Date:   Sun, 30 Oct 2022 17:39:59 +0800
From:   Wei Chen <harperchen1110@...il.com>
To:     tj@...nel.org, axboe@...nel.dk
Cc:     cgroups@...r.kernel.org, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: BUG: unable to handle kernel NULL pointer dereference in bio_associate_blkg_from_css

Dear Linux Developer,

Recently, when using our tool to fuzz the kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1ec016fbMgmvittn6-wHxp8V_9adDCRrY/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@...il.com>

loop0: detected capacity change from 0 to 61456
BUG: kernel NULL pointer dereference, address: 00000000000005d0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 107f59067 P4D 107f59067 PUD 109722067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 17581 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:bio_associate_blkg_from_css+0x331/0xb90
Code: fe 48 c7 c6 79 f7 54 82 48 c7 c7 e0 de 41 86 e8 75 04 db fe 48
8b 45 d0 49 89 46 48 e9 ec 00 00 00 e8 b3 7b e8 fe 49 8b 46 08 <48> 8b
80 d0 05 00 00 48 8b 80 90 00 00 00 4c 8b a0 f0 04 00 00 e8
RSP: 0018:ffffc90003de7b10 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc9000b9f1000 RSI: ffff88810b5f9b80 RDI: 0000000000000002
RBP: ffffc90003de7b60 R08: ffffffff8254f7ad R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000001 R12: ffffffff892f6f60
R13: ffff88810717fc00 R14: ffff888107d38700 R15: 0000000000000046
FS:  00007fc6ebc98700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000005d0 CR3: 000000012f494000 CR4: 00000000003506e0
Call Trace:
 bio_associate_blkg+0x94/0x2c0
 lbmStartIO+0xb6/0x160
 lbmWrite+0x18b/0x210
 lmNextPage+0xb6/0x1d0
 lmWriteRecord+0x4ca/0x630
 lmLog+0x1a3/0x3e0
 jfs_mount_rw+0x1fb/0x230
 jfs_fill_super+0x379/0x480
 mount_bdev+0x23d/0x280
 legacy_get_tree+0x2e/0x90
 vfs_get_tree+0x29/0x100
 path_mount+0x58e/0x10a0
 do_mount+0x9b/0xb0
 __x64_sys_mount+0x13a/0x150
 do_syscall_64+0x34/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46abda
Code: 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f
84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc6ebc97a48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fc6ebc97af0 RCX: 000000000046abda
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fc6ebc97ab0
RBP: 0000000020000000 R08: 00007fc6ebc97af0 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000100
R13: 00007fc6ebc97ab0 R14: 0000000000000001 R15: 0000000020000140
Modules linked in:
CR2: 00000000000005d0
---[ end trace 00146354a78b09b6 ]---
RIP: 0010:bio_associate_blkg_from_css+0x331/0xb90
Code: fe 48 c7 c6 79 f7 54 82 48 c7 c7 e0 de 41 86 e8 75 04 db fe 48
8b 45 d0 49 89 46 48 e9 ec 00 00 00 e8 b3 7b e8 fe 49 8b 46 08 <48> 8b
80 d0 05 00 00 48 8b 80 90 00 00 00 4c 8b a0 f0 04 00 00 e8
RSP: 0018:ffffc90003de7b10 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc9000b9f1000 RSI: ffff88810b5f9b80 RDI: 0000000000000002
RBP: ffffc90003de7b60 R08: ffffffff8254f7ad R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000001 R12: ffffffff892f6f60
R13: ffff88810717fc00 R14: ffff888107d38700 R15: 0000000000000046
FS:  00007fc6ebc98700(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000005d0 CR3: 000000012f494000 CR4: 00000000003506e0
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: 48 c7 c6 79 f7 54 82 mov    $0xffffffff8254f779,%rsi
   7: 48 c7 c7 e0 de 41 86 mov    $0xffffffff8641dee0,%rdi
   e: e8 75 04 db fe        callq  0xfedb0488
  13: 48 8b 45 d0          mov    -0x30(%rbp),%rax
  17: 49 89 46 48          mov    %rax,0x48(%r14)
  1b: e9 ec 00 00 00        jmpq   0x10c
  20: e8 b3 7b e8 fe        callq  0xfee87bd8
  25: 49 8b 46 08          mov    0x8(%r14),%rax
* 29: 48 8b 80 d0 05 00 00 mov    0x5d0(%rax),%rax <-- trapping instruction
  30: 48 8b 80 90 00 00 00 mov    0x90(%rax),%rax
  37: 4c 8b a0 f0 04 00 00 mov    0x4f0(%rax),%r12
  3e: e8                    .byte 0xe8

Best,
Wei
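
A triage helper for the oops above, added here as an example and not part of the report or of the reporter's fuzzing tool. It parses the register dump, CR2 and kernel call trace, then cross-checks the fault address against the trapping instruction from the "Code disassembly" section (`mov 0x5d0(%rax),%rax`, where `%rax` was just loaded from `0x8(%r14)`): a fault address equal to the displacement with a zero base register confirms a NULL-base dereference rather than a wild pointer, and the `__x64_sys_mount` frame identifies the syscall that reached it. The sample input is a constructed excerpt copied from the oops text; the function names and the `TRAPPING_INSN` constant are assumptions of this example.

```python
"""Triage helper for an x86-64 kernel oops: confirm a NULL-base dereference by
cross-checking CR2 against disp(base) of the trapping instruction and the
dumped registers, and extract the kernel call trace (added example code)."""
import re

# Constructed sample input: lines copied from the oops in the report above.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 00000000000005d0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 17581 Comm: syz-executor.0 Not tainted 5.15.0-rc5 #1
RIP: 0010:bio_associate_blkg_from_css+0x331/0xb90
RSP: 0018:ffffc90003de7b10 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc9000b9f1000 RSI: ffff88810b5f9b80 RDI: 0000000000000002
RBP: ffffc90003de7b60 R08: ffffffff8254f7ad R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000001 R12: ffffffff892f6f60
R13: ffff88810717fc00 R14: ffff888107d38700 R15: 0000000000000046
CR2: 00000000000005d0 CR3: 000000012f494000 CR4: 00000000003506e0
Call Trace:
 bio_associate_blkg+0x94/0x2c0
 lbmStartIO+0xb6/0x160
 lbmWrite+0x18b/0x210
 lmNextPage+0xb6/0x1d0
 lmWriteRecord+0x4ca/0x630
 lmLog+0x1a3/0x3e0
 jfs_mount_rw+0x1fb/0x230
 jfs_fill_super+0x379/0x480
 mount_bdev+0x23d/0x280
 legacy_get_tree+0x2e/0x90
 vfs_get_tree+0x29/0x100
 path_mount+0x58e/0x10a0
 do_mount+0x9b/0xb0
 __x64_sys_mount+0x13a/0x150
 do_syscall_64+0x34/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x46abda
"""

# Trapping instruction as printed in the report's "Code disassembly" section (assumed input).
TRAPPING_INSN = "mov    0x5d0(%rax),%rax"

_REG_RE = re.compile(r"\b(R[A-D]X|RBP|RSI|RDI|R1[0-5]|R0[89]):\s*([0-9a-f]{16})\b")
_RIP_RE = re.compile(r"^RIP: 0010:(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", re.M)
_CR2_RE = re.compile(r"\bCR2:\s*([0-9a-f]{16})\b")
_FRAME_RE = re.compile(r"^\s+(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_OPERAND_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%[a-z0-9]+)\)")


def parse_oops(text):
    """Return the fault address (CR2), the kernel RIP symbol, the general-purpose
    registers and the kernel-side call trace (stops at the user-space RIP line)."""
    rip = _RIP_RE.search(text)
    cr2 = _CR2_RE.search(text)
    regs = {name: int(val, 16) for name, val in _REG_RE.findall(text)}
    frames, in_trace = [], False
    for line in text.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = _FRAME_RE.match(line)
            if not m:  # first non-frame line ends the kernel trace
                break
            frames.append(m.group(1))
    return {
        "fault_addr": int(cr2.group(1), 16) if cr2 else None,
        "rip_symbol": rip.group(1) if rip else None,
        "rip_offset": int(rip.group(2), 16) if rip else None,
        "regs": regs,
        "frames": frames,
    }


def classify_fault(info, insn):
    """Cross-check CR2 against disp(base) of the trapping instruction.

    A NULL-base dereference shows up as base register == 0 and CR2 == disp,
    i.e. the fault address is just a field offset inside the pointed-to struct."""
    m = _OPERAND_RE.search(insn)
    if not m:
        return {"consistent": False, "null_base": False}
    disp = int(m.group(1), 16) if m.group(1) else 0  # accepts "-0x30" too
    base = m.group(2).lstrip("%").upper()
    base_val = info["regs"].get(base)
    if base_val is None:
        return {"consistent": False, "null_base": False}
    effective = (base_val + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "base": base,
        "disp": disp,
        "consistent": effective == info["fault_addr"],
        "null_base": base_val == 0,
    }


def entry_syscall(frames):
    """Name of the syscall whose __x64_sys_ handler appears in the trace, or None."""
    for f in frames:
        if f.startswith("__x64_sys_"):
            return f[len("__x64_sys_"):]
    return None


if __name__ == "__main__":
    info = parse_oops(OOPS)
    print(info["rip_symbol"], hex(info["fault_addr"]),
          classify_fault(info, TRAPPING_INSN), entry_syscall(info["frames"]))
```

Run as-is it reports the fault in `bio_associate_blkg_from_css` at 0x5d0 as consistent with a zero `RAX` plus the 0x5d0 displacement, reached through `mount`. The consistency check is what separates a small-offset NULL dereference (a missing-pointer bug, typically fixed by a NULL check or by initialising the pointer earlier) from a corrupted base register that happens to produce a low address; the two call for different follow-up.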
