lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABOYnLx_dnqzpCW99G81DmOr+2UzdmZMk=T3uxwNxwz+R1RAwg@mail.gmail.com>
Date: Fri, 16 Aug 2024 17:44:07 +0800
From: lee bruce <xrivendell7@...il.com>
To: dave.hansen@...ux.intel.com, linux-kernel@...r.kernel.org, luto@...nel.org, 
	peterz@...radead.org
Cc: bp@...en8.de, hpa@...or.com, mingo@...hat.com, 
	Thomas Gleixner <tglx@...utronix.de>, x86@...nel.org, wang1315768607@....com, 
	syzkaller@...glegroups.com
Subject: WARNING in get_pat_info

Hello, I found a bug titled "WARNING in get_pat_info" with modified
syzkaller in the lasted upstream and lasted mm branches.

If you fix this issue, please add the following tag to the commit:
Reported-by: xingwei lee <xrivendell7@...il.com>
Reported-by: yuxin wang <wang1315768607@....com>

TITLE: WARNING in get_pat_info
------------[ cut here ]------------
WARNING: CPU: 2 PID: 12458 at arch/x86/mm/pat/memtype.c:1002
get_pat_info+0x4b6/0x5c0 arch/x86/mm/pat/memtype.c:1002
arch/x86/mm/pat/memtype.c:1002
Modules linked in:
CPU: 2 PID: 12458 Comm: syz-executor.0 Not tainted 6.10.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:get_pat_info+0x4b6/0x5c0 arch/x86/mm/pat/memtype.c:1002
arch/x86/mm/pat/memtype.c:1002
Code: 00 00 00 48 89 de e8 79 28 54 00 48 83 fb 20 75 11 48 83 7c 24
18 00 74 6e 31 ff e8 74 23 54 00 eb 0b 31 ff e8 6b 23 54 00 90 <0f> 0b
90 bb ea ff ff ff 48 c7 44 24 40 0e 36 e0 45 4b c7 44 25 00
RSP: 0018:ffffc9000f3ff2a0 EFLAGS: 00010246
RAX: ffffffff81453f35 RBX: 0000000000000000 RCX: ffffc90013051000
RDX: ffffffff81453f35 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000f3ff3b0 R08: 000000000001fcbe R09: 000000000001fcbf
R10: dffffc0000000000 R11: fffffbfff1fdc6f6 R12: 1ffff92001e7fe5c
R13: dffffc0000000000 R14: 1ffff92001e7fe64 R15: 1ffff92001e7fe68
FS: 00007fb3403356c0(0000) GS:ffff888063500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74b7104000 CR3: 000000001c1ce000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
untrack_pfn+0x338/0x660 arch/x86/mm/pat/memtype.c:1104
arch/x86/mm/pat/memtype.c:1104
unmap_single_vma+0x20c/0x2c0 mm/memory.c:1819 mm/memory.c:1819
unmap_vmas+0x3d7/0x600 mm/memory.c:1885 mm/memory.c:1885
exit_mmap+0x279/0xce0 mm/mmap.c:3341 mm/mmap.c:3341
__mmput+0x120/0x3a0 kernel/fork.c:1343 kernel/fork.c:1343
mmput kernel/fork.c:1365 [inline]
dup_mm kernel/fork.c:1687 [inline]
mmput kernel/fork.c:1365 [inline] kernel/fork.c:1720
dup_mm kernel/fork.c:1687 [inline] kernel/fork.c:1720
copy_mm+0x1a5b/0x1fe0 kernel/fork.c:1720 kernel/fork.c:1720
copy_process+0x1cc7/0x3f70 kernel/fork.c:2373 kernel/fork.c:2373
kernel_clone+0x236/0x910 kernel/fork.c:2780 kernel/fork.c:2780
__do_sys_clone kernel/fork.c:2923 [inline]
__se_sys_clone kernel/fork.c:2907 [inline]
__do_sys_clone kernel/fork.c:2923 [inline] kernel/fork.c:2907
__se_sys_clone kernel/fork.c:2907 [inline] kernel/fork.c:2907
__x64_sys_clone+0x25d/0x2b0 kernel/fork.c:2907 kernel/fork.c:2907
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_x64 arch/x86/entry/common.c:52 [inline] arch/x86/entry/common.c:83
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb33f67dde9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb340335078 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fb33f7abf80 RCX: 00007fb33f67dde9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fb340335120 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 000000000000000b R14: 00007fb33f7abf80 R15: 00007ffd35a9fb48
</TASK>


I use the same kernel as syzbot instance
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=122bfdb8980000
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=8e5f5ae13ab96e5e
compiler: clang version 15.0.6

=* repro.c =*
#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/capability.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1) return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}

#define MAX_FDS 30

static void setup_common() {
if (mount(0, "/sys/fs/fuse/connections", "fusectl", 0, 0)) {
}
}

static void setup_binderfs() {
if (mkdir("/dev/binderfs", 0777)) {
}
if (mount("binder", "/dev/binderfs", "binder", 0, NULL)) {
}
if (symlink("/dev/binderfs", "./binderfs")) {
}
}

static void loop();

static void sandbox_common() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setsid();
struct rlimit rlim;
rlim.rlim_cur = rlim.rlim_max = (200 << 20);
setrlimit(RLIMIT_AS, &rlim);
rlim.rlim_cur = rlim.rlim_max = 32 << 20;
setrlimit(RLIMIT_MEMLOCK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 136 << 20;
setrlimit(RLIMIT_FSIZE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 1 << 20;
setrlimit(RLIMIT_STACK, &rlim);
rlim.rlim_cur = rlim.rlim_max = 128 << 20;
setrlimit(RLIMIT_CORE, &rlim);
rlim.rlim_cur = rlim.rlim_max = 256;
setrlimit(RLIMIT_NOFILE, &rlim);
if (unshare(CLONE_NEWNS)) {
}
if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
}
if (unshare(CLONE_NEWIPC)) {
}
if (unshare(0x02000000)) {
}
if (unshare(CLONE_NEWUTS)) {
}
if (unshare(CLONE_SYSVSEM)) {
}
typedef struct {
const char* name;
const char* value;
} sysctl_t;
static const sysctl_t sysctls[] = {
{"/proc/sys/kernel/shmmax", "16777216"},
{"/proc/sys/kernel/shmall", "536870912"},
{"/proc/sys/kernel/shmmni", "1024"},
{"/proc/sys/kernel/msgmax", "8192"},
{"/proc/sys/kernel/msgmni", "1024"},
{"/proc/sys/kernel/msgmnb", "1024"},
{"/proc/sys/kernel/sem", "1024 1048576 500 1024"},
};
unsigned i;
for (i = 0; i < sizeof(sysctls) / sizeof(sysctls[0]); i++)
write_file(sysctls[i].name, sysctls[i].value);
}

static int wait_for_loop(int pid) {
if (pid < 0) exit(1);
int status = 0;
while (waitpid(-1, &status, __WALL) != pid) {
}
return WEXITSTATUS(status);
}

static void drop_caps(void) {
struct __user_cap_header_struct cap_hdr = {};
struct __user_cap_data_struct cap_data[2] = {};
cap_hdr.version = _LINUX_CAPABILITY_VERSION_3;
cap_hdr.pid = getpid();
if (syscall(SYS_capget, &cap_hdr, &cap_data)) exit(1);
const int drop = (1 << CAP_SYS_PTRACE) | (1 << CAP_SYS_NICE);
cap_data[0].effective &= ~drop;
cap_data[0].permitted &= ~drop;
cap_data[0].inheritable &= ~drop;
if (syscall(SYS_capset, &cap_hdr, &cap_data)) exit(1);
}

static int do_sandbox_none(void) {
if (unshare(CLONE_NEWPID)) {
}
int pid = fork();
if (pid != 0) return wait_for_loop(pid);
setup_common();
sandbox_common();
drop_caps();
if (unshare(CLONE_NEWNET)) {
}
write_file("/proc/sys/net/ipv4/ping_group_range", "0 65535");
setup_binderfs();
loop();
exit(1);
}

static int inject_fault(int nth) {
int fd;
fd = open("/proc/thread-self/fail-nth", O_RDWR);
if (fd == -1) exit(1);
char buf[16];
sprintf(buf, "%d", nth);
if (write(fd, buf, strlen(buf)) != (ssize_t)strlen(buf)) exit(1);
return fd;
}

static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent) break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}

static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}

static void close_fds() {
for (int fd = 3; fd < MAX_FDS; fd++) close(fd);
}

static void setup_fault() {
static struct {
const char* file;
const char* val;
bool fatal;
} files[] = {
{"/sys/kernel/debug/failslab/ignore-gfp-wait", "N", true},
{"/sys/kernel/debug/fail_futex/ignore-private", "N", false},
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", "N", false},
{"/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", "N", false},
{"/sys/kernel/debug/fail_page_alloc/min-order", "0", false},
};
unsigned i;
for (i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
if (!write_file(files[i].file, files[i].val)) {
if (files[i].fatal) exit(1);
}
}
}

#define USLEEP_FORKED_CHILD (3 * 50 * 1000)

static long handle_clone_ret(long ret) {
if (ret != 0) {
return ret;
}
usleep(USLEEP_FORKED_CHILD);
syscall(__NR_exit, 0);
while (1) {
}
}

static long syz_clone(volatile long flags, volatile long stack,
volatile long stack_len, volatile long ptid,
volatile long ctid, volatile long tls) {
long sp = (stack + stack_len) & ~15;
long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
return handle_clone_ret(ret);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0) exit(1);
if (pid == 0) {
setup_test();
execute_one();
close_fds();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
sleep_ms(1);
if (current_time_ms() - start < 5000) continue;
kill_and_wait(pid, &status);
break;
}
}
}

uint64_t r[1] = {0xffffffffffffffff};

void execute_one(void) {
intptr_t res = 0;
memcpy((void*)0x20000080, "/dev/hpet\000", 10);
res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,
/*flags=*/0ul, /*mode=*/0ul);
if (res != -1) r[0] = res;
syscall(__NR_mmap, /*addr=*/0x20ffa000ul, /*len=*/0x1000ul, /*prot=*/4ul,
/*flags=*/0x2a051ul, /*fd=*/r[0], /*offset=*/0ul);
inject_fault(32);
syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0,
/*childtid=*/0, /*tls=*/0);
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
setup_fault();
do_sandbox_none();
return 0;
}


=* repro.txt =*
r0 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000ffa000/0x1000)=nil, 0x1000, 0x4,
0x2a051, r0, 0x0)
syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0) (fail_nth: 32)

and see also  https://gist.github.com/xrivendell7/37a37163f25eaee5133174f2a3d507b4.

I hope it helps.
Best regards
xingwei lee

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ