Date:   Mon, 5 Jul 2021 18:56:55 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Andy Lutomirski <luto@...nel.org>
Cc:     LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com, aubrey.li@...ux.intel.com, yu.c.chen@...el.com
Subject: [sched, exec] ed4e648f7e: BUG:kernel_NULL_pointer_dereference,address

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: ed4e648f7e1f8c6251b883ff42675ff291ee68dc ("sched, exec: Move the activate_mm() call sequence into sched/core.c")
https://git.kernel.org/cgit/linux/kernel/git/luto/linux.git sched/lazymm


in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+---------------------------------------------+------------+------------+
|                                             | 6ddf24f898 | ed4e648f7e |
+---------------------------------------------+------------+------------+
| boot_successes                              | 19         | 0          |
| boot_failures                               | 0          | 23         |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 23         |
| Oops:#[##]                                  | 0          | 23         |
| EIP:begin_new_exec                          | 0          | 23         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 23         |
+---------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <rong.a.chen@...el.com>


[    4.040301] BUG: kernel NULL pointer dereference, address: 00000030
[    4.041181] #PF: supervisor write access in kernel mode
[    4.041901] #PF: error_code(0x0002) - not-present page
[    4.042611] *pde = 00000000
[    4.043196] Oops: 0002 [#1] SMP
[    4.043697] CPU: 1 PID: 64 Comm: kworker/u4:1 Not tainted 5.13.0-rc3-00008-ged4e648f7e1f #1
[    4.044864] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[    4.046004] EIP: begin_new_exec (arch/x86/include/asm/atomic.h:123 include/asm-generic/atomic-instrumented.h:749 include/linux/sched/mm.h:47 fs/exec.c:1018 fs/exec.c:1271) 
[ 4.046620] Code: 76 00 31 d2 89 f0 e8 c7 f7 fb ff e9 54 fd ff ff 66 90 b9 01 00 00 00 31 d2 89 f0 e8 22 f8 fb ff e9 6c fc ff ff 8d 74 26 00 90 <f0> ff 0d 30 00 00 00 0f 85 85 fd ff ff 31 c0 e8 e4 e3 e8 ff e9 79
All code
========
   0:	76 00                	jbe    0x2
   2:	31 d2                	xor    %edx,%edx
   4:	89 f0                	mov    %esi,%eax
   6:	e8 c7 f7 fb ff       	callq  0xfffffffffffbf7d2
   b:	e9 54 fd ff ff       	jmpq   0xfffffffffffffd64
  10:	66 90                	xchg   %ax,%ax
  12:	b9 01 00 00 00       	mov    $0x1,%ecx
  17:	31 d2                	xor    %edx,%edx
  19:	89 f0                	mov    %esi,%eax
  1b:	e8 22 f8 fb ff       	callq  0xfffffffffffbf842
  20:	e9 6c fc ff ff       	jmpq   0xfffffffffffffc91
  25:	8d 74 26 00          	lea    0x0(%rsi,%riz,1),%esi
  29:	90                   	nop
  2a:*	f0 ff 0d 30 00 00 00 	lock decl 0x30(%rip)        # 0x61		<-- trapping instruction
  31:	0f 85 85 fd ff ff    	jne    0xfffffffffffffdbc
  37:	31 c0                	xor    %eax,%eax
  39:	e8 e4 e3 e8 ff       	callq  0xffffffffffe8e422
  3e:	e9                   	.byte 0xe9
  3f:	79                   	.byte 0x79

Code starting with the faulting instruction
===========================================
   0:	f0 ff 0d 30 00 00 00 	lock decl 0x30(%rip)        # 0x37
   7:	0f 85 85 fd ff ff    	jne    0xfffffffffffffd92
   d:	31 c0                	xor    %eax,%eax
   f:	e8 e4 e3 e8 ff       	callq  0xffffffffffe8e3f8
  14:	e9                   	.byte 0xe9
  15:	79                   	.byte 0x79
[    4.049005] EAX: da166000 EBX: da0d6e00 ECX: db792720 EDX: 00000000
[    4.049852] ESI: 00000000 EDI: c118b840 EBP: da165eb4 ESP: da165e94
[    4.050687] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010246
[    4.051730] CR0: 80050033 CR2: 00000030 CR3: 1a0d0000 CR4: 000406d0
[    4.052576] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[    4.053406] DR6: fffe0ff0 DR7: 00000400
[    4.053967] Call Trace:
[    4.054377] load_elf_binary (fs/binfmt_elf.c:1001) 
[    4.055114] ? security_file_permission (include/linux/fsnotify.h:68 include/linux/fsnotify.h:90 include/linux/fsnotify.h:115 include/linux/fsnotify.h:94 security/security.c:1509) 
[    4.055803] ? bm_entry_write (include/linux/fs.h:774 fs/binfmt_misc.c:622) 
[    4.056359] exec_binprm (fs/exec.c:1704 fs/exec.c:1745) 
[    4.056889] bprm_execve (fs/exec.c:1814 fs/exec.c:1776) 
[    4.057432] ? __cond_resched (kernel/sched/core.c:7003) 
[    4.057999] kernel_execve (fs/exec.c:1957) 
[    4.058557] call_usermodehelper_exec_async (kernel/umh.c:116) 
[    4.059332] ? umh_complete (kernel/umh.c:67) 
[    4.059885] ret_from_fork (arch/x86/entry/entry_32.S:775) 
[    4.060406] Modules linked in:
[    4.060872] CR2: 0000000000000030
[    4.061446] ---[ end trace ab993f93c1cc7df5 ]---
[    4.062108] EIP: begin_new_exec (arch/x86/include/asm/atomic.h:123 include/asm-generic/atomic-instrumented.h:749 include/linux/sched/mm.h:47 fs/exec.c:1018 fs/exec.c:1271) 
[ 4.062745] Code: 76 00 31 d2 89 f0 e8 c7 f7 fb ff e9 54 fd ff ff 66 90 b9 01 00 00 00 31 d2 89 f0 e8 22 f8 fb ff e9 6c fc ff ff 8d 74 26 00 90 <f0> ff 0d 30 00 00 00 0f 85 85 fd ff ff 31 c0 e8 e4 e3 e8 ff e9 79


To reproduce:

        # build kernel
        cd linux
        cp config-5.13.0-rc3-00008-ged4e648f7e1f .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage

        # run the test
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Rong Chen


View attachment "config-5.13.0-rc3-00008-ged4e648f7e1f" of type "text/plain" (125975 bytes)

View attachment "job-script" of type "text/plain" (3964 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (10880 bytes)
