Re: general protection fault in copy_user_generic_unrolled (2)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Dec 22, 2017 at 10:37 PM, syzbot
<bot+d36b5c0ca22dee8e75b34b1cdf54fd204c43e13e@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
> Hello,
>
> syzkaller hit the following crash on
> 1291a0d5049dbc06baaaf66a9ff3f53db493b19b
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> Unfortunately, I don't have any reproducer for this bug yet.
>
>
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> handle_userfault: 120 callbacks suppressed
> FAULT_FLAG_ALLOW_RETRY missing 30
> CPU: 1 PID: 16647 Comm: syz-executor2 Not tainted 4.15.0-rc4+ #227
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:17 [inline]
>  dump_stack+0x194/0x257 lib/dump_stack.c:53
>  handle_userfault+0x12fa/0x24c0 fs/userfaultfd.c:427
>  do_anonymous_page mm/memory.c:3121 [inline]
>  handle_pte_fault mm/memory.c:3935 [inline]
>  __handle_mm_fault+0x32a3/0x3ce0 mm/memory.c:4061
>  handle_mm_fault+0x334/0x8d0 mm/memory.c:4098
>  __do_page_fault+0x5c9/0xc90 arch/x86/mm/fault.c:1429
>  do_page_fault+0xee/0x720 arch/x86/mm/fault.c:1504
>  page_fault+0x22/0x30 arch/x86/entry/entry_64.S:1094
> RIP: 0010:copy_user_generic_unrolled+0x86/0xc0
> arch/x86/lib/copy_user_64.S:65
> RSP: 0018:ffff8801ca287950 EFLAGS: 00010202
> RAX: fffff520003c0207 RBX: 0000000020012ff0 RCX: 0000000000000001
> RDX: 0000000000000000 RSI: 0000000020012ff0 RDI: ffffc90001e01030
> RBP: ffff8801ca287980 R08: fffff520003c0207 R09: fffff520003c0207
> R10: 0000000000000001 R11: fffff520003c0206 R12: 0000000000000008
> R13: ffffc90001e01030 R14: 00007ffffffff000 R15: 0000000020012ff8
>  copy_from_user include/linux/uaccess.h:147 [inline]
>  bpf_prog_create_from_user+0x10b/0x2b0 net/core/filter.c:1182
>  seccomp_prepare_filter kernel/seccomp.c:386 [inline]
>  seccomp_prepare_user_filter kernel/seccomp.c:421 [inline]
>  seccomp_set_mode_filter kernel/seccomp.c:856 [inline]
>  do_seccomp+0x8a7/0x21f0 kernel/seccomp.c:929
>  SYSC_seccomp kernel/seccomp.c:943 [inline]
>  SyS_seccomp+0x24/0x30 kernel/seccomp.c:940
>  entry_SYSCALL_64_fastpath+0x1f/0x96
> RIP: 0033:0x452a09
> RSP: 002b:00007f28b7863c58 EFLAGS: 00000212 ORIG_RAX: 000000000000013d
> RAX: ffffffffffffffda RBX: 00007f28b7864700 RCX: 0000000000452a09
> RDX: 0000000020000ff0 RSI: 0000000000000000 RDI: 0000000000000001
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
> R13: 0000000000a2f7ff R14: 00007f28b78649c0 R15: 0000000000000000
> Modules linked in:
> CPU: 0 PID: 16649 Comm: syz-executor5 Not tainted 4.15.0-rc4+ #227
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76
> RSP: 0018:ffff8801bc007058 EFLAGS: 00010093
> RAX: ffff8801d8f1a1c0 RBX: 00000000001606f0 RCX: ffffffff811a2a92
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000001606f0
> RBP: ffff8801bc007058 R08: 1ffff10037800d67 R09: 0000000000000004
> R10: ffff8801bc006fc8 R11: 0000000000000004 R12: 0000000000000093
> R13: ffff8801d8f1a1c0 R14: ffff8801db414850 R15: ffff8801db414850
> FS:  00007fd960528700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020134000 CR3: 0000000005e22003 CR4: 00000000001626f0
> Call Trace:
>  __write_cr4 arch/x86/include/asm/paravirt.h:76 [inline]
>  __cr4_set arch/x86/include/asm/tlbflush.h:180 [inline]
>  cr4_clear_bits arch/x86/include/asm/tlbflush.h:203 [inline]
>  kvm_cpu_vmxoff arch/x86/kvm/vmx.c:3582 [inline]
>  hardware_disable+0x34a/0x4b0 arch/x86/kvm/vmx.c:3588
>  kvm_arch_hardware_disable+0x35/0xd0 arch/x86/kvm/x86.c:7982
>  hardware_disable_nolock+0x30/0x40
> arch/x86/kvm/../../../virt/kvm/kvm_main.c:3310
>  on_each_cpu+0xca/0x1b0 kernel/smp.c:604
>  hardware_disable_all_nolock+0x3e/0x50
> arch/x86/kvm/../../../virt/kvm/kvm_main.c:3328
>  hardware_disable_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:3334
> [inline]
>  kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:742 [inline]
>  kvm_put_kvm+0x956/0xdf0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:755
>  kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:766
>  __fput+0x327/0x7e0 fs/file_table.c:210
>  ____fput+0x15/0x20 fs/file_table.c:244
>  task_work_run+0x199/0x270 kernel/task_work.c:113
>  exit_task_work include/linux/task_work.h:22 [inline]
>  do_exit+0x9bb/0x1ad0 kernel/exit.c:865
>  do_group_exit+0x149/0x400 kernel/exit.c:968
>  get_signal+0x73f/0x16c0 kernel/signal.c:2335
>  do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:809
>  exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
>  prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
>  syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
>  entry_SYSCALL_64_fastpath+0x94/0x96
> RIP: 0033:0x452a09
> RSP: 002b:00007fd960527c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
> RAX: 0000000000000001 RBX: 000000000071c010 RCX: 0000000000452a09
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000071c03c
> RBP: 00000000000003f4 R08: 0000000000000000 R09: 00000000000003f4
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006f2f80
> R13: 00000000ffffffff R14: 00007fd9605286d4 R15: 0000000000000008
> Code: 0f 1f 80 00 00 00 00 55 48 89 e5 0f 20 d8 5d c3 0f 1f 80 00 00 00 00
> 55 48 89 e5 0f 22 df 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 <0f> 22 e7 5d c3
> 0f 1f 80 00 00 00 00 55 48 89 e5 44 0f 20 c0 5d
> RIP: native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:76 RSP:
> ffff8801bc007058
> ---[ end trace 826fc7eb0c12f2d4 ]---


Let's assume this is invalid free in pcrypt which caused a bunch of
random consequences:

#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)


> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@xxxxxxxxxxxxxxxx.
> Please credit me with: Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
>
> syzbot will keep track of this bug report.
> Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug
> report.
> Note: all commands must start from beginning of the line in the email body.
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@xxxxxxxxxxxxxxxx.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/syzkaller-bugs/001a1143fd00ff9f4c0560f49d08%40google.com.
> For more options, visit https://groups.google.com/d/optout.



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux