| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Nov 2014 15:14:49 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Kees Cook <keescook@...omium.org>
Cc: LKP <lkp@...org>, linux-kernel@...r.kernel.org
Subject: [seccomp] kernel BUG at kernel/fork.c:1102!
Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
commit dbd952127d11bb44a4ea30b08cc60531b6a23d71
Author: Kees Cook <keescook@...omium.org>
AuthorDate: Fri Jun 27 15:18:48 2014 -0700
Commit: Kees Cook <keescook@...omium.org>
CommitDate: Fri Jul 18 12:13:39 2014 -0700
seccomp: introduce writer locking
Normally, task_struct.seccomp.filter is only ever read or modified by
the task that owns it (current). This property aids in fast access
during system call filtering as read access is lockless.
Updating the pointer from another task, however, opens up race
conditions. To allow cross-thread filter pointer updates, writes to the
seccomp fields are now protected by the sighand spinlock (which is shared
by all threads in the thread group). Read access remains lockless because
pointer updates themselves are atomic. However, writes (or cloning)
often entail additional checking (like maximum instruction counts)
which require locking to perform safely.
In the case of cloning threads, the child is invisible to the system
until it enters the task list. To make sure a child can't be cloned from
a thread and left in a prior state, seccomp duplication is additionally
moved under the sighand lock. Then parent and child are certain have
the same seccomp state when they exit the lock.
Based on patches by Will Drewry and David Drysdale.
Signed-off-by: Kees Cook <keescook@...omium.org>
Reviewed-by: Oleg Nesterov <oleg@...hat.com>
Reviewed-by: Andy Lutomirski <luto@...capital.net>
+------------------------------------------+------------+------------+------------+
| | c8bee430dc | dbd952127d | c2426d2ad5 |
+------------------------------------------+------------+------------+------------+
| boot_successes | 60 | 0 | 0 |
| boot_failures | 0 | 20 | 11 |
| kernel_BUG_at_kernel/fork.c | 0 | 20 | 11 |
| invalid_opcode | 0 | 20 | 11 |
| EIP_is_at_copy_process | 0 | 20 | 11 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 20 | 11 |
| backtrace:do_fork | 0 | 20 | 11 |
+------------------------------------------+------------+------------+------------+
[ 0.023060] CPU: Intel Core Processor (Haswell) (fam: 06, model: 3c, stepping: 01)
[ 0.046204] ftrace: allocating 39817 entries in 78 pages
[ 0.070150] ------------[ cut here ]------------
[ 0.071335] kernel BUG at kernel/fork.c:1102!
[ 0.072727] invalid opcode: 0000 [#1] PREEMPT
[ 0.074202] CPU: 0 PID: 0 Comm: swapper Not tainted 3.16.0-rc5-00031-gdbd95212 #339
[ 0.076276] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 0.077594] task: c2832140 ti: c2826000 task.ti: c2826000
[ 0.078816] EIP: 0060:[<c1073080>] EFLAGS: 00210046 CPU: 0
[ 0.080000] EIP is at copy_process+0x1720/0x1860
[ 0.080000] EAX: 00000003 EBX: d3464000 ECX: 00000000 EDX: 00000000
[ 0.080000] ESI: fffffff4 EDI: d34701f0 EBP: c2827f84 ESP: c2827f54
[ 0.080000] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
[ 0.080000] CR0: 80050033 CR2: ffffffff CR3: 02c1e000 CR4: 00040690
[ 0.080000] Stack:
[ 0.080000] d3464000 c2827fb8 00000000 00000000 c2457150 00000000 00000000 00800300
[ 0.080000] fffffff4 c2457150 00020800 c2c1f800 c2827fb8 c1073386 00000000 d3407280
[ 0.080000] 00000000 00800300 c24780f5 00000000 00009b89 00000000 c2457150 00020800
[ 0.080000] Call Trace:
[ 0.080000] [<c2457150>] ? rest_init+0x110/0x110
[ 0.080000] [<c2457150>] ? rest_init+0x110/0x110
[ 0.080000] [<c1073386>] do_fork+0x86/0x710
[ 0.080000] [<c24780f5>] ? smp_trace_apic_timer_interrupt+0x5/0x2a6
[ 0.080000] [<c2457150>] ? rest_init+0x110/0x110
[ 0.080000] [<c1073a4b>] kernel_thread+0x3b/0x50
[ 0.080000] [<c245707b>] rest_init+0x3b/0x110
[ 0.080000] [<c2acc562>] start_kernel+0x864/0x88a
[ 0.080000] [<c2acb31b>] i386_start_kernel+0xe9/0xfb
[ 0.080000] Code: 00 83 05 f8 d1 c5 c2 01 83 15 fc d1 c5 c2 00 83 05 00 d2 c5 c2 01 83 15 04 d2 c5 c2 00 83 05 e0 cf c5 c2 01 83 15 e4 cf c5 c2 00 <0f> 0b 83 05 e8 cf c5 c2 01 83 15 ec cf c5 c2 00 8b 45 e4 83 05
[ 0.080000] EIP: [<c1073080>] copy_process+0x1720/0x1860 SS:ESP 0068:c2827f54
[ 0.080000] ---[ end trace 8262cf1029187723 ]---
[ 0.080000] Kernel panic - not syncing: Fatal exception
git bisect start 594081ee7145cc30a3977cb4e218f81213b63dc5 v3.16 --
git bisect bad b49e1043c48dac23f64fba684d31c4a96c1ffaa0 # 19:15 0- 2 tpm: Properly clean sysfs entries in error path
git bisect good 32c2e6752ff0f48fe03b9e1c7c64bde580a840d2 # 20:28 20+ 0 ima: provide double buffering for hash calculation
git bisect bad 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad # 20:46 0- 1 CAPABILITIES: remove undefined caps from all processes
git bisect bad fd33c43677a7965624b46352a686a7c1e72ae4aa # 21:31 0- 2 Merge tag 'seccomp-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into next
git bisect good 2ccf4661f315615d018686d91d030a94001d0cc6 # 22:14 20+ 0 Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
git bisect good 839669714f0a85d677283690e6e164fb698ce206 # 22:31 20+ 0 ARM: add seccomp syscall
git bisect good c8bee430dc52cfca6c1aab27752a89275d78d50f # 22:43 20+ 0 seccomp: split filter prep from check and apply
git bisect bad 3ba2530cc06eb4aee4f1f754f43d781e8a12ee09 # 22:48 0- 19 seccomp: allow mode setting across threads
git bisect bad dbd952127d11bb44a4ea30b08cc60531b6a23d71 # 23:16 0- 20 seccomp: introduce writer locking
# first bad commit: [dbd952127d11bb44a4ea30b08cc60531b6a23d71] seccomp: introduce writer locking
git bisect good c8bee430dc52cfca6c1aab27752a89275d78d50f # 23:18 60+ 0 seccomp: split filter prep from check and apply
git bisect good a1cff6e25e6e3b55183610dddca91546951b20e3 # 23:27 60+ 0 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
This script may reproduce the error.
----------------------------------------------------------------------------
#!/bin/bash
kernel=$1
kvm=(
qemu-system-x86_64
-enable-kvm
-cpu Haswell,+smep,+smap
-kernel $kernel
-m 320
-smp 1
-net nic,vlan=1,model=e1000
-net user,vlan=1
-boot order=nc
-no-reboot
-watchdog i6300esb
-rtc base=localtime
-serial stdio
-display none
-monitor null
)
append=(
hung_task_panic=1
earlyprintk=ttyS0,115200
debug
apic=debug
sysrq_always_enabled
rcupdate.rcu_cpu_stall_timeout=100
panic=-1
softlockup_panic=1
nmi_watchdog=panic
oops=panic
load_ramdisk=2
prompt_ramdisk=0
console=ttyS0,115200
console=tty0
vga=normal
root=/dev/ram0
rw
drbd.minor_count=8
)
"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------
Thanks,
Fengguang
View attachment "dmesg-yocto-kbuild-32:20141105231051:i386-randconfig-ha2-1105:3.16.0-rc5-00031-gdbd95212:339" of type "text/plain" (24724 bytes)
View attachment "config-3.16.0-rc5-00031-gdbd95212" of type "text/plain" (97740 bytes)
_______________________________________________
LKP mailing list
LKP@...ux.intel.com
Powered by blists - more mailing lists