Message-ID: <20220425083302.GD21864@xsang-OptiPlex-9020>
Date:   Mon, 25 Apr 2022 16:33:02 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Julius Hemanth Pitti <jpitti@...co.com>
Cc:     Johannes Weiner <hannes@...xchg.org>,
        Kees Cook <keescook@...omium.org>,
        Iurii Zaikin <yzaikin@...gle.com>,
        Luis Chamberlain <mcgrof@...nel.org>,
        Ingo Molnar <mingo@...e.hu>, Al Viro <viro@...iv.linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [proc/sysctl]  1dd38979b2: BUG:kernel_NULL_pointer_dereference,address



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 1dd38979b2f04a9b7261e05961999024059b3db2 ("proc/sysctl: make protected_* world readable")
url: https://github.com/intel-lab-lkp/linux/commits/Randy-Dunlap/hugetlb-use-mm-h-instead-of-mm_types-h/20220421-094935

in testcase: trinity
version: trinity-static-i386-x86_64-1c734c75-1_2020-01-06
with the following parameters:

	runtime: 300s
	group: group-03

test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8
[  132.843457][ T3644] #PF: supervisor read access in kernel mode
[  132.844654][ T3644] #PF: error_code(0x0000) - not-present page
[  132.845813][ T3644] PGD 8000000176d99067 P4D 8000000176d99067 PUD 176d9a067 PMD 0
[  132.847313][ T3644] Oops: 0000 [#1] PTI
[  132.848075][ T3644] CPU: 0 PID: 3644 Comm: trinity-c2 Not tainted 5.18.0-rc2-mm1-00223-g1dd38979b2f0 #1 1590c2cb69aaeb6333e1eb9fb467faf90eeaf6bc
[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271) 
[ 132.851625][ T3644] Code: cc 0f 1f 00 e8 1b 6c 33 ff 55 48 89 d5 53 48 89 fb 48 8d 7f 78 e8 fa 02 57 ff 48 8b 5b 78 48 8d bb f8 00 00 00 e8 6a ff 56 ff <8b> 93 f8 00 00 00 48 89 ef 48 c7 c6 2f 03 f0 a1 e8 95 b2 82 ff 5b
All code
========
   0:	cc                   	int3   
   1:	0f 1f 00             	nopl   (%rax)
   4:	e8 1b 6c 33 ff       	callq  0xffffffffff336c24
   9:	55                   	push   %rbp
   a:	48 89 d5             	mov    %rdx,%rbp
   d:	53                   	push   %rbx
   e:	48 89 fb             	mov    %rdi,%rbx
  11:	48 8d 7f 78          	lea    0x78(%rdi),%rdi
  15:	e8 fa 02 57 ff       	callq  0xffffffffff570314
  1a:	48 8b 5b 78          	mov    0x78(%rbx),%rbx
  1e:	48 8d bb f8 00 00 00 	lea    0xf8(%rbx),%rdi
  25:	e8 6a ff 56 ff       	callq  0xffffffffff56ff94
  2a:*	8b 93 f8 00 00 00    	mov    0xf8(%rbx),%edx		<-- trapping instruction
  30:	48 89 ef             	mov    %rbp,%rdi
  33:	48 c7 c6 2f 03 f0 a1 	mov    $0xffffffffa1f0032f,%rsi
  3a:	e8 95 b2 82 ff       	callq  0xffffffffff82b2d4
  3f:	5b                   	pop    %rbx

Code starting with the faulting instruction
===========================================
   0:	8b 93 f8 00 00 00    	mov    0xf8(%rbx),%edx
   6:	48 89 ef             	mov    %rbp,%rdi
   9:	48 c7 c6 2f 03 f0 a1 	mov    $0xffffffffa1f0032f,%rsi
  10:	e8 95 b2 82 ff       	callq  0xffffffffff82b2aa
  15:	5b                   	pop    %rbx
[  132.854983][ T3644] RSP: 0000:ffffc90005a47b50 EFLAGS: 00010246
[  132.856171][ T3644] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  132.857723][ T3644] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  132.859332][ T3644] RBP: ffff888174621000 R08: 0000000000000000 R09: 0000000000000000
[  132.860824][ T3644] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811a26a000
[  132.862346][ T3644] R13: ffff888174621000 R14: ffff88811b781a50 R15: 0000000000000000
[  132.863895][ T3644] FS:  0000000000000000(0000) GS:ffffffffa22ba000(0063) knlGS:0000000008acb840
[  132.865587][ T3644] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  132.866872][ T3644] CR2: 00000000000000f8 CR3: 0000000176c86000 CR4: 00000000000406b0
[  132.868298][ T3644] Call Trace:
[  132.868893][ T3644]  <TASK>
[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094) 
[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59) 
[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088) 
[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164) 
[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230) 
[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041) 
[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238) 
[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1)) 
[ 132.876319][ T3644] kernel_read (fs/read_write.c:459) 
[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94) 
[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186) 
[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207) 
[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189) 
[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132) 
[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419) 
[  132.882718][ T3644] RIP: 0023:0x80a3392
[ 132.883398][ T3644] Code: 89 c8 c3 90 8d 74 26 00 85 c0 c7 01 01 00 00 00 75 d8 a1 c8 a9 ac 08 eb d1 66 90 66 90 66 90 66 90 66 90 66 90 66 90 90 cd 80 <c3> 8d b6 00 00 00 00 8d bc 27 00 00 00 00 8b 10 a3 f0 a9 ac 08 85
All code
========
   0:	89 c8                	mov    %ecx,%eax
   2:	c3                   	retq   
   3:	90                   	nop
   4:	8d 74 26 00          	lea    0x0(%rsi,%riz,1),%esi
   8:	85 c0                	test   %eax,%eax
   a:	c7 01 01 00 00 00    	movl   $0x1,(%rcx)
  10:	75 d8                	jne    0xffffffffffffffea
  12:	a1 c8 a9 ac 08 eb d1 	movabs 0x9066d1eb08aca9c8,%eax
  19:	66 90 
  1b:	66 90                	xchg   %ax,%ax
  1d:	66 90                	xchg   %ax,%ax
  1f:	66 90                	xchg   %ax,%ax
  21:	66 90                	xchg   %ax,%ax
  23:	66 90                	xchg   %ax,%ax
  25:	66 90                	xchg   %ax,%ax
  27:	90                   	nop
  28:	cd 80                	int    $0x80
  2a:*	c3                   	retq   		<-- trapping instruction
  2b:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  31:	8d bc 27 00 00 00 00 	lea    0x0(%rdi,%riz,1),%edi
  38:	8b 10                	mov    (%rax),%edx
  3a:	a3                   	.byte 0xa3
  3b:	f0                   	lock
  3c:	a9                   	.byte 0xa9
  3d:	ac                   	lods   %ds:(%rsi),%al
  3e:	08                   	.byte 0x8
  3f:	85                   	.byte 0x85

Code starting with the faulting instruction
===========================================
   0:	c3                   	retq   
   1:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
   7:	8d bc 27 00 00 00 00 	lea    0x0(%rdi,%riz,1),%edi
   e:	8b 10                	mov    (%rax),%edx
  10:	a3                   	.byte 0xa3
  11:	f0                   	lock
  12:	a9                   	.byte 0xa9
  13:	ac                   	lods   %ds:(%rsi),%al
  14:	08                   	.byte 0x8
  15:	85                   	.byte 0x85
[  132.886851][ T3644] RSP: 002b:00000000ffef5ee8 EFLAGS: 00000292 ORIG_RAX: 000000000000015e
[  132.888199][ T3644] RAX: ffffffffffffffda RBX: 000000000000002c RCX: 0000000000000004
[  132.889512][ T3644] RDX: 0000000000000002 RSI: 00000000fffffffa RDI: 0000000000000100
[  132.891017][ T3644] RBP: 00000000ffff0000 R08: 0000000000000000 R09: 0000000000000000
[  132.892490][ T3644] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  132.893858][ T3644] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  132.895243][ T3644]  </TASK>
[  132.895744][ T3644] Modules linked in: uvesafb ppdev crct10dif_pclmul crc32_pclmul parport_pc parport
[  132.897456][ T3644] CR2: 00000000000000f8
[  132.898187][ T3644] ---[ end trace 0000000000000000 ]---
[ 132.899104][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271) 
[ 132.900224][ T3644] Code: cc 0f 1f 00 e8 1b 6c 33 ff 55 48 89 d5 53 48 89 fb 48 8d 7f 78 e8 fa 02 57 ff 48 8b 5b 78 48 8d bb f8 00 00 00 e8 6a ff 56 ff <8b> 93 f8 00 00 00 48 89 ef 48 c7 c6 2f 03 f0 a1 e8 95 b2 82 ff 5b
All code
========
   0:	cc                   	int3   
   1:	0f 1f 00             	nopl   (%rax)
   4:	e8 1b 6c 33 ff       	callq  0xffffffffff336c24
   9:	55                   	push   %rbp
   a:	48 89 d5             	mov    %rdx,%rbp
   d:	53                   	push   %rbx
   e:	48 89 fb             	mov    %rdi,%rbx
  11:	48 8d 7f 78          	lea    0x78(%rdi),%rdi
  15:	e8 fa 02 57 ff       	callq  0xffffffffff570314
  1a:	48 8b 5b 78          	mov    0x78(%rbx),%rbx
  1e:	48 8d bb f8 00 00 00 	lea    0xf8(%rbx),%rdi
  25:	e8 6a ff 56 ff       	callq  0xffffffffff56ff94
  2a:*	8b 93 f8 00 00 00    	mov    0xf8(%rbx),%edx		<-- trapping instruction
  30:	48 89 ef             	mov    %rbp,%rdi
  33:	48 c7 c6 2f 03 f0 a1 	mov    $0xffffffffa1f0032f,%rsi
  3a:	e8 95 b2 82 ff       	callq  0xffffffffff82b2d4
  3f:	5b                   	pop    %rbx

Code starting with the faulting instruction
===========================================
   0:	8b 93 f8 00 00 00    	mov    0xf8(%rbx),%edx
   6:	48 89 ef             	mov    %rbp,%rdi
   9:	48 c7 c6 2f 03 f0 a1 	mov    $0xffffffffa1f0032f,%rsi
  10:	e8 95 b2 82 ff       	callq  0xffffffffff82b2aa
  15:	5b                   	pop    %rbx


To reproduce:

        # build kernel
        cd linux
        cp config-5.18.0-rc2-mm1-00223-g1dd38979b2f0 .config
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp directories to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.18.0-rc2-mm1-00223-g1dd38979b2f0" of type "text/plain" (178080 bytes)

View attachment "job-script" of type "text/plain" (4549 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (15504 bytes)
