On Sat, Sep 05, 2009 at 08:41:26PM +0700, Antoine Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> I reported this bug a while ago but no-one picked up on it.
> Just launch any UML 32-bit kernel on a 64-bit KVM guest:
>
> test $ ./kernel32-2.6.16.62
> Checking that ptrace can change system call numbers...OK
> Checking syscall emulation patch for ptrace...OK
> Trace/breakpoint trap
> test@localhost ~ $ Kernel panic - not syncing: Attempted to kill init!
> Kernel panic - not syncing: Attempted to kill init!
>
>
> You can find some pre-built binaries here:
> http://uml.devloop.org.uk/kernels.html
>
> Since then, I've bisected it down to:
> d4d67150165df8bf1cc05e532f6efca96f907cab is first bad commit
> Author: Roland McGrath <roland@xxxxxxxxxx>
> Date:   Wed Jul 9 02:38:07 2008 -0700
> Subject: x86 ptrace: unify syscall tracing
>
> It looks exploitable at first sight (ptrace generally is), but this is
> beyond me (I am not a kernel hacker).
>
> QEMU without KVM is not affected.
>
> I've added some printf in a test UML kernel to see more precisely where
> it dies in arch/um/os-Linux/startup.c: in check_sysemu():
>
>     non_fatal("Before singlestep\n");
>     if (ptrace(PTRACE_SYSEMU_SINGLESTEP, pid, 0, 0) < 0)
>         goto fail;
>     non_fatal("Before waitpid\n");
>
> (also added a non_fatal() in fail)
>
> It prints these two statements 30 times from the while(1) loop and stops on:
> Before singlestep
>
> Whatever the fix is, this should be queued for stable too.

Is this an AMD host? Works for me on Intel:

[root@guest ~]# ./kernel32-2.6.29.6
Locating the bottom of the address space ... 0x0
Locating the top of the address space ... 0xffffd000
Core dump limits :
	soft - 0
	hard - NONE
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Checking for tmpfs mount on /dev/shm...OK
Checking PROT_EXEC mmap in /dev/shm/...OK
Checking for the skas3 patch in the host:
  - /proc/mm...not found: No such file or directory
  - PTRACE_FAULTINFO...not found
  - PTRACE_LDT...not found
UML running in SKAS0 mode
[    0.000000] Linux version 2.6.29.6 (root@xxxxxxxxxxxxxxxxxxxxx) (gcc version 4.3.2 (Gentoo 4.3.2-r3 p1.6, pie-10.1.5) ) #1 Wed Jul 29 08:29:46 BST 2009
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line: root=98:0
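For anyone reading this thread later who wants to know what the "Checking syscall emulation patch for ptrace...OK" line in both transcripts actually tests, here is a stand-alone probe that does the same thing outside UML. This is an added example, not code from this thread, from UML or from the kernel: it re-creates the first check from check_sysemu() (the PTRACE_SYSEMU one, not the PTRACE_SYSEMU_SINGLESTEP loop where Antoine's kernel dies) for an x86-64 Linux host or guest. A traced child makes exactly one getpid(); the tracer intercepts it with PTRACE_SYSEMU, verifies the syscall number in orig_rax, writes its own pid into rax as the "emulated" result, and the child's exit code reports whether the real syscall ran. The function names, enum values and exit codes are mine (UML's own ptrace_child() uses 0/1/2 the same way; 3 is my addition); PTRACE_SYSEMU is the real x86 request number 31 from the kernel headers.

```c
/* Added example, not code from this thread, UML or the kernel: a stand-alone
 * version of the probe behind UML's "Checking syscall emulation patch for
 * ptrace..." line, for x86-64 Linux. Function names and result codes are mine. */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/user.h>
#ifndef PTRACE_SYSEMU
#define PTRACE_SYSEMU 31            /* x86 request number; current glibc has it */
#endif
#define HAVE_X86_SYSEMU 1
#endif

enum sysemu_result {                /* result codes chosen for this example */
    SYSEMU_OK = 0,                  /* syscall skipped, tracer's return value kept */
    SYSEMU_UNSUPPORTED,             /* host rejected the PTRACE_SYSEMU request */
    SYSEMU_PTRACE_BLOCKED,          /* child could not PTRACE_TRACEME (e.g. seccomp) */
    SYSEMU_BAD_STOP,                /* fork/wait failure or unexpected wait status */
    SYSEMU_WRONG_SYSCALL,           /* stopped on a syscall other than getpid */
    SYSEMU_NOT_EMULATED,            /* child reports the syscall really executed */
    SYSEMU_UNSUPPORTED_ARCH         /* example only implements x86-64 Linux */
};

/* Signal of a ptrace or job-control stop, or -1 if the status is not a stop. */
int stop_signal(int status)
{
    return WIFSTOPPED(status) ? WSTOPSIG(status) : -1;
}

#ifdef HAVE_X86_SYSEMU
/* Child side, modelled on UML's ptrace_child(): exit 0 if the intercepted
 * getpid() returned the parent's pid, 1 if it ran unmodified, 2 otherwise,
 * 3 if the host refused PTRACE_TRACEME. */
static void traced_child(void)
{
    pid_t self = (pid_t)syscall(SYS_getpid), parent = (pid_t)syscall(SYS_getppid);
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(3);
    /* Raw kill(): glibc's raise() wraps tgkill in sigprocmask calls, and one of
     * those would be the first syscall the tracer sees instead of getpid. */
    syscall(SYS_kill, self, SIGSTOP);
    long seen = syscall(SYS_getpid);    /* the call PTRACE_SYSEMU must skip */
    _exit(seen == parent ? 0 : (seen == self ? 1 : 2));
}

/* Kill and reap a child still sitting in a ptrace stop, then return the code. */
static enum sysemu_result give_up(pid_t pid, int status, enum sysemu_result r)
{
    if (WIFSTOPPED(status)) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
    }
    return r;
}
#endif

enum sysemu_result probe_sysemu(void)
{
#ifndef HAVE_X86_SYSEMU
    return SYSEMU_UNSUPPORTED_ARCH;
#else
    int status = 0x7f;                  /* reads as "stopped" until waitpid says otherwise */
    struct user_regs_struct regs;
    pid_t pid = fork();
    if (pid < 0) return SYSEMU_BAD_STOP;
    if (pid == 0) traced_child();
    /* First stop: the SIGSTOP the child sent itself. */
    if (waitpid(pid, &status, 0) < 0 || stop_signal(status) != SIGSTOP)
        return give_up(pid, status, WIFEXITED(status) && WEXITSTATUS(status) == 3
                                    ? SYSEMU_PTRACE_BLOCKED : SYSEMU_BAD_STOP);
    /* Resume in emulation mode: stop at the next syscall entry and do not run it. */
    if (ptrace(PTRACE_SYSEMU, pid, 0, 0) < 0)
        return give_up(pid, status, SYSEMU_UNSUPPORTED);
    if (waitpid(pid, &status, 0) < 0 || stop_signal(status) != SIGTRAP)
        return give_up(pid, status, SYSEMU_BAD_STOP);
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0)
        return give_up(pid, status, SYSEMU_BAD_STOP);
    if ((long)regs.orig_rax != SYS_getpid)    /* orig_rax holds the syscall number */
        return give_up(pid, status, SYSEMU_WRONG_SYSCALL);
    /* Emulate the call ourselves: the child's getpid() will return our pid. */
    regs.rax = (unsigned long long)getpid();
    if (ptrace(PTRACE_SETREGS, pid, 0, &regs) < 0 || ptrace(PTRACE_CONT, pid, 0, 0) < 0)
        return give_up(pid, status, SYSEMU_BAD_STOP);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return give_up(pid, status, SYSEMU_BAD_STOP);
    return WEXITSTATUS(status) == 0 ? SYSEMU_OK : SYSEMU_NOT_EMULATED;
#endif
}

int main(void)
{
    enum sysemu_result r = probe_sysemu();
    printf("PTRACE_SYSEMU probe result code: %d (0 = OK)\n", (int)r);
    return r == SYSEMU_OK ? 0 : 1;
}
```

Run it inside the KVM guest before and after the bisected commit: a 0 means the host skipped the syscall and honoured the tracer's return value, which is exactly what UML's first check needs, while a non-zero code tells you which stage failed (request rejected, no SIGTRAP stop, wrong syscall number, or the syscall executed anyway) without having to add printfs to a UML build. Every failure path kills and reaps the child so the probe never leaves a stopped process behind.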