lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+Ym4AVNGo5P2E_5pV2whf-zBps+qAww=rkMA5b=o1-Mfg@mail.gmail.com>
Date:	Tue, 26 Jan 2016 16:12:54 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	Andrew Morton <akpm@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>,
	"Amanieu d'Antras" <amanieu@...il.com>,
	Richard Weinberger <richard@....at>,
	Davidlohr Bueso <dave@...olabs.net>,
	Vladimir Davydov <vdavydov@...allels.com>,
	Palmer Dabbelt <palmer@...belt.com>,
	Andy Lutomirski <luto@...capital.net>,
	LKML <linux-kernel@...r.kernel.org>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	Eric Dumazet <edumazet@...gle.com>
Subject: WARNING in do_jobctl_trap

Hello,

The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 11020 at kernel/signal.c:2076 get_signal+0x125a/0x14f0()
Modules linked in:
CPU: 1 PID: 11020 Comm: syz-executor Not tainted 4.5.0-rc1+ #291
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88005b987c10 ffffffff829e798d 0000000000000000
 ffff88005c0b0000 ffffffff8653d460 ffff88005b987c50 ffffffff813536d9
 ffffffff81382d8a ffffffff8653d460 000000000000081c ffff88005c0b0000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff829e798d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff813536d9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff81353909>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<     inline     >] do_jobctl_trap kernel/signal.c:2076
 [<ffffffff81382d8a>] get_signal+0x125a/0x14f0 kernel/signal.c:2195
 [<ffffffff811a0db3>] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
 [<ffffffff81006685>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
 [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
 [<ffffffff86459c22>] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281
---[ end trace 8084a3d0c9430433 ]---


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/prctl.h>
#include <linux/sched.h>
#include <sched.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <memory.h>
#include <stdio.h>
#include <errno.h>

void *thr(void *arg)
{
    switch ((long)arg) {
    case 0:
        ptrace(PTRACE_SEIZE, getppid(), 0, 0);
        ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
        break;
    case 1:
        break;
    case 2:
        kill(getpid(), SIGPIPE);
        break;
    }
    return 0;
}

int main1(void *arg)
{
    int i, fd, pid, status;
    pthread_t th[3];

    setpgrp();
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    fd = open("/proc/self/setgroups", O_RDWR);
    write(fd, "deny", strlen("deny"));
    close(fd);
    fd = open("/proc/self/uid_map", O_RDWR);
    write(fd, "0 0 1\n", strlen("0 0 1\n"));
    close(fd);
    fd = open("/proc/self/gid_map", O_RDWR);
    write(fd, "0 0 1\n", strlen("0 0 1\n"));
    close(fd);
    pid = fork();
    if (pid == 0) {
        for (i = 0; i < 3; i++) {
            pthread_create(&th[i], 0, thr, (void*)(long)i);
            usleep(1000);
        }
        for (i = 0; i < 3; i++) {
            pthread_create(&th[i], 0, thr, (void*)(long)i);
            if (rand()%2)
                usleep(rand()%1000);
        }
        usleep(10000);
        exit(0);
    }
    while (waitpid(pid, &status, __WALL) != pid) {
    }
    exit(0);
}

int main()
{
    int pid, status;
    char stack[1<<20];

    srand(getpid());
    pid = clone(main1, &stack[sizeof(stack)-8], CLONE_NEWUSER |
CLONE_NEWPID, 0);
    while (waitpid(pid, &status, __WALL) != pid) {
    }
    return 0;
}

On commit 92e963f50fc74041b5e9e744c330dca48e04f08d (Jan 24).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ