Message-ID: <alpine.DEB.2.11.1505181325110.32481@vincent-weaver-1.umelst.maine.edu>
Date:	Mon, 18 May 2015 13:40:31 -0400 (EDT)
From:	Vince Weaver <vincent.weaver@...ne.edu>
To:	Peter Zijlstra <peterz@...radead.org>
cc:	Stephane Eranian <eranian@...gle.com>,
	Vince Weaver <vincent.weaver@...ne.edu>,
	LKML <linux-kernel@...r.kernel.org>,
	Arnaldo Carvalho de Melo <acme@...nel.org>,
	Jiri Olsa <jolsa@...hat.com>, Ingo Molnar <mingo@...hat.com>,
	Paul Mackerras <paulus@...ba.org>
Subject: Re: perf: fuzzer triggers NULL pointer dereference in
 x86_schedule_events

On Thu, 7 May 2015, Peter Zijlstra wrote:

> On Mon, May 04, 2015 at 12:32:56PM -0700, Stephane Eranian wrote:
> > I think it is more likely related to the bitmask (idxmsk).  But then
> > it is always allocated with the constraint even with the HT bug
> > workaround.  So most likely the index is bogus and you touch outside
> > the idxmsk[] array.
> 
> [428232.701319] BUG: unable to handle kernel NULL pointer dereference at           (null)
> 
> But the thing really tried to touch NULL, not some random address that
> faulted.
> 
> As always, Vince has found us a good puzzle ;-)

So the Haswell machine turned up the following oops that looks related.

Yet again we are ending up with a NULL pointer in the constraint table 
somehow.

This maps to 

static bool __perf_sched_find_counter(struct perf_sched *sched)

        c = sched->events[sched->state.event]->hw.constraint;

        /* Prefer fixed purpose counters */
--->	if (c->idxmsk64 & (~0ULL << INTEL_PMC_IDX_FIXED)) {

ffffffff81029ce4:       48 8b 55 88             mov    -0x78(%rbp),%rdx
ffffffff81029ce8:       48 8b 04 c2             mov    (%rdx,%rax,8),%rax
ffffffff81029cec:       ba 20 00 00 00          mov    $0x20,%edx
ffffffff81029cf1:       48 8b 98 98 01 00 00    mov    0x198(%rax),%rbx
ffffffff81029cf8:       4c 85 23                test   %r12,(%rbx)


[306672.100641] BUG: unable to handle kernel NULL pointer dereference at           (null)
[306672.109653] IP: [<ffffffff81029cf8>] perf_assign_events+0xa8/0x290
[306672.116829] PGD cea0f067 PUD cea0e067 PMD 0 
[306672.121965] Oops: 0000 [#1] SMP 
[306672.125994] Modules linked in: fuse x86_pkg_temp_thermal intel_powerclamp intel_rapl iosf_mbi coretemp hid_generic kvm_intel usbhid hid kvm crct10dif_pclmul snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic crc32_pclmul snd_hda_intel ghash_clmulni_intel snd_hda_controller i915 ppdev iTCO_wdt snd_hda_codec snd_hda_core aesni_intel aes_x86_64 lrw snd_hwdep gf128mul snd_pcm iTCO_vendor_support evdev glue_helper drm_kms_helper parport_pc drm pcspkr snd_timer ablk_helper snd cryptd soundcore processor button psmouse xhci_pci serio_raw xhci_hcd mei_me video battery lpc_ich parport mei i2c_i801 i2c_algo_bit tpm_tis tpm mfd_core wmi sg sr_mod sd_mod cdrom ehci_pci ehci_hcd ahci libahci e1000e libata ptp usbcore scsi_mod crc32c_intel usb_common pps_core thermal fan thermal_sys
[306672.203832] CPU: 1 PID: 606 Comm: perf_fuzzer Tainted: G        W       4.1.0-rc2+ #144
[306672.213036] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[306672.221600] task: ffff8800c40b0590 ti: ffff8800c40e0000 task.ti: ffff8800c40e0000
[306672.230293] RIP: 0010:[<ffffffff81029cf8>]  [<ffffffff81029cf8>] perf_assign_events+0xa8/0x290
[306672.240224] RSP: 0018:ffff8800c40e3c28  EFLAGS: 00010293
[306672.246580] RAX: ffff880118dd8800 RBX: 0000000000000000 RCX: 0000000000000000
[306672.254891] RDX: 0000000000000020 RSI: 0000000000000002 RDI: ffff8800c40e3c88
[306672.263220] RBP: ffff8800c40e3ca8 R08: 0000000000000000 R09: ffff880036fcf520
[306672.271541] R10: ffff8800c40e3c28 R11: 0000000000000005 R12: ffffffff00000000
[306672.279874] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000005
[306672.288220] FS:  00007fad66e4e700(0000) GS:ffff88011ea40000(0000) knlGS:0000000000000000
[306672.297573] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[306672.304432] CR2: 0000000000000000 CR3: 0000000036f38000 CR4: 00000000001407e0
[306672.312745] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[306672.321097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[306672.329459] Stack:
[306672.332304]  0000000200000005 ffff880036fcf520 0000000000000004 0000000200000000
[306672.341024]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[306672.349720]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[306672.358431] Call Trace:
[306672.361771]  [<ffffffff8102b4bd>] x86_schedule_events+0x1dd/0x250
[306672.369002]  [<ffffffff8102a76e>] x86_pmu_event_init+0x12e/0x3d0
[306672.376138]  [<ffffffff81160090>] ? perf_event_ctx_lock_nested+0x20/0x110
[306672.384102]  [<ffffffff8116029d>] perf_try_init_event+0x4d/0xb0
[306672.391139]  [<ffffffff8116840f>] perf_init_event+0x13f/0x170
[306672.397977]  [<ffffffff811682d5>] ? perf_init_event+0x5/0x170
[306672.404822]  [<ffffffff8116888b>] perf_event_alloc+0x44b/0x6d0
[306672.411736]  [<ffffffff81168f03>] SYSC_perf_event_open+0x3f3/0xde0
[306672.419063]  [<ffffffff81063051>] ? __do_page_fault+0x1d1/0x460
[306672.426071]  [<ffffffff81169dbe>] SyS_perf_event_open+0xe/0x10
[306672.432987]  [<ffffffff816dd1b2>] system_call_fastpath+0x16/0x7a
[306672.440088] Code: 49 bc 00 00 00 00 ff ff ff ff 85 c0 74 65 48 63 45 94 3b 45 84 7d 5c 48 8b 55 88 48 8b 04 c2 ba 20 00 00 00 48 8b 98 98 01 00 00 <4c> 85 23 0f 85 95 00 00 00 48 63 55 98 eb 20 66 0f 1f 84 00 00 
[306672.462285] RIP  [<ffffffff81029cf8>] perf_assign_events+0xa8/0x290
[306672.469745]  RSP <ffff8800c40e3c28>
[306672.474187] CR2: 0000000000000000

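Cross-checking the source mapping above against the register dump, as an added example that is not part of the original mail or of the kernel: `INTEL_PMC_IDX_FIXED` is 32 in arch/x86/include/asm/perf_event.h, so the mask `~0ULL << INTEL_PMC_IDX_FIXED` is 0xffffffff00000000, which is exactly the value of R12 in the dump (the leading code bytes `49 bc 00 00 00 00 ff ff ff ff` are `movabs $0xffffffff00000000,%r12`). The instruction before the fault, `mov 0x198(%rax),%rbx`, loads `hw.constraint` from the event in RAX into RBX; RBX is 0 and CR2 is 0, so the faulting `test %r12,(%rbx)` reads through a NULL constraint pointer `c`, while the event pointer itself (RAX) was valid. The program below parses the register lines copied from the oops (embedded as a constructed array) and performs that triage; `oops_reg`, `fixed_counter_mask`, `fault_is_null_constraint` and `r12_is_fixed_mask` are names chosen here for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel constant from arch/x86/include/asm/perf_event.h: index of the
 * first fixed-purpose counter, used in the source line the RIP maps to. */
#define INTEL_PMC_IDX_FIXED 32

/* Register lines copied from the oops above (constructed sample input). */
static const char *oops_regs[] = {
    "RAX: ffff880118dd8800 RBX: 0000000000000000 RCX: 0000000000000000",
    "RDX: 0000000000000020 RSI: 0000000000000002 RDI: ffff8800c40e3c88",
    "RBP: ffff8800c40e3ca8 R08: 0000000000000000 R09: ffff880036fcf520",
    "R10: ffff8800c40e3c28 R11: 0000000000000005 R12: ffffffff00000000",
    "R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000005",
    "CR2: 0000000000000000 CR3: 0000000036f38000 CR4: 00000000001407e0",
};

/* Look up one register ("RBX", "R12", "CR2", ...) in the dump.
 * *found tells the caller whether the name was present at all, since a
 * genuine value of 0 (as for RBX here) is indistinguishable from "missing". */
static uint64_t oops_reg(const char *name, int *found)
{
    char key[8];
    snprintf(key, sizeof key, "%s: ", name);
    for (size_t i = 0; i < sizeof oops_regs / sizeof oops_regs[0]; i++) {
        const char *p = strstr(oops_regs[i], key);
        if (p) {
            *found = 1;
            return strtoull(p + strlen(key), NULL, 16);
        }
    }
    *found = 0;
    return 0;
}

/* The constant the compiler materialised in %r12 for
 * (~0ULL << INTEL_PMC_IDX_FIXED) in the "Prefer fixed purpose counters" test. */
static uint64_t fixed_counter_mask(void)
{
    return ~0ULL << INTEL_PMC_IDX_FIXED;
}

/* Is the faulting 'test %r12,(%rbx)' a read through a NULL 'c'?
 * RBX holds c = event->hw.constraint (loaded by 'mov 0x198(%rax),%rbx');
 * the fault is a NULL constraint when RBX is 0 and equals the fault
 * address in CR2, while RAX (the event pointer dereferenced one
 * instruction earlier) was itself non-NULL. */
static int fault_is_null_constraint(void)
{
    int f_rbx, f_cr2, f_rax;
    uint64_t rbx = oops_reg("RBX", &f_rbx);
    uint64_t cr2 = oops_reg("CR2", &f_cr2);
    uint64_t rax = oops_reg("RAX", &f_rax);
    return f_rbx && f_cr2 && f_rax && rbx == 0 && cr2 == rbx && rax != 0;
}

/* Does %r12 carry the fixed-counter mask from the source line the RIP maps to? */
static int r12_is_fixed_mask(void)
{
    int found;
    uint64_t r12 = oops_reg("R12", &found);
    return found && r12 == fixed_counter_mask();
}

int main(void)
{
    printf("fixed-counter mask:         %#llx\n",
           (unsigned long long)fixed_counter_mask());
    printf("R12 is that mask:           %s\n", r12_is_fixed_mask() ? "yes" : "no");
    printf("fault is NULL hw.constraint: %s\n",
           fault_is_null_constraint() ? "yes" : "no");
    return 0;
}
```

Both checks come out true for this dump, which supports the reading in the mail: the `events[]` entry was a valid `perf_event`, but its `hw.constraint` was NULL when `__perf_sched_find_counter()` dereferenced it.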