lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110407002832.GA5185@amos.fritz.box>
Date:	Thu, 7 Apr 2011 02:28:33 +0200
From:	Andreas Bombe <andreas.bombe@...um.de>
To:	linux-kernel@...r.kernel.org
Subject: OOPS procfs in vma_stop() from bad vma pointer

So I got this Oops in an x86-64 2.6.38-08569-g16c29da (not the very
latest, so maybe it is known already). It was triggered by Debian's
popularity-contest program that was started from cron. Here it is:

[ 2106.743933] BUG: unable to handle kernel paging request at fffffffffffffff3
[ 2106.744039] IP: [<ffffffff81158b01>] vma_stop.clone.3+0x13/0x2e
[ 2106.744118] PGD 1805067 PUD 1806067 PMD 0 
[ 2106.744180] Oops: 0000 [#1] PREEMPT SMP 
[ 2106.744240] last sysfs file: /sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/net/eth0/statistics/collisions
[ 2106.744356] CPU 0 
[ 2106.744381] Modules linked in: acpi_cpufreq mperf cpufreq_powersave cpufreq_stats cpufreq_userspace cpufreq_conservative snd_hrtimer binfmt_misc kvm_intel kvm uinput fuse xfs sha256_generic twofish_generic twofish_x86_64 twofish_common cbc dm_crypt snd_hda_codec_hdmi snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_hda_codec_realtek snd_seq_midi_emul snd_emu10k1 snd_hda_intel snd_ac97_codec ac97_bus snd_hda_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_util_mem snd_hwdep snd_seq_midi snd_rawmidi snd_seq_midi_event radeon snd_seq snd_timer snd_seq_device snd ttm intel_agp joydev emu10k1_gp drm_kms_helper processor intel_gtt wacom soundcore i2c_i801 pcspkr gameport evdev snd_page_alloc thermal_sys asus_atk0110 button dm_mod usbhid ahci libahci firewire_ohci atl1e firewire_core libata crc_itu_t uhci_hcd ehci_hcd [last unloaded: scsi_wait_scan]
[ 2106.745580] 
[ 2106.745600] Pid: 5874, comm: popularity-cont Not tainted 2.6.38-08569-g16c29da #64 System manufacturer P5Q/P5Q
[ 2106.745730] RIP: 0010:[<ffffffff81158b01>]  [<ffffffff81158b01>] vma_stop.clone.3+0x13/0x2e
[ 2106.745834] RSP: 0018:ffff8800c9877e48  EFLAGS: 00010286
[ 2106.745897] RAX: 00000000fffffff3 RBX: ffff880129b7fde0 RCX: ffff8800be696900
[ 2106.745979] RDX: ffffffff814169d0 RSI: fffffffffffffff3 RDI: ffff880129b7fdf0
[ 2106.746064] RBP: ffff8800c9877e58 R08: ffff8800be696900 R09: ffff8800c9877e08
[ 2106.746149] R10: 0000000000000001 R11: ffff88012aab2600 R12: ffff8800b65fbe00
[ 2106.746232] R13: ffff8800be696900 R14: fffffffffffffff3 R15: 0000000000000000
[ 2106.746321] FS:  00007f6babc8f700(0000) GS:ffff88012fc00000(0000) knlGS:0000000000000000
[ 2106.746420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2106.746488] CR2: fffffffffffffff3 CR3: 0000000036f66000 CR4: 00000000000406f0
[ 2106.746571] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2106.746654] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2106.746737] Process popularity-cont (pid: 5874, threadinfo ffff8800c9876000, task ffff880127239fb0)
[ 2106.746841] Stack:
[ 2106.746866]  0000000000000004 ffff880129b7fde0 ffff8800c9877e78 ffffffff81158b78
[ 2106.746878]  0000000000000004 0000000000001000 ffff8800c9877ef8 ffffffff8112901f
[ 2106.746878]  0000000000000001 ffff8800fffffff3 0000000000000004 ffff8800be696938
[ 2106.746878] Call Trace:
[ 2106.746878]  [<ffffffff81158b78>] m_stop+0x19/0x2b
[ 2106.746878]  [<ffffffff8112901f>] seq_read+0x23b/0x369
[ 2106.746878]  [<ffffffff8110de6e>] vfs_read+0xa4/0xf7
[ 2106.746878]  [<ffffffff8110f0fe>] ? fget_light+0x3d/0x9b
[ 2106.746878]  [<ffffffff8110df06>] sys_read+0x45/0x69
[ 2106.746878]  [<ffffffff813e2612>] system_call_fastpath+0x16/0x1b
[ 2106.746878] Code: 39 c4 74 05 49 8b 54 24 08 48 89 53 30 41 5d 31 c0 5b 41 5c 41 5d c9 c3 55 48 89 e5 53 48 83 ec 08 48 85 f6 74 1c 48 3b 37 74 17 
[ 2106.746878]  8b 1e 48 8d bb 98 00 00 00 e8 2f 17 f1 ff 48 89 df e8 95 f7 
[ 2106.746878] RIP  [<ffffffff81158b01>] vma_stop.clone.3+0x13/0x2e
[ 2106.746878]  RSP <ffff8800c9877e48>
[ 2106.746878] CR2: fffffffffffffff3
[ 2107.173115] ---[ end trace 8cdfece298b5cc14 ]---


I disassembled vma_stop:
| Dump of assembler code for function vma_stop:
| 91	static void vma_stop(struct proc_maps_private *priv, struct vm_area_struct *vma)
|    0xffffffff81158aee <+0>:	push   %rbp
|    0xffffffff81158aef <+1>:	mov    %rsp,%rbp
|    0xffffffff81158af2 <+4>:	push   %rbx
|    0xffffffff81158af3 <+5>:	sub    $0x8,%rsp
| 
| 92	{
| 93		if (vma && vma != priv->tail_vma) {
|    0xffffffff81158af7 <+9>:	test   %rsi,%rsi
|    0xffffffff81158afa <+12>:	je     0xffffffff81158b18 <vma_stop+42>
|    0xffffffff81158afc <+14>:	cmp    (%rdi),%rsi
|    0xffffffff81158aff <+17>:	je     0xffffffff81158b18 <vma_stop+42>
| 
| 94			struct mm_struct *mm = vma->vm_mm;
|    0xffffffff81158b01 <+19>:	mov    (%rsi),%rbx
Oops here                       ^^^^^^^^^^^^^^^^^^
| 95			up_read(&mm->mmap_sem);
|    0xffffffff81158b04 <+22>:	lea    0x98(%rbx),%rdi
|    0xffffffff81158b0b <+29>:	callq  0xffffffff8106a23f <up_read>
| 
| 96			mmput(mm);
|    0xffffffff81158b10 <+34>:	mov    %rbx,%rdi
|    0xffffffff81158b13 <+37>:	callq  0xffffffff810482ad <mmput>
| 
| 97		}
| 98	}
|    0xffffffff81158b18 <+42>:	pop    %rax
|    0xffffffff81158b19 <+43>:	pop    %rbx
|    0xffffffff81158b1a <+44>:	leaveq 
|    0xffffffff81158b1b <+45>:	retq   
| 
| End of assembler dump.

It looks like vma_stop() got called with -13 as the vma pointer. This is
the first time that happened and I have no way to reproduce it.

-- 
Andreas Bombe
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ