Message-ID: <20210118064734.GC7554@xsang-OptiPlex-9020>
Date: Mon, 18 Jan 2021 14:47:34 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, io-uring@...r.kernel.org,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Christian Brauner <christian.brauner@...ntu.com>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
Kees Cook <keescook@...omium.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>
Subject: 14c3c8a27f: kernel_BUG_at_kernel/cred.c
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 14c3c8a27f70d6d6b7c1d64a9af899eb80169495 ("[RFC PATCH v3 2/8] Add a reference to ucounts for each cred")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210115-230051
base: https://git.kernel.org/cgit/linux/kernel/git/shuah/linux-kselftest.git next
in testcase: trinity
version: trinity-i386
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+---------------------------------------------------+------------+------------+
|                                                   | c25050162e | 14c3c8a27f |
+---------------------------------------------------+------------+------------+
| boot_successes                                    | 0          | 0          |
| boot_failures                                     | 8          | 8          |
| WARNING:at_lib/refcount.c:#refcount_warn_saturate | 7          | 8          |
| EIP:refcount_warn_saturate                        | 7          | 8          |
| BUG:kernel_hang_in_boot_stage                     | 1          |            |
| kernel_BUG_at_kernel/cred.c                       | 0          | 3          |
| invalid_opcode:#[##]                              | 0          | 3          |
| EIP:__put_cred                                    | 0          | 7          |
| Kernel_panic-not_syncing:Fatal_exception          | 0          | 7          |
| BUG:kernel_NULL_pointer_dereference,address       | 0          | 4          |
| Oops:#[##]                                        | 0          | 4          |
+---------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 77.068709] kernel BUG at kernel/cred.c:150!
[ 77.069392] invalid opcode: 0000 [#1] SMP
[ 77.070035] CPU: 1 PID: 895 Comm: trinity-c7 Tainted: G W 5.11.0-rc2-00004-g14c3c8a27f70 #1
[ 77.071425] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 77.072871] EIP: __put_cred (kbuild/src/consumer/kernel/cred.c:150 (discriminator 1))
[ 77.073493] Code: 66 90 ba 90 b4 e7 c3 89 c8 e8 f4 6e 04 00 5d c3 66 90 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 89 c2 64 8b 0d cc 66 0e c5 8b 81 a8 04 00
All code
========
0: 66 90 xchg %ax,%ax
2: ba 90 b4 e7 c3 mov $0xc3e7b490,%edx
7: 89 c8 mov %ecx,%eax
9: e8 f4 6e 04 00 callq 0x46f02
e: 5d pop %rbp
f: c3 retq
10: 66 90 xchg %ax,%ax
12: 0f 0b ud2
14: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
1a: 0f 0b ud2
1c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
22: 0f 0b ud2
24: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
2a:* 0f 0b ud2 <-- trapping instruction
2c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
32: 89 c2 mov %eax,%edx
34: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e6707
3b: 8b .byte 0x8b
3c: 81 .byte 0x81
3d: a8 04 test $0x4,%al
...
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
8: 89 c2 mov %eax,%edx
a: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e66dd
11: 8b .byte 0x8b
12: 81 .byte 0x81
13: a8 04 test $0x4,%al
...
[ 77.076068] EAX: de3ef880 EBX: de2af080 ECX: 00000000 EDX: 00000000
[ 77.076997] ESI: de3ef880 EDI: 00000000 EBP: de349f74 ESP: de349f50
[ 77.077896] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282
[ 77.078914] CR0: 80050033 CR2: b7cb2ff0 CR3: 030a4000 CR4: 000406d0
[ 77.079858] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 77.080745] DR6: fffe0ff0 DR7: 00000400
[ 77.081373] Call Trace:
[ 77.081834] ? keyctl_session_to_parent (kbuild/src/consumer/security/keys/keyctl.c:1711)
[ 77.082629] __ia32_sys_keyctl (kbuild/src/consumer/security/keys/keyctl.c:1951 kbuild/src/consumer/security/keys/keyctl.c:1869 kbuild/src/consumer/security/keys/keyctl.c:1869)
[ 77.083320] __do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:78 kbuild/src/consumer/arch/x86/entry/common.c:137)
[ 77.084032] do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:160)
[ 77.084704] do_SYSENTER_32 (kbuild/src/consumer/arch/x86/entry/common.c:204)
[ 77.085316] entry_SYSENTER_32 (kbuild/src/consumer/arch/x86/entry/entry_32.S:953)
[ 77.085973] EIP: 0xb7f04549
[ 77.086493] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
All code
========
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d 76 00 lea 0x0(%rsi),%esi
35: 58 pop %rax
36: b8 77 00 00 00 mov $0x77,%eax
3b: cd 80 int $0x80
3d: 90 nop
3e: 8d .byte 0x8d
3f: 76 .byte 0x76
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 retq
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 8d 76 00 lea 0x0(%rsi),%esi
b: 58 pop %rax
c: b8 77 00 00 00 mov $0x77,%eax
11: cd 80 int $0x80
13: 90 nop
14: 8d .byte 0x8d
15: 76 .byte 0x76
[ 77.089120] EAX: ffffffda EBX: 00000012 ECX: ffff8a8b EDX: ffffffff
[ 77.090075] ESI: 7d7d7d7d EDI: 000000a3 EBP: 426bb44d ESP: bfaa6c8c
[ 77.091007] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 77.092031] Modules linked in:
[ 77.092629] ---[ end trace 66869751d0fb6313 ]---
[ 77.093388] EIP: __put_cred (kbuild/src/consumer/kernel/cred.c:150 (discriminator 1))
[ 77.094000] Code: 66 90 ba 90 b4 e7 c3 89 c8 e8 f4 6e 04 00 5d c3 66 90 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 89 c2 64 8b 0d cc 66 0e c5 8b 81 a8 04 00
All code
========
0: 66 90 xchg %ax,%ax
2: ba 90 b4 e7 c3 mov $0xc3e7b490,%edx
7: 89 c8 mov %ecx,%eax
9: e8 f4 6e 04 00 callq 0x46f02
e: 5d pop %rbp
f: c3 retq
10: 66 90 xchg %ax,%ax
12: 0f 0b ud2
14: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
1a: 0f 0b ud2
1c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
22: 0f 0b ud2
24: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
2a:* 0f 0b ud2 <-- trapping instruction
2c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
32: 89 c2 mov %eax,%edx
34: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e6707
3b: 8b .byte 0x8b
3c: 81 .byte 0x81
3d: a8 04 test $0x4,%al
...
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
8: 89 c2 mov %eax,%edx
a: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e66dd
11: 8b .byte 0x8b
12: 81 .byte 0x81
13: a8 04 test $0x4,%al
To reproduce:
# build kernel
cd linux
cp config-5.11.0-rc2-00004-g14c3c8a27f70 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Oliver Sang
View attachment "config-5.11.0-rc2-00004-g14c3c8a27f70" of type "text/plain" (123245 bytes)
View attachment "job-script" of type "text/plain" (3980 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (12756 bytes)