lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAO4mrfdjv2TZf7dc=ei61NBmLePLUGCJ9WbmvWGWa8Q4o=bRkw@mail.gmail.com>
Date:   Sun, 17 Jul 2022 23:02:49 +0800
From:   Wei Chen <harperchen1110@...il.com>
To:     efremov@...ux.com, axboe@...nel.dk, linux-kernel@...r.kernel.org
Cc:     linux-block@...r.kernel.org
Subject: WARNING in floppy_interrupt

Dear Linux Developer,

Recently when using our tool to fuzz kernel, the following crash was triggered:

HEAD commit: fc74e0a40e4f Linux 5.16-rc7
git tree: upstream
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1bTS1Khxq5ZVwEPK-QIzGMJ24DcBhlZNW/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/11TW-_hd6xARpzEv05ZzN5njdyKjPV4ku/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1vLLyr50AtjVUYr3ZFyypwB0WcNa0dloj/view?usp=sharing
kernel config: https://drive.google.com/file/d/1L16y3aFu5mPQbKNsc7eQc6RH55YRd1zd/view?usp=sharing

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@...il.com>

WARNING: CPU: 0 PID: 38 at drivers/block/floppy.c:1000
floppy_interrupt+0x694/0x6d0
Modules linked in:
CPU: 0 PID: 38 Comm: kworker/u2:2 Not tainted 5.16.0-rc7 #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: floppy floppy_work_workfn
RIP: 0010:floppy_interrupt+0x694/0x6d0
Code: 21 0c 31 ed 48 c7 c7 00 a6 f4 8a 48 c7 c2 6d c1 52 8c 48 c7 c1
e0 a4 f4 8a 31 c0 e8 9d 68 26 05 e9 e7 fd ff ff e8 1c 38 ac fc <0f> 0b
e9 63 fb ff ff 89 d9 80 e1 07 38 c1 0f 8c a6 fa ff ff 48 89
RSP: 0018:ffffc90000007d28 EFLAGS: 00010046
RAX: ffffffff84d5d9d4 RBX: 0000000000000001 RCX: ffff8880149523c0
RDX: 0000000080010000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff84d5d530 R09: fffffbfff1a56ead
R10: fffffbfff1a56ead R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffffff84d65f30 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efe73921000 CR3: 000000000c88e000 CR4: 0000000000752ef0
DR0: 00000000200000c0 DR1: 0000000020000080 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
 <IRQ>
 __handle_irq_event_percpu+0x20a/0x6d0
 handle_irq_event+0x10a/0x300
 handle_edge_irq+0x245/0xbe0
 __common_interrupt+0xce/0x1e0
 common_interrupt+0x9f/0xc0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x1e/0x40
RIP: 0010:reset_fdc+0x36b/0x520
Code: 80 cb 80 48 8d 2c ed 70 a9 f7 90 48 89 e8 48 c1 e8 03 42 80 3c
30 00 74 08 48 89 ef e8 1e d9 f6 fc 8b 55 00 83 c2 04 89 d8 ee <e9> aa
00 00 00 e8 6b b4 ab fc 48 8d 1c ed 6d a9 f7 90 48 89 d8 48
RSP: 0018:ffffc90000cbfc28 EFLAGS: 00000202
RAX: 0000000090f7a981 RBX: ffffffff90f7a981 RCX: ffff8880149523c0
RDX: 00000000000003f4 RSI: 0000000000000062 RDI: 0000000000000044
RBP: ffffffff90f7a970 R08: ffffffff84d65d27 R09: fffffbfff1ff5bd0
R10: fffffbfff1ff5bd0 R11: 0000000000000000 R12: 0000000000000000
R13: 1ffffffff21ef52f R14: dffffc0000000000 R15: ffffffff90f7a978
 process_one_work+0x853/0x1140
 worker_thread+0xac1/0x1320
 kthread+0x410/0x500
 ret_from_fork+0x1f/0x30
 </TASK>
----------------
Code disassembly (best guess):
   0: 80 cb 80              or     $0x80,%bl
   3: 48 8d 2c ed 70 a9 f7 lea    -0x6f085690(,%rbp,8),%rbp
   a: 90
   b: 48 89 e8              mov    %rbp,%rax
   e: 48 c1 e8 03          shr    $0x3,%rax
  12: 42 80 3c 30 00        cmpb   $0x0,(%rax,%r14,1)
  17: 74 08                je     0x21
  19: 48 89 ef              mov    %rbp,%rdi
  1c: e8 1e d9 f6 fc        callq  0xfcf6d93f
  21: 8b 55 00              mov    0x0(%rbp),%edx
  24: 83 c2 04              add    $0x4,%edx
  27: 89 d8                mov    %ebx,%eax
  29: ee                    out    %al,(%dx)
* 2a: e9 aa 00 00 00        jmpq   0xd9 <-- trapping instruction
  2f: e8 6b b4 ab fc        callq  0xfcabb49f
  34: 48 8d 1c ed 6d a9 f7 lea    -0x6f085693(,%rbp,8),%rbx
  3b: 90
  3c: 48 89 d8              mov    %rbx,%rax
  3f: 48                    rex.W

Best,
Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ