lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAO4mrfeJQi5K3R1RfXnZ+K81koj-Tq_bp+J4K7mqXPJdEfSu9Q@mail.gmail.com>
Date:   Sun, 30 Oct 2022 18:16:11 +0800
From:   Wei Chen <harperchen1110@...il.com>
To:     linux-kernel@...r.kernel.org
Subject: BUG: unable to handle kernel NULL pointer dereference in stack_depot_save

Dear Linux Developer,

Recently when using our tool to fuzz kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output:
https://drive.google.com/file/d/1tiImsOLsgUyTS1wPbI1psiX7HtBTNhj9/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@...il.com>

BUG: kernel NULL pointer dereference, address: 0000000000000028
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 13792 Comm: systemd Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
RIP: 0010:stack_depot_save+0x136/0x520
Code: ff ff 0f 00 4c 8d 34 c8 4d 8b 2e 4d 85 ed 0f 84 b4 00 00 00 8d
75 ff 48 c1 e6 03 eb 0d 4d 8b 6d 00 4d 85 ed 0f 84 9e 00 00 00 <41> 39
5d 08 75 ed 41 3b 6d 0c 75 e7 49 8b 04 24 49 39 45 18 75 dd
RSP: 0018:ffffc9000abeb0b0 EFLAGS: 00010206
RAX: ffff88813d000000 RBX: 00000000d05577a2 RCX: 00000000000577a2
RDX: 0000000000012c50 RSI: 0000000000000078 RDI: 00000000f0f1e45b
RBP: 0000000000000010 R08: 00000000b6dd3736 R09: ffffffff86c43dd4
R10: ffffffff86c43dd0 R11: 0000000000000000 R12: ffffc9000abeb120
R13: 0000000000000020 R14: ffff88813d2bbd10 R15: 0000000000000000
FS:  00007f721246a500(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000010886f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 save_stack+0xa2/0xe0
 __set_page_owner+0x45/0x100
 prep_new_page+0xbd/0x100
 get_page_from_freelist+0x12fc/0x17e0
 __alloc_pages+0x1c8/0x420
 alloc_pages+0xbf/0x160
 new_slab+0x309/0x4c0
 ___slab_alloc.part.92+0x7b7/0xfc0
 __slab_alloc.isra.93+0x4f/0xa0
 kmem_cache_alloc+0x2f8/0x310
 alloc_buffer_head+0x1d/0xb0
 alloc_page_buffers+0x1df/0x4a0
 create_empty_buffers+0x26/0x450
 ext4_block_write_begin+0x938/0xc60
 ext4_da_write_begin+0x24f/0x5d0
 generic_perform_write+0x15d/0x290
 ext4_buffered_write_iter+0xc9/0x1d0
 ext4_file_write_iter+0xb1/0xbb0
 __kernel_write+0x22f/0x4c0
 __dump_emit+0xaf/0xf0
 dump_emit+0x107/0x1a0
 dump_user_range+0x5a/0x1f0
 elf_core_dump+0x1804/0x1aa0
 do_coredump+0x10da/0x1bf0
 get_signal+0xa5d/0x1520
 arch_do_signal_or_restart+0xa9/0x870
 exit_to_user_mode_prepare+0x138/0x280
 syscall_exit_to_user_mode+0x19/0x60
 do_syscall_64+0x40/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f721098c317
Code: 44 00 00 48 8b 15 81 5b 36 00 f7 d8 64 89 02 b8 ff ff ff ff c3
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 b8 3e 00 00 00 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 8b 0d 51 5b 36 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe5d132438 EFLAGS: 00000213 ORIG_RAX: 000000000000003e
RAX: 0000000000000000 RBX: 00007ffe5d1324e0 RCX: 00007f721098c317
RDX: 00007f7210a350d7 RSI: 000000000000000b RDI: 00000000000035e0
RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000000000
R13: 0000000000000000 R14: 0000557657079838 R15: 00007ffe5d1333d0
Modules linked in:
CR2: 0000000000000028
---[ end trace c2c81c11bafb869c ]---
RIP: 0010:stack_depot_save+0x136/0x520
Code: ff ff 0f 00 4c 8d 34 c8 4d 8b 2e 4d 85 ed 0f 84 b4 00 00 00 8d
75 ff 48 c1 e6 03 eb 0d 4d 8b 6d 00 4d 85 ed 0f 84 9e 00 00 00 <41> 39
5d 08 75 ed 41 3b 6d 0c 75 e7 49 8b 04 24 49 39 45 18 75 dd
RSP: 0018:ffffc9000abeb0b0 EFLAGS: 00010206
RAX: ffff88813d000000 RBX: 00000000d05577a2 RCX: 00000000000577a2
RDX: 0000000000012c50 RSI: 0000000000000078 RDI: 00000000f0f1e45b
RBP: 0000000000000010 R08: 00000000b6dd3736 R09: ffffffff86c43dd4
R10: ffffffff86c43dd0 R11: 0000000000000000 R12: ffffc9000abeb120
R13: 0000000000000020 R14: ffff88813d2bbd10 R15: 0000000000000000
FS:  00007f721246a500(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000010886f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: ff 0f                decl   (%rdi)
   2: 00 4c 8d 34          add    %cl,0x34(%rbp,%rcx,4)
   6: c8 4d 8b 2e          enterq $0x8b4d,$0x2e
   a: 4d 85 ed              test   %r13,%r13
   d: 0f 84 b4 00 00 00    je     0xc7
  13: 8d 75 ff              lea    -0x1(%rbp),%esi
  16: 48 c1 e6 03          shl    $0x3,%rsi
  1a: eb 0d                jmp    0x29
  1c: 4d 8b 6d 00          mov    0x0(%r13),%r13
  20: 4d 85 ed              test   %r13,%r13
  23: 0f 84 9e 00 00 00    je     0xc7
* 29: 41 39 5d 08          cmp    %ebx,0x8(%r13) <-- trapping instruction
  2d: 75 ed                jne    0x1c
  2f: 41 3b 6d 0c          cmp    0xc(%r13),%ebp
  33: 75 e7                jne    0x1c
  35: 49 8b 04 24          mov    (%r12),%rax
  39: 49 39 45 18          cmp    %rax,0x18(%r13)
  3d: 75 dd                jne    0x1c

Best,
Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ