Date:   Tue, 24 Oct 2017 04:44:39 +0200
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Craig Bergstrom <craigb@...gle.com>
Cc:     wfg@...ux.intel.com, Ingo Molnar <mingo@...nel.org>,
        linux-kernel@...r.kernel.org, LKP <lkp@...org>
Subject: ce56a86e2a ("x86/mm: Limit mmap() of /dev/mem to valid physical
 addresses"): kernel BUG at arch/x86/mm/physaddr.c:79!

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit ce56a86e2ade45d052b3228cdfebe913a1ae7381
Author:     Craig Bergstrom <craigb@...gle.com>
AuthorDate: Thu Oct 19 13:28:56 2017 -0600
Commit:     Ingo Molnar <mingo@...nel.org>
CommitDate: Fri Oct 20 09:48:00 2017 +0200

     x86/mm: Limit mmap() of /dev/mem to valid physical addresses
     
     Currently, it is possible to mmap() any offset from /dev/mem.  If a
     program mmaps() /dev/mem offsets outside of the addressable limits
     of a system, the page table can be corrupted by setting reserved bits.
     
     For example if you mmap() offset 0x0001000000000000 of /dev/mem on an
     x86_64 system with a 48-bit bus, the page fault handler will be called
     with error_code set to RSVD.  The kernel then crashes with a page table
     corruption error.
     
     This change prevents this page table corruption on x86 by refusing
     to mmap offsets higher than the highest valid address in the system.
     
     Signed-off-by: Craig Bergstrom <craigb@...gle.com>
     Cc: Andrew Morton <akpm@...ux-foundation.org>
     Cc: Andy Lutomirski <luto@...nel.org>
     Cc: Borislav Petkov <bp@...en8.de>
     Cc: Brian Gerst <brgerst@...il.com>
     Cc: Denys Vlasenko <dvlasenk@...hat.com>
     Cc: H. Peter Anvin <hpa@...or.com>
     Cc: Josh Poimboeuf <jpoimboe@...hat.com>
     Cc: Linus Torvalds <torvalds@...ux-foundation.org>
     Cc: Luis R. Rodriguez <mcgrof@...e.com>
     Cc: Peter Zijlstra <peterz@...radead.org>
     Cc: Thomas Gleixner <tglx@...utronix.de>
     Cc: Toshi Kani <toshi.kani@...com>
     Cc: dsafonov@...tuozzo.com
     Cc: kirill.shutemov@...ux.intel.com
     Cc: mhocko@...e.com
     Cc: oleg@...hat.com
     Link: http://lkml.kernel.org/r/20171019192856.39672-1-craigb@google.com
     Signed-off-by: Ingo Molnar <mingo@...nel.org>

7ac7f2c315  x86/mm: Remove debug/x86/tlb_defer_switch_to_init_mm
ce56a86e2a  x86/mm: Limit mmap() of /dev/mem to valid physical addresses
bb176f6709  Linux 4.14-rc6
36ef71cae3  Add linux-next specific files for 20171018
+-------------------------------------------------------------------+------------+------------+-----------+---------------+
|                                                                   | 7ac7f2c315 | ce56a86e2a | v4.14-rc6 | next-20171018 |
+-------------------------------------------------------------------+------------+------------+-----------+---------------+
| boot_successes                                                    | 35         | 4          | 8         | 12            |
| boot_failures                                                     | 0          | 11         | 11        | 22            |
| kernel_BUG_at_arch/x86/mm/physaddr.c                              | 0          | 11         | 11        |               |
| invalid_opcode:#[##]                                              | 0          | 11         | 11        |               |
| EIP:__phys_addr                                                   | 0          | 11         | 11        |               |
| Kernel_panic-not_syncing:Fatal_exception                          | 0          | 11         | 11        |               |
| BUG:kernel_reboot-without-warning_in_boot_stage                   | 0          | 0          | 0         | 13            |
| BUG:kernel_hang_in_boot_stage                                     | 0          | 0          | 0         | 8             |
| BUG:kernel_reboot-without-warning_in_early-boot_stage,last_printk | 0          | 0          | 0         | 1             |
+-------------------------------------------------------------------+------------+------------+-----------+---------------+

[    2.048420] Could not find Carillo Ranch MCH device.
[    2.048724] no IO addresses supplied
[    2.049025] usbcore: registered new interface driver smscufx
[    2.050165] v86d (125) used greatest stack depth: 6972 bytes left
[    2.050687] ------------[ cut here ]------------
[    2.050969] kernel BUG at arch/x86/mm/physaddr.c:79!
[    2.051392] invalid opcode: 0000 [#1] SMP
[    2.051631] CPU: 0 PID: 126 Comm: v86d Not tainted 4.14.0-rc5-00007-gce56a86 #1
[    2.052053] task: ce3d46c0 task.stack: cd914000
[    2.052316] EIP: __phys_addr+0x80/0x90
[    2.052366] EFLAGS: 00010206 CPU: 0
[    2.052366] EAX: 0ffdc000 EBX: 0ffdc000 ECX: 00000000 EDX: 0ffdc000
[    2.052366] ESI: 00001000 EDI: 00000000 EBP: cd915e5c ESP: cd915e58
[    2.052366]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[    2.052366] CR0: 80050033 CR2: 08063e48 CR3: 0d8fa1c0 CR4: 001406b0
[    2.052366] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[    2.052366] DR6: fffe0ff0 DR7: 00000400
[    2.052366] Call Trace:
[    2.052366]  ? valid_mmap_phys_addr_range+0x2f/0x70
[    2.052366]  ? mmap_mem+0x66/0xe0
[    2.052366]  ? mmap_region+0x248/0x480
[    2.052366]  ? mmap_region+0x2d2/0x480
[    2.052366]  ? do_mmap+0x2c5/0x3a0
[    2.052366]  ? vm_mmap_pgoff+0x8f/0xb0
[    2.052366]  ? SyS_mmap_pgoff+0x1e7/0x210
[    2.052366]  ? do_int80_syscall_32+0x76/0x130
[    2.052366]  ? entry_INT80_32+0x33/0x33
[    2.052366] Code: 00 00 00 a1 60 0e be c8 05 00 00 80 00 39 c2 72 bb a1 78 94 30 c8 2d 00 b0 78 00 25 00 00 e0 ff 2d 00 20 00 00 39 c2 73 a3 0f 0b <0f> 0b 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 53 e8
[    2.052366] EIP: __phys_addr+0x80/0x90 SS:ESP: 0068:cd915e58
[    2.058327] ---[ end trace 51b6b410d44658b1 ]---
[    2.058607] Kernel panic - not syncing: Fatal exception

                                                           # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 13769afc2a5ef8e2d19b0b1486bf8ae08caf9f4b 33d930e59a98fa10a0db9f56c7fa2f21a4aef9b9 --
git bisect good 7021889c264abc7a4eef71cb0586f76a22091658  # 16:32  G     10     0    0   0  Merge 'sailus-media/atomisp' into devel-spot-201710231057
git bisect  bad 56b2129ddeae19f6a20494b88b61eaba91e519b5  # 17:00  B      0     8   20   0  Merge 'linux-review/Aishwarya-Pant/coccinelle-boolconv-improve-script-to-handle-more-cases/20171022-210918' into devel-spot-201710231057
git bisect  bad c7d414af43141682ee0b828bd71d1d9cc190f1bd  # 17:22  B      0    11   24   0  Merge 'f2fs/dev-test' into devel-spot-201710231057
git bisect good 89630c8626339b2ec6368ac195237c2ebea3ca23  # 17:47  G     10     0    0   0  Merge 'jpirko-mlxsw/jiri_devel_miniq' into devel-spot-201710231057
git bisect good dbf5855b11e4857696b24d9f621aaf1d4ad35dc2  # 18:04  G     10     0    0   0  Merge 'linux-review/SF-Markus-Elfring/gpio-adnp-Use-common-error-handling-code-in-adnp_gpio_dbg_show/20171023-043514' into devel-spot-201710231057
git bisect  bad a0831a3f7f72d8ce846ffd2ff7ea73b88a59da17  # 18:42  B      0    11   24   0  Merge 'linux-review/SF-Markus-Elfring/dmaengine-ioat-Use-common-error-handling-code-in-ioat_xor_val_self_test/20171023-032235' into devel-spot-201710231057
git bisect good 085cf9bfc92a20a7297468f01e868cf2a4f6f4c3  # 19:00  G     10     0    0   0  Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect  bad ce56a86e2ade45d052b3228cdfebe913a1ae7381  # 19:14  B      0    11   23   0  x86/mm: Limit mmap() of /dev/mem to valid physical addresses
git bisect good 723f2828a98c8ca19842042f418fb30dd8cfc0f7  # 19:47  G     10     0    0   0  x86/microcode/intel: Disable late loading on model 79
git bisect good 4e57b94664fef55aa71cac33b4632fdfdd52b695  # 20:11  G     10     0    0   0  x86/mm: Tidy up "x86/mm: Flush more aggressively in lazy TLB mode"
git bisect good 7ac7f2c315ef76437f5119df354d334448534fb5  # 20:49  G     10     0    0   0  x86/mm: Remove debug/x86/tlb_defer_switch_to_init_mm
# first bad commit: [ce56a86e2ade45d052b3228cdfebe913a1ae7381] x86/mm: Limit mmap() of /dev/mem to valid physical addresses
git bisect good 7ac7f2c315ef76437f5119df354d334448534fb5  # 21:14  G     30     0    0   0  x86/mm: Remove debug/x86/tlb_defer_switch_to_init_mm
# extra tests with CONFIG_DEBUG_INFO_REDUCED
git bisect  bad ce56a86e2ade45d052b3228cdfebe913a1ae7381  # 21:39  B      0    11   24   0  x86/mm: Limit mmap() of /dev/mem to valid physical addresses
# extra tests on HEAD of linux-devel/devel-spot-201710231057
git bisect  bad 13769afc2a5ef8e2d19b0b1486bf8ae08caf9f4b  # 21:39  B      0    12   27   0  0day head guard for 'devel-spot-201710231057'
# extra tests on tree/branch linus/master
git bisect  bad bb176f67090ca54869fc1262c913aa69d2ede070  # 21:52  B      0    11   23   0  Linux 4.14-rc6
# extra tests with first bad commit reverted
git bisect good 668ce515181e53af5f88325ee13fb17d79295670  # 22:16  G     11     0    0   0  Revert "x86/mm: Limit mmap() of /dev/mem to valid physical addresses"
# extra tests on tree/branch linux-next/master
git bisect good 36ef71cae353f88fd6e095e2aaa3e5953af1685d  # 22:45  G     10     0    3  22  Add linux-next specific files for 20171018

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-yocto-lkp-hsw01-102:20171023191152:i386-randconfig-c0-10231306:4.14.0-rc5-00007-gce56a86:1.gz" of type "application/gzip" (10537 bytes)

View attachment "reproduce-yocto-lkp-hsw01-102:20171023191152:i386-randconfig-c0-10231306:4.14.0-rc5-00007-gce56a86:1" of type "text/plain" (895 bytes)

View attachment "config-4.14.0-rc5-00007-gce56a86" of type "text/plain" (102546 bytes)
