Message-ID: <CAH1hT1L5=TKiWZ+6kmcUQUGEzvk0ZZR-oYaDvbDtLgQMckfBFQ@mail.gmail.com>
Date: Thu, 25 May 2023 15:01:40 -0400
From: Shuangpeng Bai <bb993561614@...il.com>
To: syzkaller <syzkaller@...glegroups.com>,
"krzysztof.kozlowski@...aro.org" <krzysztof.kozlowski@...aro.org>, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org
Subject: KASAN: slab-use-after-free in nfc_alloc_send_skb
Hi Kernel Maintainers,
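Our tool found a new kernel bug, "KASAN: slab-use-after-free in
nfc_alloc_send_skb". Please see the details below.
In short, per the report: the 2048-byte object allocated in
nfc_allocate_device() (reached from virtual_ncidev_open) is freed on the
virtual_ncidev_close -> nci_free_device -> put_device path, and it is then
read in nfc_alloc_send_skb() (net/nfc/core.c:722), reached from
llcp_sock_sendmsg -> nfc_llcp_send_ui_frame.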
Kernel commit: v6.3
Kernel config: see attachment
C/Syz reproducer: see attachment
Full log: see attachment
Best,
Shuangpeng Bai
[ 98.231331][ T8037]
==================================================================
[ 98.239909][ T8037] BUG: KASAN: slab-use-after-free in nfc_alloc_send_skb
(linux/net/nfc/core.c:722)
[ 98.240741][ T8037] Read of size 4 at addr ffff88804608f548 by task
a.out/8037
[ 98.242313][ T8037]
[ 98.242859][ T8037] CPU: 0 PID: 8037 Comm: a.out Not tainted 6.3.0-dirty
#8
[ 98.244257][ T8037] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[ 98.246565][ T8037] Call Trace:
[ 98.247334][ T8037] <TASK>
[ 98.247932][ T8037] dump_stack_lvl (linux/lib/dump_stack.c:107)
[ 98.248966][ T8037] print_report (linux/mm/kasan/report.c:320
linux/mm/kasan/report.c:430)
[ 98.250113][ T8037] ? __virt_addr_valid (linux/arch/x86/mm/physaddr.c:66)
[ 98.252299][ T8037] ? __phys_addr (linux/arch/x86/mm/physaddr.c:32
(discriminator 4))
[ 98.254249][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.255322][ T8037] kasan_report (linux/mm/kasan/report.c:538)
[ 98.257417][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.258595][ T8037] nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.259689][ T8037] nfc_llcp_send_ui_frame
(linux/net/nfc/llcp_commands.c:761)
[ 98.260828][ T8037] ? nfc_llcp_send_i_frame
(linux/net/nfc/llcp_commands.c:724)
[ 98.262018][ T8037] ? llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.263166][ T8037] ? __local_bh_enable_ip
(linux/./arch/x86/include/asm/irqflags.h:42
linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/softirq.c:401)
[ 98.264346][ T8037] llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.265469][ T8037] ? llcp_sock_bind (linux/net/nfc/llcp_sock.c:775)
[ 98.266783][ T8037] sock_sendmsg (linux/net/socket.c:727
linux/net/socket.c:747)
[ 98.267774][ T8037] ____sys_sendmsg (linux/net/socket.c:2506)
[ 98.268804][ T8037] ? kernel_sendmsg (linux/net/socket.c:2448)
[ 98.269827][ T8037] ? __copy_msghdr (linux/net/socket.c:2428)
[ 98.270837][ T8037] ___sys_sendmsg (linux/net/socket.c:2557)
[ 98.271834][ T8037] ? do_recvmmsg (linux/net/socket.c:2544)
[ 98.272717][ T8037] ? find_held_lock (linux/kernel/locking/lockdep.c:5159)
[ 98.273785][ T8037] ? page_ext_put (linux/./include/linux/rcupdate.h:805
linux/mm/page_ext.c:192)
[ 98.274675][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.275554][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.309854][ T8037] ? __fget_light (linux/fs/file.c:1027)
[ 98.310772][ T8037] ? sockfd_lookup_light (linux/net/socket.c:565)
[ 98.311774][ T8037] __sys_sendmmsg (linux/net/socket.c:2644)
[ 98.312695][ T8037] ? __ia32_sys_sendmsg (linux/net/socket.c:2602)
[ 98.313694][ T8037] ? __up_read
(linux/./arch/x86/include/asm/preempt.h:104
linux/kernel/locking/rwsem.c:1354)
[ 98.314568][ T8037] ? up_write (linux/kernel/locking/rwsem.c:1339)
[ 98.315379][ T8037] ? handle_mm_fault (linux/mm/memory.c:5230)
[ 98.316306][ T8037] __x64_sys_sendmmsg (linux/net/socket.c:2667)
[ 98.317258][ T8037] ? syscall_enter_from_user_mode
(linux/./arch/x86/include/asm/irqflags.h:42
linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/entry/common.c:111)
[ 98.318383][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50
linux/arch/x86/entry/common.c:80)
[ 98.319242][ T8037] entry_SYSCALL_64_after_hwframe
(linux/arch/x86/entry/entry_64.S:120)
[ 98.320425][ T8037] RIP: 0033:0x7fef082e4469
[ 98.321304][ T8037] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
All code
========
0: 00 f3 add %dh,%bl
2: c3 ret
3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 40 00 nopl 0x0(%rax)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping
instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d ff 49 2b 00 mov 0x2b49ff(%rip),%rcx # 0x2b4a39
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d ff 49 2b 00 mov 0x2b49ff(%rip),%rcx # 0x2b4a0f
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 98.325023][ T8037] RSP: 002b:00007fff84a9f298 EFLAGS: 00000287
ORIG_RAX: 0000000000000133
[ 98.341308][ T8037] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007fef082e4469
[ 98.342845][ T8037] RDX: 000000000000000a RSI: 0000000020008a80 RDI:
0000000000000004
[ 98.344299][ T8037] RBP: 00007fff84a9f2b0 R08: 00007fff84a9f390 R09:
00007fff84a9f390
[ 98.345876][ T8037] R10: 0000000000000004 R11: 0000000000000287 R12:
000055fee44005e0
[ 98.347400][ T8037] R13: 00007fff84a9f390 R14: 0000000000000000 R15:
0000000000000000
[ 98.348934][ T8037] </TASK>
[ 98.349545][ T8037]
[ 98.350010][ T8037] Allocated by task 8037:
[ 98.351087][ T8037] kasan_save_stack (linux/mm/kasan/common.c:46)
[ 98.352451][ T8037] kasan_set_track (linux/mm/kasan/common.c:52)
[ 98.353698][ T8037] __kasan_kmalloc (linux/mm/kasan/common.c:374
linux/mm/kasan/common.c:333 linux/mm/kasan/common.c:383)
[ 98.354588][ T8037] nfc_allocate_device (linux/net/nfc/core.c:1066
linux/net/nfc/core.c:1051)
[ 98.355946][ T8037] nci_allocate_device (linux/net/nfc/nci/core.c:1174)
[ 98.356925][ T8037] virtual_ncidev_open
(linux/drivers/nfc/virtual_ncidev.c:136)
[ 98.358047][ T8037] misc_open (linux/drivers/char/misc.c:165)
[ 98.359104][ T8037] chrdev_open (linux/fs/char_dev.c:415)
[ 98.360001][ T8037] do_dentry_open (linux/fs/open.c:921)
[ 98.360951][ T8037] path_openat (linux/fs/namei.c:3561
linux/fs/namei.c:3715)
[ 98.361844][ T8037] do_filp_open (linux/fs/namei.c:3743)
[ 98.362757][ T8037] do_sys_openat2 (linux/fs/open.c:1349)
[ 98.378238][ T8037] __x64_sys_openat (linux/fs/open.c:1375)
[ 98.379246][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50
linux/arch/x86/entry/common.c:80)
[ 98.380140][ T8037] entry_SYSCALL_64_after_hwframe
(linux/arch/x86/entry/entry_64.S:120)
[ 98.381357][ T8037]
[ 98.381815][ T8037] Freed by task 8037:
[ 98.382613][ T8037] kasan_save_stack (linux/mm/kasan/common.c:46)
[ 98.383587][ T8037] kasan_set_track (linux/mm/kasan/common.c:52)
[ 98.384493][ T8037] kasan_save_free_info (linux/mm/kasan/generic.c:523)
[ 98.397617][ T8037] ____kasan_slab_free (linux/mm/kasan/common.c:238
linux/mm/kasan/common.c:200)
[ 98.398597][ T8037] __kmem_cache_free (linux/mm/slab.c:3390
linux/mm/slab.c:3577 linux/mm/slab.c:3584)
[ 98.399538][ T8037] device_release (linux/drivers/base/core.c:2440)
[ 98.400474][ T8037] kobject_put (linux/lib/kobject.c:685
linux/lib/kobject.c:712 linux/./include/linux/kref.h:65
linux/lib/kobject.c:729)
[ 98.401359][ T8037] put_device (linux/drivers/base/core.c:3698)
[ 98.402184][ T8037] nci_free_device (linux/net/nfc/nci/core.c:1205)
[ 98.403073][ T8037] virtual_ncidev_close
(linux/drivers/nfc/virtual_ncidev.c:165)
[ 98.404022][ T8037] __fput (linux/fs/file_table.c:322)
[ 98.404798][ T8037] task_work_run (linux/kernel/task_work.c:181
(discriminator 1))
[ 98.405700][ T8037] exit_to_user_mode_prepare
(linux/./include/linux/resume_user_mode.h:49
linux/kernel/entry/common.c:171 linux/kernel/entry/common.c:204)
[ 98.406698][ T8037] syscall_exit_to_user_mode
(linux/kernel/entry/common.c:130 linux/kernel/entry/common.c:299)
[ 98.407625][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:87)
[ 98.408393][ T8037] entry_SYSCALL_64_after_hwframe
(linux/arch/x86/entry/entry_64.S:120)
[ 98.422429][ T8037]
[ 98.422904][ T8037] The buggy address belongs to the object at
ffff88804608f000
[ 98.422904][ T8037] which belongs to the cache kmalloc-2k of size 2048
[ 98.425650][ T8037] The buggy address is located 1352 bytes inside of
[ 98.425650][ T8037] freed 2048-byte region [ffff88804608f000,
ffff88804608f800)
[ 98.428327][ T8037]
[ 98.428804][ T8037] The buggy address belongs to the physical page:
[ 98.430062][ T8037] page:ffffea00011823c0 refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x4608f
[ 98.432017][ T8037] flags:
0x4fff00000000200(slab|node=1|zone=1|lastcpupid=0x7ff)
[ 98.433516][ T8037] raw: 04fff00000000200 ffff888012440800
ffffea0001236a90 ffffea00011617d0
[ 98.435224][ T8037] raw: 0000000000000000 ffff88804608f000
0000000100000001 0000000000000000
[ 98.436849][ T8037] page dumped because: kasan: bad access detected
[ 98.438104][ T8037] page_owner tracks the page as allocated
[ 98.439179][ T8037] page last allocated via order 0, migratetype
Unmovable, gfp_mask
0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid
8037, tgid 8037 (a.out), ts 98112854772, free_ts 98092146308
[ 98.442924][ T8037] post_alloc_hook (linux/./include/linux/page_owner.h:31
linux/mm/page_alloc.c:2546)
[ 98.443871][ T8037] get_page_from_freelist (linux/mm/page_alloc.c:2555
linux/mm/page_alloc.c:4326)
[ 98.444956][ T8037] __alloc_pages (linux/mm/page_alloc.c:5593)
[ 98.445902][ T8037] cache_grow_begin (linux/mm/slab.c:1361
linux/mm/slab.c:2570)
[ 98.446920][ T8037] cache_alloc_refill (linux/mm/slab.c:394
linux/mm/slab.c:2949)
[ 98.448635][ T8037] __kmem_cache_alloc_node (linux/mm/slab.c:3019
linux/mm/slab.c:3002 linux/mm/slab.c:3202 linux/mm/slab.c:3250
linux/mm/slab.c:3541)
[ 98.470085][ T8037] kmalloc_trace (linux/mm/slab_common.c:1064)
[ 98.471586][ T8037] nfc_allocate_device (linux/net/nfc/core.c:1066
linux/net/nfc/core.c:1051)
[ 98.473392][ T8037] nci_allocate_device (linux/net/nfc/nci/core.c:1174)
[ 98.475061][ T8037] virtual_ncidev_open
(linux/drivers/nfc/virtual_ncidev.c:136)
[ 98.476718][ T8037] misc_open (linux/drivers/char/misc.c:165)
[ 98.478182][ T8037] chrdev_open (linux/fs/char_dev.c:415)
[ 98.479553][ T8037] do_dentry_open (linux/fs/open.c:921)
[ 98.481107][ T8037] path_openat (linux/fs/namei.c:3561
linux/fs/namei.c:3715)
[ 98.482591][ T8037] do_filp_open (linux/fs/namei.c:3743)
[ 98.484038][ T8037] do_sys_openat2 (linux/fs/open.c:1349)
[ 98.485512][ T8037] page last free stack trace:
[ 98.486996][ T8037] free_pcp_prepare
(linux/./include/linux/page_owner.h:24 linux/mm/page_alloc.c:1454
linux/mm/page_alloc.c:1504)
[ 98.488490][ T8037] free_unref_page_list (linux/mm/page_alloc.c:3388
linux/mm/page_alloc.c:3529)
[ 98.490202][ T8037] release_pages (linux/mm/swap.c:961)
[ 98.492085][ T8037] tlb_batch_pages_flush (linux/mm/mmu_gather.c:98
(discriminator 1))
[ 98.494165][ T8037] tlb_finish_mmu (linux/mm/mmu_gather.c:111
linux/mm/mmu_gather.c:394)
[ 98.495963][ T8037] exit_mmap (linux/mm/mmap.c:3047)
[ 98.497493][ T8037] __mmput (linux/kernel/fork.c:1209)
[ 98.499017][ T8037] mmput (linux/kernel/fork.c:1231)
[ 98.500386][ T8037] begin_new_exec (linux/fs/exec.c:1297)
[ 98.502304][ T8037] load_elf_binary (linux/fs/binfmt_elf.c:1002)
[ 98.504152][ T8037] bprm_execve (linux/fs/exec.c:1738 linux/fs/exec.c:1778
linux/fs/exec.c:1853 linux/fs/exec.c:1809)
[ 98.505935][ T8037] do_execveat_common.isra.0 (linux/fs/exec.c:1960)
[ 98.508201][ T8037] __x64_sys_execve (linux/fs/exec.c:2105)
[ 98.510065][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50
linux/arch/x86/entry/common.c:80)
[ 98.511798][ T8037] entry_SYSCALL_64_after_hwframe
(linux/arch/x86/entry/entry_64.S:120)
[ 98.514060][ T8037]
[ 98.514970][ T8037] Memory state around the buggy address:
[ 98.517202][ T8037] ffff88804608f400: fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb fb
[ 98.520174][ T8037] ffff88804608f480: fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb fb
[ 98.523195][ T8037] >ffff88804608f500: fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb fb
[ 98.525974][ T8037] ^
[ 98.528088][ T8037] ffff88804608f580: fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb fb
[ 98.530832][ T8037] ffff88804608f600: fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb fb
[ 98.533565][ T8037]
==================================================================
[ 98.679377][ T8037] Kernel panic - not syncing: KASAN: panic_on_warn set
...
[ 98.695828][ T8037] CPU: 1 PID: 8037 Comm: a.out Not tainted 6.3.0-dirty
#8
[ 98.698228][ T8037] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[ 98.701149][ T8037] Call Trace:
[ 98.702263][ T8037] <TASK>
[ 98.703224][ T8037] dump_stack_lvl (linux/lib/dump_stack.c:107)
[ 98.704754][ T8037] panic (linux/kernel/panic.c:340)
[ 98.706148][ T8037] ? panic_smp_self_stop+0x90/0x90
[ 98.707896][ T8037] ? preempt_schedule_thunk
(linux/arch/x86/entry/thunk_64.S:34)
[ 98.709633][ T8037] ? preempt_schedule_common
(linux/./arch/x86/include/asm/preempt.h:85 linux/kernel/sched/core.c:6796)
[ 98.711356][ T8037] check_panic_on_warn (linux/kernel/panic.c:236)
[ 98.712944][ T8037] end_report (linux/mm/kasan/report.c:190)
[ 98.714313][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.716027][ T8037] kasan_report (linux/./arch/x86/include/asm/smap.h:56
linux/mm/kasan/report.c:541)
[ 98.717363][ T8037] ? nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.718990][ T8037] nfc_alloc_send_skb (linux/net/nfc/core.c:722)
[ 98.720565][ T8037] nfc_llcp_send_ui_frame
(linux/net/nfc/llcp_commands.c:761)
[ 98.722166][ T8037] ? nfc_llcp_send_i_frame
(linux/net/nfc/llcp_commands.c:724)
[ 98.723719][ T8037] ? llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.725118][ T8037] ? __local_bh_enable_ip
(linux/./arch/x86/include/asm/irqflags.h:42
linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/softirq.c:401)
[ 98.726592][ T8037] llcp_sock_sendmsg (linux/net/nfc/llcp_sock.c:807)
[ 98.727966][ T8037] ? llcp_sock_bind (linux/net/nfc/llcp_sock.c:775)
[ 98.729367][ T8037] sock_sendmsg (linux/net/socket.c:727
linux/net/socket.c:747)
[ 98.730861][ T8037] ____sys_sendmsg (linux/net/socket.c:2506)
[ 98.732436][ T8037] ? kernel_sendmsg (linux/net/socket.c:2448)
[ 98.734089][ T8037] ? __copy_msghdr (linux/net/socket.c:2428)
[ 98.735446][ T8037] ___sys_sendmsg (linux/net/socket.c:2557)
[ 98.736958][ T8037] ? do_recvmmsg (linux/net/socket.c:2544)
[ 98.738487][ T8037] ? find_held_lock (linux/kernel/locking/lockdep.c:5159)
[ 98.740067][ T8037] ? page_ext_put (linux/./include/linux/rcupdate.h:805
linux/mm/page_ext.c:192)
[ 98.741510][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.742935][ T8037] ? lock_downgrade (linux/kernel/locking/lockdep.c:5677)
[ 98.744287][ T8037] ? __fget_light (linux/fs/file.c:1027)
[ 98.745587][ T8037] ? sockfd_lookup_light (linux/net/socket.c:565)
[ 98.747041][ T8037] __sys_sendmmsg (linux/net/socket.c:2644)
[ 98.748362][ T8037] ? __ia32_sys_sendmsg (linux/net/socket.c:2602)
[ 98.749825][ T8037] ? __up_read
(linux/./arch/x86/include/asm/preempt.h:104
linux/kernel/locking/rwsem.c:1354)
[ 98.751091][ T8037] ? up_write (linux/kernel/locking/rwsem.c:1339)
[ 98.752314][ T8037] ? handle_mm_fault (linux/mm/memory.c:5230)
[ 98.753668][ T8037] __x64_sys_sendmmsg (linux/net/socket.c:2667)
[ 98.755021][ T8037] ? syscall_enter_from_user_mode
(linux/./arch/x86/include/asm/irqflags.h:42
linux/./arch/x86/include/asm/irqflags.h:77 linux/kernel/entry/common.c:111)
[ 98.756678][ T8037] do_syscall_64 (linux/arch/x86/entry/common.c:50
linux/arch/x86/entry/common.c:80)
[ 98.757957][ T8037] entry_SYSCALL_64_after_hwframe
(linux/arch/x86/entry/entry_64.S:120)
[ 98.759589][ T8037] RIP: 0033:0x7fef082e4469
[ 98.760853][ T8037] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ff 49 2b 00 f7 d8 64 89 01 48
All code
========
0: 00 f3 add %dh,%bl
2: c3 ret
3: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 40 00 nopl 0x0(%rax)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping
instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d ff 49 2b 00 mov 0x2b49ff(%rip),%rcx # 0x2b4a39
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d ff 49 2b 00 mov 0x2b49ff(%rip),%rcx # 0x2b4a0f
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 98.766391][ T8037] RSP: 002b:00007fff84a9f298 EFLAGS: 00000287
ORIG_RAX: 0000000000000133
[ 98.768820][ T8037] RAX: ffffffffffffffda RBX: 0000000000000000 RCX:
00007fef082e4469
[ 98.770744][ T8037] RDX: 000000000000000a RSI: 0000000020008a80 RDI:
0000000000000004
[ 98.772649][ T8037] RBP: 00007fff84a9f2b0 R08: 00007fff84a9f390 R09:
00007fff84a9f390
[ 98.774495][ T8037] R10: 0000000000000004 R11: 0000000000000287 R12:
000055fee44005e0
[ 98.776383][ T8037] R13: 00007fff84a9f390 R14: 0000000000000000 R15:
0000000000000000
[ 98.778258][ T8037] </TASK>
[ 98.779056][ T8037] Kernel Offset: disabled
[ 98.780043][ T8037] Rebooting in 86400 seconds..
Content of type "text/html" skipped
Download attachment "report.log" of type "application/octet-stream" (18337 bytes)
Download attachment ".config" of type "application/octet-stream" (242331 bytes)
Download attachment "repro.cprog" of type "application/octet-stream" (4341 bytes)