Message-ID: <CABOYnLyHJjv7bZ3CcXo4zAxZ-o49FO9OsWpQrY4tTLNqCbA4Mw@mail.gmail.com>
Date:   Tue, 5 Dec 2023 10:07:03 +0800
From:   xingwei lee <xrivendell7@...il.com>
To:     syzbot+f2c4e7bfcca6c6d6324c@...kaller.appspotmail.com
Cc:     jstultz@...gle.com, linux-kernel@...r.kernel.org, sboyd@...nel.org,
        syzkaller-bugs@...glegroups.com, tglx@...utronix.de
Subject: Re: [syzbot] [kernel?] possible deadlock in alarm_handle_timer

Hello
I reproduced this bug with the repro.c below.

=* repro.txt =*
r0 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r0)
timer_create(0x9, 0x0, &(0x7f0000000500))
timer_settime(0x0, 0x0, &(0x7f000006b000)={{0x0, 0x8}, {0x0, 0x9}}, 0x0)

=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <endian.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* How long (in microseconds) the cloned child lingers before exiting:
 * 150 ms, long enough for the parent to act on the returned pid. */
#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

/* Post-process the raw clone() result.
 *
 * In the parent (or on failure, ret == -1) the value is passed through
 * untouched. In the child (ret == 0) the process sleeps briefly —
 * presumably so the parent can ptrace() it, see main() — and then leaves
 * through the raw exit syscall, bypassing atexit handlers and stdio
 * flushing. The trailing loop only exists so control can never fall off
 * the end of the function. */
static long handle_clone_ret(long ret) {
  if (ret) {
    return ret;
  }
  usleep(USLEEP_FORKED_CHILD);
  syscall(__NR_exit, 0);
  for (;;) {
  }
}

/* syzkaller's clone wrapper: issues the raw clone syscall and routes the
 * result through handle_clone_ret(), so the child never returns here.
 *
 * @param flags      clone flags; CLONE_VM is always stripped (see below).
 * @param stack      base of a caller-supplied child stack, or 0.
 * @param stack_len  size of that stack; 0 when no stack is supplied.
 * @param ptid, ctid, tls  passed straight through to the syscall.
 * @return the parent's view of clone(): child pid, or -1 on failure. */
static long syz_clone(volatile long flags, volatile long stack,
                      volatile long stack_len, volatile long ptid,
                      volatile long ctid, volatile long tls) {
  /* Top of the child stack, rounded down to 16 bytes. main() passes 0/0,
   * which yields sp == 0: the kernel then gives the child a copy of the
   * parent's stack, i.e. a fork-like clone. */
  long child_sp = (stack + stack_len) & ~15;
  /* Without a private address space the child would run on the parent's
   * stack frames, so CLONE_VM is masked off unconditionally. */
  long raw = (long)syscall(__NR_clone, flags & ~CLONE_VM, child_sp, ptid,
                           ctid, tls);
  return handle_clone_ret(raw);
}

/* Resource table mirroring repro.txt: r[0] is "r0", the child pid returned
 * by syz_clone(). It starts at 0 and is only overwritten when the clone
 * did not fail (res != -1), so a failed clone leaves ptrace() aimed at
 * pid 0. */
uint64_t r[1] = { [0] = 0 };

/* Entry point: replays the four-line syzkaller program from repro.txt
 * (clone, ptrace, timer_create, timer_settime) in a fresh address-space
 * layout. Return values of the syscalls are deliberately not checked —
 * that is how syzkaller reproducers are generated. */
int main(void) {
  /* Address-space layout syzkaller expects: a PROT_NONE guard page, a
   * 16 MiB RWX (prot 7) data region at 0x20000000 that holds every
   * pointer argument used below, and a trailing PROT_NONE guard page.
   * flags 0x32 = MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED. */
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

  /* r0 = syz_clone(0, 0, 0, 0, 0, 0): a fork-like child that sleeps
   * briefly and exits. Only a non-failed result is stored. */
  intptr_t child = syz_clone(0, 0, 0, 0, 0, 0);
  if (child != -1) {
    r[0] = child;
  }

  /* ptrace(0x10 = PTRACE_ATTACH, r0). */
  syscall(__NR_ptrace, 0x10ul, r[0], 0, 0);

  /* timer_create(clockid 9 = CLOCK_BOOTTIME_ALARM, sevp = NULL,
   * timerid -> 0x20000500). The alarm clock selects the alarmtimer path
   * named in the subject line. */
  syscall(__NR_timer_create, 9ul, 0ul, 0x20000500ul);

  /* struct itimerspec at 0x2006b000, written as four 64-bit words:
   * it_interval = {0 s, 8 ns}, it_value = {0 s, 9 ns}. */
  uint64_t *its = (uint64_t *)0x2006b000;
  its[0] = 0; /* it_interval.tv_sec  */
  its[1] = 8; /* it_interval.tv_nsec */
  its[2] = 0; /* it_value.tv_sec     */
  its[3] = 9; /* it_value.tv_nsec    */

  /* timer_settime(timerid 0, flags 0, &its, NULL). The literal id 0 is
   * used rather than reading the id back from 0x20000500. */
  syscall(__NR_timer_settime, 0, 0ul, 0x2006b000ul, 0ul);
  return 0;
}

see also https://gist.github.com/dracary7/55a1fc1c839289a1abe01293fe82aa8e

Thanks.
xingwei lee

