general protection fault in sidtab_search_core
27 views
Skip to first unread message
syzbot
Dec 1, 2017, 6:18:04 AM12/1/17
to elf...@users.sourceforge.net, epa...@parisplace.org, gre...@linuxfoundation.org, james.l...@oracle.com, kste...@linuxfoundation.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, pa...@paul-moore.com, pombr...@nexb.com, s...@tycho.nsa.gov, sel...@tycho.nsa.gov, se...@hallyn.com, syzkall...@googlegroups.com
Hello,
syzkaller hit the following crash on
df8ba95c572a187ed2aa7403e97a7a7f58c01f00
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 15182 Comm: syz-executor7 Not tainted 4.15.0-rc1+ #202
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: 0000000054c6e393 task.stack: 0000000075c5eb31
RIP: 0010:sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88
RSP: 0018:ffff8801cb68fa10 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: ffffffff8220835d
RDX: 0000000000000001 RSI: ffffc90001d69000 RDI: ffffffff874c5180
RBP: ffff8801cb68fa40 R08: ffffffff86feb5b0 R09: 000000000000277c
R10: 0000000000000000 R11: ffffffff87489d60 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS: 00007fcddd18f700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b9bc22000 CR3: 00000001c3206000 CR4: 00000000001426f0
Call Trace:
sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111
security_bounded_transition+0xa8/0x4d0 security/selinux/ss/services.c:873
selinux_setprocattr+0x8d0/0xb50 security/selinux/hooks.c:6042
security_setprocattr+0x85/0xc0 security/security.c:1264
proc_pid_attr_write+0x1e6/0x280 fs/proc/base.c:2545
__vfs_write+0xef/0x970 fs/read_write.c:480
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fcddd18ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fcddd18e950 RCX: 00000000004529d9
RDX: 0000000000000008 RSI: 00000000209d9ff8 RDI: 0000000000000013
RBP: 00007fcddd18e940 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7354
R13: 00007fcddd18eac8 R14: 00000000004b7366 R15: 0000000000000000
Code: ea 03 41 83 e4 7f 80 3c 02 00 0f 85 7d 02 00 00 4c 8b 33 4d 63 e4 48
b8 00 00 00 00 00 fc ff df 4b 8d 1c e6 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 41 02 00 00 48 8b 1b 48 85 db 0f 84 8b 00 00
RIP: sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88 RSP:
ffff8801cb68fa10
---[ end trace 5954c73403821112 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller hit the following crash on
df8ba95c572a187ed2aa7403e97a7a7f58c01f00
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
Unfortunately, I don't have any reproducer for this bug yet.
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 15182 Comm: syz-executor7 Not tainted 4.15.0-rc1+ #202
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: 0000000054c6e393 task.stack: 0000000075c5eb31
RIP: 0010:sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88
RSP: 0018:ffff8801cb68fa10 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: ffffffff8220835d
RDX: 0000000000000001 RSI: ffffc90001d69000 RDI: ffffffff874c5180
RBP: ffff8801cb68fa40 R08: ffffffff86feb5b0 R09: 000000000000277c
R10: 0000000000000000 R11: ffffffff87489d60 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS: 00007fcddd18f700(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b9bc22000 CR3: 00000001c3206000 CR4: 00000000001426f0
Call Trace:
sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111
security_bounded_transition+0xa8/0x4d0 security/selinux/ss/services.c:873
selinux_setprocattr+0x8d0/0xb50 security/selinux/hooks.c:6042
security_setprocattr+0x85/0xc0 security/security.c:1264
proc_pid_attr_write+0x1e6/0x280 fs/proc/base.c:2545
__vfs_write+0xef/0x970 fs/read_write.c:480
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fcddd18ec58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fcddd18e950 RCX: 00000000004529d9
RDX: 0000000000000008 RSI: 00000000209d9ff8 RDI: 0000000000000013
RBP: 00007fcddd18e940 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7354
R13: 00007fcddd18eac8 R14: 00000000004b7366 R15: 0000000000000000
Code: ea 03 41 83 e4 7f 80 3c 02 00 0f 85 7d 02 00 00 4c 8b 33 4d 63 e4 48
b8 00 00 00 00 00 fc ff df 4b 8d 1c e6 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 41 02 00 00 48 8b 1b 48 85 db 0f 84 8b 00 00
RIP: sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88 RSP:
ffff8801cb68fa10
---[ end trace 5954c73403821112 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzk...@googlegroups.com.
Please credit me with: Reported-by: syzbot <syzk...@googlegroups.com>
syzbot will keep track of this bug report.
Once a fix for this bug is committed, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzbot
Dec 1, 2017, 12:17:02 PM12/1/17
to elf...@users.sourceforge.net, epa...@parisplace.org, gre...@linuxfoundation.org, james.l...@oracle.com, kste...@linuxfoundation.org, linux-...@vger.kernel.org, linux-secu...@vger.kernel.org, pa...@paul-moore.com, pombr...@nexb.com, s...@tycho.nsa.gov, sel...@tycho.nsa.gov, se...@hallyn.com, syzkall...@googlegroups.com, tg...@linutronix.de
syzkaller has found reproducer for the following crash on
fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
for information about syzkaller reproducers
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3103 Comm: syz-executor0 Not tainted 4.15.0-rc1-next-20171201+
#57
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: ffffffff8220ea3d
RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffffffff874c8180
RBP: ffff8801cd787a40 R08: 0000000000000003 R09: 1ffffffff0d6b133
R10: 0000000000000000 R11: ffffffff8748cd60 R12: 0000000000000001
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
security_setprocattr+0x85/0xc0 security/security.c:1264
proc_pid_attr_write+0x1e6/0x280 fs/proc/base.c:2574
RAX: ffffffffffffffda RBX: 00007fb263af2950 RCX: 00000000004529d9
RDX: 0000000000000008 RSI: 000000002035aff8 RDI: 0000000000000000
RBP: 00007fb263af2940 R08: 0000000000000000 R09: 0000000000000000
---[ end trace 397f06d7cf81ebbc ]---
fb20eb9d798d2f4c1a75b7fe981d72dfa8d7270d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
.config is attached
Raw console output is attached.
for information about syzkaller reproducers
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
#57
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: 00000000f08f89c8 task.stack: 00000000db97cdc4
Google 01/01/2011
RIP: 0010:sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88
RSP: 0018:ffff8801cd787a10 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000008 RCX: ffffffff8220ea3d
RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffffffff874c8180
RBP: ffff8801cd787a40 R08: 0000000000000003 R09: 1ffffffff0d6b133
R10: 0000000000000000 R11: ffffffff8748cd60 R12: 0000000000000001
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS: 00007fb263af3700(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004d5638 CR3: 00000001cf30e000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111
security_bounded_transition+0xa8/0x4d0 security/selinux/ss/services.c:873
selinux_setprocattr+0x8d0/0xb50 security/selinux/hooks.c:6043
sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111
security_bounded_transition+0xa8/0x4d0 security/selinux/ss/services.c:873
security_setprocattr+0x85/0xc0 security/security.c:1264
proc_pid_attr_write+0x1e6/0x280 fs/proc/base.c:2574
__vfs_write+0xef/0x970 fs/read_write.c:480
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RSP: 002b:00007fb263af2c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
vfs_write+0x18f/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x4529d9
RAX: ffffffffffffffda RBX: 00007fb263af2950 RCX: 00000000004529d9
RDX: 0000000000000008 RSI: 000000002035aff8 RDI: 0000000000000000
RBP: 00007fb263af2940 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7354
R13: 00007fb263af2ac8 R14: 00000000004b7366 R15: 0000000000000000
Code: ea 03 41 83 e4 7f 80 3c 02 00 0f 85 7d 02 00 00 4c 8b 33 4d 63 e4 48
b8 00 00 00 00 00 fc ff df 4b 8d 1c e6 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 41 02 00 00 48 8b 1b 48 85 db 0f 84 8b 00 00
RIP: sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88 RSP:
ffff8801cd787a10
b8 00 00 00 00 00 fc ff df 4b 8d 1c e6 48 89 da 48 c1 ea 03 <80> 3c 02 00
0f 85 41 02 00 00 48 8b 1b 48 85 db 0f 84 8b 00 00
RIP: sidtab_search_core+0x6a/0x320 security/selinux/ss/sidtab.c:88 RSP:
---[ end trace 397f06d7cf81ebbc ]---
Paul Moore
Dec 7, 2017, 11:03:17 AM12/7/17
to syzbot, syzkall...@googlegroups.com
#syz fix: selinux: skip bounded transition processing if the policy isn't loaded
--
paul moore
www.paul-moore.com
--
paul moore
www.paul-moore.com
Reply all
Reply to author
Forward
0 new messages