| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Dec 2023 18:49:29 +0800
From: xingwei lee <xrivendell7@...il.com>
To: syzbot+07144c543a5c002c7305@...kaller.appspotmail.com
Cc: acme@...nel.org, adrian.hunter@...el.com,
alexander.shishkin@...ux.intel.com, irogers@...gle.com, jolsa@...nel.org,
linux-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org,
mark.rutland@....com, mingo@...hat.com, namhyung@...nel.org,
netdev@...r.kernel.org, peterz@...radead.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [perf?] WARNING in perf_event_open
Hello, I reproduced this bug with repro.c and repro.txt with the same
configure in syzbot and comfiled this bug in the lastest
mainline/net/bpf
bpd-next kernel: 441c725ed592cb22f2a82f2827dccd045356cc81
kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
and I also notice it maybe the same bug as
https://lore.kernel.org/all/ZXpm6gQ%2Fd59jGsuW@xpf.sh.intel.com/
Anyway
=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }
static uint64_t current_time_ms(void) {
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \
*(type*)(addr) = \
htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
(((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))
static bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1) return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static void kill_and_wait(int pid, int* status) {
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent) break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test() {
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void) {
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0) exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
sleep_ms(1);
if (current_time_ms() - start < 5000) continue;
kill_and_wait(pid, &status);
break;
}
}
}
void execute_one(void) {
*(uint32_t*)0x2001d000 = 1;
*(uint32_t*)0x2001d004 = 0x80;
*(uint8_t*)0x2001d008 = 0;
*(uint8_t*)0x2001d009 = 0;
*(uint8_t*)0x2001d00a = 0;
*(uint8_t*)0x2001d00b = 0;
*(uint32_t*)0x2001d00c = 0;
*(uint64_t*)0x2001d010 = 0x7f;
*(uint64_t*)0x2001d018 = 0;
*(uint64_t*)0x2001d020 = 0;
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
*(uint32_t*)0x2001d030 = 0;
*(uint32_t*)0x2001d034 = 0;
*(uint64_t*)0x2001d038 = 0;
*(uint64_t*)0x2001d040 = 0;
*(uint64_t*)0x2001d048 = 0;
*(uint64_t*)0x2001d050 = 0;
*(uint32_t*)0x2001d058 = 0;
*(uint32_t*)0x2001d05c = 0;
*(uint64_t*)0x2001d060 = 0;
*(uint32_t*)0x2001d068 = 0;
*(uint16_t*)0x2001d06c = 0;
*(uint16_t*)0x2001d06e = 0;
*(uint32_t*)0x2001d070 = 0;
*(uint32_t*)0x2001d074 = 0;
*(uint64_t*)0x2001d078 = 0;
syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
/*group=*/-1, /*flags=*/0ul);
}
int main(void) {
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}
=* repro.txt =*
perf_event_open(&(0x7f000001d000)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0x0)
and also https://gist.github.com/xrivendell7/128e198d8ff27d003998b4f0cc19bb74
I hope it helps.
Thanks!
Best regards.
xingwei Lee
Powered by blists - more mailing lists