| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGyP=7eiuUH_JbNEgxdBh4cEHgk82KnbHS0i8PEsJ6D3Exx=pg@mail.gmail.com>
Date: Wed, 10 Mar 2021 15:11:06 +0530
From: Palash Oswal <oswalpalash@...il.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Davidlohr Bueso <dave@...olabs.net>,
Kees Cook <keescook@...omium.org>,
LKML <linux-kernel@...r.kernel.org>,
Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Stephen Smalley <sds@...ho.nsa.gov>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: kernel panic: Attempted to kill init!
> The kernel stack is not very useful in this case, it's a common faulting stack.
> Maybe it will shed some light if you install gdb in the image, attach
> it to the systemd process, then trigger the segfault and then unwind
> stack in the systemd process at the time of fault, dump registers,
> etc. However, I don't know if gdb will get the signal first, or the
> kernel will panic first...
Here's the gdb trace from the end of open_by_handle_at to the panic. I
will try to attach gdb to systemd and report back.
Thread 1 hit Breakpoint 3, __x64_sys_open_by_handle_at
(regs=0xffffc90000933f58) at fs/fhandle.c:271
271 return ret;
do_syscall_64 (nr=<optimized out>, regs=0xffffc90000933f58) at
arch/x86/entry/common.c:56
56 syscall_exit_to_user_mode(regs);
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:127
127 movq RCX(%rsp), %rcx
128 movq RIP(%rsp), %r11
130 cmpq %rcx, %r11 /* SYSRET requires RCX == RIP */
131 jne swapgs_restore_regs_and_return_to_usermode
145 ALTERNATIVE "shl $(64 - 48), %rcx; sar $(64 - 48), %rcx", \
153 cmpq %rcx, %r11
154 jne swapgs_restore_regs_and_return_to_usermode
156 cmpq $__USER_CS, CS(%rsp) /* CS must match SYSRET */
157 jne swapgs_restore_regs_and_return_to_usermode
159 movq R11(%rsp), %r11
160 cmpq %r11, EFLAGS(%rsp) /* R11 == RFLAGS */
161 jne swapgs_restore_regs_and_return_to_usermode
181 testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
182 jnz swapgs_restore_regs_and_return_to_usermode
186 cmpq $__USER_DS, SS(%rsp) /* SS must match SYSRET */
187 jne swapgs_restore_regs_and_return_to_usermode
195 POP_REGS pop_rdi=0 skip_r11rcx=1
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:201
201 movq %rsp, %rdi
202 movq PER_CPU_VAR(cpu_tss_rw + TSS_sp0), %rsp
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:205
205 pushq RSP-RDI(%rdi) /* RSP */
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:206
206 pushq (%rdi) /* RDI */
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:214
214 SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
216 popq %rdi
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:217
217 popq %rsp
entry_SYSCALL_64 () at arch/x86/entry/entry_64.S:218
218 USERGS_SYSRET64
native_io_apic_read (apic=<optimized out>, reg=24) at
arch/x86/kernel/apic/io_apic.c:277
277 return readl(&io_apic->data);
59 build_mmio_read(readl, "l", unsigned int, "=r", :"memory")
__ioapic_read_entry (apic=0, pin=<optimized out>) at
arch/x86/kernel/apic/io_apic.c:294
294 entry.w2 = io_apic_read(apic, 0x11 + 2 * pin);
296 return entry;
ioapic_irq_get_chip_state (irqd=<optimized out>, which=<optimized
out>, state=0xffffc90000247a8f) at arch/x86/kernel/apic/io_apic.c:1960
1960 if (rentry.irr && rentry.is_level) {
1952 for_each_irq_pin(p, mcd->irq_2_pin) {
1965 raw_spin_unlock(&ioapic_lock);
1966 return 0;
__synchronize_hardirq (desc=desc@...ry=0xffff888003d36c00,
sync_chip=sync_chip@...ry=true) at kernel/irq/manage.c:71
71 raw_spin_unlock_irqrestore(&desc->lock, flags);
74 } while (inprogress);
synchronize_irq (irq=4) at kernel/irq/manage.c:138
138 wait_event(desc->wait_for_threads,
138 wait_event(desc->wait_for_threads,
serial8250_do_shutdown (port=port@...ry=0xffffffff836b62a0
<serial8250_ports>) at drivers/tty/serial/8250/8250_port.c:2449
2449 if (up->dma)
329 return &lock->rlock;
2453 if (port->flags & UPF_FOURPORT) {
2458 port->mctrl &= ~TIOCM_OUT2;
2460 serial8250_set_mctrl(port, port->mctrl);
2461 spin_unlock_irqrestore(&port->lock, flags);
2467 serial_port_in(port, UART_LCR) & ~UART_LCR_SBC);
2466 serial_port_out(port, UART_LCR,
2468 serial8250_clear_fifos(up);
2474 disable_rsa(up);
2481 serial_port_in(port, UART_RX);
2482 serial8250_rpm_put(up);
2484 up->ops->release_irq(up);
uart_port_shutdown (port=port@...ry=0xffff8880054e0000) at
drivers/tty/serial/serial_core.c:1716
1716 synchronize_irq(uport->irq);
uart_shutdown (tty=tty@...ry=0xffff88800451c400,
state=state@...ry=0xffff8880054e0000) at
drivers/tty/serial/serial_core.c:307
307 tty_port_set_suspended(port, 0);
315 uart_port_lock(state, flags);
316 xmit_buf = state->xmit.buf;
317 state->xmit.buf = NULL;
318 uart_port_unlock(uport, flags);
320 if (xmit_buf)
321 free_page((unsigned long)xmit_buf);
uart_hangup (tty=tty@...ry=0xffff88800451c400) at ./include/linux/spinlock.h:329
329 return &lock->rlock;
1680 spin_unlock_irqrestore(&port->lock, flags);
1681 tty_port_set_active(port, 0);
1682 tty_port_tty_set(port, NULL);
1683 if (uport && !uart_console(uport))
1685 wake_up_interruptible(&port->open_wait);
1686 wake_up_interruptible(&port->delta_msr_wait);
1688 mutex_unlock(&port->mutex);
__tty_hangup (tty=tty@...ry=0xffff88800451c400,
exit_session=exit_session@...ry=1) at drivers/tty/tty_io.c:651
651 set_bit(TTY_HUPPED, &tty->flags);
652 clear_bit(TTY_HUPPING, &tty->flags);
653 tty_unlock(tty);
655 if (f)
disassociate_ctty (on_exit=on_exit@...ry=1) at drivers/tty/tty_jobctrl.c:279
279 tty_kref_put(tty);
295 spin_lock_irq(¤t->sighand->siglock);
15 return this_cpu_read_stable(current_task);
298 tty = tty_kref_get(current->signal->tty);
299 spin_unlock_irq(¤t->sighand->siglock);
301 if (tty) {
316 read_lock(&tasklist_lock);
317 session_clear_tty(task_session(current));
318 read_unlock(&tasklist_lock);
do_exit (code=code@...ry=7) at kernel/exit.c:824
824 exit_task_namespaces(tsk);
825 exit_task_work(tsk);
826 exit_thread(tsk);
834 perf_event_exit_task(tsk);
836 sched_autogroup_exit_task(tsk);
837 cgroup_exit(tsk);
842 flush_ptrace_hw_breakpoint(tsk);
844 exit_tasks_rcu_start();
845 exit_notify(tsk, group_dead);
846 proc_exit_connector(tsk);
847 mpol_put_task_policy(tsk);
849 if (unlikely(current->pi_state_cache))
15 return this_cpu_read_stable(current_task);
857 if (tsk->io_context)
858 exit_io_context(tsk);
860 if (tsk->splice_pipe)
863 if (tsk->task_frag.page)
869 preempt_disable();
870 if (tsk->nr_dirtied)
871 __this_cpu_add(dirty_throttle_leaks, tsk->nr_dirtied);
872 exit_rcu();
873 exit_tasks_rcu_finish();
876 do_task_dead();
> FWIW I can't reproduce this locally on wheezy/stretch images.
These are the reproducers I have for this bug from various ext4 images-
Repro 1 -
r0 = creat(&(0x7f0000000180)='./file0\x00', 0x0)
open_by_handle_at(r0, &(0x7f0000000000)={0xa, 0x1, "b70b"}, 0x40200)
Repro 2 -
r0 = creat(&(0x7f00000001c0)='./file0\x00', 0x0)
open_by_handle_at(r0,
&(0x7f0000000000)=ANY=[@ANYBLOB="0a000000020000004b0d"], 0x2f00)
Repro 3 -
r0 = creat(&(0x7f0000000040)='./file0\x00', 0x0)
open_by_handle_at(r0,
&(0x7f0000000080)=ANY=[@ANYBLOB="2700000001000000d10b"], 0x2f00)
Have you tried running syzkaller with "enable_syscalls":
["creat","open_by_handle_at"]? It takes about an hour on my system to
identify this bug for a new image.
I'm using the stretch images.
Powered by blists - more mailing lists