All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ian Kumlien <pomac@vapor.com>
To: Borislav Petkov <bp@alien8.de>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [BUG] NULL pointer dereference in 3.7-rc7 (syscall_trace_enter)
Date: Fri, 30 Nov 2012 00:56:08 +0100	[thread overview]
Message-ID: <1354233368.5396.6.camel@pi> (raw)
In-Reply-To: <20121129192500.GG30789@liondog.tnic>

[-- Attachment #1: Type: text/plain, Size: 4018 bytes --]

On tor, 2012-11-29 at 20:25 +0100, Borislav Petkov wrote:
> On Thu, Nov 29, 2012 at 05:24:03PM +0100, Ian Kumlien wrote:
> > > Can you do:
> > > 
> > > make arch/x86/kernel/ptrace.lst
> > > 
> > > and send me that file, privately is fine too.
> > 
> > Done, =)
> 
> Ok, thanks. Here it is:
> 
> ffffffff8100b627:       83 3f 00                cmpl   $0x0,(%rdi)
> ffffffff8100b62a:       75 24                   jne    ffffffff8100b650 <syscall_trace_enter+0x163>
> ffffffff8100b62c:       eb 37                   jmp    ffffffff8100b665 <syscall_trace_enter+0x178>
> ffffffff8100b62e:       65 48 8b 0c 25 00 00    mov    %gs:0x0,%rcx
> ffffffff8100b635:       00 00 
>                         ffffffff8100b633: R_X86_64_32S  current_task
> extern void __audit_seccomp(unsigned long syscall, long signr, int code);
> extern void __audit_ptrace(struct task_struct *t);
> 
> static inline int audit_dummy_context(void)
> {
>         void *p = current->audit_context;
> ffffffff8100b637:       48 8b 89 c0 04 00 00    mov    0x4c0(%rcx),%rcx
>                                     regs->orig_ax,
>                                     regs->bx, regs->cx,
>                                     regs->dx, regs->si);
> #ifdef CONFIG_X86_64
>         else
>                 audit_syscall_entry(AUDIT_ARCH_X86_64,
> ffffffff8100b63e:       4c 8b 4b 38             mov    0x38(%rbx),%r9
> ffffffff8100b642:       48 8b 53 70             mov    0x70(%rbx),%rdx
>         return !p || *(int *)p;
> ffffffff8100b646:       48 85 c9                test   %rcx,%rcx
> ffffffff8100b649:       74 05                   je     ffffffff8100b650 <syscall_trace_enter+0x163>
> ffffffff8100b64b:       83 39 00                cmpl   $0x0,(%rcx)
> ffffffff8100b64e:       74 1f                   je     ffffffff8100b66f <syscall_trace_enter+0x182>
>                                     regs->di, regs->si,
>                                     regs->dx, regs->r10);
> #endif
> 
> out:
>         return ret ?: regs->orig_ax;
> ffffffff8100b650:       48 83 ca ff             or     $0xffffffffffffffff,%rdx
> ffffffff8100b654:       48 85 ed                test   %rbp,%rbp
> ffffffff8100b657:       75 04                   jne    ffffffff8100b65d <syscall_trace_enter+0x170>
> ffffffff8100b659:       48 8b 53 78             mov    0x78(%rbx),%rdx
> }
> ffffffff8100b65d:       5b                      pop    %rbx
> ffffffff8100b65e:       5d                      pop    %rbp
> ffffffff8100b65f:       48 89 d0                mov    %rdx,%rax
> ffffffff8100b662:       41 5c                   pop    %r12
> ffffffff8100b664:       c3                      retq
> 
> We're calling audit_syscall_entry() for a 64-bit task (chrome) and we
> check whether the audit context of the task is not a dummy one.
> 
> We fail at the second check in
> 
>         return !p || *(int *)p;
> 
> when we're trying to deref the ->audit_context pointer of current and
> then check it for being 0 in audit_syscall_entry. It turns out it is
> some random crap, as we saw already: RCX=0000000000000063.

Yep, actually gathered that from the disassembly =)

> From looking at the code, task audit contexts get normally allocated
> at fork time and dealloc'd at task exit time so your process should
> actually have a valid task context.

Weird, and this should be allocated automatically?

> The only explanation I have is that it could be some random corruption
> which f*cked up the ->audit_context pointer but I might be wrong. Btw,
> do you have CONFIG_AUDITSYSCALL enabled in your kernel?

grep CONFIG_AUDITSYSCALL .config
CONFIG_AUDITSYSCALL=y

> I'd say right now we could watch this and if it is reproducible, then
> we can involve some more brain power and skills into it. If it has been
> only a single occurrence, then we'll write it on the random corruption's
> tab.

Uhmmm oki

> Thanks.
> 

-- 
Ian Kumlien  -- http://demius.net || http://pomac.netswarm.net

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

  reply	other threads:[~2012-11-29 23:56 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-28 23:20 [BUG] NULL pointer dereference in 3.7-rc7 (syscall_trace_enter) Ian Kumlien
2012-11-29  9:26 ` Borislav Petkov
2012-11-29 12:27   ` Ian Kumlien
2012-11-29 14:22     ` Borislav Petkov
2012-11-29 16:24       ` Ian Kumlien
2012-11-29 19:25         ` Borislav Petkov
2012-11-29 23:56           ` Ian Kumlien [this message]
2012-11-30  1:00             ` Borislav Petkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1354233368.5396.6.camel@pi \
    --to=pomac@vapor.com \
    --cc=bp@alien8.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.