Date:	Wed, 11 Jun 2014 12:05:32 +0800
From:	Jet Chen <jet.chen@...el.com>
To:	Kees Cook <keescook@...omium.org>
CC:	Fengguang Wu <fengguang.wu@...el.com>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Yuanhan Liu <yuanhan.liu@...el.com>
Subject: [seccomp] kernel BUG at kernel/fork.c:1100!

Hi Kees,

0day kernel testing robot got the below dmesg and the first bad commit is

git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git seccomp-tsync-sighand
commit 8c959534443ab563ddbccdcfe6a0f2a4f6fcb863
Author:     Kees Cook <keescook@...omium.org>
AuthorDate: Wed May 21 15:18:02 2014 -0700
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Tue Jun 10 08:02:42 2014 -0700

    seccomp: introduce writer locking

    Normally, task_struct.seccomp.filter is only ever read or modified by
    the task that owns it (current). This property aids in fast access
    during system call filtering as read access is lockless.

    Updating the pointer from another task, however, opens up race
    conditions. To allow cross-thread filter pointer updates, writes to
    the seccomp fields are now protected by the sighand spinlock (which
    is unique to the thread group). Read access remains lockless because
    pointer updates themselves are atomic.  However, writes (or cloning)
    often entail additional checking (like maximum instruction counts)
    which require locking to perform safely.

    In the case of cloning threads, the child is invisible to the system
    until it enters the task list. To make sure a child can't be cloned from
    a thread and left in a prior state, seccomp duplication is additionally
    moved under the tasklist_lock. Then parent and child are certain to have
    the same seccomp state when they exit the lock.

    Based on patches by Will Drewry and David Drysdale.

    Signed-off-by: Kees Cook <keescook@...omium.org>

+----------------------------------------------------------+------------+------------+
|                                                          | 6698e20593 | 8c95953444 |
+----------------------------------------------------------+------------+------------+
| boot_successes                                           | 60         | 0          |
| boot_failures                                            | 0          | 20         |
| kernel_BUG_at_kernel/fork.c                              | 0          | 20         |
| invalid_opcode                                           | 0          | 20         |
| RIP:copy_process                                         | 0          | 20         |
| Kernel_panic-not_syncing:Attempted_to_kill_the_idle_task | 0          | 20         |
| backtrace:do_fork                                        | 0          | 20         |
+----------------------------------------------------------+------------+------------+

[    0.029286] CPU: Intel Common KVM processor (fam: 0f, model: 06, stepping: 01)
[    0.051661] ftrace: allocating 55973 entries in 219 pages
[    0.070092] ------------[ cut here ]------------
[    0.070931] kernel BUG at kernel/fork.c:1100!
[    0.072323] invalid opcode: 0000 [#1]
[    0.073449] CPU: 0 PID: 0 Comm: swapper Not tainted 3.15.0-07916-g8c95953 #105
[    0.075327] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[    0.076654] task: ffffffff8321a5c0 ti: ffffffff83200000 task.ti: ffffffff83200000
[    0.078514] RIP: 0010:[<ffffffff8109c6f1>]  [<ffffffff8109c6f1>] copy_process.isra.56+0x1421/0x14c0
[    0.080000] RSP: 0000:ffffffff83203e68  EFLAGS: 00010002
[    0.080000] RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000
[    0.080000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88001244f760
[    0.080000] RBP: ffffffff83203ec0 R08: ffff8800124537c0 R09: 0000000000000040
[    0.080000] R10: ffff880012453800 R11: 7908000000000000 R12: ffffffff8281bae0
[    0.080000] R13: 0000000000000000 R14: 0000000000800300 R15: ffff88001244f760
[    0.080000] FS:  0000000000000000(0000) GS:ffffffff83230000(0000) knlGS:0000000000000000
[    0.080000] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[    0.080000] CR2: 00000000ffffffff CR3: 0000000003213000 CR4: 00000000000006f0
[    0.080000] Stack:
[    0.080000]  0000000000000000 0000000000000000 0000000000000000 ffff8800124537c0
[    0.080000]  0000000000000000 fffffff400000002 ffffffffffffffff ffffffff83af0900
[    0.080000]  0000000000800300 ffffffff83af72c0 0000000000000000 ffffffff83203f28
[    0.080000] Call Trace:
[    0.080000]  [<ffffffff8109c905>] do_fork+0x75/0x510
[    0.080000]  [<ffffffff828220c1>] ? ftrace_process_locs.constprop.29+0x42b/0x561
[    0.080000]  [<ffffffff8109cdce>] kernel_thread+0x2e/0x40
[    0.080000]  [<ffffffff8281ba33>] rest_init+0x23/0xd0
[    0.080000]  [<ffffffff839f370d>] start_kernel+0x79d/0x7bb
[    0.080000]  [<ffffffff839f2b89>] ? repair_env_string+0x7f/0x7f
[    0.080000]  [<ffffffff839f2120>] ? early_idt_handlers+0x120/0x120
[    0.080000]  [<ffffffff839f26c0>] x86_64_start_reservations+0x46/0x4f
[    0.080000]  [<ffffffff839f2875>] x86_64_start_kernel+0x1ac/0x1c2
[    0.080000] Code: 83 05 33 fa bc 02 01 e8 6e c1 0b 00 48 83 05 2e fa bc 02 01 ff 04 25 a0 fa 22 83 48 83 05 27 fa bc 02 01 48 83 05 ef f7 bc 02 01 <0f> 0b 48 83 05 ed f7 bc 02 01 48 83 05 5d f9 bc 02 01 b8 f4 ff
[    0.080000] RIP  [<ffffffff8109c6f1>] copy_process.isra.56+0x1421/0x14c0
[    0.080000]  RSP <ffffffff83203e68>
[    0.080000] ---[ end trace 556cc7dbbd668af6 ]---
[    0.080000] Kernel panic - not syncing: Attempted to kill the idle task!

git bisect start 05a52ec683855fcbf5dbbc50d0c4d23db4ce21a7 1860e379875dfe7271c649058aeddffe5afd9d0d --
git bisect  bad 0541eb1ef76707c491d3285ef2551f0b9764f4bc  # 01:36      0-     10  Merge 'kees/seccomp-tsync-sighand' into devel-lkp-hsx01-x86_64-201406110035
git bisect good 420e289c1eb93124b1b12aed6321179dcb0c129a  # 01:59     20+      0  0day base guard for 'devel-lkp-hsx01-x86_64-201406110035'
git bisect good 0cdca5640a2395fe9e42f5cb27d7d73f64f751d4  # 02:16     20+      0  Merge 'kees/lsm-mod-pin' into devel-lkp-hsx01-x86_64-201406110035
git bisect  bad 1f1757f2320d5f5aa3614d7739a22dd3a8a6ed0c  # 02:36      0-     20  seccomp: move no_new_privs into seccomp
git bisect good 6698e20593e5bfa53888bbf12f4431f4150dc3c1  # 02:49     20+      0  seccomp: split filter prep from check and apply
git bisect  bad 8c959534443ab563ddbccdcfe6a0f2a4f6fcb863  # 03:11      0-     20  seccomp: introduce writer locking
# first bad commit: [8c959534443ab563ddbccdcfe6a0f2a4f6fcb863] seccomp: introduce writer locking
git bisect good 6698e20593e5bfa53888bbf12f4431f4150dc3c1  # 03:14     60+      0  seccomp: split filter prep from check and apply
git bisect  bad 05a52ec683855fcbf5dbbc50d0c4d23db4ce21a7  # 03:14      0-     13  0day head guard for 'devel-lkp-hsx01-x86_64-201406110035'
git bisect good 5b174fd6472b1d6b6402b30210a212f3fd770d96  # 03:32     60+      0  Merge branch 'for-3.16' of git://linux-nfs.org/~bfields/linux
git bisect good 27a4e439fe5cd92b70137ae237c7aa6888c07b5a  # 03:43     60+      0  Add linux-next specific files for 20140610


This script may reproduce the error.

-----------------------------------------------------------------------------
#!/bin/bash

# Usage: ./reproduce.sh /path/to/bzImage
kernel=$1

# QEMU/KVM guest definition: the kernel is booted directly, with the
# serial console on stdio so the panic is visible in the terminal.
kvm=(
	qemu-system-x86_64 -cpu kvm64 -enable-kvm
	-kernel "$kernel"
	-smp 2
	-m 256M
	-net nic,vlan=0,macaddr=00:00:00:00:00:00,model=virtio
	-net user,vlan=0
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-serial stdio
	-display none
	-monitor null
)

# Kernel command line: verbose early output and an automatic reboot
# 10 seconds after a panic, so an unattended run terminates.
append=(
	debug
	sched_debug
	apic=debug
	ignore_loglevel
	sysrq_always_enabled
	panic=10
	prompt_ramdisk=0
	earlyprintk=ttyS0,115200
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
)

"${kvm[@]}" --append "${append[*]}"
-----------------------------------------------------------------------------

Thanks,
Jet
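The commit under test describes a specific locking design: the filter pointer is read locklessly on every system call, but any write (attaching a filter, or copying it into a freshly cloned thread) happens under one lock shared by the thread group, because the write has to perform checks, such as the maximum instruction count, that only make sense if no other writer can interleave. The following is an added, self-contained userspace model of that pattern, not code from the kernel or from the patch series: `struct task`, `struct group`, `task_attach_filter`, `task_clone` and the 64-instruction cap are all constructed for illustration, with a pthread mutex standing in for `sighand->siglock` and C11 atomics for the lockless read side.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a filter: an instruction count plus a link to the
 * previously attached filter, so filters chain like seccomp's do. */
struct filter {
    unsigned insns;
    struct filter *prev;
};

#define MAX_INSNS_PER_TASK 64u   /* constructed cap, stands in for the kernel's limit */

/* Per-thread-group lock, the analogue of sighand->siglock in the commit. */
struct group {
    pthread_mutex_t lock;
};

struct task {
    struct group *grp;
    _Atomic(struct filter *) filter;   /* read lockless, written only under grp->lock */
};

/* Walk the chain and sum instruction counts. This is the kind of check the
 * commit says needs the lock: it reads the whole chain, not one pointer. */
static unsigned total_insns(const struct filter *f) {
    unsigned n = 0;
    for (; f; f = f->prev) n += f->insns;
    return n;
}

static void free_chain(struct filter *f) {
    while (f) { struct filter *p = f->prev; free(f); f = p; }
}

/* Lockless read path: what a syscall entry would do. */
struct filter *task_filter_read(struct task *t) {
    return atomic_load_explicit(&t->filter, memory_order_acquire);
}

/* Write path: check the limit and publish the new pointer under one critical
 * section. Returns 0 on success, -1 if the cap would be exceeded. */
int task_attach_filter(struct task *t, unsigned insns) {
    struct filter *nf = malloc(sizeof *nf);
    if (!nf) return -1;
    nf->insns = insns;
    pthread_mutex_lock(&t->grp->lock);
    nf->prev = atomic_load_explicit(&t->filter, memory_order_relaxed);
    if (total_insns(nf) > MAX_INSNS_PER_TASK) {
        pthread_mutex_unlock(&t->grp->lock);
        free(nf);
        return -1;
    }
    atomic_store_explicit(&t->filter, nf, memory_order_release);
    pthread_mutex_unlock(&t->grp->lock);
    return 0;
}

/* Clone path: copy the parent's pointer into the child under the same lock,
 * so no writer can update the parent between the copy and the child going live. */
void task_clone(struct task *parent, struct task *child) {
    pthread_mutex_lock(&parent->grp->lock);
    child->grp = parent->grp;
    atomic_store_explicit(&child->filter,
        atomic_load_explicit(&parent->filter, memory_order_relaxed),
        memory_order_release);
    pthread_mutex_unlock(&parent->grp->lock);
}

struct attach_arg { struct task *t; atomic_int *ok; };

static void *attach_worker(void *p) {
    struct attach_arg *a = p;
    if (task_attach_filter(a->t, 10) == 0) atomic_fetch_add(a->ok, 1);
    return NULL;
}

/* Eight threads race to attach 10-instruction filters to one task. Because the
 * check and the publish share a critical section, exactly six succeed and the
 * chain never exceeds the cap. Returns the final instruction total (60). */
unsigned concurrent_attach_total(int *successes) {
    struct group g; pthread_mutex_init(&g.lock, NULL);
    struct task t = { .grp = &g }; atomic_init(&t.filter, NULL);
    atomic_int ok = 0;
    struct attach_arg a = { &t, &ok };
    pthread_t th[8];
    for (int i = 0; i < 8; i++) pthread_create(&th[i], NULL, attach_worker, &a);
    for (int i = 0; i < 8; i++) pthread_join(th[i], NULL);
    *successes = atomic_load(&ok);
    unsigned total = total_insns(task_filter_read(&t));
    free_chain(task_filter_read(&t));
    pthread_mutex_destroy(&g.lock);
    return total;
}

/* A parent with a two-filter chain is cloned; the child must share the same
 * chain head and therefore the same instruction total. Returns 1 on agreement. */
int clone_shares_chain(void) {
    struct group g; pthread_mutex_init(&g.lock, NULL);
    struct task parent = { .grp = &g }, child = { 0 };
    atomic_init(&parent.filter, NULL); atomic_init(&child.filter, NULL);
    task_attach_filter(&parent, 20);
    task_attach_filter(&parent, 30);
    task_clone(&parent, &child);
    int same = task_filter_read(&parent) == task_filter_read(&child)
            && total_insns(task_filter_read(&child)) == 50;
    free_chain(task_filter_read(&parent));   /* chain is shared, free once */
    pthread_mutex_destroy(&g.lock);
    return same;
}

int main(void) {
    int ok = 0;
    printf("total=%u successes=%d clone_ok=%d\n",
           concurrent_attach_total(&ok), ok, clone_shares_chain());
    return 0;
}
```

Build with `cc -pthread model.c`. The point of the two checks is the invariant the lock buys: the limit check and the pointer publish are indivisible, so concurrent writers cannot collectively overshoot the cap, and a clone cannot observe a parent mid-update. The trace in the report fires while the very first kernel thread is forked from the idle task during boot, before any user-space thread exists, which is why a locking change on the clone path shows up as a boot failure in every one of the 20 runs.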
