Message-ID: <CACT4Y+aCMK6mdre1+TnE1DQVFTTcS6U+Nbr2KnhZDyNFJ_+_uQ@mail.gmail.com>
Date:	Fri, 8 Jan 2016 17:43:14 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Gleb Natapov <gleb@...nel.org>,
	Paolo Bonzini <pbonzini@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	"x86@...nel.org" <x86@...nel.org>, kvm@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Eric Dumazet <edumazet@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>
Subject: kvm: vmalloc allocation failure in kvm_vcpu_ioctl_set_cpuid

Hello,

The following program triggers a vmalloc allocation failure in
kvm_vcpu_ioctl_set_cpuid (it tries to allocate 0 bytes, but the result
looks scary in dmesg):

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>

long r[8];

int main()
{
        memset(r, -1, sizeof(r));
        // Fixed anonymous RW mapping at 0x20000000 (PROT_READ|PROT_WRITE,
        // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS) used as scratch space below.
        r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
                       0x32ul, 0xfffffffffffffffful, 0x0ul);
        // "/dev/kvm", opened O_RDWR
        memcpy((void*)0x20000000, "\x2f\x64\x65\x76\x2f\x6b\x76\x6d", 8);
        r[2] = syscall(SYS_open, 0x20000000ul, 0x2ul, 0x0ul, 0, 0, 0);
        r[3] = syscall(SYS_ioctl, r[2], 0xae01ul, 0x0ul, 0, 0, 0);  // KVM_CREATE_VM
        r[4] = syscall(SYS_ioctl, r[3], 0xae41ul, 0x8ul, 0, 0, 0);  // KVM_CREATE_VCPU, vcpu id 8
        // struct kvm_cpuid header: nent = 0, padding = 6
        *(uint32_t*)0x20000000 = (uint32_t)0x0;
        *(uint32_t*)0x20000004 = (uint32_t)0x6;
        r[7] = syscall(SYS_ioctl, r[4], 0x4008ae8aul, 0x20000000ul, 0, 0, 0);  // KVM_SET_CPUID
        return 0;
}

vmalloc: allocation failure: 0 bytes
syz-executor: page allocation failure: order:0, mode:0x24000c2
CPU: 3 PID: 7070 Comm: syz-executor Not tainted 4.4.0-rc8+ #213
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88006255f648 ffffffff82906ccd 1ffff1000c4abecd
 ffffffff85fbce20 dffffc0000000000 ffff88006255f760 ffffffff8164e364
 ffff880063704680 0000000000000001 0000000041b58ab3 ffffffff86e43544
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82906ccd>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff8164e364>] warn_alloc_failed+0x1f4/0x250 mm/page_alloc.c:2677
 [<ffffffff816f530b>] __vmalloc_node_range+0x42b/0x6d0 mm/vmalloc.c:1692
 [<     inline     >] __vmalloc_node mm/vmalloc.c:1715
 [<     inline     >] __vmalloc_node_flags mm/vmalloc.c:1729
 [<ffffffff816f567b>] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [<ffffffff810df80e>] kvm_vcpu_ioctl_set_cpuid+0xae/0x9b0
arch/x86/kvm/cpuid.c:177
 [<ffffffff810588b6>] kvm_arch_vcpu_ioctl+0x2176/0x2ef0 arch/x86/kvm/x86.c:3262
 [<ffffffff8101cb52>] kvm_vcpu_ioctl+0x1e2/0xd00
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2526
[  331.709691] Mem-Info:
[  331.709910] active_anon:2753 inactive_anon:58 isolated_anon:0
[  331.709910]  active_file:4796 inactive_file:3639 isolated_file:0
[  331.709910]  unevictable:0 dirty:26 writeback:0 unstable:0
[  331.709910]  slab_reclaimable:9522 slab_unreclaimable:51558
[  331.709910]  mapped:3216 shmem:65 pagetables:336 bounce:0
[  331.709910]  free:320048 free_pcp:468 free_cma:0
[  331.712795] Node 0 DMA free:9544kB min:48kB low:60kB high:72kB
active_anon:104kB inactive_anon:0kB active_file:364kB
inactive_file:340kB unevictable:0kB isolated(anon):0kB
isolated(file):0kB present:15992kB managed:15908kB
mlocked:51539607552kB dirty:0kB writeback:0kB mapped:336kB shmem:0kB
slab_reclaimable:384kB slab_unreclaimable:4088kB kernel_stack:32kB
pagetables:20kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB
free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? no
[  331.716610] lowmem_reserve[]: 0 862 862 862
[  331.717084] Node 0 DMA32 free:691300kB min:2664kB low:3328kB
high:3996kB active_anon:2660kB inactive_anon:124kB active_file:9004kB
inactive_file:8048kB unevictable:0kB isolated(anon):0kB
isolated(file):0kB present:1032192kB managed:883568kB
mlocked:2473901162496kB dirty:80kB writeback:0kB mapped:7380kB
shmem:136kB slab_reclaimable:22568kB slab_unreclaimable:113320kB
kernel_stack:3168kB pagetables:500kB unstable:0kB bounce:0kB
free_pcp:916kB local_pcp:460kB free_cma:0kB writeback_tmp:0kB
pages_scanned:0 all_unreclaimable? no
[  331.721165] lowmem_reserve[]: 0 0 0 0
[  331.721577] Node 1 DMA32 free:579348kB min:2252kB low:2812kB
high:3376kB active_anon:8248kB inactive_anon:108kB active_file:9816kB
inactive_file:6168kB unevictable:0kB isolated(anon):0kB
isolated(file):0kB present:1048560kB managed:746804kB
mlocked:1425929142272kB dirty:24kB writeback:0kB mapped:5148kB
shmem:124kB slab_reclaimable:15136kB slab_unreclaimable:88824kB
kernel_stack:3232kB pagetables:824kB unstable:0kB bounce:0kB
free_pcp:952kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB
pages_scanned:0 all_unreclaimable? no
[  331.725806] lowmem_reserve[]: 0 0 0 0
[  331.726243] Node 0 DMA: 26*4kB (UM) 16*8kB (UM) 10*16kB (UM) 8*32kB
(UM) 9*64kB (UME) 1*128kB (U) 2*256kB (UM) 3*512kB (UME) 2*1024kB (UE)
2*2048kB (UM) 0*4096kB = 9544kB
[  331.727981] Node 0 DMA32: 357*4kB (UM) 304*8kB (UME) 371*16kB (UME)
187*32kB (UM) 95*64kB (UME) 44*128kB (UME) 21*256kB (UME) 14*512kB
(ME) 10*1024kB (UM) 3*2048kB (UM) 155*4096kB (M) = 691300kB
[  331.729932] Node 1 DMA32: 3*4kB (UME) 145*8kB (UM) 310*16kB (UM)
191*32kB (UME) 101*64kB (UME) 32*128kB (UME) 20*256kB (UME) 19*512kB
(UME) 5*1024kB (UM) 6*2048kB (UM) 128*4096kB (ME) = 579348kB
[  331.731880] Node 0 hugepages_total=0 hugepages_free=0
hugepages_surp=0 hugepages_size=2048kB
[  331.733086] Node 1 hugepages_total=0 hugepages_free=0
hugepages_surp=0 hugepages_size=2048kB
[  331.733841] 8504 total pagecache pages
[  331.734202] 0 pages in swap cache
[  331.734508] Swap cache stats: add 0, delete 0, find 0/0
[  331.734972] Free swap  = 0kB
[  331.735241] Total swap = 0kB
[  331.735510] 524186 pages RAM
[  331.735769] 0 pages HighMem/MovableOnly
[  331.736159] 112616 pages reserved


On commit b06f3a168cdcd80026276898fd1fee443ef25743 (Jan 6).
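The following is an added example, not code from the report, from syzkaller or from KVM. It covers two things a reader of the reproducer above usually wants: it decodes the raw ioctl request numbers the program passes (Linux `_IOC` field layout on x86-64), confirming that 0x4008ae8a is a write ioctl on type 0xae carrying an 8-byte argument, and it models the input check a handler like kvm_vcpu_ioctl_set_cpuid needs so that a user-supplied entry count of zero never becomes a zero-byte allocation request. The struct layouts of `struct kvm_cpuid` and `struct kvm_cpuid_entry`, and the limit of 80 entries (`KVM_MAX_CPUID_ENTRIES`), are reproduced from the Linux uapi headers as assumptions here; the 8-byte header is constructed to match what the reproducer stores.

```c
/*
 * Added example (not from the report or from KVM): decode the reproducer's
 * ioctl numbers and show an unguarded versus a guarded sizing of the
 * KVM_SET_CPUID entry table. Struct layouts and the 80-entry limit are
 * assumptions taken from memory of the Linux uapi headers.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linux _IOC() field layout on x86-64: nr:8, type:8, size:14, dir:2. */
struct ioc_fields { unsigned dir, type, nr, size; };

static struct ioc_fields ioc_decode(uint32_t req)
{
    struct ioc_fields f;
    f.nr   = req & 0xff;
    f.type = (req >> 8) & 0xff;
    f.size = (req >> 16) & 0x3fff;
    f.dir  = (req >> 30) & 0x3;   /* 0 = none, 1 = write, 2 = read */
    return f;
}

/* Assumed layout of struct kvm_cpuid (the 8-byte header the reproducer writes). */
struct cpuid_hdr { uint32_t nent; uint32_t padding; };
/* Assumed layout of struct kvm_cpuid_entry: six __u32 fields, 24 bytes. */
struct cpuid_entry { uint32_t function, eax, ebx, ecx, edx, padding; };

#define MAX_CPUID_ENTRIES 80   /* assumed value of KVM_MAX_CPUID_ENTRIES */

/* Unguarded sizing, the shape the trace implies: nent == 0 yields a
 * zero-byte request, which is exactly what vmalloc warned about. */
static size_t unguarded_size(uint32_t nent)
{
    return sizeof(struct cpuid_entry) * nent;
}

/* Guarded sizing: reject an empty or oversized table before any allocator
 * call, and refuse a product that would not fit in size_t. Returns the byte
 * count, or a negative errno. */
static long checked_size(uint32_t nent)
{
    if (nent == 0 || nent > MAX_CPUID_ENTRIES)
        return -EINVAL;
    if (nent > SIZE_MAX / sizeof(struct cpuid_entry))
        return -EOVERFLOW;   /* unreachable with the limit above; kept for the general pattern */
    return (long)(sizeof(struct cpuid_entry) * nent);
}

/* Validate a user-supplied header the way a hardened handler would;
 * memcpy stands in for copy_from_user(). */
static long set_cpuid_check(const uint8_t *user_hdr)
{
    struct cpuid_hdr hdr;
    memcpy(&hdr, user_hdr, sizeof(hdr));
    return checked_size(hdr.nent);
}

/* Constructed header bytes matching what the reproducer stores: nent = 0, padding = 6. */
static const uint8_t repro_hdr[8] = { 0, 0, 0, 0, 6, 0, 0, 0 };

int main(void)
{
    const uint32_t reqs[] = { 0xae01, 0xae41, 0x4008ae8a };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        struct ioc_fields f = ioc_decode(reqs[i]);
        printf("0x%08x: dir=%u type=0x%02x nr=0x%02x size=%u\n",
               reqs[i], f.dir, f.type, f.nr, f.size);
    }
    printf("unguarded size for nent=0: %zu bytes\n", unguarded_size(0));
    printf("guarded check on reproducer header: %ld\n", set_cpuid_check(repro_hdr));
    return 0;
}
```

The decoded size field of 0x4008ae8a equals `sizeof(struct cpuid_hdr)`, which is why the reproducer only needs to populate two 32-bit words; the guarded path returns -EINVAL for that header instead of handing a zero length to the allocator.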
