general protection fault in ebitmap_destroy


syzbot

Apr 10, 2019, 12:14:08 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 3c207c88 ANDROID: sched/fair: correct pelt load informatio..
git tree: android-4.14
console output: https://syzkaller.appspot.com/x/log.txt?x=12708d80c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=c184a4faf24e0c0c
dashboard link: https://syzkaller.appspot.com/bug?extid=941c07cbec90b63c9a89
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14c0aa07400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+941c07...@syzkaller.appspotmail.com

random: cc1: uninitialized urandom read (8 bytes read)
audit: type=1400 audit(1547044327.664:9): avc: denied { map } for
pid=1805 comm="syz-execprog" path="/root/syzkaller-shm404128313" dev="sda1"
ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
SELinux: failed to load policy
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 1 PID: 1968 Comm: syz-executor0 Not tainted 4.14.91+ #3
task: ffff8881ccd0af00 task.stack: ffff8881cb8a8000
RIP: 0010:ebitmap_destroy+0x2d/0xe0 security/selinux/ss/ebitmap.c:334
RSP: 0018:ffff8881cb8af658 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff11039715ed4 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 00000000ffffffff RDI: 0000000000000008
RBP: ffff8881cf2b1c40 R08: ffffffff8b2e888e R09: ffffffff8b2e888a
R10: 000000000002853f R11: 000000000001c033 R12: 0000000000000008
R13: ffff8881cf3ca270 R14: 00000000ffffffea R15: ffff8881cce3eee8
FS: 00007f032f49d700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000073c000 CR3: 00000001c5376001 CR4: 00000000001606a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sens_destroy+0x44/0x90 security/selinux/ss/policydb.c:733
sens_read+0x1c1/0x340 security/selinux/ss/policydb.c:1625
policydb_read+0xc44/0x2240 security/selinux/ss/policydb.c:2406
Code: 41 54 49 89 fc 55 53 e8 f2 49 8f ff 4d 85 e4 0f 84 9b 00 00 00 e8 e4
49 8f ff 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00
0f 85 97 00 00 00 49 bd 00 00 00 00 00 fc ff df 49
RIP: ebitmap_destroy+0x2d/0xe0 security/selinux/ss/ebitmap.c:334 RSP:
ffff8881cb8af658
---[ end trace 0d94355ff223ec59 ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x7800000 from 0xffffffff81000000 (relocation range:
0xffffffff80000000-0xffffffffbfffffff)
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Apr 11, 2019, 4:44:38 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 8fe42840 Merge 4.9.141 into android-4.9
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1363b7bb400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22a5ba9f73b6da1d
dashboard link: https://syzkaller.appspot.com/bug?extid=2c8dd047d66cbaae0ae2
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130db3ab400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1084fbbb400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2c8dd0...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 4340 Comm: syz-executor388 Not tainted 4.9.141+ #1
task: ffff8801cce5af80 task.stack: ffff8801cb1b0000
RIP: 0010:[<ffffffff81a17f12>] [<ffffffff81a17f12>]
ebitmap_destroy+0x32/0x100 security/selinux/ss/ebitmap.c:331
RSP: 0018:ffff8801cb1b73e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801cbaa3240 RCX: ffffed00399cb705
RDX: 0000000000000001 RSI: ffffffff81a17f01 RDI: 0000000000000008
RBP: ffff8801cb1b7408 R08: ffff8801cce5b830 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 1ffff10039636e89 R14: 0000000000000008 R15: ffff8801cb1b74a8
FS: 00007faf93ad4700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006dd0a0 CR3: 00000001cd368000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801cbaa3240 0000000000000000 1ffff10039636e89 00000000ffffffea
ffff8801cb1b7428 ffffffff81a20997 ffff8801cb1b7908 ffff8801cbaa3240
ffff8801cb1b74d0 ffffffff81a2124e ffff8801cbaf1ea0 0000000000000004
Call Trace:
[<ffffffff81a20997>] sens_destroy+0x47/0x90
security/selinux/ss/policydb.c:729
[<ffffffff81a2124e>] sens_read+0x1de/0x360
security/selinux/ss/policydb.c:1630
[<ffffffff81a2b1ea>] policydb_read+0xdba/0x2390
security/selinux/ss/policydb.c:2367
[<ffffffff81a3ba84>] security_load_policy+0x264/0x9b0
security/selinux/ss/services.c:2067
[<ffffffff81a1233b>] sel_write_load+0x19b/0xfa0
security/selinux/selinuxfs.c:522
[<ffffffff81508085>] __vfs_write+0x115/0x580 fs/read_write.c:507
[<ffffffff8150ab97>] vfs_write+0x187/0x520 fs/read_write.c:557
[<ffffffff8150e9c9>] SYSC_write fs/read_write.c:604 [inline]
[<ffffffff8150e9c9>] SyS_write+0xd9/0x1c0 fs/read_write.c:596
[<ffffffff810056ef>] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
[<ffffffff82817893>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 89 fe 41 55 41 54 53 e8 6d 3b 90 ff 4d 85 f6 0f 84 a6 00 00 00 e8 5f
3b 90 ff 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00
0f 85 a5 00 00 00 49 8b 1e 48 85 db 74 32 49 bd 00
RIP [<ffffffff81a17f12>] ebitmap_destroy+0x32/0x100
security/selinux/ss/ebitmap.c:331
RSP <ffff8801cb1b73e8>
---[ end trace 6fa09ee25ed1a4e3 ]---

syzbot

Apr 12, 2019, 8:01:16 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d08574b6 ANDROID: cuttlefish_defconfig: Enable VIRTIO_INPUT
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=15f7ad80c00000
kernel config: https://syzkaller.appspot.com/x/.config?x=39bc4256ec37590
dashboard link: https://syzkaller.appspot.com/bug?extid=d5dbd076fa402dd14b31
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14b8fbd7400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1376307f400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d5dbd0...@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral
protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 3380 Comm: syz-executor520 Not tainted 4.4.169+ #2
task: ffff8800b4f0c740 task.stack: ffff8801d1c80000
RIP: 0010:[<ffffffff8197dcf2>] [<ffffffff8197dcf2>]
ebitmap_destroy+0x32/0xe0 security/selinux/ss/ebitmap.c:331
RSP: 0018:ffff8801d1c87658 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 1ffff1003a390ed7 RCX: ffff8800b4f0d008
RDX: 0000000000000001 RSI: ffffffff8197dce1 RDI: 0000000000000008
RBP: ffff8801d1c87678 R08: 0000000000000003 R09: ffff8800b4f0d078
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801d27aff60
R13: 0000000000000008 R14: 00000000ffffffea R15: ffff8801d1c87718
FS: 00007f2db97e0700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efcf032c000 CR3: 00000000b4c3b000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
1ffff1003a390ed7 ffff8801d27aff60 0000000000000000 00000000ffffffea
ffff8801d1c87698 ffffffff81986a69 ffff8801d1c87a40 ffff8801d27aff60
ffff8801d1c87740 ffffffff8198732d ffff8801d2634ab0 0000000000000004
Call Trace:
[<ffffffff81986a69>] sens_destroy+0x49/0xa0
security/selinux/ss/policydb.c:729
[<ffffffff8198732d>] sens_read+0x1dd/0x360
security/selinux/ss/policydb.c:1627
[<ffffffff8199122b>] policydb_read+0xc3b/0x2280
security/selinux/ss/policydb.c:2364
[<ffffffff819a197c>] security_load_policy+0x23c/0x9c0
security/selinux/ss/services.c:2073
[<ffffffff81978705>] sel_write_load+0x175/0xf90
security/selinux/selinuxfs.c:535
[<ffffffff814962e6>] __vfs_write+0x116/0x3d0 fs/read_write.c:489
[<ffffffff81497fe2>] vfs_write+0x182/0x4e0 fs/read_write.c:538
[<ffffffff8149a61c>] SYSC_write fs/read_write.c:585 [inline]
[<ffffffff8149a61c>] SyS_write+0xdc/0x1c0 fs/read_write.c:577
[<ffffffff827153a1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 55 49 89 fd 41 54 53 e8 2d b7 98 ff 4d 85 ed 0f 84 92 00 00 00 e8 1f
b7 98 ff 4c 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00
0f 85 91 00 00 00 49 be 00 00 00 00 00 fc ff df 4d
RIP [<ffffffff8197dcf2>] ebitmap_destroy+0x32/0xe0
security/selinux/ss/ebitmap.c:331
RSP <ffff8801d1c87658>
---[ end trace 325e214f888ddfa3 ]---