Message-ID: <20210113063318.GG7528@xsang-OptiPlex-9020>
Date: Wed, 13 Jan 2021 14:33:18 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org,
Linux Containers <containers@...ts.linux-foundation.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Alexey Gladkov <legion@...nel.org>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Kees Cook <keescook@...omium.org>,
Christian Brauner <christian@...uner.io>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: 59ebc79722: kernel_BUG_at_kernel/cred.c
Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 59ebc797229e679f2c87fc13f6859ba7c0f2bdc3 ("[RFC PATCH v2 2/8] Add a reference to ucounts for each user")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210111-014938
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 2ff90100ace886895e4fbb2850b8d5e49d931ed6

in testcase: trinity
version: trinity-i386
with following parameters:

        runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------+------------+------------+
| | e58c759c87 | 59ebc79722 |
+------------------------------------------+------------+------------+
| boot_successes | 10 | 0 |
| boot_failures | 0 | 12 |
| kernel_BUG_at_kernel/cred.c | 0 | 7 |
| invalid_opcode:#[##] | 0 | 7 |
| RIP:__put_cred | 0 | 7 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 7 |
| WARNING:at_kernel/ucount.c:#dec_ucount | 0 | 5 |
| RIP:dec_ucount | 0 | 5 |
+------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 16.291000] kernel BUG at kernel/cred.c:148!
[ 16.292585] invalid opcode: 0000 [#1] SMP PTI
[ 16.295176] CPU: 0 PID: 581 Comm: trinity-c1 Not tainted 5.11.0-rc2-00426-g59ebc797229e #1
[ 16.300880] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 16.304261] RIP: 0010:__put_cred (kbuild/src/consumer/kernel/cred.c:148 (discriminator 1))
[ 16.308047] Code: 00 00 4c 8d 87 a0 00 00 00 85 c0 74 08 4c 89 c7 e9 1d ff ff ff 48 c7 c6 20 c3 28 a9 4c 89 c7 e9 ce 79 04 00 0f 0b 0f 0b 0f 0b <0f> 0b 0f 0b 0f 1f 40 00 e9 5b 6b 2f 00 66 66 2e 0f 1f 84 00 00 00
All code
========
0: 00 00 add %al,(%rax)
2: 4c 8d 87 a0 00 00 00 lea 0xa0(%rdi),%r8
9: 85 c0 test %eax,%eax
b: 74 08 je 0x15
d: 4c 89 c7 mov %r8,%rdi
10: e9 1d ff ff ff jmpq 0xffffffffffffff32
15: 48 c7 c6 20 c3 28 a9 mov $0xffffffffa928c320,%rsi
1c: 4c 89 c7 mov %r8,%rdi
1f: e9 ce 79 04 00 jmpq 0x479f2
24: 0f 0b ud2
26: 0f 0b ud2
28: 0f 0b ud2
2a:* 0f 0b ud2 <-- trapping instruction
2c: 0f 0b ud2
2e: 0f 1f 40 00 nopl 0x0(%rax)
32: e9 5b 6b 2f 00 jmpq 0x2f6b92
37: 66 data16
38: 66 data16
39: 2e cs
3a: 0f .byte 0xf
3b: 1f (bad)
3c: 84 00 test %al,(%rax)
...
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 0f 0b ud2
4: 0f 1f 40 00 nopl 0x0(%rax)
8: e9 5b 6b 2f 00 jmpq 0x2f6b68
d: 66 data16
e: 66 data16
f: 2e cs
10: 0f .byte 0xf
11: 1f (bad)
12: 84 00 test %al,(%rax)
...
[ 16.314607] RSP: 0018:ffffa9090080bee8 EFLAGS: 00010246
[ 16.316319] RAX: 0000000000000000 RBX: ffff97ecc5ba8d80 RCX: 000000000000fffe
[ 16.318408] RDX: ffff97ecc6316d80 RSI: 0000000000000000 RDI: ffff97ecc6316cc0
[ 16.320545] RBP: ffff97ecc6316cc0 R08: 00000000000000c0 R09: ffff97ecc6316cc0
[ 16.322689] R10: 0000000000000004 R11: 0000000000003433 R12: ffffffffffffffff
[ 16.326628] R13: ffff97ecc6316d60 R14: 0000000000000000 R15: ffff97ecc5be4380
[ 16.332744] FS: 0000000000000000(0000) GS:ffff97edf7c00000(0063) knlGS:000000000a305880
[ 16.335685] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 16.337531] CR2: 00000000f7971de0 CR3: 0000000105a34000 CR4: 00000000000006f0
[ 16.339776] Call Trace:
[ 16.343257] keyctl_session_to_parent (kbuild/src/consumer/security/keys/keyctl.c:1711)
[ 16.344926] __do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:78 kbuild/src/consumer/arch/x86/entry/common.c:137)
[ 16.346403] do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:160)
[ 16.347724] entry_SYSENTER_compat_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64_compat.S:141)
[ 16.352881] RIP: 0023:0xf7f71549
[ 16.354461] Code: Unable to access opcode bytes at RIP 0xf7f7151f.
[ 16.359740] RSP: 002b:00000000ffbc55dc EFLAGS: 00000206 ORIG_RAX: 0000000000000120
[ 16.362299] RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 000000007818a343
[ 16.364587] RDX: 0000000002000000 RSI: 000000000000fffc RDI: 000000003e3e3e3e
[ 16.366789] RBP: 00000000fffffffd R08: 0000000000000000 R09: 0000000000000000
[ 16.369117] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 16.372090] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 16.377777] Modules linked in:
[ 16.378939] ---[ end trace 6eb09af71dd8bf1b ]---
[ 16.380446] RIP: 0010:__put_cred (kbuild/src/consumer/kernel/cred.c:148 (discriminator 1))
[ 16.381914] Code: 00 00 4c 8d 87 a0 00 00 00 85 c0 74 08 4c 89 c7 e9 1d ff ff ff 48 c7 c6 20 c3 28 a9 4c 89 c7 e9 ce 79 04 00 0f 0b 0f 0b 0f 0b <0f> 0b 0f 0b 0f 1f 40 00 e9 5b 6b 2f 00 66 66 2e 0f 1f 84 00 00 00

To reproduce:

        # build kernel
        cd linux
        cp config-5.11.0-rc2-00426-g59ebc797229e .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email

Thanks,
Oliver Sang
View attachment "config-5.11.0-rc2-00426-g59ebc797229e" of type "text/plain" (126055 bytes)
View attachment "job-script" of type "text/plain" (4078 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (11976 bytes)