Date:	Mon, 22 Dec 2014 09:24:19 -0500
From:	Sasha Levin <sasha.levin@...cle.com>
To:	LKML <linux-kernel@...r.kernel.org>
CC:	Greg KH <greg@...ah.com>, Rusty Russell <rusty@...tcorp.com.au>,
	Andrew Morton <akpm@...ux-foundation.org>, hch@...radead.org,
	Al Viro <viro@...IV.linux.org.uk>
Subject: module,sysfs: gpf in module_attr_store

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel, I've stumbled on the following spew:

[ 2775.284941] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 2775.285681] Dumping ftrace buffer:
[ 2775.286124]    (ftrace buffer empty)
[ 2775.286612] Modules linked in:
[ 2775.286999] CPU: 15 PID: 29531 Comm: trinity-c307 Tainted: G    B          3.18.0-next-20141219-sasha-00047-gaab33f6-dirty #1627
[ 2775.288272] task: ffff8805c49aa000 ti: ffff8808f7734000 task.ti: ffff8808f7734000
[ 2775.289081] RIP: module_attr_store (kernel/params.c:894)
[ 2775.290021] RSP: 0018:ffff8808f7737c98  EFLAGS: 00010246
[ 2775.290021] RAX: dfffe90000000000 RBX: ffff88090b3b82f0 RCX: 0000000000001000
[ 2775.290021] RDX: ffff88061852c290 RSI: ffff88090b3bbd98 RDI: ffff88090b3b82f0
[ 2775.290021] RBP: ffff8808f7737cb8 R08: 0000000000000000 R09: 0000000000000000
[ 2775.290021] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88090b3bbd98
[ 2775.290021] R13: ffffffffb04544a0 R14: ffff88061852c290 R15: ffff88090b3bbd98
[ 2775.290021] FS:  00007f727b070700(0000) GS:ffff88064c400000(0000) knlGS:0000000000000000
[ 2775.290021] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2775.290021] CR2: 0000000077d9d000 CR3: 00000008f52e6000 CR4: 00000000000006a0
[ 2775.290021] DR0: ffffffff81000000 DR1: a200000080000000 DR2: 0000000000000000
[ 2775.290021] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 2775.290021] Stack:
[ 2775.290021]  ffff8808f7737d08 ffffffffa09e85f7 ffff8802757c7480 ffffffffa04723b0
[ 2775.290021]  ffff8808f7737d08 ffffffffa0c6d0b9 000000000000000f ffffffffa0c6952e
[ 2775.290021]  ffff8808f7737cf8 ffff88061852c290 0000000000001000 ffff8805b1ae1948
[ 2775.290021] Call Trace:
[ 2775.290021] ? __kmalloc (mm/slub.c:3298)
[ 2775.290021] ? module_attr_show (kernel/params.c:883)
[ 2775.290021] sysfs_kf_write (fs/sysfs/file.c:132)
[ 2775.290021] ? kernfs_fop_write (include/linux/slab.h:436 fs/kernfs/file.c:287)
[ 2775.290021] ? sysfs_kf_bin_read (fs/sysfs/file.c:124)
[ 2775.290021] kernfs_fop_write (fs/kernfs/file.c:311)
[ 2775.290021] do_loop_readv_writev (fs/read_write.c:722)
[ 2775.290021] ? kernfs_vma_page_mkwrite (fs/kernfs/file.c:271)
[ 2775.290021] ? kernfs_vma_page_mkwrite (fs/kernfs/file.c:271)
[ 2775.290021] do_readv_writev (fs/read_write.c:854)
[ 2775.290021] ? preempt_count_sub (kernel/sched/core.c:2620)
[ 2775.290021] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:183)
[ 2775.290021] ? vtime_account_user (kernel/sched/cputime.c:701)
[ 2775.290021] vfs_writev (fs/read_write.c:893)
[ 2775.290021] SyS_writev (fs/read_write.c:926 fs/read_write.c:917)
[ 2775.290021] tracesys_phase2 (arch/x86/kernel/entry_64.S:529)
[ 2775.290021] Code: 00 00 00 00 e9 ff df 48 89 fe 48 c1 ee 03 80 3c 06 00 75 35 48 83 7b 18 00 74 25 48 85 db 74 64 f6 c3 07 75 5f 4c 89 e6 48 89 df <ff> 53 18 48 98 48 83 c4 10 5b 41 5c 5d c3 0f 1f 80 00 00 00 00
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	e9 ff df 48 89       	jmpq   0xffffffff8948e008
   9:	fe 48 c1             	decb   -0x3f(%rax)
   c:	ee                   	out    %al,(%dx)
   d:	03 80 3c 06 00 75    	add    0x7500063c(%rax),%eax
  13:	35 48 83 7b 18       	xor    $0x187b8348,%eax
  18:	00 74 25 48          	add    %dh,0x48(%rbp,%riz,1)
  1c:	85 db                	test   %ebx,%ebx
  1e:	74 64                	je     0x84
  20:	f6 c3 07             	test   $0x7,%bl
  23:	75 5f                	jne    0x84
  25:	4c 89 e6             	mov    %r12,%rsi
  28:	48 89 df             	mov    %rbx,%rdi
  2b:*	ff 53 18             	callq  *0x18(%rbx)		<-- trapping instruction
  2e:	48 98                	cltq
  30:	48 83 c4 10          	add    $0x10,%rsp
  34:	5b                   	pop    %rbx
  35:	41 5c                	pop    %r12
  37:	5d                   	pop    %rbp
  38:	c3                   	retq
  39:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	ff 53 18             	callq  *0x18(%rbx)
   3:	48 98                	cltq
   5:	48 83 c4 10          	add    $0x10,%rsp
   9:	5b                   	pop    %rbx
   a:	41 5c                	pop    %r12
   c:	5d                   	pop    %rbp
   d:	c3                   	retq
   e:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
	...
[ 2775.290021] RIP module_attr_store (kernel/params.c:894)
[ 2775.290021]  RSP <ffff8808f7737c98>


Thanks,
Sasha
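Added example (not part of the report above, and not kernel code): the "All code" listing in the report is what scripts/decodecode produces from the raw Code: line, and the trapping instruction it marks is "callq *0x18(%rbx)". On x86-64 a #GP at an indirect call means the branch target was non-canonical; RBX (ffff88090b3b82f0) is a plausible kernel address, so the function pointer loaded from 0x18(%rbx) is what was bad. The program below does the first step of that triage by hand: it parses the Code: line, finds the byte marked <..>, and decodes the one encoding this oops uses, "ff /2" with an 8-bit displacement, to confirm the call goes through [rbx+0x18]. The byte string is copied from the oops; the function names and the struct are mine.

```c
/* Parse the "Code:" line of an x86-64 oops, locate the byte marked <..>
 * (the instruction at RIP) and decode "ff /2 modrm disp8", i.e.
 * callq *disp8(%reg). Illustrative code, not from the kernel tree. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

#define MAX_CODE_BYTES 128

struct code_line {
    uint8_t bytes[MAX_CODE_BYTES];
    size_t  n;          /* number of bytes parsed */
    int     fault_off;  /* index of the <..> byte, -1 if no marker */
};

/* Turn "00 00 <ff> 53 18 ..." into bytes. Returns 0 on success, -1 on a
 * malformed token or an unterminated <..> marker. */
int parse_code_line(const char *s, struct code_line *out)
{
    out->n = 0;
    out->fault_off = -1;
    while (*s) {
        while (*s == ' ' || *s == '\t')
            s++;
        if (!*s)
            break;
        int marked = 0;
        if (*s == '<') {
            marked = 1;
            s++;
        }
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1]))
            return -1;
        if (out->n >= MAX_CODE_BYTES)
            return -1;
        char hex[3] = { s[0], s[1], 0 };
        out->bytes[out->n] = (uint8_t)strtoul(hex, NULL, 16);
        s += 2;
        if (marked) {
            if (*s != '>')
                return -1;
            s++;
            out->fault_off = (int)out->n;
        }
        out->n++;
    }
    return 0;
}

/* Decode the bytes at 'off' as "ff /2 [reg+disp8]" (near indirect call).
 * Only mod=01 (8-bit displacement) without a REX prefix or SIB byte is
 * handled, which is exactly the form in this oops. Returns 0 and fills
 * *base / *disp on success, -1 if the bytes are not that encoding. */
int decode_call_disp8(const struct code_line *c, size_t off,
                      const char **base, int *disp)
{
    static const char *regs[8] =
        { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi" };
    if (off + 3 > c->n || c->bytes[off] != 0xff)
        return -1;
    uint8_t modrm = c->bytes[off + 1];
    unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod != 1 || reg != 2 || rm == 4)   /* rm=4 would mean a SIB byte */
        return -1;
    *base = regs[rm];
    *disp = (int8_t)c->bytes[off + 2];     /* disp8 is sign-extended */
    return 0;
}

/* Copied from the Code: line in the report; constructed input for the demo. */
static const char *oops_code =
    "00 00 00 00 e9 ff df 48 89 fe 48 c1 ee 03 80 3c 06 00 75 35 48 83 7b 18 "
    "00 74 25 48 85 db 74 64 f6 c3 07 75 5f 4c 89 e6 48 89 df <ff> 53 18 48 98 "
    "48 83 c4 10 5b 41 5c 5d c3 0f 1f 80 00 00 00 00";

int main(void)
{
    struct code_line c;
    const char *base;
    int disp;

    if (parse_code_line(oops_code, &c) != 0 || c.fault_off < 0) {
        fprintf(stderr, "malformed Code: line\n");
        return 1;
    }
    printf("%zu bytes, RIP at offset 0x%x\n", c.n, c.fault_off);
    if (decode_call_disp8(&c, (size_t)c.fault_off, &base, &disp) == 0)
        printf("faulting insn: callq *0x%x(%%%s)\n", disp, base);
    return 0;
}
```

The parse should yield 64 bytes with the marker at offset 0x2b, matching the "2b:" line of the decodecode output above, and the decode confirms the indirect call through rbx+0x18. Anything more elaborate (other opcodes, REX prefixes, SIB) is better left to objdump or decodecode itself.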