Message-ID: <0000000000004453bd06190bc5d0@google.com>
Date: Wed, 22 May 2024 07:30:05 -0700
From: syzbot <syzbot+d2125fcb6aa8c4276fd2@...kaller.appspotmail.com>
To: eadavis@...com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fs?] general protection fault in iter_file_splice_write

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

] Freeing unused kernel image (initmem) memory: 26000K
[   21.902015][    T1] Write protecting the kernel read-only data: 204800k
[   21.915990][    T1] Freeing unused kernel image (rodata/data gap) memory: 1740K
[   22.001150][    T1] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[   22.010555][    T1] Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
[   22.014380][    T1] Run /sbin/init as init process
[   22.270925][    T1] SELinux:  Class mctp_socket not defined in policy.
[   22.273265][    T1] SELinux:  Class anon_inode not defined in policy.
[   22.275479][    T1] SELinux:  Class io_uring not defined in policy.
[   22.277605][    T1] SELinux:  Class user_namespace not defined in policy.
[   22.279958][    T1] SELinux: the above unknown classes and permissions will be denied
[   22.376641][    T1] SELinux:  policy capability network_peer_controls=1
[   22.379248][    T1] SELinux:  policy capability open_perms=1
[   22.381279][    T1] SELinux:  policy capability extended_socket_class=1
[   22.383632][    T1] SELinux:  policy capability always_check_network=0
[   22.386099][    T1] SELinux:  policy capability cgroup_seclabel=1
[   22.388512][    T1] SELinux:  policy capability nnp_nosuid_transition=1
[   22.391006][    T1] SELinux:  policy capability genfs_seclabel_symlinks=0
[   22.393353][    T1] SELinux:  policy capability ioctl_skip_cloexec=0
[   22.395753][    T1] SELinux:  policy capability userspace_initial_context=0
[   22.493592][   T39] audit: type=1403 audit(1716387584.398:2): auid=4294967295 ses=4294967295 lsm=selinux res=1
[   22.539716][ T4655] mount (4655) used greatest stack depth: 23344 bytes left
[   22.566408][ T4656] EXT4-fs (sda1): re-mounted 5941fea2-f5fa-4b4e-b5ef-9af118b27b95 r/w. Quota mode: none.
mount: mounting smackfs on /sys/fs/smackfs failed: No such file or directory
[   22.681935][ T4659] mount (4659) used greatest stack depth: 23128 bytes left
Starting syslogd: [   22.942320][   T39] audit: type=1400 audit(1716387584.848:3): avc:  denied  { read write } for  pid=4672 comm="syslogd" path="/dev/null" dev="devtmpfs" ino=5 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
OK
[   22.970689][   T39] audit: type=1400 audit(1716387584.878:4): avc:  denied  { read } for  pid=4672 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[   22.979560][   T39] audit: type=1400 audit(1716387584.878:5): avc:  denied  { search } for  pid=4672 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   22.987816][   T39] audit: type=1400 audit(1716387584.878:6): avc:  denied  { write } for  pid=4672 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
Starting acpid: [   22.996353][   T39] audit: type=1400 audit(1716387584.878:7): avc:  denied  { add_name } for  pid=4672 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   23.005839][   T39] audit: type=1400 audit(1716387584.878:8): avc:  denied  { create } for  pid=4672 comm="syslogd" name="messages" scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   23.013760][   T39] audit: type=1400 audit(1716387584.878:9): avc:  denied  { append open } for  pid=4672 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   23.022478][   T39] audit: type=1400 audit(1716387584.878:10): avc:  denied  { getattr } for  pid=4672 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=2 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   23.032435][   T39] audit: type=1400 audit(1716387584.938:11): avc:  denied  { use } for  pid=4674 comm="acpid" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:acpid_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
OK
Starting klogd: OK
Running sysctl: OK
Populating /dev using udev: [   23.362610][ T4689] udevd[4689]: starting version 3.2.11
[   23.521131][ T4690] udevd[4690]: starting eudev-3.2.11
[   23.522449][ T4689] udevd (4689) used greatest stack depth: 21488 bytes left
done
Starting system message bus: [   30.837568][   T39] kauditd_printk_skb: 13 callbacks suppressed
[   30.837584][   T39] audit: type=1400 audit(1716387592.738:25): avc:  denied  { use } for  pid=4894 comm="dbus-daemon" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:kernel_t tclass=fd permissive=1
[   30.851952][   T39] audit: type=1400 audit(1716387592.738:26): avc:  denied  { read write } for  pid=4894 comm="dbus-daemon" path="/dev/console" dev="rootfs" ino=1039 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:root_t tclass=chr_file permissive=1
[   30.880042][   T39] audit: type=1400 audit(1716387592.788:27): avc:  denied  { search } for  pid=4894 comm="dbus-daemon" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   30.893529][   T39] audit: type=1400 audit(1716387592.798:28): avc:  denied  { write } for  pid=4894 comm="dbus-daemon" name="dbus" dev="tmpfs" ino=1471 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   30.902587][   T39] audit: type=1400 audit(1716387592.798:29): avc:  denied  { add_name } for  pid=4894 comm="dbus-daemon" name="system_bus_socket" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[   30.911419][   T39] audit: type=1400 audit(1716387592.798:30): avc:  denied  { create } for  pid=4894 comm="dbus-daemon" name="system_bus_socket" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
done[   30.920385][   T39] audit: type=1400 audit(1716387592.798:31): avc:  denied  { setattr } for  pid=4894 comm="dbus-daemon" name="system_bus_socket" dev="tmpfs" ino=1472 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=sock_file permissive=1
[   30.930297][   T39] audit: type=1400 audit(1716387592.808:32): avc:  denied  { create } for  pid=4894 comm="dbus-daemon" name="messagebus.pid" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1

[   30.939028][   T39] audit: type=1400 audit(1716387592.808:33): avc:  denied  { write open } for  pid=4894 comm="dbus-daemon" path="/run/messagebus.pid" dev="tmpfs" ino=1473 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[   30.948572][   T39] audit: type=1400 audit(1716387592.808:34): avc:  denied  { getattr } for  pid=4894 comm="dbus-daemon" path="/run/messagebus.pid" dev="tmpfs" ino=1473 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
Starting iptables: OK
Starting network: OK
Starting dhcpcd...
dhcpcd-9.4.1 starting
dev: loaded udev
[   31.870098][ T4918] ret: 114, nbufs: 16,  buf len: 114, n: 0, iter_file_splice_write
[   31.872828][ T4918] ret: 0, nbufs: 16,  buf len: 114, n: 1, iter_file_splice_write
[   31.875479][ T4918] ------------[ cut here ]------------
[   31.877625][ T4918] kernel BUG at fs/splice.c:772!
[   31.879642][ T4918] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[   31.882144][ T4918] CPU: 2 PID: 4918 Comm: cat Not tainted 6.9.0-syzkaller-07370-g33e02dc69afb-dirty #0
[   31.886067][ T4918] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   31.890166][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[   31.892847][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[   31.900759][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[   31.903148][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[   31.906429][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[   31.909550][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[   31.912529][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[   31.915665][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[   31.918807][ T4918] FS:  00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[   31.921822][ T4918] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.924602][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[   31.927480][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   31.930220][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   31.933091][ T4918] Call Trace:
[   31.934542][ T4918]  <TASK>
[   31.935639][ T4918]  ? show_regs+0x8c/0xa0
[   31.937245][ T4918]  ? die+0x36/0xa0
[   31.938912][ T4918]  ? do_trap+0x232/0x430
[   31.940376][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.942133][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.944212][ T4918]  ? do_error_trap+0xf4/0x230
[   31.946283][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.948819][ T4918]  ? handle_invalid_op+0x34/0x40
[   31.950675][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.952589][ T4918]  ? exc_invalid_op+0x2e/0x50
[   31.954493][ T4918]  ? asm_exc_invalid_op+0x1a/0x20
[   31.956421][ T4918]  ? page_cache_pipe_buf_release+0x110/0x2f0
[   31.958569][ T4918]  ? iter_file_splice_write+0x1039/0x1180
[   31.960765][ T4918]  ? __pfx_iter_file_splice_write+0x10/0x10
[   31.963016][ T4918]  ? __pfx_lock_acquire+0x10/0x10
[   31.964920][ T4918]  ? __pfx_iter_file_splice_write+0x10/0x10
[   31.967141][ T4918]  direct_splice_actor+0x19b/0x6d0
[   31.969069][ T4918]  splice_direct_to_actor+0x346/0xa40
[   31.971093][ T4918]  ? __pfx_direct_splice_actor+0x10/0x10
[   31.973209][ T4918]  ? __pfx_splice_direct_to_actor+0x10/0x10
[   31.975456][ T4918]  ? __fsnotify_parent+0x27d/0x9d0
[   31.977400][ T4918]  ? __pfx___might_resched+0x10/0x10
[   31.979416][ T4918]  do_splice_direct+0x17e/0x250
[   31.981880][ T4918]  ? __pfx_do_splice_direct+0x10/0x10
[   31.983926][ T4918]  ? avc_policy_seqno+0x9/0x20
[   31.985751][ T4918]  ? __pfx_direct_file_splice_eof+0x10/0x10
[   31.987982][ T4918]  do_sendfile+0xaa8/0xdb0
[   31.989672][ T4918]  ? __pfx_do_sendfile+0x10/0x10
[   31.991574][ T4918]  ? do_user_addr_fault+0x6d7/0x1010
[   31.993526][ T4918]  __x64_sys_sendfile64+0x1da/0x220
[   31.995516][ T4918]  ? __pfx___x64_sys_sendfile64+0x10/0x10
[   31.997677][ T4918]  do_syscall_64+0xcf/0x260
[   31.999401][ T4918]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   32.001652][ T4918] RIP: 0033:0x7f39affffefa
[   32.003356][ T4918] Code: ff 76 13 83 f8 a1 74 03 f7 d8 c3 4c 89 d2 4c 89 c6 e9 49 fe ff ff 31 c0 c3 0f 1f 80 00 00 00 00 49 89 ca b8 28 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d fe 6e 0d 00 f7 d8 64 89 01 48
[   32.010454][ T4918] RSP: 002b:00007fffa16e8068 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
[   32.013594][ T4918] RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f39affffefa
[   32.016570][ T4918] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
[   32.019528][ T4918] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   32.022555][ T4918] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000000003
[   32.025553][ T4918] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   32.028586][ T4918]  </TASK>
[   32.029791][ T4918] Modules linked in:
[   32.031452][ T4918] ---[ end trace 0000000000000000 ]---
[   32.033862][ T4918] RIP: 0010:iter_file_splice_write+0x1039/0x1180
[   32.036610][ T4918] Code: c1 ea 03 83 c3 01 0f b6 14 02 48 89 c8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 8b 00 00 00 48 8b 04 24 89 98 34 01 00 00 90 <0f> 0b 48 89 cf e8 8d 0e e0 ff e9 38 f3 ff ff e8 83 0e e0 ff e9 ea
[   32.045466][ T4918] RSP: 0018:ffffc900039af930 EFLAGS: 00010246
[   32.048320][ T4918] RAX: ffff8880254fec00 RBX: 0000000000000001 RCX: ffff8880254fed34
[   32.050899][ T4918] RDX: 0000000000000000 RSI: ffffffff82098b90 RDI: ffff88802ea30818
[   32.054095][ T4918] RBP: 0000000000000072 R08: 0000000000000001 R09: 0000000000000000
[   32.057263][ T4918] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802ea30800
[   32.060607][ T4918] R13: 0000000000000072 R14: 0000000000000072 R15: ffff88802ea3080c
[   32.063406][ T4918] FS:  00007f39afea8500(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
[   32.066421][ T4918] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   32.068828][ T4918] CR2: 00007f39b016e5c4 CR3: 000000002b4a6000 CR4: 0000000000350ef0
[   32.071717][ T4918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   32.074503][ T4918] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   32.077572][ T4918] Kernel panic - not syncing: Fatal exception
[   32.080225][ T4918] Kernel Offset: disabled
[   32.081708][ T4918] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4079149403=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at ef5d53ed7
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef5d53ed7e3c7d30481a88301f680e37a5cc4775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240515-155216'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef5d53ed7e3c7d30481a88301f680e37a5cc4775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240515-155216'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -std=c++11 -I. -Iexecutor/_include -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"ef5d53ed7e3c7d30481a88301f680e37a5cc4775\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=164efe44980000


Tested on:

commit:         33e02dc6 Merge tag 'sound-6.10-rc1' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=25544a2faf4bae65
dashboard link: https://syzkaller.appspot.com/bug?extid=d2125fcb6aa8c4276fd2
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=179a8cec980000


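The register block printed under "RIP: 0033:" in the trace above is the user-mode state of the crashing `cat` task, and it is enough to recover which system call it was in. The following C program is an added example, not part of the syzbot report or of the kernel: it parses those six lines (copied inline as constructed input) and applies the x86-64 syscall ABI, number in ORIG_RAX and arguments in RDI, RSI, RDX, R10, R8, R9. Its syscall table is a small hand-picked subset (sendfile, splice, copy_file_range); everything else is an assumption of the example. For this dump it yields sendfile(out_fd=1, in_fd=3, offset=NULL, count=0x1000000), consistent with the __x64_sys_sendfile64 to do_splice_direct to iter_file_splice_write path in the call trace, and it flags that RAX holds -ENOSYS (0xffffffffffffffda), the placeholder the kernel stores in pt_regs->ax at syscall entry, so RAX here is not a return value.

```c
/* Added example, not part of the syzbot report: decode the user-mode register
 * block of an x86-64 oops back into the system call the task was executing.
 * The syscall table is a small constructed subset of syscall_64.tbl. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the six register lines printed under "RIP: 0033:" above. */
static const char *const dump_lines[] = {
    "[   32.010454][ T4918] RSP: 002b:00007fffa16e8068 EFLAGS: 00000246 ORIG_RAX: 0000000000000028",
    "[   32.013594][ T4918] RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f39affffefa",
    "[   32.016570][ T4918] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001",
    "[   32.019528][ T4918] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000",
    "[   32.022555][ T4918] R10: 0000000001000000 R11: 0000000000000246 R12: 0000000000000003",
    "[   32.025553][ T4918] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001",
};
#define DUMP_NLINES (sizeof dump_lines / sizeof dump_lines[0])

enum { RAX, RBX, RCX, RDX, RSI, RDI, RBP, R08, R09, R10, R11, R12, R13, R14, R15, ORIG_RAX, NREGS };
static const char *const reg_names[NREGS] = { "RAX", "RBX", "RCX", "RDX", "RSI", "RDI", "RBP", "R08",
                                              "R09", "R10", "R11", "R12", "R13", "R14", "R15", "ORIG_RAX" };
struct regs { uint64_t v[NREGS]; unsigned seen; };   /* seen: bit i set once reg_names[i] was parsed */

/* Scan one line for "NAME: hexvalue" pairs; names outside reg_names (RSP, EFLAGS, ...) are skipped. */
static void parse_line(const char *line, struct regs *r) {
    char name[16];
    for (const char *p = line;; ) {
        p += strspn(p, " \t\n");
        size_t n = strcspn(p, " \t\n");
        if (n == 0) return;
        if (n > 1 && n < sizeof name && p[n - 1] == ':') {     /* token is a register label */
            memcpy(name, p, n - 1);
            name[n - 1] = '\0';
            p += n + strspn(p + n, " \t\n");
            n = strcspn(p, " \t\n");                           /* the value token */
            for (int i = 0; i < NREGS; i++)
                if (n > 0 && strcmp(name, reg_names[i]) == 0) {
                    r->v[i] = strtoull(p, NULL, 16);
                    r->seen |= 1u << i;
                }
        }
        p += n;
    }
}

struct syscall_desc { unsigned long nr; const char *name; int nargs; const char *args[6]; };
static const struct syscall_desc syscalls[] = {                /* constructed subset of the x86-64 table */
    {  40, "sendfile",        4, { "out_fd", "in_fd", "offset", "count" } },
    { 275, "splice",          6, { "fd_in", "off_in", "fd_out", "off_out", "len", "flags" } },
    { 326, "copy_file_range", 6, { "fd_in", "off_in", "fd_out", "off_out", "len", "flags" } },
};
struct syscall_call { const struct syscall_desc *desc; uint64_t args[6]; int rax_is_enosys; };
/* x86-64 syscall ABI: number in RAX (saved as ORIG_RAX), arguments in RDI, RSI, RDX, R10, R8, R9. */
static const int arg_regs[6] = { RDI, RSI, RDX, R10, R08, R09 };

/* Returns 0 on success, -1 if ORIG_RAX is missing, the number is not in the
 * table, or an argument register is absent from the dump. */
int decode_dump(const char *const *lines, size_t nlines, struct syscall_call *out) {
    struct regs r = { { 0 }, 0 };
    for (size_t i = 0; i < nlines; i++) parse_line(lines[i], &r);
    if (!(r.seen & (1u << ORIG_RAX))) return -1;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < sizeof syscalls / sizeof syscalls[0]; i++)
        if (syscalls[i].nr == r.v[ORIG_RAX]) out->desc = &syscalls[i];
    if (!out->desc) return -1;
    for (int a = 0; a < out->desc->nargs; a++) {
        if (!(r.seen & (1u << arg_regs[a]))) return -1;
        out->args[a] = r.v[arg_regs[a]];
    }
    /* The kernel stores -ENOSYS in pt_regs->ax at syscall entry; seeing it here
     * means the dump was taken inside the call and RAX is not a return value. */
    out->rax_is_enosys = (r.seen & (1u << RAX)) && r.v[RAX] == (uint64_t)-38;
    return 0;
}

/* Render as "sendfile(out_fd=0x1, in_fd=0x3, offset=0x0, count=0x1000000)"; -1 if buf is too small. */
int format_call(const struct syscall_call *c, char *buf, size_t len) {
    size_t off = 0;
    int n = snprintf(buf, len, "%s(", c->desc->name);
    for (int a = 0; a < c->desc->nargs && n >= 0 && (size_t)n < len - off; a++) {
        off += (size_t)n;
        n = snprintf(buf + off, len - off, "%s%s=0x%llx", a ? ", " : "", c->desc->args[a],
                     (unsigned long long)c->args[a]);
    }
    if (n < 0 || (size_t)n >= len - off) return -1;
    off += (size_t)n;
    n = snprintf(buf + off, len - off, ")");
    return (n < 0 || (size_t)n >= len - off) ? -1 : 0;
}

int main(void) {
    struct syscall_call c;
    char buf[160];
    if (decode_dump(dump_lines, DUMP_NLINES, &c) != 0 || format_call(&c, buf, sizeof buf) != 0) return 1;
    printf("nr %lu: %s%s\n", c.desc->nr, buf, c.rax_is_enosys ? "   [RAX=-ENOSYS: mid-syscall]" : "");
    return 0;
}
```

The recovered arguments match what a sendfile-based `cat` does: out_fd 1 is stdout, in_fd 3 is the file it just opened, offset NULL means "use and advance the file position", and count 0x1000000 is a 16 MiB chunk. The kernel-mode register block higher up (RIP: 0010:) is a different frame and must not be fed to this decoder; it describes the point inside iter_file_splice_write where the BUG_ON at fs/splice.c:772 fired, not a syscall boundary.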