Message-ID: <CAJg=8jwFexnoTfPLg=Yd44WFVn05wAn0UgH6=baipc53mDxgyQ@mail.gmail.com>
Date: Fri, 19 Apr 2024 21:39:53 -0700
From: Marius Fleischer <fleischermarius@...il.com>
To: Tejun Heo <tj@...nel.org>, Jens Axboe <axboe@...nel.dk>, cgroups@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Cc: syzkaller@...glegroups.com, harrisonmichaelgreen@...il.com
Subject: general protection fault in bio_associate_blkg_from_css

Hi,


We would like to report the following bug which has been found by our
modified version of syzkaller.

======================================================
description: general protection fault in bio_associate_blkg_from_css
affected file: block/blk-cgroup.c
kernel version: 5.15.156
kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================

Crash log:

general protection fault, probably for non-canonical address
0xdffffc00000000ba: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000005d0-0x00000000000005d7]
CPU: 1 PID: 6609 Comm: syz-executor.3 Not tainted 5.15.156 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1
04/01/2014
RIP: 0010:blkg_tryget_closest block/blk-cgroup.c:1831 [inline]
RIP: 0010:bio_associate_blkg_from_css+0x134/0x1050 block/blk-cgroup.c:1865
Code: 80 3c 02 00 0f 85 f0 0d 00 00 48 8b 04 24 48 8b 58 08 48 b8 00 00 00
00 00 fc ff df 48 8d bb d0 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 d0 0d 00 00 48 8b 9b d0 05 00 00 48 b8 00 00 00
RSP: 0018:ffffc90001b9fa40 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83c79b2c
RDX: 00000000000000ba RSI: ffffffff83c78fd1 RDI: 00000000000005d0
RBP: ffff88802077bb40 R08: 0000000000000000 R09: ffffffff8fd95a27
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88804cb71000
R13: ffff888090f74000 R14: 0000000000000000 R15: ffff88804cb71000
FS:  000055555585b480(0000) GS:ffff888135c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8452584000 CR3: 00000000363bf000 CR4: 0000000000750ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 bio_associate_blkg+0xcd/0x410 block/blk-cgroup.c:1893
 lbmStartIO+0x1eb/0x430 fs/jfs/jfs_logmgr.c:2130
 lbmWrite+0x2ea/0x420 fs/jfs/jfs_logmgr.c:2079
 lmNextPage.isra.0+0x285/0x720 fs/jfs/jfs_logmgr.c:624
 lmWriteRecord+0xa90/0x1140 fs/jfs/jfs_logmgr.c:537
 lmLogSync+0x155/0x780 fs/jfs/jfs_logmgr.c:977
 jfs_syncpt+0x89/0xa0 fs/jfs/jfs_logmgr.c:1049
 jfs_sync_fs+0x80/0xa0 fs/jfs/super.c:690
 sync_filesystem fs/sync.c:56 [inline]
 sync_filesystem+0x105/0x280 fs/sync.c:30
 generic_shutdown_super+0x70/0x380 fs/super.c:448
 kill_block_super+0x97/0xf0 fs/super.c:1414
 deactivate_locked_super+0x94/0x160 fs/super.c:335
 deactivate_super+0xad/0xd0 fs/super.c:366
 cleanup_mnt+0x3a2/0x540 fs/namespace.c:1143
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:181 [inline]
 exit_to_user_mode_prepare+0x253/0x280 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:307
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7ff1dd48674b
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 90 f3 0f 1e fa 31 f6 e9 05
00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff
ff 77 05 c3 0f 1f 40 00 48 c7 c2 b0 ff ff ff f7 d8
RSP: 002b:00007fffe4a91848 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff1dd48674b
RDX: 00007ff1dd41e280 RSI: 000000000000000a RDI: 00007fffe4a91900
RBP: 00007fffe4a91900 R08: 0000000000000000 R09: 00007fffe4a916d0
R10: 000055555585ca63 R11: 0000000000000246 R12: 00007ff1dd4e5312
R13: 00007fffe4a929e0 R14: 000055555585c970 R15: 00007fffe4a929d0
 </TASK>
Modules linked in:
---[ end trace 4d6e710b0359a28f ]---
RIP: 0010:blkg_tryget_closest block/blk-cgroup.c:1831 [inline]
RIP: 0010:bio_associate_blkg_from_css+0x134/0x1050 block/blk-cgroup.c:1865
Code: 80 3c 02 00 0f 85 f0 0d 00 00 48 8b 04 24 48 8b 58 08 48 b8 00 00 00
00 00 fc ff df 48 8d bb d0 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 d0 0d 00 00 48 8b 9b d0 05 00 00 48 b8 00 00 00
RSP: 0018:ffffc90001b9fa40 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83c79b2c
RDX: 00000000000000ba RSI: ffffffff83c78fd1 RDI: 00000000000005d0
RBP: ffff88802077bb40 R08: 0000000000000000 R09: ffffffff8fd95a27
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88804cb71000
R13: ffff888090f74000 R14: 0000000000000000 R15: ffff88804cb71000
FS:  000055555585b480(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555558a99a8 CR3: 00000000363bf000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:    80 3c 02 00     cmpb   $0x0,(%rdx,%rax,1)
   4:    0f 85 f0 0d 00 00   jne 0xdfa
   a:    48 8b 04 24     mov (%rsp),%rax
   e:    48 8b 58 08     mov 0x8(%rax),%rbx
  12:    48 b8 00 00 00 00 00     movabs $0xdffffc0000000000,%rax
  19:    fc ff df
  1c:    48 8d bb d0 05 00 00     lea 0x5d0(%rbx),%rdi
  23:    48 89 fa        mov %rdi,%rdx
  26:    48 c1 ea 03     shr $0x3,%rdx
* 2a:    80 3c 02 00     cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:    0f 85 d0 0d 00 00   jne 0xe04
  34:    48 8b 9b d0 05 00 00     mov 0x5d0(%rbx),%rbx
  3b:    48              rex.W
  3c:    b8              .byte 0xb8
  3d:    00 00           add %al,(%rax)
======================================================


Wishing you a lovely day!


Best,

Marius


Download attachment "repro.syz" of type "application/octet-stream" (32320 bytes)

Download attachment "config" of type "application/octet-stream" (227013 bytes)

View attachment "repro.c" of type "text/x-csrc" (128421 bytes)
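An added triage helper, not part of Marius's report: it inverts the x86_64 KASAN shadow mapping to recover the address behind the non-canonical 0xdffffc00000000ba in the log above and cross-checks the result against the register dump (RDI holds the target, RDX the shadow index, RAX the shadow offset, RBX the NULL base of the `lea 0x5d0(%rbx),%rdi`). The KASAN constants are assumed to be this build's defaults (the attached config is not reproduced here), and CRASH_LOG is a constructed excerpt of the log lines above.

```python
import re

# x86_64 generic-KASAN constants, assumed to be this build's defaults
# (arch/x86/include/asm/kasan.h, CONFIG_KASAN_SHADOW_OFFSET).
KASAN_SHADOW_OFFSET = 0xdffffc0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
PAGE_SIZE = 4096  # KASAN labels target addresses below this "null-ptr-deref"

# Constructed excerpt of the crash log above (kernel-mode register dump only).
CRASH_LOG = """\
general protection fault, probably for non-canonical address 0xdffffc00000000ba: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000005d0-0x00000000000005d7]
RIP: 0010:bio_associate_blkg_from_css+0x134/0x1050 block/blk-cgroup.c:1865
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83c79b2c
RDX: 00000000000000ba RSI: ffffffff83c78fd1 RDI: 00000000000005d0
Call Trace:
 bio_associate_blkg+0xcd/0x410 block/blk-cgroup.c:1893
"""

def shadow_to_addr(shadow: int) -> int:
    """Invert the KASAN mapping shadow = (addr >> 3) + KASAN_SHADOW_OFFSET."""
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT

def parse_regs(log: str) -> dict:
    """Kernel-mode register dump as name -> int; the user-mode dump after 'Call Trace:' is ignored."""
    head = log.split("Call Trace:", 1)[0]
    return {name: int(val, 16) for name, val in
            re.findall(r"\b(R[A-Z0-9]{2}):\s+([0-9a-f]{16})\b", head)}

def triage(log: str) -> dict:
    """Recover the real target address and cross-check it with the registers."""
    shadow = int(re.search(r"non-canonical address (0x[0-9a-f]+)", log).group(1), 16)
    lo, hi = (int(x, 16) for x in
              re.search(r"in range \[(0x[0-9a-f]+)-(0x[0-9a-f]+)\]", log).groups())
    regs = parse_regs(log)
    addr = shadow_to_addr(shadow)
    return {
        "shadow": shadow,
        "addr": addr,                                    # what the kernel tried to read
        "kind": "null-ptr-deref" if addr < PAGE_SIZE else "user-or-wild-memory-access",
        "in_reported_range": lo <= addr <= hi,           # one shadow byte covers 8 bytes
        "rdi_is_addr": regs.get("RDI") == addr,          # lea 0x5d0(%rbx),%rdi
        "rdx_is_shadow_index": regs.get("RDX") == addr >> KASAN_SHADOW_SCALE_SHIFT,
        "rax_is_shadow_offset": regs.get("RAX") == KASAN_SHADOW_OFFSET,
        "base_ptr_rbx": regs.get("RBX"),                 # 0 here: NULL struct pointer + 0x5d0
    }

if __name__ == "__main__":
    print(triage(CRASH_LOG))
```

On the excerpt this yields addr 0x5d0, i.e. a read through a NULL struct pointer at offset 0x5d0, consistent with the KASAN range and with RDI/RDX/RAX in the dump.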
