Message-ID: <a6427f11-0e61-cd89-525c-88433bfa2334@redhat.com>
Date:	Tue, 31 May 2016 11:56:07 +0200
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	Dmitry Vyukov <dvyukov@...gle.com>, Gleb Natapov <gleb@...nel.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	"x86@...nel.org" <x86@...nel.org>, kvm@...r.kernel.org,
	LKML <linux-kernel@...r.kernel.org>
Cc:	Eric Northup <digitaleric@...gle.com>,
	Andrew Honig <ahonig@...gle.com>,
	Steve Rutherford <srutherford@...gle.com>,
	Robert Swiecki <swiecki@...gle.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	syzkaller <syzkaller@...glegroups.com>
Subject: Re: kvm: GPF in kvm_irq_map_gsi



On 15/02/2016 14:30, Dmitry Vyukov wrote:
>     *(uint32_t*)0x2000a6b9 = (uint32_t)0x3e;
>     *(uint16_t*)0x2000a6bd = (uint16_t)0x8;
>     *(uint8_t*)0x2000a6bf = (uint8_t)0x8d4;
>     *(uint8_t*)0x2000a6c0 = (uint8_t)0xffffffffffff5fe9;
>     *(uint8_t*)0x2000a6c1 = (uint8_t)0x80000001;
>     *(uint8_t*)0x2000a6c2 = (uint8_t)0x0;
>     *(uint8_t*)0x2000a6c3 = (uint8_t)0xbe2;
>     *(uint8_t*)0x2000a6c4 = (uint8_t)0x9;
>     *(uint8_t*)0x2000a6c5 = (uint8_t)0x7ff;
>     *(uint8_t*)0x2000a6c6 = (uint8_t)0x1;
>     *(uint8_t*)0x2000a6c7 = (uint8_t)0x1f;
>     *(uint8_t*)0x2000a6c8 = (uint8_t)0x1d8;
>     *(uint16_t*)0x2000a6c9 = (uint16_t)0x8;

This field (.channels[0].count_load_time) should be uint64_t.  I
understand that it's all random, but it makes it even harder to follow
what's going on...

Thanks,

Paolo

>     *(uint32_t*)0x2000a6cd = (uint32_t)0x736d;
>     *(uint16_t*)0x2000a6d1 = (uint16_t)0x3;
>     *(uint8_t*)0x2000a6d3 = (uint8_t)0xff;
>     *(uint8_t*)0x2000a6d4 = (uint8_t)0x3;
>     *(uint8_t*)0x2000a6d5 = (uint8_t)0xffffffffffff8000;
>     *(uint8_t*)0x2000a6d6 = (uint8_t)0xc20;
>     *(uint8_t*)0x2000a6d7 = (uint8_t)0x6;
>     *(uint8_t*)0x2000a6d8 = (uint8_t)0x2;
>     *(uint8_t*)0x2000a6d9 = (uint8_t)0x6;
>     *(uint8_t*)0x2000a6da = (uint8_t)0x8;
>     *(uint8_t*)0x2000a6db = (uint8_t)0x3;
>     *(uint8_t*)0x2000a6dc = (uint8_t)0x1;
>     *(uint16_t*)0x2000a6dd = (uint16_t)0xce;
>     *(uint32_t*)0x2000a6e1 = (uint32_t)0xab85;
>     *(uint16_t*)0x2000a6e5 = (uint16_t)0x0;
>     *(uint8_t*)0x2000a6e7 = (uint8_t)0xa0e3;
>     *(uint8_t*)0x2000a6e8 = (uint8_t)0x100000001;
>     *(uint8_t*)0x2000a6e9 = (uint8_t)0x3;
>     *(uint8_t*)0x2000a6ea = (uint8_t)0x1;
>     *(uint8_t*)0x2000a6eb = (uint8_t)0x2;
>     *(uint8_t*)0x2000a6ec = (uint8_t)0x1;
>     *(uint8_t*)0x2000a6ed = (uint8_t)0x7ff;
>     *(uint8_t*)0x2000a6ee = (uint8_t)0x2;
>     *(uint8_t*)0x2000a6ef = (uint8_t)0x8a;
>     *(uint8_t*)0x2000a6f0 = (uint8_t)0xca6;
>     *(uint16_t*)0x2000a6f1 = (uint16_t)0x1;
>     *(uint32_t*)0x2000a6f5 = (uint32_t)0x401;
>     *(uint32_t*)0x2000a6f9 = (uint32_t)0x0;
>     *(uint32_t*)0x2000a6fd = (uint32_t)0x0;
>     *(uint32_t*)0x2000a701 = (uint32_t)0x0;
>     *(uint32_t*)0x2000a705 = (uint32_t)0x0;
>     *(uint32_t*)0x2000a709 = (uint32_t)0x0;
>     *(uint32_t*)0x2000a70d = (uint32_t)0x0;
>     *(uint32_t*)0x2000a711 = (uint32_t)0x0;
>     *(uint32_t*)0x2000a715 = (uint32_t)0x0;
>     *(uint32_t*)0x2000a719 = (uint32_t)0x0;
>     r[71] =
>         syscall(SYS_ioctl, r[3], 0x4070aea0ul, 0x2000a6b9ul, 0, 0, 0);
>     break;
>   case 6:
>     r[72] = syscall(SYS_mmap, 0x2000e000ul, 0x1000ul, 0x3ul, 0x32ul,
>                     0xfffffffffffffffful, 0x0ul);
>     break;
>   case 7:
>     r[73] = syscall(SYS_ioctl, r[2], 0x5424ul, 0x2000e630ul, 0, 0, 0);
>     break;
>   }
>   return 0;
> }
> 
> /* Runs one round of the reproducer: start thr() (defined above) on eight
>  * threads, passing the loop counter as the void* argument, then join them
>  * all.  With coin_flip == 0 every pthread_create is followed by a random
>  * usleep; with coin_flip != 0 the sleep happens only when rand()%2 is set.
>  * The short-circuit keeps the sequence of rand() calls identical to the
>  * original two hand-written loops. */
> static void spawn_round(pthread_t *th, int coin_flip)
> {
>   for (long idx = 0; idx < 8; idx++) {
>     pthread_create(&th[idx], 0, thr, (void*)idx);
>     if (!coin_flip || rand()%2)
>       usleep(rand()%10000);
>   }
>   for (long idx = 0; idx < 8; idx++)
>     pthread_join(th[idx], 0);
> }
> 
> int main()
> {
>   pthread_t th[8];
> 
>   srand(getpid());           /* per-process seed: each run interleaves differently */
>   memset(r, -1, sizeof(r));  /* r[] receives syscall return values in thr(); start all-0xff */
>   spawn_round(th, 0);        /* round one: always sleep between creates */
>   spawn_round(th, 1);        /* round two: sleep on a coin flip only */
>   return 0;
> }
> 
> 
> On commit 388f7b1d6e8ca06762e2454d28d6c3c55ad0fe95 (4.5-rc3)
> 
