Message-ID: <CACT4Y+ZEG3=FVVnnC=SWarZYLaEJWGuzNEeRoFQ-qX5Mek=KTQ@mail.gmail.com>
Date:   Sat, 12 Nov 2016 14:07:05 -0800
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Paolo Bonzini <pbonzini@...hat.com>, rkrcmar@...hat.com,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>, KVM list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Steve Rutherford <srutherford@...gle.com>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: kvm: GPF in gfn_to_rmap

Hello,

The following program triggers GPF in gfn_to_rmap:
https://gist.githubusercontent.com/dvyukov/6669049830e8786d2cfa0ffec5928186/raw/b7d1ec4dc555146ac0175b5b0aae98c1904299eb/gistfile1.txt

On commit 015ed9433be2b476ec7e2e6a9a411a56e3b5b035 (Nov 11).

general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 29153 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800387e9700 task.stack: ffff88003c200000
RIP: 0010:[<ffffffff810d1c8c>]  [<     inline     >] search_memslots include/linux/kvm_host.h:913
RIP: 0010:[<ffffffff810d1c8c>]  [<     inline     >] __gfn_to_memslot include/linux/kvm_host.h:928
RIP: 0010:[<ffffffff810d1c8c>]  [<ffffffff810d1c8c>] gfn_to_rmap+0x33c/0x400 arch/x86/kvm/mmu.c:1060
RSP: 0018:ffff88003c207538  EFLAGS: 00010283
RAX: dffffc0000000000 RBX: ffffc900074980b8 RCX: ffffc90000535000
RDX: 0000000000000867 RSI: ffffc90007498000 RDI: ffffc900074980c0
RBP: ffff88003c207588 R08: 0000000000000000 R09: 000000000003985d
R10: ffffffff84da2600 R11: 1ffff10007840eaa R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  00007f4da434d700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000003d850000 CR4: 00000000000026e0
Stack:
 1ffff10000000001 ffffc900074a3408 ffff88003b399008 0000000000000002
 ffffc90007498000 ffff88003d087000 ffff880039620040 0000000000000000
 ffff88003b399008 ffff8800bd087000 ffff88003c207600 ffffffff810d3dbb
Call Trace:
 [<     inline     >] rmap_add arch/x86/kvm/mmu.c:1079
 [<ffffffff810d3dbb>] mmu_set_spte+0x36b/0x6f0 arch/x86/kvm/mmu.c:2654
 [<ffffffff810e3e90>] __direct_map.part.115+0x2a0/0x400 arch/x86/kvm/mmu.c:2759
 [<     inline     >] __direct_map arch/x86/kvm/mmu.c:3586
 [<ffffffff810e4a0c>] tdp_page_fault+0x4fc/0x5e0 arch/x86/kvm/mmu.c:3586
 [<ffffffff810cd727>] kvm_mmu_page_fault+0xe7/0x200 arch/x86/kvm/mmu.c:4530
 [<ffffffff8115a8f6>] handle_ept_violation+0x116/0x480 arch/x86/kvm/vmx.c:6195
 [<ffffffff8116bd65>] vmx_handle_exit+0x545/0x34c0 arch/x86/kvm/vmx.c:8494
 [<     inline     >] vcpu_enter_guest arch/x86/kvm/x86.c:6767
 [<     inline     >] vcpu_run arch/x86/kvm/x86.c:6826
 [<ffffffff810bae42>] kvm_arch_vcpu_ioctl_run+0x29c2/0x5a90 arch/x86/kvm/x86.c:6984
 [<ffffffff81060cee>] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
 [<     inline     >] vfs_ioctl fs/ioctl.c:43
 [<ffffffff816b03cc>] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
 [<     inline     >] SYSC_ioctl fs/ioctl.c:694
 [<ffffffff816b130f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff831f0dc1>] entry_SYSCALL_64_fastpath+0x1f/0xc2
Code: 89 d8 8b 5d c8 89 45 c8 e8 72 be 38 00 8b 45 c8 89 5d c8 44 8d 60 01 e9 41 fe ff ff e8 5e be 38 00 48 b8 00 00 00 00 00 fc ff df <80> 38 00 75 0f 4c 8b 24 25 00 00 00 00 31 db e9 67 ff ff ff 31
RIP  [<     inline     >] search_memslots include/linux/kvm_host.h:913
RIP  [<     inline     >] __gfn_to_memslot include/linux/kvm_host.h:928
RIP  [<ffffffff810d1c8c>] gfn_to_rmap+0x33c/0x400 arch/x86/kvm/mmu.c:1060
 RSP <ffff88003c207538>
---[ end trace 531b7f0c43302f3c ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
reboot: cpu_has_vmx: ecx=80a02021 1
