linux 2.6.23-rc9
	and a heads-up for the 2.6.24 series..)


hm, i just triggered the procfs crash below with -rc9 on a testbox. 
Config attached. It's easy to reproduce it via 'service sshd restart'. 
The crash site is:

 (gdb) list *0xc017599d
 0xc017599d is in seq_path (fs/seq_file.c:354).
 349             if (m->count < m->size) {
 350                     char *s = m->buf + m->count;
 351                     char *p = d_path(dentry, mnt, s, m->size - m->count);
 352                     if (!IS_ERR(p)) {
 353                             while (s <= p) {
 354                                     char c = *p++;
 355                                     if (!c) {
 356                                             p = m->buf + m->count;
 357                                             m->count = s - m->buf;
 358                                             return s - p;
 (gdb)

any ideas? Fortunately i was able to do an strace of the incident:

 3247  munmap(0xb7f3e000, 4096)          = 0
 3247  open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3
 3247  fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
 3247  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f3e000
 3247  read(3,  <unfinished ...>
 3247  +++ killed by SIGSEGV +++

and doing "cat /proc/mounts" triggers the crash reliably.

	Ingo

---------------->
BUG: unable to handle kernel paging request at virtual address f2a40000
 printing eip:
c017599d
*pdpt = 0000000000001001
*pde = 0000000000aee067
*pte = 0000000032a40000
Oops: 0000 [#1]
PREEMPT DEBUG_PAGEALLOC
Modules linked in:
CPU:    0
EIP:    0060:[<c017599d>]    Not tainted VLI
EFLAGS: 00010297   (2.6.23-rc9 #89)
EIP is at seq_path+0x60/0xca
eax: f2a3fffe   ebx: c290c8d4   ecx: f6e341f0   edx: f2a3fffe
esi: f2a3f007   edi: c29097f0   ebp: ec5ddf1c   esp: ec5ddf04
ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
Process sshd (pid: 2743, ti=ec5dc000 task=f6e341f0 task.ti=ec5dc000)
Stack: 00000ff9 c2bf6b40 f2a3fffe c29097c0 c2bf6b40 c29097f0 ec5ddf34 c0173c41 
       c05ffe64 00000400 c2bf6b40 c29097f0 ec5ddf74 c0175d2b 00000400 b7fa2000 
       f5277600 c2bf6b60 00000000 c0109e99 ec5ddf80 00000246 c01555e6 00000000 
Call Trace:
 [<c0106f80>] show_trace_log_lvl+0x19/0x2e
 [<c0107030>] show_stack_log_lvl+0x9b/0xa3
 [<c0107428>] show_registers+0x1c4/0x2e3
 [<c010772d>] die+0x115/0x1e0
 [<c0115e3b>] do_page_fault+0x808/0x8e1
 [<c0508faa>] error_code+0x6a/0x70
 [<c0173c41>] show_vfsmnt+0x44/0x11e
 [<c0175d2b>] seq_read+0xeb/0x25f
 [<c0160e63>] vfs_read+0x87/0xe5
 [<c0161613>] sys_read+0x3d/0x61
 [<c010606e>] sysenter_past_esp+0x6b/0xb5
 =======================
Code: 89 45 f0 76 77 eb 7a 8b 55 ec 8b 4d ec 89 f7 8b 02 89 c2 03 51 0c 29 c7 89 f0 89 79 0c 29 d0 eb 6c 89 f8 88 06 46 eb 54 8b 55 f0 <8b> 3a 42 89 55 f0 89 f9 84 c9 74 d0 8b 45 08 0f be d9 89 da e8 
EIP: [<c017599d>] seq_path+0x60/0xca SS:ESP 0068:ec5ddf04
BUG: unable to handle kernel paging request at virtual address f2a40000
 printing eip:
c017599d
*pdpt = 0000000000001001
*pde = 0000000000aee067
*pte = 0000000032a40000
Oops: 0000 [#2]
PREEMPT DEBUG_PAGEALLOC
Modules linked in:
CPU:    0
EIP:    0060:[<c017599d>]    Tainted: G      D VLI
EFLAGS: 00010297   (2.6.23-rc9 #89)
EIP is at seq_path+0x60/0xca
eax: f2a3fffe   ebx: c290c8d4   ecx: c02be275   edx: f2a3fffe
esi: f2a3f007   edi: c29097f0   ebp: ef2b7f1c   esp: ef2b7f04
ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
Process sshd (pid: 2744, ti=ef2b6000 task=f6e5cce0 task.ti=ef2b6000)
Stack: 00000ff9 c2bf6b40 f2a3fffe c29097c0 c2bf6b40 c29097f0 ef2b7f34 c0173c41 
       c05ffe64 00000400 c2bf6b40 c29097f0 ef2b7f74 c0175d2b 00000400 b7f09000 
       f7375240 c2bf6b60 00000000 00000073 ef2b7f80 00000246 c01555e6 00000000 
Call Trace:
 [<c0106f80>] show_trace_log_lvl+0x19/0x2e
 [<c0107030>] show_stack_log_lvl+0x9b/0xa3
 [<c0107428>] show_registers+0x1c4/0x2e3
 [<c010772d>] die+0x115/0x1e0
 [<c0115e3b>] do_page_fault+0x808/0x8e1
 [<c0508faa>] error_code+0x6a/0x70
 [<c0173c41>] show_vfsmnt+0x44/0x11e
 [<c0175d2b>] seq_read+0xeb/0x25f
 [<c0160e63>] vfs_read+0x87/0xe5
 [<c0161613>] sys_read+0x3d/0x61
 [<c010606e>] sysenter_past_esp+0x6b/0xb5
 =======================
Code: 89 45 f0 76 77 eb 7a 8b 55 ec 8b 4d ec 89 f7 8b 02 89 c2 03 51 0c 29 c7 89 f0 89 79 0c 29 d0 eb 6c 89 f8 88 06 46 eb 54 8b 55 f0 <8b> 3a 42 89 55 f0 89 f9 84 c9 74 d0 8b 45 08 0f be d9 89 da e8 
EIP: [<c017599d>] seq_path+0x60/0xca SS:ESP 0068:ef2b7f04
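The two oopses above both fault at f2a40000 with EIP at fs/seq_file.c:354, the `char c = *p++` read in the gdb listing, and eax (f2a3fffe) sitting at the end of the seq_file buffer. As an added example, not code from this message or from the kernel tree, here is a user-space model of that copy loop with one extra bound that stops the read at buf+size instead of running into the next page; the escape branches after listing line 358 are not on the page and are assumed from the same kernel function, and the `demo()` scenario and its buffer contents are constructed.

```c
#include <stddef.h>
#include <string.h>
struct seq_buf { char *buf; size_t size; size_t count; }; /* seq_file fields used here */

/* Copy the path that d_path() left at the buffer tail (from p) down to
 * buf+count, octal-escaping bytes listed in esc.  Branches after the NUL
 * check are assumed from the same kernel function (not in the listing).
 * The only addition is the `p < end` bound: the listing dereferences p until
 * it meets a NUL, and the oops shows that read faulting one byte past the
 * buffer's page when no NUL was found inside it. */
static int seq_path_escape(struct seq_buf *m, char *p, const char *esc)
{
	char *s = m->buf + m->count;
	const char *end = m->buf + m->size;
	while (s <= p && p < end) {
		char c = *p++;
		if (!c) {
			p = m->buf + m->count;
			m->count = s - m->buf;
			return (int)(s - p);
		} else if (!strchr(esc, c)) {
			*s++ = c;
		} else if (s + 4 > p) {
			break;                        /* no room to expand in place */
		} else {
			*s++ = '\\';
			*s++ = '0' + ((c & 0300) >> 6);
			*s++ = '0' + ((c & 070) >> 3);
			*s++ = '0' + (c & 07);
		}
	}
	m->count = m->size;                   /* listing's error exit */
	return -1;
}

/* Constructed scenario: put `path` at the tail of a 64-byte buffer the way
 * d_path() does, with or without its NUL, and copy the result to out. */
static int demo(const char *path, int terminated, char *out, size_t outlen)
{
	static char buf[64];
	struct seq_buf m = { buf, sizeof buf, 0 };
	size_t n = strlen(path) + (terminated ? 1 : 0);
	char *p = buf + sizeof buf - n;
	memset(buf, 'X', sizeof buf);         /* stale bytes, no NUL anywhere */
	memcpy(p, path, n);                   /* NUL included only if terminated */
	int ret = seq_path_escape(&m, p, " \t\n\\");
	if (ret >= 0 && (size_t)ret < outlen) {
		memcpy(out, buf, (size_t)ret);
		out[ret] = '\0';
	}
	return ret;
}
```

With a terminated path the model returns the copied length as the kernel loop does; with an unterminated tail it returns -1 and marks the buffer full, which is the case the unbounded loop turns into the page fault shown above.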


View attachment "config-crash" of type "text/plain" (40127 bytes)
