Hello,
syzbot found the following issue on:
HEAD commit: a1ed62b580c9 x509_vfy: another function pointer argument c..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=14b89b56580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=bad63ef5afb1c6f01fd5
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fbc0e1228757/disk-a1ed62b5.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/d44187b5d09a/bsd-a1ed62b5.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0f1c7b6d8c3c/kernel-a1ed62b5.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bad63e...@syzkaller.appspotmail.com
Stopped at savectx+0xae: movl $0,%gs:0x688
TID PID UID PRFLAGS PFLAGS CPU COMMAND
* 49849 95940 0 0x2 0 0 arp
431878 92294 0 0 0x4000000 1K syz-executor
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7f376a02e688, count: 14
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports. Insufficient info makes it difficult to find and fix bugs.
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu1: uvm_fault(0xfffff0006c4a57b0, 0x98, 0, 1) -> e
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7f376a02e688, count: -1
ddb{0}> show registers
rdi 0
rsi 0
rbp 0xffff80002a370090
rbx 0
rdx 0
rcx 0xffff80003c3bfcb0
rax 0x3b
r8 0xffff80002a36ffc0
r9 0xffff80002a36fca0
r10 0x349d0980fdc201e8
r11 0x9a380b0463be365d
r12 0
r13 0
r14 0xffff80003c3bfcb0
r15 0
rip 0xffffffff821503ee savectx+0xae
cs 0x8
rflags 0x46
rsp 0xffff80002a370010
ss 0x10
savectx+0xae: movl $0,%gs:0x688
ddb{0}> show proc
PROC (arp) tid=49849 pid=95940 tcnt=1 stat=onproc
flags process=2<EXEC> proc=0
runpri=80, usrpri=80, slppri=32, nice=20
wchan=0x0, wmesg=, ps_single=0x0 scnt=0 ecnt=0
forw=0xffffffffffffffff, list=0xffff80003c3be2c0,0xffff80003c3be568
process=0xffff80003c3c26a0 user=0xffff80002a36b000, vmspace=0xfffff0006d03a7a8
estcpu=36, cpticks=1, pctcpu=0.0, user=0, sys=1, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
72135 334141 8141 0 2 0 syz-executor
72135 206406 8141 0 2 0x4000000 syz-executor
72135 288961 8141 0 2 0x4000000 syz-executor
*95940 49849 58788 0 7 0x2 arp
58788 355998 94613 0 3 0x10008a sigsusp sh
73033 417840 24282 0 2 0 syz-executor
73033 383358 24282 0 3 0x4000080 fsleep syz-executor
92294 347164 44480 0 2 0 syz-executor
92294 431878 44480 0 7 0x4000000 syz-executor
36418 71385 66766 0 2 0 syz-executor
36418 103330 66766 0 3 0x4000080 fsleep syz-executor
36418 483507 66766 0 3 0x4000080 fsleep syz-executor
36418 22055 66766 0 3 0x4000080 fsleep syz-executor
4306 134081 64857 0 2 0 syz-executor
4306 499383 64857 0 3 0x4000080 fsleep syz-executor
4306 128419 64857 0 3 0x4000080 fsleep syz-executor
98287 496540 48885 0 2 0 syz-executor
98287 152622 48885 0 3 0x4000080 fsleep syz-executor
98287 75983 48885 0 3 0x4000080 fsleep syz-executor
94613 320960 63322 0 3 0x82 wait syz-executor
48885 75611 63322 0 3 0x82 nanoslp syz-executor
61077 463503 65348 0 3 0x100082 sbwait arp
65348 94782 70223 0 3 0x10008a sigsusp sh
66766 353101 63322 0 3 0x82 nanoslp syz-executor
8141 150051 63322 0 3 0x82 nanoslp syz-executor
44480 504574 63322 0 3 0x82 nanoslp syz-executor
24282 406971 63322 0 3 0x82 nanoslp syz-executor
64857 464067 63322 0 3 0x82 nanoslp syz-executor
70223 471483 63322 0 3 0x82 wait syz-executor
63322 150659 1 0 3 0x82 kqread syz-executor
35304 198789 0 0 3 0x14200 bored smr
29482 146410 0 0 2 0x14200 zerothread
32959 436915 0 0 3 0x14200 aiodoned aiodoned
25158 41756 0 0 3 0x14200 syncer update
97401 263451 0 0 3 0x14200 cleaner cleaner
6542 83574 0 0 3 0x14200 reaper reaper
29468 173504 0 0 3 0x14200 pgdaemon pagedaemon
5733 415836 0 0 3 0x14200 bored viomb
32669 195793 0 0 3 0x40014200 acpi0 acpi0
6439 40527 0 0 3 0x40014200 idle1
81975 369503 0 0 3 0x14200 bored softnet1
25771 473180 0 0 3 0x14200 bored softnet0
92963 69268 0 0 3 0x14200 bored systqmp
60330 333892 0 0 3 0x14200 bored systq
65884 40772 0 0 3 0x14200 tmoslp softclockmp
4802 118806 0 0 3 0x40014200 tmoslp softclock
4923 523322 0 0 3 0x40014200 idle0
1 43976 0 0 3 0x10000082 nanoslp init
0 0 -1 0 3 0x10010200 scheduler swapper
ddb{0}> show all locks
Process 95940 (arp) thread 0xffff80003c3bfcb0 (49849)
exclusive rwlock kmmaplk r = 0 (0xffffffff83b2e2f0)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 vm_map_lock_ln+0x12e sys/uvm/uvm_map.c:5171
#3 uvm_map_extract+0x5c7 sys/uvm/uvm_map.c:4278
#4 sys_kbind+0x6e4 sys/uvm/uvm_mmap.c:1279
#5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#6 Xsyscall+0x128
exclusive rwlock vmmaplk r = 0 (0xfffff0006d03a8a8)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 rw_do_enter_write+0x419 sys/kern/kern_rwlock.c:320
#2 vm_map_lock_ln+0x12e sys/uvm/uvm_map.c:5171
#3 uvm_map_extract+0x17c sys/uvm/uvm_map.c:4242
#4 sys_kbind+0x6e4 sys/uvm/uvm_mmap.c:1279
#5 syscall+0xbd4 mi_syscall sys/sys/syscall_mi.h:176 [inline]
#5 syscall+0xbd4 sys/arch/amd64/amd64/trap.c:783
#6 Xsyscall+0x128
Process 92294 (syz-executor) thread 0xffff807ffffe6a80 (431878)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff83b0b900)
#0 witness_lock+0x5f1 stacktrace_save sys/sys/stacktrace.h:37 [inline]
#0 witness_lock+0x5f1 sys/kern/subr_witness.c:1160
#1 syscall+0xaf4 mi_syscall sys/sys/syscall_mi.h:175 [inline]
#1 syscall+0xaf4 sys/arch/amd64/amd64/trap.c:783
#2 Xsyscall+0x128
ddb{0}> show malloc
Type InUse MemUse HighUse Limit Requests Type Lim
devbuf 11049 12088K 12279K 166960K 12374 0
pcb 17 14K 16K 166960K 121 0
rtable 198 7K 8K 166960K 644 0
pf 33 17K 24K 166960K 111 0
ifaddr 35 5K 7K 166960K 92 0
ifgroup 51 2K 2K 166960K 125 0
sysctl 3 1K 9K 166960K 8 0
counters 68 36K 37K 166960K 110 0
ioctlops 0 0K 4K 166960K 1527 0
iov 0 0K 12K 166960K 6 0
mount 1 1K 1K 166960K 1 0
log 1 0K 0K 166960K 5 0
vnodes 1395 88K 88K 166960K 1668 0
UFS quota 1 32K 32K 166960K 1 0
UFS mount 5 36K 36K 166960K 5 0
shm 2 1K 5K 166960K 10 0
VM map 2 1K 1K 166960K 2 0
sem 5 0K 0K 166960K 8 0
dirhash 12 2K 2K 166960K 12 0
ACPI 1692 195K 286K 166960K 12470 0
file desc 19 73K 93K 166960K 424 0
sigio 0 0K 0K 166960K 65 0
proc 12 17K 164K 166960K 836 0
subproc 72 4K 4K 166960K 162 0
NFS srvsock 1 0K 0K 166960K 1 0
NFS daemon 1 16K 16K 166960K 1 0
ip_moptions 0 0K 0K 166960K 14 0
in_multi 68 5K 6K 166960K 189 0
ether_multi 1 0K 0K 166960K 1 0
mrt 0 0K 0K 166960K 10 0
ISOFS mount 1 32K 32K 166960K 1 0
MSDOSFS mount 1 16K 16K 166960K 1 0
ttys 55 254K 254K 166960K 55 0
exec 0 0K 1K 166960K 537 0
fusefs mount 1 32K 32K 166960K 1 0
tdb 3 0K 0K 166960K 3 0
VM swap 8 62K 64K 166960K 10 0
UVM amap 136 81K 180K 166960K 5288 0
UVM aobj 131 4K 4K 166960K 132 0
pinsyscall 22 44K 108K 166960K 1862 0
memdesc 1 4K 4K 166960K 1 0
crypto data 1 1K 1K 166960K 1 0
ip6_options 0 0K 0K 166960K 6 0
NDP 11 0K 1K 166960K 63 0
temp 73 9127K 9154K 166960K 14256 0
kqueue 1 2K 24K 166960K 52 0
SYN cache 2 16K 16K 166960K 2 0
ddb{0}> show all pools
Name Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache 128 26 0 0 1 0 1 1 0 8 0
rtpcb 120 57 0 56 1 0 1 1 0 8 0
rtentry 176 209 0 124 5 0 5 5 0 8 0
unpcb 144 233 0 231 6 1 5 6 0 8 4
syncache 336 7 0 7 1 0 1 1 0 8 1
tcpcb 736 106 0 105 7 0 7 7 0 8 6
arp 136 37 0 22 1 0 1 1 0 8 0
inpcb 328 349 0 347 7 0 7 7 0 8 6
nd6 152 49 0 34 1 0 1 1 0 8 0
pkpcb 40 1 0 1 1 0 1 1 0 8 1
kcovpl 48 18 0 10 1 0 1 1 0 8 0
ppxss 1192 6 0 6 1 0 1 1 0 8 1
pfstscr 40 4 0 2 1 0 1 1 0 8 0
pffrag 232 1 0 1 1 0 1 1 0 482 1
pffrnode 88 1 0 1 1 0 1 1 0 8 1
pffrent 40 2 0 2 1 0 1 1 0 8 1
pfosfp 40 1428 0 1005 5 0 5 5 0 8 0
pfosfpen 112 1428 0 714 21 0 21 21 0 8 0
pfrktable 1344 1 0 0 1 0 1 1 0 8 0
pfsrclim 320 1 0 1 1 0 1 1 0 8 1
pfanchor 1288 4 0 0 1 0 1 1 0 8 0
pftag 88 1 0 0 1 0 1 1 0 8 0
pfstitem 24 32 0 0 1 0 1 1 0 8 0
pfstkey 128 34 0 2 2 0 2 2 0 8 0
pfstate 448 32 0 1 4 0 4 4 0 8 0
pfrule 1360 22 0 16 2 1 1 2 0 8 0
rttmr 136 1 0 1 1 1 0 1 0 8 0
art_heap8 4096 2 0 0 2 0 2 2 0 8 0
art_heap4 256 840 0 504 27 0 27 27 0 8 3
art_table 40 842 0 504 5 0 5 5 0 8 0
art_node 32 209 0 131 1 0 1 1 0 8 0
semapl 72 4 0 1 1 0 1 1 0 8 0
shmpl 112 129 0 1 4 0 4 4 0 8 0
dirhash 1024 17 0 0 3 0 3 3 0 8 0
dino2pl 256 1847 0 349 94 0 94 94 0 8 0
ffsino 296 1847 0 349 116 0 116 116 0 8 0
nchpl 144 2219 0 477 65 0 65 65 0 8 0
vnodes 216 2195 0 0 122 0 122 122 0 8 0
namei 1024 7854 0 7854 3 0 3 3 0 8 3
percpumem 16 70 0 21 1 0 1 1 0 8 0
kstatmem 264 65 0 40 3 0 3 3 0 8 1
scsiplug 72 1 0 1 1 0 1 1 0 8 1
scxspl 216 9133 0 9133 4 3 1 3 1 8 1
plimitpl 152 54 0 37 1 0 1 1 0 8 0
sigapl 424 733 0 683 7 1 6 7 0 8 0
knotepl 120 301 0 0 10 0 10 10 0 8 0
kqueuepl 224 58 0 57 1 0 1 1 0 8 0
pipepl 344 172 0 145 3 0 3 3 0 8 0
fdescpl 528 716 0 695 3 0 3 3 0 8 0
filepl 160 3013 0 2786 18 2 16 18 0 8 6
lockfpl 104 124 0 90 1 0 1 1 0 8 0
lockfspl 48 76 0 42 1 0 1 1 0 8 0
sessionpl 144 39 0 30 1 0 1 1 0 8 0
pgrppl 48 58 0 41 1 0 1 1 0 8 0
ucredpl 104 221 0 208 1 0 1 1 0 8 0
zombiepl 144 696 0 683 1 0 1 1 0 8 0
processpl 1232 733 0 683 5 1 4 5 0 8 0
procpl 664 991 0 930 6 0 6 6 0 8 0
sosppl 176 1 0 1 1 0 1 1 0 8 1
sockpl 752 644 0 639 24 14 10 24 0 8 8
mcl64k 65536 3 0 0 1 0 1 1 0 8 0
mcl16k 16384 1 0 0 1 0 1 1 0 8 0
mcl9k128 9344 1 0 0 1 0 1 1 0 8 0
mcl8k 8192 2 0 0 1 0 1 1 0 8 0
mcl4k 4096 124 0 0 16 0 16 16 0 8 0
mcl2k 2048 29 0 0 4 0 4 4 0 8 0
mtagpl 96 5 0 0 1 0 1 1 0 8 0
mbufpl 256 220 0 0 14 0 14 14 0 8 0
bufpl 272 4228 0 106 275 0 275 275 0 8 0
anonpl 32 7904 0 0 64 0 64 64 0 115 0
amapchunkpl 152 14865 0 14523 26 0 26 26 0 158 11
amappl16 200 1871 0 1855 15 5 10 15 0 8 8
amappl15 192 21 0 21 1 1 0 1 0 8 0
amappl14 184 550 0 547 1 0 1 1 0 8 0
amappl13 176 203 0 201 1 0 1 1 0 8 0
amappl12 168 1053 0 1034 2 0 2 2 0 8 0
amappl11 160 3 0 3 1 1 0 1 0 8 0
amappl10 152 73 0 73 1 0 1 1 0 8 1
amappl9 144 318 0 318 1 1 0 1 0 8 0
amappl8 136 143 0 143 1 0 1 1 0 8 1
amappl7 128 166 0 163 1 0 1 1 0 8 0
amappl6 120 250 0 248 1 0 1 1 0 8 0
amappl5 112 103 0 103 1 0 1 1 0 8 1
amappl4 104 346 0 343 1 0 1 1 0 8 0
amappl3 96 2852 0 2772 4 0 4 4 0 8 1
amappl2 88 645 0 635 2 0 2 2 0 8 0
amappl1 80 12893 0 12749 17 2 15 17 0 8 8
amappl 88 4297 0 4181 4 0 4 4 0 92 1
uvmvnodes 80 108 0 0 3 0 3 3 0 8 0
dma4096 4096 1 0 1 1 1 0 1 0 8 0
dma1024 1024 1 0 0 1 0 1 1 0 8 0
dma256 256 6 0 6 1 1 0 1 0 8 0
dma128 128 253 0 253 1 1 0 1 0 8 0
dma64 64 7 0 7 2 1 1 1 0 8 1
dma32 32 7 0 7 1 1 0 1 0 8 0
dma16 16 18 0 17 1 0 1 1 0 8 0
aobjpl 72 131 0 1 3 0 3 3 0 8 0
uaddrrnd 24 716 0 695 1 0 1 1 0 8 0
uaddrbest 32 2 0 0 1 0 1 1 0 8 0
uaddr 24 716 0 695 1 0 1 1 0 8 0
vmmpekpl 168 7716 0 7677 3 0 3 3 0 8 0
vmmpepl 168 55573 0 54698 99 0 99 99 0 357 57
vmsppl 488 715 0 695 5 0 5 5 0 8 1
rwobjpl 80 18939 0 18355 30 1 29 29 0 8 6
pdppl 4096 1439 0 1390 113 64 49 85 0 8 0
pvpl 32 15915 0 0 129 0 129 129 0 265 0
pmappl 256 715 0 695 3 0 3 3 0 8 0
extentpl 40 45 0 27 1 0 1 1 0 8 0
phpool 112 574 0 67 15 0 15 15 0 8 0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
savectx() at savectx+0xae
end of kernel
end trace frame: 0x7f376a02e688, count: -1
ddb{0}> machine ddbcpu 1
Stopped at x86_ipi_db+0x27: addq $0x8,%rsp
x86_ipi_db(ffff80002998dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:670
comcnputc(800,75) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1671 [inline]
comcnputc(800,75) at comcnputc+0x250 sys/dev/ic/com.c:1274
cnputc(75) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(75) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff834ace1c) at db_printf+0x9b sys/kern/subr_prf.c:-1
db_ktrap(6,0,ffff80002a364090) at db_ktrap+0x1b6 db_printtrap sys/arch/amd64/amd64/db_interface.c:103 [inline]
db_ktrap(6,0,ffff80002a364090) at db_ktrap+0x1b6 sys/arch/amd64/amd64/db_interface.c:128
kerntrap(ffff80002a364090) at kerntrap+0x243 sys/arch/amd64/amd64/trap.c:519
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
dovutimens(ffff807ffffe6a80,fffff0006abc96e0,ffff80002a364270) at dovutimens+0x368 sys/kern/vfs_syscalls.c:2690
sys_futimes(ffff807ffffe6a80,ffff80002a3643c0,ffff80002a364310) at sys_futimes+0x208 sys/kern/vfs_syscalls.c:2732
end trace frame: 0xffff80002a3643b0, count: 0
ddb{1}> trace
x86_ipi_db(ffff80002998dff0) at x86_ipi_db+0x27 sys/arch/amd64/amd64/db_interface.c:394
x86_ipi_handler() at x86_ipi_handler+0xd9 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x27
x86_bus_space_io_read_1(3f8,5) at x86_bus_space_io_read_1+0x37 sys/arch/amd64/amd64/bus_space.c:670
comcnputc(800,75) at comcnputc+0x250 comcn_read_reg sys/dev/ic/com.c:1671 [inline]
comcnputc(800,75) at comcnputc+0x250 sys/dev/ic/com.c:1274
cnputc(75) at cnputc+0x67 sys/dev/cons.c:218
db_putchar(75) at db_putchar+0x36d sys/ddb/db_output.c:155
kprintf() at kprintf+0x29c5 sys/kern/subr_prf.c:-1
db_printf(ffffffff834ace1c) at db_printf+0x9b sys/kern/subr_prf.c:-1
db_ktrap(6,0,ffff80002a364090) at db_ktrap+0x1b6 db_printtrap sys/arch/amd64/amd64/db_interface.c:103 [inline]
db_ktrap(6,0,ffff80002a364090) at db_ktrap+0x1b6 sys/arch/amd64/amd64/db_interface.c:128
kerntrap(ffff80002a364090) at kerntrap+0x243 sys/arch/amd64/amd64/trap.c:519
alltraps_kern_meltdown() at alltraps_kern_meltdown+0x7b
dovutimens(ffff807ffffe6a80,fffff0006abc96e0,ffff80002a364270) at dovutimens+0x368 sys/kern/vfs_syscalls.c:2690
sys_futimes(ffff807ffffe6a80,ffff80002a3643c0,ffff80002a364310) at sys_futimes+0x208 sys/kern/vfs_syscalls.c:2732
syscall(ffff80002a3643c0) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a3643c0) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:783
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x9f0b9bfc7e0, count: -16
ddb{1}>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup