Re: BUG: unable to handle kernel paging request in check_memory_region
From: Daniel Borkmann <daniel@iogearbox.net>
Date: 2018-01-14 00:22:18
Also in:
lkml
On 01/13/2018 08:29 AM, Dmitry Vyukov wrote:
On Fri, Jan 12, 2018 at 11:58 PM, syzbot [off-list ref] wrote:quoted
Hello, syzkaller hit the following crash on c92a9a461dff6140c539c61e457aa97df29517d6 git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master compiler: gcc (GCC) 7.1.1 20170620 .config is attached Raw console output is attached. C reproducer is attached syzkaller reproducer is attached. See https://goo.gl/kgGztJ for information about syzkaller reproducers IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+32b24f3e7c9000c48490@syzkaller.appspotmail.com It will help syzbot understand when the bug is fixed. See footer for details. If you forward the report, please keep this part and the footer.Daniel, is it the same bug that was fixed by "bpf, array: fix overflow in max_entries and undefined behavior in index_mask"?
And also here, fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1
quoted
audit: type=1400 audit(1515790631.378:9): avc: denied { sys_chroot } for pid=3510 comm="syzkaller602893" capability=18 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 BUG: unable to handle kernel paging request at ffffed004e875e33 IP: bytes_is_nonzero mm/kasan/kasan.c:166 [inline] IP: memory_is_nonzero mm/kasan/kasan.c:184 [inline] IP: memory_is_poisoned_n mm/kasan/kasan.c:210 [inline] IP: memory_is_poisoned mm/kasan/kasan.c:241 [inline] IP: check_memory_region_inline mm/kasan/kasan.c:257 [inline] IP: check_memory_region+0x61/0x190 mm/kasan/kasan.c:267 PGD 21ffee067 P4D 21ffee067 PUD 21ffec067 PMD 0 Oops: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 3510 Comm: syzkaller602893 Not tainted 4.15.0-rc7+ #259 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bytes_is_nonzero mm/kasan/kasan.c:166 [inline] RIP: 0010:memory_is_nonzero mm/kasan/kasan.c:184 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/kasan.c:210 [inline] RIP: 0010:memory_is_poisoned mm/kasan/kasan.c:241 [inline] RIP: 0010:check_memory_region_inline mm/kasan/kasan.c:257 [inline] RIP: 0010:check_memory_region+0x61/0x190 mm/kasan/kasan.c:267 RSP: 0018:ffff8801bfa77770 EFLAGS: 00010202 RAX: ffffed004e875e33 RBX: ffff8802743af19b RCX: ffffffff817deb1c RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8802743af198 RBP: ffff8801bfa77780 R08: 1ffff1004e875e33 R09: ffffed004e875e33 R10: 0000000000000001 R11: ffffed004e875e33 R12: ffffed004e875e34 R13: ffff8802743af198 R14: ffff8801bfc9f000 R15: ffff8801c135a680 FS: 0000000001a1d880(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffed004e875e33 CR3: 00000001bfe22003 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: memcpy+0x23/0x50 mm/kasan/kasan.c:302 memcpy include/linux/string.h:344 [inline] map_lookup_elem+0x4dc/0xbd0 kernel/bpf/syscall.c:584 SYSC_bpf kernel/bpf/syscall.c:1711 [inline] SyS_bpf+0x922/0x4400 kernel/bpf/syscall.c:1685 entry_SYSCALL_64_fastpath+0x23/0x9a RIP: 0033:0x440ac9 RSP: 002b:00000000007dff68 EFLAGS: 00000203 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000440ac9 RDX: 0000000000000018 RSI: 0000000020eed000 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000203 R12: 00000000004022a0 R13: 0000000000402330 R14: 0000000000000000 R15: 0000000000000000 Code: 89 f8 49 c1 e8 03 49 89 db 49 c1 eb 03 4d 01 cb 4d 01 c1 4d 8d 63 01 4c 89 c8 4d 89 e2 4d 29 ca 49 83 fa 10 7f 3d 4d 85 d2 74 33 <41> 80 39 00 75 21 48 b8 01 00 00 00 00 fc ff df 4d 01 d1 49 01 RIP: bytes_is_nonzero mm/kasan/kasan.c:166 [inline] RSP: ffff8801bfa77770 RIP: memory_is_nonzero mm/kasan/kasan.c:184 [inline] RSP: ffff8801bfa77770 RIP: memory_is_poisoned_n mm/kasan/kasan.c:210 [inline] RSP: ffff8801bfa77770 RIP: memory_is_poisoned mm/kasan/kasan.c:241 [inline] RSP: ffff8801bfa77770 RIP: check_memory_region_inline mm/kasan/kasan.c:257 [inline] RSP: ffff8801bfa77770 RIP: check_memory_region+0x61/0x190 mm/kasan/kasan.c:267 RSP: ffff8801bfa77770 CR2: ffffed004e875e33 ---[ end trace 769bd3705f3abe78 ]--- Kernel panic - not syncing: Fatal exception Dumping ftrace buffer: (ftrace buffer empty) Kernel Offset: disabled Rebooting in 86400 seconds.. --- This bug is generated by a dumb bot. It may contain errors. See https://goo.gl/tpsmEJ for details. Direct all questions to syzkaller@googlegroups.com. syzbot will keep track of this bug report. If you forgot to add the Reported-by tag, once the fix for this bug is merged into any tree, please reply to this email with: #syz fix: exact-commit-title If you want to test a patch for this bug, please reply with: #syz test: git://repo/address.git branch and provide the patch inline or as an attachment. To mark this as a duplicate of another syzbot report, please reply with: #syz dup: exact-subject-of-another-report If it's a one-off invalid bug report, please reply with: #syz invalid Note: if the crash happens again, it will cause creation of a new bug report. Note: all commands must start from beginning of the line in the email body. -- You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/001a113feecc4fa53a05629c32a5%40google.com. For more options, visit https://groups.google.com/d/optout.