lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6778c6a8.050a0220.3b53b0.0047.GAE@google.com>
Date: Fri, 03 Jan 2025 21:27:04 -0800
From: syzbot <syzbot+2e65930fda17880da336@...kaller.appspotmail.com>
To: eadavis@...com, linux-kernel@...r.kernel.org, 
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler

write buf: .., count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
write buf: .., count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000028: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
CPU: 0 UID: 0 PID: 6578 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g224ab98542f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:proc_do_uts_string+0x256/0x630 kernel/utsname_sysctl.c:55
Code: 03 00 00 4d 8b 7f 08 e8 28 b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f8 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc900037f7460 EFLAGS: 00010207
RAX: 0000000000000145 RBX: ffffffff8de3a458 RCX: 1ffff11005cb9121
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802e5c8908
RBP: 0000000000000001 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: ffffc900037f74c0
R13: ffffc900037f7520 R14: ffffffff8de3a460 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556c83033da8 CR3: 0000000030b94000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
 __kernel_write_iter+0x318/0xa80 fs/read_write.c:612
 __kernel_write+0xf6/0x140 fs/read_write.c:632
 do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
 acct_pin_kill+0x2d/0x100 kernel/acct.c:192
 pin_kill+0x194/0x7c0 fs/fs_pin.c:44
 mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
 cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xadd/0x2d70 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x2576/0x2610 kernel/signal.c:3016
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6c3438498a
Code: Unable to access opcode bytes at 0x7f6c34384960.
RSP: 002b:00007ffe74966a30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6c3438498a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffe74966a7c R08: 00007ffe7496637c R09: 0079746972756365
R10: 00007ffe749663e0 R11: 0000000000000293 R12: 0000000000000032
R13: 00000000000276a7 R14: 00007ffe74966ad0 R15: 0000000000000258
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:proc_do_uts_string+0x256/0x630 kernel/utsname_sysctl.c:55
Code: 03 00 00 4d 8b 7f 08 e8 28 b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f8 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc900037f7460 EFLAGS: 00010207
RAX: 0000000000000145 RBX: ffffffff8de3a458 RCX: 1ffff11005cb9121
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802e5c8908
RBP: 0000000000000001 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: ffffc900037f74c0
R13: ffffc900037f7520 R14: ffffffff8de3a460 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556c83033da8 CR3: 0000000030b94000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	03 00                	add    (%rax),%eax
   2:	00 4d 8b             	add    %cl,-0x75(%rbp)
   5:	7f 08                	jg     0xf
   7:	e8 28 b1 fe ff       	call   0xfffeb134
   c:	48 8b 04 24          	mov    (%rsp),%rax
  10:	48 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%rsi
  17:	fc ff df
  1a:	48 2d 80 8d 02 90    	sub    $0xffffffff90028d80,%rax
  20:	4c 01 f8             	add    %r15,%rax
  23:	48 89 c2             	mov    %rax,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 0c 32          	movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
  2e:	48 8d 50 40          	lea    0x40(%rax),%rdx
  32:	48 89 d7             	mov    %rdx,%rdi
  35:	48 c1 ef 03          	shr    $0x3,%rdi
  39:	0f b6 34 37          	movzbl (%rdi,%rsi,1),%esi
  3d:	48 89 c7             	mov    %rax,%rdi


Tested on:

commit:         224ab985 utsname: debug ctl table for domainname
git tree:       https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=106b38b0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ