lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <927dbea2-fc14-0105-8ead-d9e15eb3fd83@oracle.com>
Date:   Mon, 21 Nov 2022 08:34:33 -0800
From:   Sidhartha Kumar <sidhartha.kumar@...cle.com>
To:     Wei Chen <harperchen1110@...il.com>, mike.kravetz@...cle.com,
        songmuchun@...edance.com, akpm@...ux-foundation.org,
        nathan@...nel.org, ndesaulniers@...gle.com, trix@...hat.com,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        llvm@...ts.linux.dev, John Hubbard <jhubbard@...dia.com>
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in
 alloc_buddy_hugetlb_folio


On 11/21/22 6:21 AM, Wei Chen wrote:
> Dear Linux Developer,
>
> Recently when using our tool to fuzz kernel, the following crash was triggered.
>
> HEAD commit: 147307c69ba
> git tree: upstream
> compiler: clang 12.0.0
> console output:
> https://drive.google.com/file/d/1b2z08RYnxoR5I8UiwqaMpG9E-dYgDTcL/view?usp=share_link
> kernel config: https://drive.google.com/file/d/1NAf4S43d9VOKD52xbrqw-PUP1Mbj8z-S/view?usp=share_link
> Syz reproducer:
> https://drive.google.com/file/d/18vNqAHwkVoyx5Db2qnswcaiT-prLx_rx/view?usp=share_link
>
> Unfortunately, if we transform the syz reproducer to C reproducer with
> syz-prog2c, the crash would not happen. Please consider to use
> syz-execprog and syz-executor to reproduce the crash.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: Wei Chen <harperchen1110@...il.com>
>
> BUG: kernel NULL pointer dereference, address: 0000000000000008

It looks like this is caused by what John mentioned here[1]. I will send 
out a new version of this patch with the fix.

Thanks,

Sidhartha Kumar

[1] 
https://lore.kernel.org/linux-mm/03ca2e41-28d3-c546-4347-5dee7b7dca9b@oracle.com/T/#m6312d55610697df44d00c41d60fa8af9d3239891

> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD a9b2067 P4D a9b2067 PUD ab02067 PMD 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 0 PID: 30461 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
> RIP: 0010:_compound_head include/linux/page-flags.h:250 [inline]
> RIP: 0010:alloc_buddy_hugetlb_folio+0x1bd/0x2b0 mm/hugetlb.c:2009
> Code: ff 74 16 8b 04 24 34 01 75 0f e8 ae 04 d8 ff 49 63 c5 3e 49 0f
> ab 07 eb 05 e8 9f 04 d8 ff 45 31 f6 49 8d 7e 08 e8 23 84 eb ff <49> 8b
> 5e 08 48 89 de 48 83 e6 01 31 ff e8 31 09 d8 ff 48 89 d8 48
> RSP: 0018:ffffc90002823bd0 EFLAGS: 00010246
> RAX: ffffffff814fad41 RBX: 0000000000000009 RCX: 0000000000040000
> RDX: ffffc90000afd000 RSI: 0000000000000ab3 RDI: 0000000000000008
> RBP: 0000000000146cca R08: 0001ffffffffffff R09: 0000000000000000
> R10: 0001ffffffffffff R11: ffff88812663a000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007f7190641700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000008 CR3: 000000000ab00000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   alloc_fresh_hugetlb_folio+0x73/0x370 mm/hugetlb.c:2030
>   alloc_surplus_huge_page+0xb6/0x1a0 mm/hugetlb.c:2245
>   alloc_buddy_huge_page_with_mpol mm/hugetlb.c:2321 [inline]
>   alloc_huge_page+0x9d6/0x1620 mm/hugetlb.c:2937
>   hugetlbfs_fallocate+0x57f/0xd70 fs/hugetlbfs/inode.c:865
>   vfs_fallocate+0x486/0x710 fs/open.c:323
>   ksys_fallocate fs/open.c:346 [inline]
>   __do_sys_fallocate fs/open.c:354 [inline]
>   __se_sys_fallocate fs/open.c:352 [inline]
>   __x64_sys_fallocate+0x75/0xc0 fs/open.c:352
>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>   do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
>   entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x4697f9
> Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f7190640c48 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
> RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
> RBP: 00007f7190640c80 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000008800000 R11: 0000000000000246 R12: 0000000000000005
> R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffcccf17d70
>   </TASK>
> Modules linked in:
> CR2: 0000000000000008
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:_compound_head include/linux/page-flags.h:250 [inline]
> RIP: 0010:alloc_buddy_hugetlb_folio+0x1bd/0x2b0 mm/hugetlb.c:2009
> Code: ff 74 16 8b 04 24 34 01 75 0f e8 ae 04 d8 ff 49 63 c5 3e 49 0f
> ab 07 eb 05 e8 9f 04 d8 ff 45 31 f6 49 8d 7e 08 e8 23 84 eb ff <49> 8b
> 5e 08 48 89 de 48 83 e6 01 31 ff e8 31 09 d8 ff 48 89 d8 48
> RSP: 0018:ffffc90002823bd0 EFLAGS: 00010246
> RAX: ffffffff814fad41 RBX: 0000000000000009 RCX: 0000000000040000
> RDX: ffffc90000afd000 RSI: 0000000000000ab3 RDI: 0000000000000008
> RBP: 0000000000146cca R08: 0001ffffffffffff R09: 0000000000000000
> R10: 0001ffffffffffff R11: ffff88812663a000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007f7190641700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000008 CR3: 000000000ab00000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
>     0: ff 74 16 8b          pushq  -0x75(%rsi,%rdx,1)
>     4: 04 24                add    $0x24,%al
>     6: 34 01                xor    $0x1,%al
>     8: 75 0f                jne    0x19
>     a: e8 ae 04 d8 ff        callq  0xffd804bd
>     f: 49 63 c5              movslq %r13d,%rax
>    12: 3e 49 0f ab 07        bts    %rax,%ds:(%r15)
>    17: eb 05                jmp    0x1e
>    19: e8 9f 04 d8 ff        callq  0xffd804bd
>    1e: 45 31 f6              xor    %r14d,%r14d
>    21: 49 8d 7e 08          lea    0x8(%r14),%rdi
>    25: e8 23 84 eb ff        callq  0xffeb844d
> * 2a: 49 8b 5e 08          mov    0x8(%r14),%rbx <-- trapping instruction
>    2e: 48 89 de              mov    %rbx,%rsi
>    31: 48 83 e6 01          and    $0x1,%rsi
>    35: 31 ff                xor    %edi,%edi
>    37: e8 31 09 d8 ff        callq  0xffd8096d
>    3c: 48 89 d8              mov    %rbx,%rax
>    3f: 48                    rex.W
>
> Best,
> Wei
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ