Message-ID: <20151123120219.GH23418@quack.suse.cz>
Date: Mon, 23 Nov 2015 13:02:19 +0100
From: Jan Kara <jack@...e.cz>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: David Miller <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
Jan Kara <jack@...e.cz>,
syzkaller <syzkaller@...glegroups.com>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>
Subject: Re: yet another uninterruptable hang in sendfile

Hello,

On Sat 21-11-15 14:24:45, Dmitry Vyukov wrote:
> On commit 8005c49d9aea74d382f474ce11afbbc7d7130bec (Nov 15).
>
> The program is:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <syscall.h>
> #include <string.h>
> #include <stdint.h>
>
> int main()
> {
>     long r0 = syscall(SYS_socket, 0x10ul, 0x2ul, 0x0ul, 0, 0, 0);
>     long r1 = syscall(SYS_mmap, 0x20000000ul, 0x1000ul, 0x3ul,
>         0x32ul, 0xfffffffffffffffful, 0x0ul);
>     long r2 = syscall(SYS_mmap, 0x20001000ul, 0x1000ul, 0x3ul,
>         0x32ul, 0xfffffffffffffffful, 0x0ul);
>     *(uint64_t*)0x2000153f = 0x20001f99;
>     *(uint64_t*)0x20001547 = 0x67;
>     *(uint64_t*)0x2000154f = 0x20001fa5;
>     *(uint64_t*)0x20001557 = 0x5b;
>     *(uint64_t*)0x2000155f = 0x20001000;
>     *(uint64_t*)0x20001567 = 0x6;
>     long r9 = syscall(SYS_readv, r0, 0x2000153ful, 0x3ul, 0, 0, 0);
>     long r10 = syscall(SYS_mmap, 0x20002000ul, 0x1000ul, 0x3ul,
>         0x32ul, 0xfffffffffffffffful, 0x0ul);
>     memcpy((void*)0x20002000, "\x65\x74\x68\x31\x00", 5);
>     long r12 = syscall(SYS_memfd_create, 0x20002000ul, 0x1ul, 0, 0, 0, 0);
>     long r13 = syscall(SYS_fallocate, r12, 0x0ul, 0x5616e07ul, 0x1ul, 0, 0);
>     memcpy((void*)0x20000da2,
>         "\x02\xbe\x98\x59\x88\xb1\x7b\xfd\xe6\x27\x95\xdc\x18\x4e\x04\x87\x28\x1a\xd0\x30\x52\xcd\xa5\xee\x09\x7f\xfa\x7a\x9b\x72\x17\xfa\x2a\xa1\xe1\x60\x09\xbb\xaf\xdd\x0b\x5c\xa8\x18\x81\x4b\x6d\x42\x11\x20\x4a\xd7\x9e\x86\x8b\x63\xd2\x36\xbf\x5f\xb0\x36\x13\x82\x79\xc8\x31\x3b\x3b\x1e",
>         70);
>     memcpy((void*)0x200008b7,
>         "\x0a\x00\x33\xe8\x3d\xe7\x4a\xcc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xbf\xce\xa1\x60",
>         28);
>     long r16 = syscall(SYS_sendto, r0, 0x20000da2ul, 0x46ul,
>         0x8000ul, 0x200008b7ul, 0x1cul);
>     long r17 = syscall(SYS_sendfile, r0, r12, 0x20000000ul,
>         0x4785d2c1ul, 0, 0);
>     return 0;
> }
>
>
> It hangs in unkillable state. It is probably similar issue to the
> other reported issues related to sendfile:
> https://groups.google.com/forum/#!topic/syzkaller/zfuHHRXL7Zg
> https://groups.google.com/forum/#!topic/syzkaller/sjA9DrBQviw

For me this hangs interruptibly in readv(2); when I remove that call, it
finishes in under a second, so I cannot easily test that the problem gets
fixed by my patch as well (although AFAIU what the test does, it should).
Can you please test the patch in your setup? I'll send it shortly.

> However this one also blankets dmesg with zillions of:
>
> [ 1682.801412] SELinux: unrecognized netlink message: protocol=0
> nlmsg_type=0 sclass=netlink_route_socket
> [ 1682.803565] SELinux: unrecognized netlink message: protocol=0
> nlmsg_type=0 sclass=netlink_route_socket
> [ 1682.804991] SELinux: unrecognized netlink message: protocol=0
> nlmsg_type=0 sclass=netlink_route_socket
>
> The program should be killable.

I don't have SELinux configured so that may be what's making a difference.

Honza
--
Jan Kara <jack@...e.com>
SUSE Labs, CR