general protection fault in string


syzbot
Dec 1, 2017, 11:10:05 AM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzkaller hit the following crash on
a4f586bceda49b0e43a3606905582e5104052e4b
git://git.cmpxchg.org/linux-mmots.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.

Unfortunately, I don't have any reproducer for this bug yet.


netlink: 13 bytes leftover after parsing attributes in process
`syz-executor2'.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 7516 Comm: syz-executor0 Not tainted 4.15.0-rc1-mm1+ #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801c31e2280 task.stack: ffff8801c4160000
RIP: 0010:string+0xb4/0x200 lib/vsprintf.c:593
RSP: 0018:ffff8801c4167780 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: fffffffffffffffe RCX: ffffffff8513a70f
RDX: 000dccad8dce4e8e RSI: ffffc900017b6000 RDI: ffff8801c41677a0
RBP: ffff8801c41677d0 R08: ffffed0038e3604e R09: ffffed0038e3604e
R10: 0000000000000002 R11: ffffed0038e3604d R12: 006e656c6e727474
R13: 006e656c6e727473 R14: ffffffffffffffff R15: ffff8801c71b0269
FS: 00007f4511f06700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002097a000 CR3: 00000001c79b2000 CR4: 00000000001406f0
DR0: 0000000020000000 DR1: 0000000020001000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
vsnprintf+0x863/0x1900 lib/vsprintf.c:2184
seq_vprintf+0xe3/0x1a0 fs/seq_file.c:397
seq_printf+0xb3/0xe0 fs/seq_file.c:412
show_timer+0x1ee/0x2b0 fs/proc/base.c:2303
traverse+0x248/0xa00 fs/seq_file.c:111
seq_read+0x96a/0x13d0 fs/seq_file.c:189
do_loop_readv_writev fs/read_write.c:673 [inline]
do_iter_read+0x3db/0x5b0 fs/read_write.c:897
vfs_readv+0x121/0x1c0 fs/read_write.c:959
do_preadv+0x11b/0x1a0 fs/read_write.c:1043
SYSC_preadv fs/read_write.c:1093 [inline]
SyS_preadv+0x30/0x40 fs/read_write.c:1088
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007f4511f05c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 00000000004529d9
RDX: 0000000000000005 RSI: 0000000020c1bfb0 RDI: 0000000000000013
RBP: 00000000000000ae R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000056 R11: 0000000000000212 R12: 00000000006ee0f0
R13: 00000000ffffffff R14: 00007f4511f066d4 R15: 0000000000000000
Code: 01 00 00 e8 af 84 5c fc 4d 85 f6 0f 84 10 01 00 00 e8 a1 84 5c fc 4c
89 ea 48 b8 00 00 00 00 00 fc ff df 4d 8d 65 01 48 c1 ea 03 <0f> b6 04 02
4c 89 ea 83 e2 07 38 d0 7f 08 84 c0 0f 85 ec 00 00
RIP: string+0xb4/0x200 lib/vsprintf.c:593 RSP: ffff8801c4167780
---[ end trace 98c39d0e9bf0ccaa ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
config.txt
raw.log

syzbot
Dec 3, 2017, 12:10:02 AM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
syzkaller has found a reproducer for the following crash on
2db767d9889cef087149a5eaa35c1497671fa40f
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3075 Comm: syzkaller531375 Not tainted 4.15.0-rc1+ #205
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: 00000000523f1e90 task.stack: 00000000c2d38485
RIP: 0010:string+0xb4/0x200 lib/vsprintf.c:595
RSP: 0018:ffff8801cc637868 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: fffffffffffffffe RCX: ffffffff85135fbf
RDX: 06c7240eabebe406 RSI: 1ffff100398c6f01 RDI: ffff8801cc637888
RBP: ffff8801cc6378b8 R08: ffffed00398a5566 R09: ffffed00398a5566
R10: 0000000000000002 R11: ffffed00398a5565 R12: 363920755f5f2034
R13: 363920755f5f2033 R14: ffffffffffffffff R15: ffff8801cc52ab2a
FS: 0000000001a75880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000205e2ff0 CR3: 00000001cc470000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
vsnprintf+0x863/0x1900 lib/vsprintf.c:2282
seq_vprintf+0xe3/0x1a0 fs/seq_file.c:397
seq_printf+0xb3/0xe0 fs/seq_file.c:412
show_timer+0x1ee/0x2b0 fs/proc/base.c:2274
seq_read+0x385/0x13d0 fs/seq_file.c:234
do_loop_readv_writev fs/read_write.c:673 [inline]
do_iter_read+0x3db/0x5b0 fs/read_write.c:897
vfs_readv+0x121/0x1c0 fs/read_write.c:959
do_preadv+0x11b/0x1a0 fs/read_write.c:1043
SYSC_preadv fs/read_write.c:1093 [inline]
SyS_preadv+0x30/0x40 fs/read_write.c:1088
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x440149
RSP: 002b:00007fff96d72b08 EFLAGS: 00000213 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007fff96d72b10 RCX: 0000000000440149
RDX: 0000000000000001 RSI: 00000000205e2ff0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000011 R09: 65732f636f72702f
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a10
R13: 0000000000401aa0 R14: 0000000000000000 R15: 0000000000000000
Code: 01 00 00 e8 7f 98 5c fc 4d 85 f6 0f 84 10 01 00 00 e8 71 98 5c fc 4c
89 ea 48 b8 00 00 00 00 00 fc ff df 4d 8d 65 01 48 c1 ea 03 <0f> b6 04 02
4c 89 ea 83 e2 07 38 d0 7f 08 84 c0 0f 85 ec 00 00
RIP: string+0xb4/0x200 lib/vsprintf.c:595 RSP: ffff8801cc637868
---[ end trace 3570c98033660e3f ]---

config.txt
raw.log
repro.txt
repro.c

Eric Biggers
Dec 11, 2017, 6:03:09 PM
to syzbot, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, tg...@linutronix.de
[+Cc tg...@linutronix.de ]
The bug is that sys_timer_create() allows setting ->it_sigev_notify to almost
any value, but show_timer() assumes that it has one of a specific set of values.
Here's a simplified reproducer:

#include <fcntl.h>
#include <signal.h>
#include <time.h>
#include <unistd.h>

int main()
{
	/* sigev_notify is not one of SIGEV_SIGNAL/SIGEV_NONE/SIGEV_THREAD/
	 * SIGEV_THREAD_ID; the kernel accepted it anyway. */
	struct sigevent e = {
		.sigev_signo = 0x1c,
		.sigev_notify = 0x100000,
	};
	timer_t t;
	int fd;
	char buf[64];

	timer_create(CLOCK_MONOTONIC, &e, &t);

	/* show_timer() formats the stored notify value when this file is read. */
	fd = open("/proc/self/timers", O_RDONLY);

	read(fd, buf, sizeof(buf));
	return 0;
}

I wonder if anything would break if we made sys_timer_create() return -EINVAL
for unrecognized values of sigev_notify? That's what it *should* do, but it
seems to be the classic "unchecked flags" bug, yet again...

Eric

Eric Biggers
Dec 11, 2017, 6:11:32 PM
to syzbot, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk, tg...@linutronix.de
On Mon, Dec 11, 2017 at 03:03:05PM -0800, Eric Biggers wrote:
>
> The bug is that sys_timer_create() allows setting ->it_sigev_notify to almost
> any value, but show_timer() assumes that it has one of a specific set of values.
> Here's a simplified reproducer:
>
> #include <fcntl.h>
> #include <signal.h>
> #include <time.h>
> #include <unistd.h>
>
> int main()
> {
> struct sigevent e = {
> .sigev_signo = 0x1c,
> .sigev_notify = 0x100000,
> };
> timer_t t;
> int fd;
> char buf[64];
>
> timer_create(CLOCK_MONOTONIC, &e, &t);
>
> fd = open("/proc/self/timers", O_RDONLY);
>
> read(fd, buf, sizeof(buf));
> }
>
> I wonder if anything would break if we made sys_timer_create() return -EINVAL
> for unrecognized values of sigev_notify? That's what it *should* do, but it
> seems to be the classic "unchecked flags" bug, yet again...
>

Ah, I see that this was previously reported and a fix was already sent out
(https://marc.info/?l=linux-kernel&m=151204669103208&w=2). Let's mark this
report as a duplicate:

#syz dup: general protection fault in show_timer

Thomas Gleixner
Dec 12, 2017, 12:11:11 PM
to Eric Biggers, syzbot, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
So this is the 5th time this comes up and I sent a patch the first time. No
answer since then, just more repeating reports.

https://marc.info/?l=linux-kernel&m=151204669103208&w=2

Thanks,

tglx

Eric Biggers
Dec 12, 2017, 12:58:51 PM
to Thomas Gleixner, syzbot, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Tue, Dec 12, 2017 at 06:11:09PM +0100, Thomas Gleixner wrote:
> >
> > I wonder if anything would break if we made sys_timer_create() return -EINVAL
> > for unrecognized values of sigev_notify? That's what it *should* do, but it
> > seems to be the classic "unchecked flags" bug, yet again...
>
> So this is the 5th time this comes up and I sent a patch the first time. No
> answer since then, just more repeating reports.
>
> https://marc.info/?l=linux-kernel&m=151204669103208&w=2
>
> Thanks,
>
> tglx

Are you expecting an answer from syzbot? It is just a bot so it cannot review
or apply patches. There is a way to ask it to test a patch (see
https://github.com/google/syzkaller/blob/master/docs/syzbot.md) though it only
works for bugs with reproducers, and when fixing bugs I've personally found it
easier (and often necessary to debug the problem in the first place) to just run
the reproducer myself. Note that syzbot *did* provide a C reproducer for this
report, and also a C reproducer for the original report after a short delay, so
you could run those as well as my simplified reproducer to verify the bug is
fixed -- though given my investigation your patch very likely does fix the bug.

Keep in mind that you can't expect that a human "behind the scenes" will quickly
step in and help review/test the fixes for syzbot bugs either. Ideally that
*would* happen, but there are simply too many open bugs (200+) and syzbot is
operated primarily by just one person, Dmitry Vyukov. I've been helping out
with some bugs I am interested in and I will get to as many as I can but there
are far too many for even 2 people. So the community needs to help out. Again,
see the docs at https://github.com/google/syzkaller/blob/master/docs/syzbot.md
for how to communicate with the bot and tell it when a bug is a dup, when a bug
is fixed, or how to test a patch, etc.

Eric