Message-ID: <AOAA*AACIqMsH7SiGMkHgaoE.1.1734695024950.Hmail.3014218099@tju.edu.cn>
Date: Fri, 20 Dec 2024 19:43:44 +0800 (GMT+08:00)
From: Haichi Wang <wanghaichi@....edu.cn>
To: dave.hansen@...ux.intel.com, brauner@...nel.org, hpa@...or.com, 
	viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org, 
	tglx@...utronix.de, bp@...en8.de, linux-bcachefs@...r.kernel.org, 
	linux-kernel@...r.kernel.org, luto@...nel.org, x86@...nel.org, 
	mingo@...hat.com, kent.overstreet@...ux.dev, jack@...e.cz
Cc: syzkaller@...glegroups.com
Subject: Kernel bug: "general protection fault in bch2_btree_path_traverse_one"

Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **general protection fault in bch2_btree_path_traverse_one**, discovered using a modified version of Syzkaller.


### Affected Files
The affected files, as obtained from the VM log, are listed below. The corresponding maintainers were identified using `./scripts/get_maintainer.pl`:
fs/bcachefs/btree_update_interior.c
fs/bcachefs/alloc_foreground.c
fs/bcachefs/btree_iter.c
fs/bcachefs/btree_trans_commit.c
fs/namespace.c
arch/x86/entry/common.c
fs/bcachefs/recovery.c
fs/bcachefs/recovery_passes.c
fs/bcachefs/super.c
fs/bcachefs/fs.c
fs/super.c


### Kernel Versions
- **Kernel Version Tested:** v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230
- **Latest Kernel Version Reproduced On:** f44d154d6e3d633d4c49a5d6a8aed0e4684ae25e


### Environment Details
- **QEMU Version:** QEMU emulator version 4.2.1 (Debian 1:4.2-3ubuntu6.29)  
- **GCC Version:** gcc (Ubuntu 11.4.0-2ubuntu1~20.04) 11.4.0  
- **Syzkaller Version:** 2b3ef1577cde5da4fd1f7ece079731e140351177




### Attached Files
We have attached the following files to assist in reproducing and diagnosing the bug:
- **Bug Title:** `bugtitle`  
- **Bug Report:** `report`  
- **Machine Information:** `machineInfo`  
- **Kernel Config:** `config`  
- **Compiled Kernel Image:** `vmlinux`  


- **C Reproducing Program:** `repro.c`  
- **VM Log for C Reproducer:** `vm_c.log`  


- **Syzkaller Reproducing Program:** `repro.txt`  
- **VM Log for Syzkaller Reproducer:** `vm_syz.log`




### Reproduction Instructions
To reproduce the bug, please follow the instructions below. For additional details, refer to [Syzkaller Reproducing Crashes Documentation](https://github.com/google/syzkaller/blob/master/docs/reproducing_crashes.md).


Feel free to email us if any other information is needed. We hope the provided materials will help in finding and fixing the bug.


We also provide brief documentation on how to execute the reproducing program:




#### Prepare the Linux Kernel Image
1. Clone the Linux kernel repository and check out the latest kernel version:  
   ```bash
   cd /path/to/linux
   git checkout f44d154d6e3d633d4c49a5d6a8aed0e4684ae25e
   cp /path/to/config /path/to/linux/.config
   make olddefconfig
   make -j$(nproc)
   ```


#### Prepare the Root Filesystem
Follow the setup instructions at [Setting Up Ubuntu Host QEMU VM](https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md). Ensure the root filesystem is prepared at `/path/to/rootfs`.


#### Start the Virtual Machine
Use the following QEMU command to start the VM:
```bash
# start vm
# Here port is set to 10099, change it as needed
qemu-system-x86_64 \
    -m 20G -qmp unix:/tmp/qmp-sock,server,nowait \
    -smp 2 \
    -kernel /path/to/linux/arch/x86/boot/bzImage \
    -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
    -drive file=/path/to/rootfs/bullseye.img,format=raw \
    -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10099-:22 \
    -net nic,model=e1000 \
    -enable-kvm \
    -nographic \
    -pidfile vm.pid \
    2>&1 | tee vm.log
```




#### Reproduce the Bug


- **For C Reproducing Program:**  
   1. Compile the reproducing program:  
      ```bash
      gcc -o repro repro.c
      ```
   2. Transfer the program to the VM and execute it:  
      ```bash
      scp -i /path/to/rootfs/bullseye.id_rsa -P 10099 -o "StrictHostKeyChecking no" repro root@...alhost:/root/
      ssh -i /path/to/rootfs/bullseye.id_rsa -p 10099 -o "StrictHostKeyChecking no" root@...alhost
      cd /root && ./repro
      ```


- **For Syzkaller Reproducing Program:**  
   1. Install Syzkaller ([Setup Guide](https://github.com/google/syzkaller/blob/master/docs/linux/setup.md#go-and-syzkaller)):  
      ```bash
      git clone https://github.com/google/syzkaller
      cd syzkaller
      make
      # if make fails with an error like `cannot find package "github.com/google/syzkaller/`, run the following command and try again
      # go env -w GO111MODULE=on
      ```
   2. Transfer the Syzkaller reproducing program and binary to the VM:  
      ```bash
      scp -i /path/to/rootfs/bullseye.id_rsa -P 10099 -o "StrictHostKeyChecking no" -r /path/to/repro.txt root@...alhost:/root/
      scp -i /path/to/rootfs/bullseye.id_rsa -P 10099 -o "StrictHostKeyChecking no" -r /path/to/syzkaller/bin/linux_amd64/* root@...alhost:/root/
      ssh -i /path/to/rootfs/bullseye.id_rsa -p 10099 -o "StrictHostKeyChecking no" root@...alhost
      # the ssh login lands in /root already; use an absolute path so this also works from elsewhere
      cd /root && ./syz-execprog repro.txt
      ```
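As an added helper (not part of this report and not syzkaller's own code), the POSIX shell snippet below recovers from a VM console log the two things the sections above take from it: the crash title and the list of source files that is then passed to `./scripts/get_maintainer.pl`, so the same check can be run on `vm.log` once the reproducer has finished. The log excerpt is constructed; its offsets and line numbers are made up.

```shell
#!/bin/sh
# Constructed VM console log excerpt (not the report's vm_c.log): the
# layout mirrors what the kernel prints for a GPF under KASAN, but the
# offsets and line numbers are made up.
SAMPLE_LOG='[   12.345678] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
[   12.345690] RIP: 0010:bch2_btree_path_traverse_one+0x1a2/0x9c0 fs/bcachefs/btree_iter.c:1161
[   12.345700] Call Trace:
[   12.345710]  <TASK>
[   12.345720]  bch2_btree_path_traverse_one+0x1a2/0x9c0 fs/bcachefs/btree_iter.c:1161
[   12.345730]  bch2_btree_iter_peek_slot+0x3b/0x8f0 fs/bcachefs/btree_iter.c:2520
[   12.345740]  bch2_btree_update_start+0x2c1/0x16a0 fs/bcachefs/btree_update_interior.c:1149
[   12.345750]  bch2_fs_recovery+0x1d4/0x3300 fs/bcachefs/recovery.c:812
[   12.345760]  bch2_fs_start+0x2f0/0x5a0 fs/bcachefs/super.c:1020
[   12.345770]  bch2_fs_get_tree+0x7c1/0x10d0 fs/bcachefs/fs.c:1998
[   12.345780]  vfs_get_tree+0x8f/0x380 fs/super.c:1814
[   12.345790]  do_new_mount fs/namespace.c:3507 [inline]
[   12.345800]  path_mount+0x14e6/0x1f20 fs/namespace.c:3834
[   12.345810]  do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83'

# Title in the form syzkaller uses ("general protection fault in FUNC"),
# taken from the function named on the first RIP line of the log.
crash_title() {
    sed -n 's/.*RIP: [0-9a-f]*:\([A-Za-z_][A-Za-z0-9_]*\)+0x.*/general protection fault in \1/p' "$1" | head -n 1
}

# Source files named in stack frames ("func+0xoff/0xlen path/file.c:LINE",
# optionally followed by " [inline]"), deduplicated in first-seen order.
affected_files() {
    sed -n 's/.* \([A-Za-z0-9_/.-]*\.[chS]\):[0-9][0-9]*\( \[inline\]\)\{0,1\}$/\1/p' "$1" |
        awk '!seen[$0]++'
}

# Typical use against the real log written by the QEMU command above:
#   crash_title vm.log
#   affected_files vm.log | xargs ./scripts/get_maintainer.pl
```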


Feel free to reach out if additional information or clarifications are needed. We hope this report aids in identifying and fixing the bug.


Best regards,  


Haichi Wang


Tianjin University