WARNING in x86_emulate_insn


syzbot

Dec 5, 2017, 3:07:02 PM
to h...@zytor.com, k...@vger.kernel.org, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, rkr...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
Hello,

syzkaller hit the following crash on
fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
WARNING: CPU: 1 PID: 3526 at arch/x86/kvm/emulate.c:5654 x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 3526 Comm: syz-executor4 Not tainted 4.15.0-rc1-next-20171201+ #57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
fixup_bug arch/x86/kernel/traps.c:246 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:1066
RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
RSP: 0018:ffff8801d0fff3e8 EFLAGS: 00010293
RAX: ffff8801d17b60c0 RBX: 1ffff1003a1ffe86 RCX: ffffffff81154351
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: ffff8801d0b5b5c8
RBP: ffff8801d0fff4f8 R08: ffff8801d0b58d80 R09: ffffffff85224da0
R10: 0000000000000001 R11: ffffed003a16b6d4 R12: 00000000000000ff
R13: ffff8801d0b5b5a0 R14: 0000000000000002 R15: ffff8801d0b5b6c3
x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5771
emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
complete_emulated_io arch/x86/kvm/x86.c:7190 [inline]
complete_emulated_pio+0xdd/0x1b0 arch/x86/kvm/x86.c:7201
kvm_arch_vcpu_ioctl_run+0x2db2/0x5c60 arch/x86/kvm/x86.c:7305
kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007f6b6b2d5c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 00000000004529d9
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000004
RBP: 000000000000039b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f2728
R13: 00000000ffffffff R14: 00007f6b6b2d66d4 R15: 0000000000000000
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log
repro.txt

Wanpeng Li

Dec 6, 2017, 7:44:35 PM
to syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
2017-12-06 4:07 GMT+08:00 syzbot
<bot+75375385991b4f8c59...@syzkaller.appspotmail.com>:
> Hello,
>
> syzkaller hit the following crash on
> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
>
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

Is there a C program to reproduce?

Regards,
Wanpeng Li

Dmitry Vyukov

Dec 7, 2017, 1:25:28 AM
to Wanpeng Li, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
On Thu, Dec 7, 2017 at 1:44 AM, Wanpeng Li <kern...@gmail.com> wrote:
> 2017-12-06 4:07 GMT+08:00 syzbot
> <bot+75375385991b4f8c59...@syzkaller.appspotmail.com>:
>> Hello,
>>
>> syzkaller hit the following crash on
>> fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>>
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>>
>
> Is there a c program to reproduce?

No, syzbot does not hide reproducers. See the referenced doc for
details: https://github.com/google/syzkaller/blob/master/docs/syzbot.md#syzkaller-reproducers

蓝天宇

Dec 7, 2017, 2:49:52 AM
to Dmitry Vyukov, Wanpeng Li, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
Hi Dmitry:
I tried to reproduce the issue via syz-execprog with the attached
reproducer on the latest linux-next, but it causes a VM-entry failure due to
invalid guest state...
--
Best regards
Tianyu Lan

Wanpeng Li

Dec 7, 2017, 2:52:22 AM
to 蓝天宇, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
2017-12-07 15:49 GMT+08:00 蓝天宇 <lantia...@gmail.com>:
> Hi Dmitry:
> I tried to reproduce the issue via syz-execprog with the attached
> reproducer on the latest linux-next, but it causes a VM-entry failure due to
> invalid guest state...

Because rflags is 0 in his program. You can set ept=0 and retry.

Regards,
Wanpeng Li

Wanpeng Li

Dec 7, 2017, 5:40:37 AM
to 蓝天宇, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
2017-12-07 15:52 GMT+08:00 Wanpeng Li <kern...@gmail.com>:
> 2017-12-07 15:49 GMT+08:00 蓝天宇 <lantia...@gmail.com>:
>> Hi Dmitry:
>> I tried to reproduce the issue via syz-execprog with the attached
>> reproducer on the latest linux-next, but it causes a VM-entry failure due to
>> invalid guest state...
>
> Because rflags is 0 in his program. You can set ept=0 and retry.

In addition, you can apply this commit
https://lkml.org/lkml/2017/12/7/144 before testing.

Jim Mattson

Dec 7, 2017, 4:25:20 PM
to Wanpeng Li, 蓝天宇, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
Try disabling the module parameter, "unrestricted_guest." Make sure
that the module parameter, "emulate_invalid_guest_state" is enabled.
This combination allows userspace to feed invalid guest state into the
in-kernel emulator.

syzbot

Dec 7, 2017, 10:22:01 PM
to dvy...@google.com, h...@zytor.com, jmat...@google.com, kern...@gmail.com, k...@vger.kernel.org, lantia...@gmail.com, linux-...@vger.kernel.org, mi...@redhat.com, pbon...@redhat.com, rkr...@redhat.com, syzkall...@googlegroups.com, tg...@linutronix.de, x...@kernel.org
syzkaller has found reproducer for the following crash on
968edbd93c0cbb40ab48aca972392d377713a0c3
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


kvm: KVM_SET_TSS_ADDR need to be called before entering vcpu
WARNING: CPU: 0 PID: 3153 at arch/x86/kvm/emulate.c:5654 x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 3153 Comm: syzkaller990902 Not tainted 4.15.0-rc2+ #212
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x211/0x2d0 lib/bug.c:184
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:177
fixup_bug arch/x86/kernel/traps.c:246 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:295
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:930
RIP: 0010:x86_emulate_insn+0xd01/0x3cf0 arch/x86/kvm/emulate.c:5654
RSP: 0018:ffff8801c56f7300 EFLAGS: 00010293
RAX: ffff8801c62d2080 RBX: 1ffff10038adee69 RCX: ffffffff81154231
RDX: 0000000000000000 RSI: ffffffffffffffff RDI: ffff8801c55da888
RBP: ffff8801c56f7410 R08: ffff8801c55d8040 R09: ffffffff85224dc0
R10: 0000000000000002 R11: ffffed0038abb551 R12: 00000000000000ff
R13: ffff8801c55da860 R14: 0000000000000002 R15: ffff8801c55da983
x86_emulate_instruction+0x411/0x1ad0 arch/x86/kvm/x86.c:5769
emulate_instruction arch/x86/include/asm/kvm_host.h:1164 [inline]
handle_invalid_guest_state arch/x86/kvm/vmx.c:6606 [inline]
vmx_handle_exit+0x6e3/0x1ce0 arch/x86/kvm/vmx.c:8826
vcpu_enter_guest arch/x86/kvm/x86.c:7082 [inline]
vcpu_run arch/x86/kvm/x86.c:7144 [inline]
kvm_arch_vcpu_ioctl_run+0x1cb4/0x5c60 arch/x86/kvm/x86.c:7312
kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2574
vfs_ioctl fs/ioctl.c:46 [inline]
do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:686
SYSC_ioctl fs/ioctl.c:701 [inline]
SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4402e9
RSP: 002b:00007ffde2bdf2c8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00000000004402e9
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401c50
R13: 0000000000401ce0 R14: 0000000000000000 R15: 0000000000000000
config.txt
raw.log
repro.txt
repro.c

Wanpeng Li

Dec 7, 2017, 10:33:35 PM
to syzbot, Dmitry Vyukov, H. Peter Anvin, Jim Mattson, kvm, 蓝天宇, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
2017-12-08 11:22 GMT+08:00 syzbot
<bot+75375385991b4f8c59...@syzkaller.appspotmail.com>:
> syzkaller has found reproducer for the following crash on
> 968edbd93c0cbb40ab48aca972392d377713a0c3
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>

I will have a look.

Regards,
Wanpeng Li

Tianyu Lan

Dec 8, 2017, 3:28:31 AM
to Jim Mattson, Wanpeng Li, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
Hi Jim&Wanpeng:
Thanks for your help.

2017-12-08 5:25 GMT+08:00 Jim Mattson <jmat...@google.com>:
> Try disabling the module parameter, "unrestricted_guest." Make sure
> that the module parameter, "emulate_invalid_guest_state" is enabled.
> This combination allows userspace to feed invalid guest state into the
> in-kernel emulator.

Yes, you are right. I need to disable unrestricted_guest to reproduce the issue.

I find this is a pop instruction emulation issue. According to "SDM VOL2,
chapter INSTRUCTION SET REFERENCE. POP—Pop a Value from the Stack":

Protected Mode Exceptions
#GP(0) If attempt is made to load SS register with NULL segment selector.

This test case hits it but the current code doesn't check such a case.
The following patch can fix the issue.

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index abe74f7..e2ac5cc 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
int rc;
struct segmented_address addr;

+ if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
+ return emulate_gp(ctxt, 0);
+
addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
addr.seg = VCPU_SREG_SS;
rc = segmented_read(ctxt, addr, dest, len);
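Review bot: the check added at the top of emulate_pop() treats an SS selector of 0 as a NULL selector in every mode, but a selector is only "null" in protected and long mode; in real mode SS=0 is a valid segment with base 0, so this hunk would make every POP executed with SS=0 in a real-mode guest take #GP(0). It also faults the one case the architecture permits, a NULL SS in 64-bit mode with RPL == CPL, which the existing SS path in __load_segment_descriptor() already accepts. If emulate_pop() needs its own check, gate it on ctxt->mode and reuse that rule rather than the bare `if ( !get_segment_selector(ctxt, VCPU_SREG_SS))` (and drop the space after the opening parenthesis). Note also that the report is a WARN on a X86EMUL_PROPAGATE_FAULT return reaching x86_emulate_insn() with ctxt->exception.vector still 0xff; this hunk adds a new fault that is recorded correctly via emulate_gp(), but does not find the path that returned a fault without recording one.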

Ingo Molnar

Dec 8, 2017, 3:44:09 AM
to Tianyu Lan, Jim Mattson, Wanpeng Li, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers, Andrew Jones
s/if ( !get_segment_selector
/if (!get_segment_selector

I think it would also be nice to convert the syzkaller testcase to a new KVM unit
test:

git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git

There's a test_pop() function in kvm-unit-tests/x86/emulator.c.

Thanks,

Ingo

Tianyu Lan

Dec 8, 2017, 3:48:18 AM
to Ingo Molnar, Jim Mattson, Wanpeng Li, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers, Andrew Jones
Sorry. I mixed Xen and kernel code style...

>
> I think it would also be nice to convert the syzkaller testcase to a new KVM unit
> test:

Sure. I will add it.

>
> git://git.kernel.org/pub/scm/virt/kvm/kvm-unit-tests.git
>
> There's a test_pop() function in kvm-unit-tests/x86/emulator.c.
>
> Thanks,
>
> Ingo



Wanpeng Li

Dec 8, 2017, 4:27:12 AM
to Tianyu Lan, Jim Mattson, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
2017-12-08 16:28 GMT+08:00 Tianyu Lan <lantia...@gmail.com>:
> Hi Jim&Wanpeng:
> Thanks for your help.
>
> 2017-12-08 5:25 GMT+08:00 Jim Mattson <jmat...@google.com>:
>> Try disabling the module parameter, "unrestricted_guest." Make sure
>> that the module parameter, "emulate_invalid_guest_state" is enabled.
>> This combination allows userspace to feed invalid guest state into the
>> in-kernel emulator.
>
> Yes, you are right. I need to disable unrestricted_guest to reproduce the issue.

I can observe ctxt->exception.vector == 0xff which triggers Dmitry's
report. Do you figure out the reason?

Regards,
Wanpeng Li

Lan, Tianyu

Dec 9, 2017, 12:44:07 AM
to Wanpeng Li, Tianyu Lan, Jim Mattson, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Paolo Bonzini, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers

On 12/8/2017 5:27 PM, Wanpeng Li wrote:
> 2017-12-08 16:28 GMT+08:00 Tianyu Lan <lantia...@gmail.com>:
>> Hi Jim&Wanpeng:
>> Thanks for your help.
>>
>> 2017-12-08 5:25 GMT+08:00 Jim Mattson <jmat...@google.com>:
>>> Try disabling the module parameter, "unrestricted_guest." Make sure
>>> that the module parameter, "emulate_invalid_guest_state" is enabled.
>>> This combination allows userspace to feed invalid guest state into the
>>> in-kernel emulator.
>>
>> Yes, you are right. I need to disable unrestricted_guest to reproduce the issue.
>
> I can observe ctxt->exception.vector == 0xff which triggers Dmitry's
> report. Do you figure out the reason?
>

Yes, this is caused by the emulation callback returning an error code while
not emulating an exception and not setting the exception vector.
ctxt->exception.vector defaults to 0xff in the emulate instruction code
path.

Paolo Bonzini

Dec 11, 2017, 5:46:02 PM
to Tianyu Lan, Jim Mattson, Wanpeng Li, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
On 08/12/2017 09:28, Tianyu Lan wrote:
> I find this is a pop instruction emulation issue. According to "SDM VOL2,
> chapter INSTRUCTION SET REFERENCE. POP—Pop a Value from the Stack":
>
> Protected Mode Exceptions
> #GP(0) If attempt is made to load SS register with NULL segment selector.

This is not what the testcase is testing; this is already covered by
__load_segment_descriptor:

if (null_selector) {
if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
goto exception;

if (seg == VCPU_SREG_SS) {
if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
goto exception;
...
}

Is there a path that can return X86EMUL_PROPAGATE_FAULT without setting
ctxt->exception.vector and/or without going through emulate_exception?

I don't think it's possible to write a test in kvm-unit-tests, because the
state has "impossible" segment descriptor cache contents.

Paolo
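
As an added example (not code from KVM or from anyone in this thread), the following C model puts the two points raised above side by side: the null-selector rules Paolo quotes from __load_segment_descriptor(), including the one case where a null SS is legal, and the invariant behind the warning as Tianyu describes it, namely a X86EMUL_PROPAGATE_FAULT return that arrives with ctxt->exception.vector still at its 0xff default. The MODE_*/SEG_* enums, the ctxt struct and the helper functions are this example's own; the real-mode shortcut and the omitted descriptor-table checks are simplifications.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model, not KVM's code: the null-selector rules for a segment
 * register load and the "fault without a recorded vector" invariant that
 * the thread discusses.  All names here are the example's own. */

enum emul_mode { MODE_REAL, MODE_PROT32, MODE_PROT64 };
enum seg { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_TR };

#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 1
#define GP_VECTOR               13
#define VECTOR_UNSET            0xff   /* "no exception recorded yet" */

struct ctxt {
    enum emul_mode mode;
    unsigned cpl;
    struct { uint8_t vector; bool has_error_code; uint16_t error_code; } exception;
};

/* Per-instruction reset: the vector starts at the 0xff sentinel. */
static void ctxt_init(struct ctxt *c, enum emul_mode mode, unsigned cpl)
{
    *c = (struct ctxt){ .mode = mode, .cpl = cpl, .exception.vector = VECTOR_UNSET };
}

/* Every fault must be raised through here so the vector is always recorded. */
static int emulate_exception(struct ctxt *c, uint8_t vec, uint16_t err, bool has_err)
{
    c->exception.vector = vec;
    c->exception.has_error_code = has_err;
    c->exception.error_code = err;
    return X86EMUL_PROPAGATE_FAULT;
}

static int emulate_gp(struct ctxt *c, uint16_t err)
{
    return emulate_exception(c, GP_VECTOR, err, true);
}

/* Null-selector handling for a segment register load.  Selector values
 * 0..3 are null only in protected and long mode; in real mode selector 0
 * is an ordinary segment with base 0.  The descriptor-table lookup and the
 * type/privilege checks for a non-null selector are omitted here. */
static int load_segment_selector(struct ctxt *c, enum seg seg, uint16_t selector)
{
    bool null_selector = (selector & ~0x3u) == 0;
    unsigned rpl = selector & 3;

    if (c->mode == MODE_REAL || !null_selector)
        return X86EMUL_CONTINUE;

    /* CS and TR may never be loaded with a null selector: #GP(0). */
    if (seg == SEG_CS || seg == SEG_TR)
        return emulate_gp(c, 0);
    /* SS may be null only in 64-bit mode and only when RPL == CPL. */
    if (seg == SEG_SS && (c->mode != MODE_PROT64 || rpl != c->cpl))
        return emulate_gp(c, 0);
    /* DS/ES/FS/GS, and the permitted SS case: no fault, segment unusable. */
    return X86EMUL_CONTINUE;
}

/* The invariant behind the WARN in the report: a PROPAGATE_FAULT result is
 * only injectable if a real vector (0..0x1f) was recorded along with it. */
static bool fault_record_valid(const struct ctxt *c, int rc)
{
    return rc != X86EMUL_PROPAGATE_FAULT || c->exception.vector <= 0x1f;
}

/* Run one load on a fresh context: returns the recorded vector on a
 * fault, -1 when the load succeeded. */
static int load_result(enum emul_mode mode, unsigned cpl, enum seg seg, uint16_t sel)
{
    struct ctxt c;
    ctxt_init(&c, mode, cpl);
    if (load_segment_selector(&c, seg, sel) != X86EMUL_PROPAGATE_FAULT)
        return -1;
    return c.exception.vector;
}

/* Model of the callback Tianyu describes: it returns the fault code but
 * never goes through emulate_exception(), so the sentinel survives and the
 * result must be rejected rather than injected into the guest. */
static bool bare_fault_is_caught(void)
{
    struct ctxt c;
    ctxt_init(&c, MODE_PROT32, 0);
    int rc = X86EMUL_PROPAGATE_FAULT;      /* callback "forgot" to record a vector */
    return !fault_record_valid(&c, rc);
}

int main(void)
{
    printf("prot32 SS=0        -> %d\n", load_result(MODE_PROT32, 0, SEG_SS, 0));  /* 13: #GP */
    printf("prot64 SS=0, CPL0  -> %d\n", load_result(MODE_PROT64, 0, SEG_SS, 0));  /* -1: allowed */
    printf("prot64 SS=0, CPL3  -> %d\n", load_result(MODE_PROT64, 3, SEG_SS, 0));  /* 13: RPL != CPL */
    printf("prot32 DS=0        -> %d\n", load_result(MODE_PROT32, 0, SEG_DS, 0));  /* -1: allowed */
    printf("real   SS=0        -> %d\n", load_result(MODE_REAL, 0, SEG_SS, 0));    /* -1: not null */
    printf("bare fault caught  -> %s\n", bare_fault_is_caught() ? "yes" : "no");
    return 0;
}
```

The design point is the one Paolo's question implies: a result code that means "inject an exception" must be impossible to produce without also recording which exception, so in this model every fault goes through emulate_exception() and the sentinel check in fault_record_valid() is the safety net for any callback that bypasses it.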

Lan Tianyu

Dec 12, 2017, 4:00:14 AM
to Paolo Bonzini, Tianyu Lan, Jim Mattson, Wanpeng Li, Dmitry Vyukov, syzbot, H. Peter Anvin, kvm, linux-...@vger.kernel.org, Ingo Molnar, Radim Krcmar, syzkall...@googlegroups.com, Thomas Gleixner, the arch/x86 maintainers
On 2017-12-12 06:45, Paolo Bonzini wrote:
> On 08/12/2017 09:28, Tianyu Lan wrote:
>> I find this is a pop instruction emulation issue. According to "SDM VOL2,
>> chapter INSTRUCTION SET REFERENCE. POP—Pop a Value from the Stack":
>>
>> Protected Mode Exceptions
>> #GP(0) If attempt is made to load SS register with NULL segment selector.
>
> This is not what the testcase is testing; this is already covered by
> __load_segment_descriptor:
>
> if (null_selector) {
> if (seg == VCPU_SREG_CS || seg == VCPU_SREG_TR)
> goto exception;
>
> if (seg == VCPU_SREG_SS) {
> if (ctxt->mode != X86EMUL_MODE_PROT64 || rpl != cpl)
> goto exception;
> ...
> }

Yes, __load_segment_descriptor() does such a check. I find em_pop doesn't
load the SS segment. SS isn't loaded before calling em_pop in the test case.
Should this be fixed?

>
> Is there a path that can return X86EMUL_PROPAGATE_FAULT without setting
> ctxt->exception.vector and/or without going through emulate_exception?
>
> I don't think it's possible to write a test in kvm-unit-tests, because the
> state has "impossible" segment descriptor cache contents.

Sent out a fix patch for the issue. Please have a look. Thanks.
https://marc.info/?l=kvm&m=151306208214733&w=2

>
> Paolo
>
>> This test case hits it but the current code doesn't check such a case.
>> The following patch can fix the issue.
>>
>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
>> index abe74f7..e2ac5cc 100644
>> --- a/arch/x86/kvm/emulate.c
>> +++ b/arch/x86/kvm/emulate.c
>> @@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
>> int rc;
>> struct segmented_address addr;
>>
>> + if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
>> + return emulate_gp(ctxt, 0);
>> +
>> addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
>> addr.seg = VCPU_SREG_SS;
>> rc = segmented_read(ctxt, addr, dest, len);
>

