Message-ID: <CAGXu5j+eXx+Wc8M0aGKHiiJ-OmnQXTqkXfBuAx9eQNRcRrJeSg@mail.gmail.com>
Date:	Thu, 6 Nov 2014 08:47:25 -0800
From:	Kees Cook <keescook@...omium.org>
To:	Fengguang Wu <fengguang.wu@...el.com>
Cc:	LKP <lkp@...org>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: [seccomp] kernel BUG at kernel/fork.c:1102!

I believe this has been fixed for a while by
69f6a34bdeea4fec50bb90619bc9602973119572 "seccomp: Replace
BUG(!spin_is_locked()) with assert_spin_lock"

Thanks!

-Kees

On Wed, Nov 5, 2014 at 11:14 PM, Fengguang Wu <fengguang.wu@...el.com> wrote:
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> commit dbd952127d11bb44a4ea30b08cc60531b6a23d71
> Author:     Kees Cook <keescook@...omium.org>
> AuthorDate: Fri Jun 27 15:18:48 2014 -0700
> Commit:     Kees Cook <keescook@...omium.org>
> CommitDate: Fri Jul 18 12:13:39 2014 -0700
>
>     seccomp: introduce writer locking
>
>     Normally, task_struct.seccomp.filter is only ever read or modified by
>     the task that owns it (current). This property aids in fast access
>     during system call filtering as read access is lockless.
>
>     Updating the pointer from another task, however, opens up race
>     conditions. To allow cross-thread filter pointer updates, writes to the
>     seccomp fields are now protected by the sighand spinlock (which is shared
>     by all threads in the thread group). Read access remains lockless because
>     pointer updates themselves are atomic.  However, writes (or cloning)
>     often entail additional checking (like maximum instruction counts)
>     which require locking to perform safely.
>
>     In the case of cloning threads, the child is invisible to the system
>     until it enters the task list. To make sure a child can't be cloned from
>     a thread and left in a prior state, seccomp duplication is additionally
>     moved under the sighand lock. Then parent and child are certain to have
>     the same seccomp state when they exit the lock.
>
>     Based on patches by Will Drewry and David Drysdale.
>
>     Signed-off-by: Kees Cook <keescook@...omium.org>
>     Reviewed-by: Oleg Nesterov <oleg@...hat.com>
>     Reviewed-by: Andy Lutomirski <luto@...capital.net>
>
> +------------------------------------------+------------+------------+------------+
> |                                          | c8bee430dc | dbd952127d | c2426d2ad5 |
> +------------------------------------------+------------+------------+------------+
> | boot_successes                           | 60         | 0          | 0          |
> | boot_failures                            | 0          | 20         | 11         |
> | kernel_BUG_at_kernel/fork.c              | 0          | 20         | 11         |
> | invalid_opcode                           | 0          | 20         | 11         |
> | EIP_is_at_copy_process                   | 0          | 20         | 11         |
> | Kernel_panic-not_syncing:Fatal_exception | 0          | 20         | 11         |
> | backtrace:do_fork                        | 0          | 20         | 11         |
> +------------------------------------------+------------+------------+------------+
>
> [    0.023060] CPU: Intel Core Processor (Haswell) (fam: 06, model: 3c, stepping: 01)
> [    0.046204] ftrace: allocating 39817 entries in 78 pages
> [    0.070150] ------------[ cut here ]------------
> [    0.071335] kernel BUG at kernel/fork.c:1102!
> [    0.072727] invalid opcode: 0000 [#1] PREEMPT
> [    0.074202] CPU: 0 PID: 0 Comm: swapper Not tainted 3.16.0-rc5-00031-gdbd95212 #339
> [    0.076276] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [    0.077594] task: c2832140 ti: c2826000 task.ti: c2826000
> [    0.078816] EIP: 0060:[<c1073080>] EFLAGS: 00210046 CPU: 0
> [    0.080000] EIP is at copy_process+0x1720/0x1860
> [    0.080000] EAX: 00000003 EBX: d3464000 ECX: 00000000 EDX: 00000000
> [    0.080000] ESI: fffffff4 EDI: d34701f0 EBP: c2827f84 ESP: c2827f54
> [    0.080000]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
> [    0.080000] CR0: 80050033 CR2: ffffffff CR3: 02c1e000 CR4: 00040690
> [    0.080000] Stack:
> [    0.080000]  d3464000 c2827fb8 00000000 00000000 c2457150 00000000 00000000 00800300
> [    0.080000]  fffffff4 c2457150 00020800 c2c1f800 c2827fb8 c1073386 00000000 d3407280
> [    0.080000]  00000000 00800300 c24780f5 00000000 00009b89 00000000 c2457150 00020800
> [    0.080000] Call Trace:
> [    0.080000]  [<c2457150>] ? rest_init+0x110/0x110
> [    0.080000]  [<c2457150>] ? rest_init+0x110/0x110
> [    0.080000]  [<c1073386>] do_fork+0x86/0x710
> [    0.080000]  [<c24780f5>] ? smp_trace_apic_timer_interrupt+0x5/0x2a6
> [    0.080000]  [<c2457150>] ? rest_init+0x110/0x110
> [    0.080000]  [<c1073a4b>] kernel_thread+0x3b/0x50
> [    0.080000]  [<c245707b>] rest_init+0x3b/0x110
> [    0.080000]  [<c2acc562>] start_kernel+0x864/0x88a
> [    0.080000]  [<c2acb31b>] i386_start_kernel+0xe9/0xfb
> [    0.080000] Code: 00 83 05 f8 d1 c5 c2 01 83 15 fc d1 c5 c2 00 83 05 00 d2 c5 c2 01 83 15 04 d2 c5 c2 00 83 05 e0 cf c5 c2 01 83 15 e4 cf c5 c2 00 <0f> 0b 83 05 e8 cf c5 c2 01 83 15 ec cf c5 c2 00 8b 45 e4 83 05
> [    0.080000] EIP: [<c1073080>] copy_process+0x1720/0x1860 SS:ESP 0068:c2827f54
> [    0.080000] ---[ end trace 8262cf1029187723 ]---
> [    0.080000] Kernel panic - not syncing: Fatal exception
>
> git bisect start 594081ee7145cc30a3977cb4e218f81213b63dc5 v3.16 --
> git bisect  bad b49e1043c48dac23f64fba684d31c4a96c1ffaa0  # 19:15      0-      2  tpm: Properly clean sysfs entries in error path
> git bisect good 32c2e6752ff0f48fe03b9e1c7c64bde580a840d2  # 20:28     20+      0  ima: provide double buffering for hash calculation
> git bisect  bad 7d8b6c63751cfbbe5eef81a48c22978b3407a3ad  # 20:46      0-      1  CAPABILITIES: remove undefined caps from all processes
> git bisect  bad fd33c43677a7965624b46352a686a7c1e72ae4aa  # 21:31      0-      2  Merge tag 'seccomp-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into next
> git bisect good 2ccf4661f315615d018686d91d030a94001d0cc6  # 22:14     20+      0  Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next
> git bisect good 839669714f0a85d677283690e6e164fb698ce206  # 22:31     20+      0  ARM: add seccomp syscall
> git bisect good c8bee430dc52cfca6c1aab27752a89275d78d50f  # 22:43     20+      0  seccomp: split filter prep from check and apply
> git bisect  bad 3ba2530cc06eb4aee4f1f754f43d781e8a12ee09  # 22:48      0-     19  seccomp: allow mode setting across threads
> git bisect  bad dbd952127d11bb44a4ea30b08cc60531b6a23d71  # 23:16      0-     20  seccomp: introduce writer locking
> # first bad commit: [dbd952127d11bb44a4ea30b08cc60531b6a23d71] seccomp: introduce writer locking
> git bisect good c8bee430dc52cfca6c1aab27752a89275d78d50f  # 23:18     60+      0  seccomp: split filter prep from check and apply
> git bisect good a1cff6e25e6e3b55183610dddca91546951b20e3  # 23:27     60+      0  Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
>
>
> This script may reproduce the error.
>
> ----------------------------------------------------------------------------
> #!/bin/bash
>
> kernel=$1
>
> kvm=(
>         qemu-system-x86_64
>         -enable-kvm
>         -cpu Haswell,+smep,+smap
>         -kernel $kernel
>         -m 320
>         -smp 1
>         -net nic,vlan=1,model=e1000
>         -net user,vlan=1
>         -boot order=nc
>         -no-reboot
>         -watchdog i6300esb
>         -rtc base=localtime
>         -serial stdio
>         -display none
>         -monitor null
> )
>
> append=(
>         hung_task_panic=1
>         earlyprintk=ttyS0,115200
>         debug
>         apic=debug
>         sysrq_always_enabled
>         rcupdate.rcu_cpu_stall_timeout=100
>         panic=-1
>         softlockup_panic=1
>         nmi_watchdog=panic
>         oops=panic
>         load_ramdisk=2
>         prompt_ramdisk=0
>         console=ttyS0,115200
>         console=tty0
>         vga=normal
>         root=/dev/ram0
>         rw
>         drbd.minor_count=8
> )
>
> "${kvm[@]}" --append "${append[*]}"
> ----------------------------------------------------------------------------
>
> Thanks,
> Fengguang
>



-- 
Kees Cook
Chrome OS Security
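Why the bisected commit's lock check blew up at boot, as an added userspace model that is not code from the kernel or from this thread: the oops flags line reads PREEMPT with no SMP, i.e. a uniprocessor build, and on a UP kernel without CONFIG_DEBUG_SPINLOCK a spinlock keeps no state and spin_is_locked() is hard-wired to 0, so BUG_ON(!spin_is_locked()) fires even when the lock is correctly held, while assert_spin_locked(), which the fix Kees cites switched to, stays quiet there and still catches a genuinely missing lock on SMP. The struct, the helper names and the way assert_spin_locked() is modeled are assumptions of this example.

```c
#include <stdbool.h>

/* Constructed userspace model of a kernel spinlock under two build types.
 * A lock word exists only on SMP or CONFIG_DEBUG_SPINLOCK builds; a UP build
 * without debug spinlocks (the 0day oops shows PREEMPT, no SMP) keeps no state. */
struct model_lock {
    bool has_state; /* true: SMP or DEBUG_SPINLOCK build; false: plain UP build */
    int held;       /* lock word, meaningful only when has_state */
};

static void model_spin_lock(struct model_lock *l) { if (l->has_state) l->held = 1; }

/* spin_is_locked(): reads the lock word where one exists; a plain UP build
 * hard-wires it to 0 (include/linux/spinlock_up.h: "((void)(lock), 0)"). */
static int model_spin_is_locked(const struct model_lock *l)
{
    return l->has_state ? l->held : 0;
}

/* Check from the bisected commit: BUG_ON(!spin_is_locked(&sighand->siglock)).
 * Returns 1 when the kernel would hit BUG(). */
static int writer_check_buggy(const struct model_lock *siglock)
{
    return !model_spin_is_locked(siglock);
}

/* Check from the fix: assert_spin_locked(). Modeled as asserting only when the
 * lock carries state; that it stays quiet on a plain UP build is the point of
 * the fix, the exact macro plumbing is an assumption of this model. */
static int writer_check_fixed(const struct model_lock *siglock)
{
    return siglock->has_state ? !siglock->held : 0;
}

/* Drive one scenario: build type, whether the caller holds the lock (as
 * copy_process() does under the seccomp writer lock), and which check runs.
 * Returns 1 if that check would fire. */
static int check_fires(bool has_state, bool held, bool use_fixed_check)
{
    struct model_lock siglock = { .has_state = has_state, .held = 0 };
    if (held)
        model_spin_lock(&siglock);
    return use_fixed_check ? writer_check_fixed(&siglock) : writer_check_buggy(&siglock);
}
```

check_fires(false, true, false) is the reported scenario: lock held, plain UP build, old check fires; the same call with use_fixed_check set returns 0.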