lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Aug 2016 13:06:24 +0200 From: Vlastimil Babka <vbabka@...e.cz> To: Eric Van Hensbergen <ericvh@...il.com>, Ron Minnich <rminnich@...dia.gov>, Latchesar Ionkov <lucho@...kov.net> Cc: "David S. Miller" <davem@...emloft.net>, v9fs-developer@...ts.sourceforge.net, netdev@...r.kernel.org, LKML <linux-kernel@...r.kernel.org> Subject: Re: gpf in p9_client_read With merge window gone, ping? On 07/27/2016 11:21 AM, Vlastimil Babka wrote: > Hi, > > I was fuzzing with trinity in qemu via the virtme script, i.e. using > these opts: > > virtme-run --kdir /home/vbabka/wrk/linus.git --rwdir > /home/vbabka/tmp/trinity/ --dry-run --show-command --qemu-opts --smp 8 > -drive file=/home/vbabka/tmp/trinity.img,if=ide,format=raw,media=disk > /usr/bin/qemu-system-x86_64 -fsdev > local,id=virtfs1,path=/,security_model=none,readonly -device > virtio-9p-pci,fsdev=virtfs1,mount_tag=/dev/root -fsdev > local,id=virtfs5,path=/usr/local/share/virtme-guest-0,security_model=none,readonly > -device virtio-9p-pci,fsdev=virtfs5,mount_tag=virtme.guesttools -fsdev > local,id=virtfs9,path=/home/vbabka/tmp/trinity/,security_model=none > -device virtio-9p-pci,fsdev=virtfs9,mount_tag=virtme.initmount0 -machine > accel=kvm:tcg -watchdog i6300esb -cpu host -parallel none -net none > -echr 1 -serial none -chardev stdio,id=console,signal=off,mux=on -serial > chardev:console -mon chardev=console -vga none -display none -kernel > /home/vbabka/wrk/linus.git/arch/x86/boot/bzImage -append > 'virtme_initmount0=home/vbabka/tmp/trinity > earlyprintk=serial,ttyS0,115200 console=ttyS0 psmouse.proto=exps > "virtme_stty_con=rows 53 cols 189 iutf8" TERM=xterm rootfstype=9p > rootflags=version=9p2000.L,trans=virtio,access=any raid=noautodetect ro > init=/bin/sh -- -c "mount -t tmpfs run /run;mkdir -p > /run/virtme/guesttools;/bin/mount -n -t 9p -o > ro,version=9p2000.L,trans=virtio,access=any virtme.guesttools > /run/virtme/guesttools;exec /run/virtme/guesttools/virtme-init"' --smp 8 > -drive file=/home/vbabka/tmp/trinity.img,if=ide,format=raw,media=disk > > So the fuzzer's working directory is on ext4 created on disk backed by > trinity.img, but the rest is provided from host via virtio-9p, as virtme > does. > > Very deterministically after few minutes of fuzzing, I get OOMs followed > by this: > > general protection fault: 0000 [#1] SMP > CPU: 2 PID: 17712 Comm: trinity-c10 Not tainted 4.7.0 #45 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014 > 0[m ) 178.898319] task: ffff880003a67000 ti: ffff880001984000 task.ti: > ffff880001984000 > RIP: 0010:[<ffffffff818eb530>] [<ffffffff818eb530>] > p9_client_read+0x70/0x270 > RSP: 0000:ffff880001987c48 EFLAGS: 00010246 > RAX: 559b48bf06527000 RBX: 0000000000001000 RCX: ffff880001987cdc > RDX: 0000000000001000 RSI: 000000000000c000 RDI: ffff880005e6b7c0 > RBP: ffff880001987cc8 R08: 0000000000001000 R09: 0000000000000020 > R10: ffff880001987cd0 R11: 0000000000000040 R12: ffff880005e6b780 > R13: 000000000000c000 R14: ffff880005e6b240 R15: 00000000024201ca > FS: 00007fcdb1a74700(0000) GS:ffff880007c80000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000000040c840 CR3: 00000000019fb000 CR4: 00000000001406e0 > DR0: 00007fcdb09b3000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000050602 > Stack: > ffff880001987c90 ffffffff81130f6f ffff880001987c58 ffff880001987c58 > ffff880007c91840 ffff880005e6b7c0 ffff880001987cdc ffffea0000000000 > ffff880001987cf0 0000100001987ce8 ffffffff81131621 ffffea000010abc0 > Call Trace: > [<ffffffff812afab3>] v9fs_fid_readpage+0x73/0x180 fs/9p/vfs_addr.c:69 > [<ffffffff812afbd0>] v9fs_vfs_readpage+0x10/0x20 fs/9p/vfs_addr.c:98 > [< inline >] page_cache_read mm/filemap.c:1908 > [<ffffffff81124ec5>] filemap_fault+0x335/0x4b0 mm/filemap.c:2087 > [<ffffffff8114cf91>] __do_fault+0x61/0xe0 mm/memory.c:2839 > [< inline >] do_read_fault mm/memory.c:3030 > [< inline >] do_fault mm/memory.c:3189 > [< inline >] handle_pte_fault mm/memory.c:3364 > [< inline >] __handle_mm_fault mm/memory.c:3488 > [<ffffffff81150151>] handle_mm_fault+0xd41/0x13d0 mm/memory.c:3517 > [<ffffffff8104b591>] __do_page_fault+0x1c1/0x490 arch/x86/mm/fault.c:1356 > [<ffffffff8104b86c>] do_page_fault+0xc/0x10 arch/x86/mm/fault.c:1419 > [<ffffffff818f9942>] page_fault+0x22/0x30 arch/x86/entry/entry_64.S:920 > Code: 89 c2 89 45 cc 41 8b 5e 20 41 8b 44 24 04 83 e8 18 85 db 0f 84 f8 > 00 00 00 39 c3 0f 87 f0 00 00 00 49 8b 44 24 10 39 d3 0f 4f da <48> 83 > 78 50 00 74 0c 81 fb 00 04 00 00 0f 8f ef 00 00 00 41 8b > RIP [<ffffffff818eb530>] p9_client_read+0x70/0x270 net/9p/client.c:1562 > RSP <ffff880001987c48> > ---[ end trace 0192b39ea4ee4e9b ]--- > Kernel panic - not syncing: Fatal exception > Kernel Offset: disabled > ---[ end Kernel panic - not syncing: Fatal exception > > All code > ======== > 0: 89 c2 mov %eax,%edx > 2: 89 45 cc mov %eax,-0x34(%rbp) > 5: 41 8b 5e 20 mov 0x20(%r14),%ebx > 9: 41 8b 44 24 04 mov 0x4(%r12),%eax > e: 83 e8 18 sub $0x18,%eax > 11: 85 db test %ebx,%ebx > 13: 0f 84 f8 00 00 00 je 0x111 > 19: 39 c3 cmp %eax,%ebx > 1b: 0f 87 f0 00 00 00 ja 0x111 > 21: 49 8b 44 24 10 mov 0x10(%r12),%rax > 26: 39 d3 cmp %edx,%ebx > 28: 0f 4f da cmovg %edx,%ebx > 2b:* 48 83 78 50 00 cmpq $0x0,0x50(%rax) <-- > trapping instruction > 30: 74 0c je 0x3e > 32: 81 fb 00 04 00 00 cmp $0x400,%ebx > 38: 0f 8f ef 00 00 00 jg 0x12d > 3e: 41 rex.B > 3f: 8b .byte 0x8b > > the line in question is: > > if (clnt->trans_mod->zc_request && rsize > 1024) > > trans_mod is in rax which is 559b48bf06527000, e.g. clearly bogus > clnt is in r12 which is ffff880005e6b780, I guess either it's wrong > pointer (use-after-free?), or something overwrote the struct? > > Thanks, > Vlastimil >
Powered by blists - more mailing lists