| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c6333ada-aa38-4876-9e57-881b3774397b.bugreport@valiantsec.com>
Date: Mon, 05 Aug 2024 10:18:00 +0800
From: "Ubisectech Sirius" <bugreport@...iantsec.com>
To: "linux-trace-kernel" <linux-trace-kernel@...r.kernel.org>,
"linux-kernel" <linux-kernel@...r.kernel.org>
Cc: "peterz" <peterz@...radead.org>,
"mingo" <mingo@...hat.com>,
"acme" <acme@...nel.org>,
"namhyung" <namhyung@...nel.org>
Subject: WARNING in free_event
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.8. Attached to the email were a PoC file of the issue.
Stack dump:
------------[ cut here ]------------
unexpected event refcount: 2; ptr=ffff888019589820
WARNING: CPU: 0 PID: 13593 at kernel/events/core.c:5254 free_event+0xa3/0xc0 kernel/events/core.c:5254
Modules linked in:
CPU: 0 PID: 13593 Comm: syz.3.346 Not tainted 6.8.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:free_event+0xa3/0xc0 kernel/events/core.c:5254
Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 25 48 8b b5 38 02 00 00 48 89 ea 48 c7 c7 00 03 d7 8a e8 3e a9 9a ff 90 <0f> 0b 90 90 5d 41 5c 41 5d e9 bf ed d5 ff 4c 89 ef e8 77 b1 2d 00
RSP: 0018:ffffc90001b379c8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff814f699a
RDX: ffff88801e7b4980 RSI: ffffffff814f69a7 RDI: 0000000000000001
RBP: ffff888019589820 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000002
R13: ffff888019589a58 R14: ffff888019589b00 R15: ffff888019589820
FS: 0000000000000000(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f507464c360 CR3: 0000000053fa4000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
perf_event_release_kernel+0x5d4/0x8f0 kernel/events/core.c:5421
perf_release+0x37/0x50 kernel/events/core.c:5442
__fput+0x282/0xbc0 fs/file_table.c:376
task_work_run+0x16a/0x260 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xaf0/0x2a40 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
get_signal+0x2440/0x2630 kernel/signal.c:2893
arch_do_signal_or_restart+0x81/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
irqentry_exit_to_user_mode+0x13c/0x280 kernel/entry/common.c:225
exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1557
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7fd5ec9958d5
Code: Unable to access opcode bytes at 0x7fd5ec9958ab.
RSP: 002b:0000000000000050 EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007fd5ecb33f60 RCX: 00007fd5ec9958cd
RDX: 0000000000000000 RSI: 0000000000000050 RDI: 0000000000000280
RBP: 00007fd5eca1bb06 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 000000000000000b R14: 00007fd5ecb33f60 R15: 00007fd5ed77a000
</TASK>
Thank you for taking the time to read this email and we look forward to working with you further.
Download attachment "poc.c" of type "application/octet-stream" (7468 bytes)
Powered by blists - more mailing lists