| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251226192506.88593-1-za4emsu@gmail.com>
Date: Fri, 26 Dec 2025 22:25:05 +0300
From: Artur Sultangirov <za4emsu@...il.com>
To: peterz@...radead.org,
mingo@...hat.com
Cc: Artur Sultangirov <za4emsu@...il.com>,
mathieu.desnoyers@...icios.com,
juri.lelli@...hat.com,
vincent.guittot@...aro.org,
linux-kernel@...r.kernel.org
Subject: [BUG] sched/mm_cid: NULL pointer dereference in sched_mm_cid_fork on ARM64
Hi,
I encountered a kernel panic on ARM64 (Apple M4 via QEMU in TCG mode) when executing a binary with a wrong architecture (x86_64 on aarch64).
Instead of returning -ENOEXEC and exiting gracefully, the kernel crashes with a NULL pointer dereference in mutex_lock(), called from sched_mm_cid_fork().
**Analysis:**
The crash happens because `sched_mm_cid_fork()` checks for `!mm` using `WARN_ON_ONCE()`, but does NOT return if `mm` is NULL. It proceeds to dereference `mm` to access `mm->mm_cid.mutex`, leading to a panic.
Code snippet (kernel/sched/core.c:10572):
WARN_ON_ONCE(!mm || t->mm_cid.cid != MM_CID_UNSET);
guard(mutex)(&mm->mm_cid.mutex); // <--- Dereference happens here
**Steps to reproduce:**
1. Boot an ARM64 kernel (reproduced on 6.19-rc2, master branch).
2. Attempt to execute an x86_64 binary as init (or via execve).
3. The execve fails, `mm` becomes NULL (or uninitialized), but the scheduler hook is called.
**Stack trace:**
[ 0.911926] Run /bad_init as init process
[ 0.916411] ------------[ cut here ]------------
[ 0.916480] WARNING: kernel/sched/core.c:10569 at sched_mm_cid_fork+0x3c/0x35c, CPU#3: swapper/0/1
[ 0.917233] Modules linked in:
[ 0.917704] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-rc2-00055-gccd1cdca5cd4-dirty #7 PREEMPT
[ 0.917866] Hardware name: linux,dummy-virt (DT)
[ 0.918118] pc : sched_mm_cid_fork+0x3c/0x35c
[ 0.918185] lr : sched_mm_cid_after_execve+0x10/0x1c
...
[ 0.919284] Call trace:
[ 0.919387] sched_mm_cid_fork+0x3c/0x35c (P)
[ 0.919522] sched_mm_cid_after_execve+0x10/0x1c
[ 0.919588] bprm_execve+0x32c/0x470
[ 0.919641] kernel_execve+0x25c/0x274
...
[ 0.920548] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e0
[ 0.921346] Internal error: Oops: 000000009600006b [#1] SMP
...
[ 0.923475] Call trace:
[ 0.923503] mutex_lock+0x18/0x54 (P)
[ 0.923552] sched_mm_cid_fork+0x4c/0x35c
[ 0.923610] sched_mm_cid_after_execve+0x10/0x1c
[ 0.923662] bprm_execve+0x32c/0x470
...
[ 0.925595] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
**Suggestion:**
The function should probably return immediately if `mm` is NULL, similar to how it is handled in other scheduler hooks.
Best regards,
Artur Sultangirov
Powered by blists - more mailing lists