| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z1MR6dCIKajNS6nU@krava> Date: Fri, 6 Dec 2024 16:02:01 +0100 From: Jiri Olsa <olsajiri@...il.com> To: syzbot <syzbot+2e0d2840414ce817aaac@...kaller.appspotmail.com> Cc: andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, eddyz87@...il.com, haoluo@...gle.com, john.fastabend@...il.com, kpsingh@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev, netdev@...r.kernel.org, sdf@...ichev.me, song@...nel.org, syzkaller-bugs@...glegroups.com, yonghong.song@...ux.dev Subject: Re: [syzbot] [bpf?] general protection fault in bpf_prog_array_delete_safe On Fri, Dec 06, 2024 at 05:47:21AM -0800, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: e2cf913314b9 Merge branch 'fixes-for-stack-with-allow_ptr_.. > git tree: bpf > console+strace: https://syzkaller.appspot.com/x/log.txt?x=13b5ede8580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=fb680913ee293bcc > dashboard link: https://syzkaller.appspot.com/bug?extid=2e0d2840414ce817aaac > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=132a2020580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1291d0f8580000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/487d8ef2aead/disk-e2cf9133.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/899f2234c9d5/vmlinux-e2cf9133.xz > kernel image: https://storage.googleapis.com/syzbot-assets/ea8993a0dfd6/bzImage-e2cf9133.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+2e0d2840414ce817aaac@...kaller.appspotmail.com > > Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI > KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] > CPU: 0 UID: 0 PID: 5849 Comm: syz-executor326 Not tainted 6.12.0-syzkaller-09099-ge2cf913314b9 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 > RIP: 0010:bpf_prog_array_delete_safe+0x2d/0xc0 kernel/bpf/core.c:2583 > Code: 00 41 57 41 56 41 55 41 54 53 49 89 f7 49 89 fd 49 bc 00 00 00 00 00 fc ff df e8 ce 84 f0 ff 4d 8d 75 10 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 f7 e8 54 6b 5b 00 49 8b 1e 48 85 db 74 > RSP: 0018:ffffc90003807970 EFLAGS: 00010202 > RAX: 0000000000000002 RBX: 1ffff92000700f38 RCX: ffff888034eb8000 > RDX: 0000000000000000 RSI: ffffc90000abe000 RDI: 0000000000000000 > RBP: ffffc90003807a48 R08: ffffffff81a1aa9e R09: 1ffffffff203c816 > R10: dffffc0000000000 R11: fffffbfff203c817 R12: dffffc0000000000 > R13: 0000000000000000 R14: 0000000000000010 R15: ffffc90000abe000 > FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 000000000e738000 CR4: 00000000003526f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > perf_event_detach_bpf_prog+0x2b0/0x330 kernel/trace/bpf_trace.c:2255 > perf_event_free_bpf_prog kernel/events/core.c:10801 [inline] > _free_event+0xb04/0xf60 kernel/events/core.c:5352 > put_event kernel/events/core.c:5454 [inline] > perf_event_release_kernel+0x7c1/0x850 kernel/events/core.c:5579 > perf_release+0x38/0x40 kernel/events/core.c:5589 > __fput+0x23c/0xa50 fs/file_table.c:450 > task_work_run+0x24f/0x310 kernel/task_work.c:239 > exit_task_work include/linux/task_work.h:43 [inline] > do_exit+0xa2f/0x28e0 kernel/exit.c:938 > do_group_exit+0x207/0x2c0 kernel/exit.c:1087 > __do_sys_exit_group kernel/exit.c:1098 [inline] > __se_sys_exit_group kernel/exit.c:1096 [inline] > __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1096 > x64_sys_call+0x26a8/0x26b0 arch/x86/include/generated/asm/syscalls_64.h:232 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f ugh, it's because of the: 0ee288e69d03 bpf,perf: Fix perf_event_detach_bpf_prog error handling I'll send the fix thanks, jirka > RIP: 0033:0x7f9408276e09 > Code: Unable to access opcode bytes at 0x7f9408276ddf. > RSP: 002b:00007fffe6c98ad8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9408276e09 > RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 > RBP: 00007f94082f22b0 R08: ffffffffffffffb8 R09: 0000000000000006 > R10: 0000000000000000 R11: 0000000000000246 R12: 00007f94082f22b0 > R13: 0000000000000000 R14: 00007f94082f2d00 R15: 00007f9408248040 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:bpf_prog_array_delete_safe+0x2d/0xc0 kernel/bpf/core.c:2583 > Code: 00 41 57 41 56 41 55 41 54 53 49 89 f7 49 89 fd 49 bc 00 00 00 00 00 fc ff df e8 ce 84 f0 ff 4d 8d 75 10 4c 89 f0 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 f7 e8 54 6b 5b 00 49 8b 1e 48 85 db 74 > RSP: 0018:ffffc90003807970 EFLAGS: 00010202 > RAX: 0000000000000002 RBX: 1ffff92000700f38 RCX: ffff888034eb8000 > RDX: 0000000000000000 RSI: ffffc90000abe000 RDI: 0000000000000000 > RBP: ffffc90003807a48 R08: ffffffff81a1aa9e R09: 1ffffffff203c816 > R10: dffffc0000000000 R11: fffffbfff203c817 R12: dffffc0000000000 > R13: 0000000000000000 R14: 0000000000000010 R15: ffffc90000abe000 > FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 000000007f382000 CR4: 00000000003526f0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > ---------------- > Code disassembly (best guess): > 0: 00 41 57 add %al,0x57(%rcx) > 3: 41 56 push %r14 > 5: 41 55 push %r13 > 7: 41 54 push %r12 > 9: 53 push %rbx > a: 49 89 f7 mov %rsi,%r15 > d: 49 89 fd mov %rdi,%r13 > 10: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12 > 17: fc ff df > 1a: e8 ce 84 f0 ff call 0xfff084ed > 1f: 4d 8d 75 10 lea 0x10(%r13),%r14 > 23: 4c 89 f0 mov %r14,%rax > 26: 48 c1 e8 03 shr $0x3,%rax > * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction > 2f: 74 08 je 0x39 > 31: 4c 89 f7 mov %r14,%rdi > 34: e8 54 6b 5b 00 call 0x5b6b8d > 39: 49 8b 1e mov (%r14),%rbx > 3c: 48 85 db test %rbx,%rbx > 3f: 74 .byte 0x74 > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@...glegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the report is already addressed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to overwrite report's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the report is a duplicate of another one, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup
Powered by blists - more mailing lists