lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAO4mrffA2tTwCKQ-objUH7BJ2GjSXaJdi=pq0vtqjicx8eH7wA@mail.gmail.com>
Date:   Sun, 30 Oct 2022 17:23:17 +0800
From:   Wei Chen <harperchen1110@...il.com>
To:     linux-kernel@...r.kernel.org
Subject: BUG: unable to handle kernel NULL pointer dereference in debug_check_no_obj_freed

Dear Linux Developer,

Recently when using our tool to fuzz kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1AdHbN-IWDhcwHKqvdfNnePbFeJkAllIB/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@...il.com>

BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 2981 Comm: systemd-journal Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:debug_check_no_obj_freed+0xa0/0x1e0
Code: 03 4c 8d a3 48 7e 2f 89 4c 89 e7 45 31 ff e8 57 db 61 02 48 89
c6 48 c7 c0 40 7e 2f 89 4c 8b 2c 18 4d 85 ed 74 70 41 83 c7 01 <4d> 8b
4d 18 4c 39 4c 24 20 4d 8b 45 00 77 52 4c 3b 4c 24 10 73 4b
RSP: 0000:ffffc900007c7a90 EFLAGS: 00010002
RAX: ffffffff892f7e40 RBX: 0000000000016890 RCX: 00000000ffffbe79
RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffffffff8930e6d8
RBP: ffff888105359000 R08: 0000000000000020 R09: 0000000000000000
R10: ffffffff8930e6f0 R11: 0000000000000000 R12: ffffffff8930e6d8
R13: 0000000000000020 R14: 0000000000000000 R15: 000000000000000e
FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000000628a000 CR4: 00000000003506e0
Call Trace:
 slab_free_freelist_hook+0xcc/0x160
 kmem_cache_free+0x8f/0x490
 unlink_anon_vmas+0x200/0x2e0
 free_pgtables+0x163/0x1b0
 exit_mmap+0x104/0x320
 mmput+0xc8/0x1e0
 do_exit+0x527/0x1430
 do_group_exit+0x6f/0x120
 get_signal+0x260/0x1520
 arch_do_signal_or_restart+0xa9/0x870
 exit_to_user_mode_prepare+0x138/0x280
 irqentry_exit_to_user_mode+0x5/0x40
 exc_page_fault+0x4a4/0x1130
 asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x7f9422a41200
Code: Unable to access opcode bytes at RIP 0x7f9422a411d6.
RSP: 002b:00007fffa498a478 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 0000564bd2afeaf0 RCX: 0000564bd2afeaf0
RDX: 0000000000000800 RSI: 0000564bd2afeb2d RDI: 0000000000000013
RBP: 0000000000000011 R08: 0000000000000008 R09: 00007fffa49a60f0
R10: 000000000008b2fc R11: 0000000000000202 R12: 0000564bd2aff370
R13: 00007fffa498a5a8 R14: 0000564bd2631958 R15: 000d715db535b416
Modules linked in:
CR2: 0000000000000038
---[ end trace d79df620a6156371 ]---
RIP: 0010:debug_check_no_obj_freed+0xa0/0x1e0
Code: 03 4c 8d a3 48 7e 2f 89 4c 89 e7 45 31 ff e8 57 db 61 02 48 89
c6 48 c7 c0 40 7e 2f 89 4c 8b 2c 18 4d 85 ed 74 70 41 83 c7 01 <4d> 8b
4d 18 4c 39 4c 24 20 4d 8b 45 00 77 52 4c 3b 4c 24 10 73 4b
RSP: 0000:ffffc900007c7a90 EFLAGS: 00010002
RAX: ffffffff892f7e40 RBX: 0000000000016890 RCX: 00000000ffffbe79
RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffffffff8930e6d8
RBP: ffff888105359000 R08: 0000000000000020 R09: 0000000000000000
R10: ffffffff8930e6f0 R11: 0000000000000000 R12: ffffffff8930e6d8
R13: 0000000000000020 R14: 0000000000000000 R15: 000000000000000e
FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000000628a000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
   0: 03 4c 8d a3          add    -0x5d(%rbp,%rcx,4),%ecx
   4: 48 7e 2f              rex.W jle 0x36
   7: 89 4c 89 e7          mov    %ecx,-0x19(%rcx,%rcx,4)
   b: 45 31 ff              xor    %r15d,%r15d
   e: e8 57 db 61 02        callq  0x261db6a
  13: 48 89 c6              mov    %rax,%rsi
  16: 48 c7 c0 40 7e 2f 89 mov    $0xffffffff892f7e40,%rax
  1d: 4c 8b 2c 18          mov    (%rax,%rbx,1),%r13
  21: 4d 85 ed              test   %r13,%r13
  24: 74 70                je     0x96
  26: 41 83 c7 01          add    $0x1,%r15d
* 2a: 4d 8b 4d 18          mov    0x18(%r13),%r9 <-- trapping instruction
  2e: 4c 39 4c 24 20        cmp    %r9,0x20(%rsp)
  33: 4d 8b 45 00          mov    0x0(%r13),%r8
  37: 77 52                ja     0x8b
  39: 4c 3b 4c 24 10        cmp    0x10(%rsp),%r9
  3e: 73 4b                jae    0x8b

Best,
Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ