lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CABOYnLzNFD_mf5cY1h8iLnVcTz9Bx14Z6t=9+nbQCPSsTC-5ag@mail.gmail.com>
Date: Wed, 20 Dec 2023 18:49:29 +0800
From: xingwei lee <xrivendell7@...il.com>
To: syzbot+07144c543a5c002c7305@...kaller.appspotmail.com
Cc: acme@...nel.org, adrian.hunter@...el.com, 
	alexander.shishkin@...ux.intel.com, irogers@...gle.com, jolsa@...nel.org, 
	linux-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org, 
	mark.rutland@....com, mingo@...hat.com, namhyung@...nel.org, 
	netdev@...r.kernel.org, peterz@...radead.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [perf?] WARNING in perf_event_open

Hello, I reproduced this bug with repro.c and repro.txt with the same
configure in syzbot and comfiled this bug in the lastest
mainline/net/bpf

bpd-next kernel: 441c725ed592cb22f2a82f2827dccd045356cc81
kernel config: https://syzkaller.appspot.com/x/.config?x=8f565e10f0b1e1fc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
and I also notice it maybe the same bug as
https://lore.kernel.org/all/ZXpm6gQ%2Fd59jGsuW@xpf.sh.intel.com/

Anyway

=* repro.c =*
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms) { usleep(ms * 1000); }

static uint64_t current_time_ms(void) {
 struct timespec ts;
 if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1);
 return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

#define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off))
#define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len)     \
 *(type*)(addr) =                                                   \
     htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \
           (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len))))

static bool write_file(const char* file, const char* what, ...) {
 char buf[1024];
 va_list args;
 va_start(args, what);
 vsnprintf(buf, sizeof(buf), what, args);
 va_end(args);
 buf[sizeof(buf) - 1] = 0;
 int len = strlen(buf);
 int fd = open(file, O_WRONLY | O_CLOEXEC);
 if (fd == -1) return false;
 if (write(fd, buf, len) != len) {
   int err = errno;
   close(fd);
   errno = err;
   return false;
 }
 close(fd);
 return true;
}

static void kill_and_wait(int pid, int* status) {
 kill(-pid, SIGKILL);
 kill(pid, SIGKILL);
 for (int i = 0; i < 100; i++) {
   if (waitpid(-1, status, WNOHANG | __WALL) == pid) return;
   usleep(1000);
 }
 DIR* dir = opendir("/sys/fs/fuse/connections");
 if (dir) {
   for (;;) {
     struct dirent* ent = readdir(dir);
     if (!ent) break;
     if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
       continue;
     char abort[300];
     snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
              ent->d_name);
     int fd = open(abort, O_WRONLY);
     if (fd == -1) {
       continue;
     }
     if (write(fd, abort, 1) < 0) {
     }
     close(fd);
   }
   closedir(dir);
 } else {
 }
 while (waitpid(-1, status, __WALL) != pid) {
 }
}

static void setup_test() {
 prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
 setpgrp();
 write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void) {
 int iter = 0;
 for (;; iter++) {
   int pid = fork();
   if (pid < 0) exit(1);
   if (pid == 0) {
     setup_test();
     execute_one();
     exit(0);
   }
   int status = 0;
   uint64_t start = current_time_ms();
   for (;;) {
     if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break;
     sleep_ms(1);
     if (current_time_ms() - start < 5000) continue;
     kill_and_wait(pid, &status);
     break;
   }
 }
}

void execute_one(void) {
 *(uint32_t*)0x2001d000 = 1;
 *(uint32_t*)0x2001d004 = 0x80;
 *(uint8_t*)0x2001d008 = 0;
 *(uint8_t*)0x2001d009 = 0;
 *(uint8_t*)0x2001d00a = 0;
 *(uint8_t*)0x2001d00b = 0;
 *(uint32_t*)0x2001d00c = 0;
 *(uint64_t*)0x2001d010 = 0x7f;
 *(uint64_t*)0x2001d018 = 0;
 *(uint64_t*)0x2001d020 = 0;
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 0, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 1, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 2, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 3, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 4, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 5, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 6, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 7, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 8, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 9, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 10, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 11, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 12, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 13, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 14, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 15, 2);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 17, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 18, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 19, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 20, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 21, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 22, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 23, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 24, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 25, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 26, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 27, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 28, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 29, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 30, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 31, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 32, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 33, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 34, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 35, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 36, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 37, 1);
 STORE_BY_BITMASK(uint64_t, , 0x2001d028, 0, 38, 26);
 *(uint32_t*)0x2001d030 = 0;
 *(uint32_t*)0x2001d034 = 0;
 *(uint64_t*)0x2001d038 = 0;
 *(uint64_t*)0x2001d040 = 0;
 *(uint64_t*)0x2001d048 = 0;
 *(uint64_t*)0x2001d050 = 0;
 *(uint32_t*)0x2001d058 = 0;
 *(uint32_t*)0x2001d05c = 0;
 *(uint64_t*)0x2001d060 = 0;
 *(uint32_t*)0x2001d068 = 0;
 *(uint16_t*)0x2001d06c = 0;
 *(uint16_t*)0x2001d06e = 0;
 *(uint32_t*)0x2001d070 = 0;
 *(uint32_t*)0x2001d074 = 0;
 *(uint64_t*)0x2001d078 = 0;
 syscall(__NR_perf_event_open, /*attr=*/0x2001d000ul, /*pid=*/0, /*cpu=*/-1,
         /*group=*/-1, /*flags=*/0ul);
}
int main(void) {
 syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul,
         /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
 loop();
 return 0;
}

=* repro.txt =*
perf_event_open(&(0x7f000001d000)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0,
0x7f, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff,
0x0)

and also https://gist.github.com/xrivendell7/128e198d8ff27d003998b4f0cc19bb74

I hope it helps.
Thanks!
Best regards.
xingwei Lee

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ