lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+Yb88=_DCiYHRzOMMbYbfs4HJOU3csJj4fqyjSY8GX8ig@mail.gmail.com>
Date:   Tue, 19 Dec 2017 12:47:18 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot 
        <bot+e1e744d9e0a29be67c9a0801837ac5e6889b974a@...kaller.appspotmail.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Alexander Popov <alex.popov@...ux.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Mark Rutland <mark.rutland@....com>,
        Philippe Ombredanne <pombredanne@...b.com>,
        syzkaller-bugs@...glegroups.com
Subject: Re: kernel BUG at mm/vmalloc.c:LINE!

On Tue, Dec 19, 2017 at 11:52 AM, syzbot
<bot+e1e744d9e0a29be67c9a0801837ac5e6889b974a@...kaller.appspotmail.com>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 6084b576dca2e898f5c101baef151f7bfdbb606d
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> netlink: 2 bytes leftover after parsing attributes in process
> `syz-executor6'.
> ------------[ cut here ]------------
> kernel BUG at mm/vmalloc.c:1538!
> invalid opcode: 0000 [#1] SMP
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> Modules linked in:
> CPU: 0 PID: 10625 Comm: syz-executor1 Not tainted 4.15.0-rc3-next-20171214+
> #67
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:__vunmap+0xd6/0x150 mm/vmalloc.c:1538
> RSP: 0018:ffffc9000111fbc0 EFLAGS: 00010293
> RAX: ffff8801fd102000 RBX: ffff8801fcea6800 RCX: ffffffff813b55a6
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000286
> RBP: ffffc9000111fbe0 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801fd188600
> R13: 0000000000000000 R14: 0000000000000001 R15: ffff880215e00bd0
> FS:  0000000000f52940(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f8e70bc7410 CR3: 000000000301e006 CR4: 00000000001606f0
> DR0: 0000000020000000 DR1: 0000000020001000 DR2: 0000000020000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
> Call Trace:vfreemalloc.c:1606
>  kcov_put+0x16/0x30 kernel/kcov.c:237
>  kcov_close+0x10/0x20 kernel/kcov.c:322
>  __fput+0x120/0x270 fs/file_table.c:209
>  ____fput+0x15/0x20 fs/file_table.c:243
>  task_work_run+0xa3/0xe0 kernel/task_work.c:113
>  exit_task_work include/linux/task_work.h:22 [inline]
>  do_exit+0x3e6/0x1050 kernel/exit.c:869
>  do_group_exit+0x60/0x100 kernel/exit.c:972
>  get_signal+0x36c/0xad0 kernel/signal.c:2337
>  do_signal+0x23/0x670 arch/x86/kernel/signal.c:809
>  exit_to_usermode_loop+0x13c/0x160 arch/x86/entry/common.c:161
>  prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
>  syscall_return_slowpath+0x1b4/0x1e0 arch/x86/entry/common.c:264
>  entry_SYSCALL_64_fastpath+0x94/0x96
> RIP: 0033:0x47e050
> RSP: 002b:0000000000a2fa08 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
> RAX: fffffffffffffdfc RBX: 0000000000f52914 RCX: 000000000047e050
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000a2fa10
> RBP: 0000000000000176 R08: 0000000000000001 R09: 0000000000f52940
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000004 R14: 0000000000010a3d R15: 0000000000000010
> Code: ef 83 c3 01 e8 cc a6 f9 ff 41 39 5c 24 28 76 41 e8 b0 4d f0 ff 49 8b
> 54 24 20 48 63 c3 4c 8b 2c c2 4d 85 ed 75 d1 e8 9a 4d f0 ff <0f> 0b e8 93 4d
> f0 ff 48 89 de 48 c7 c7 a0 26 e6 82 e8 84 c9 e0
> RIP: __vunmap+0xd6/0x150 mm/vmalloc.c:1538 RSP: ffffc9000111fbc0
> ---[ end trace 509bb709bc31ed41 ]---


Humm.... we've seen 3 of these in the last 4 days, all on linux-next.

The only potentially racy thing I see is vm_insert_page() after
unlocking the spinlock in kcov_mmap():

        spin_unlock(&kcov->lock);
        for (off = 0; off < size; off += PAGE_SIZE) {
            page = vmalloc_to_page(kcov->area + off);
            if (vm_insert_page(vma, vma->vm_start + off, page))
                WARN_ONCE(1, "vm_insert_page() failed");
        }

However, we should hold a reference to the file here, so kcov_put()
should not call vfree() yet, right?



> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@...glegroups.com.
> Please credit me with: Reported-by: syzbot <syzkaller@...glegroups.com>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ