lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 08 Apr 2020 15:36:45 +0200
From:   Thomas Gleixner <tglx@...utronix.de>
To:     syzbot <syzbot+a95c7753605c9d219466@...kaller.appspotmail.com>,
        akpm@...ux-foundation.org, bgeffon@...gle.com,
        dvhart@...radead.org, linux-kernel@...r.kernel.org,
        mingo@...hat.com, peterx@...hat.com, peterz@...radead.org,
        syzkaller-bugs@...glegroups.com, torvalds@...ux-foundation.org
Subject: Re: general protection fault in get_futex_key

syzbot <syzbot+a95c7753605c9d219466@...kaller.appspotmail.com> writes:
> syzbot found the following crash on:
>
> HEAD commit:    763dede1 Merge tag 'for-linus-5.7-rc1' of git://git.kernel..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=136a055de00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=12205d036cec317f
> dashboard link: https://syzkaller.appspot.com/bug?extid=a95c7753605c9d219466
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1578287de00000
>
> The bug was bisected to:
>
> commit 4426e945df588f2878affddf88a51259200f7e29
> Author: Peter Xu <peterx@...hat.com>
> Date:   Thu Apr 2 04:08:49 2020 +0000
>
>     mm/gup: allow VM_FAULT_RETRY for multiple times
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1707878fe00000
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=1487878fe00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1087878fe00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a95c7753605c9d219466@...kaller.appspotmail.com
> Fixes: 4426e945df58 ("mm/gup: allow VM_FAULT_RETRY for multiple times")
>
> general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
> CPU: 1 PID: 8869 Comm: syz-executor.1 Not tainted 5.6.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
> RIP: 0010:compound_head include/linux/page-flags.h:174 [inline]
> RIP: 0010:get_futex_key+0x2cd/0x1670 kernel/futex.c:574

This means that

     get_user_pages_fast(address, 1, FOLL_WRITE, &page)

returned 0, which is breaking the interface:

 * Returns number of pages pinned. This may be fewer than the number requested.
 * If nr_pages is 0 or negative, returns 0. If no pages were pinned, returns
 * -errno.

nr_pages is clearly 1. So if the call fails, the number of pinned pages
is 0 and it should return a proper error number. It did before.

>From a quick look at the commit in question I assume it's the

+               if (fatal_signal_pending(current))
+                       break;

which can cause that to happen.

Thanks,

        tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ