From: Stephen Hemminger <stephen@networkplumber.org>
To: Ursula Braun <ubraun@linux.vnet.ibm.com>
Cc: netdev@vger.kernel.org
Subject: Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
Date: Tue, 17 Apr 2018 19:56:44 -0700
Message-ID: <20180417195644.7d04aff0@xeon-e3>
This may already be fixed.
Begin forwarded message:
Date: Wed, 18 Apr 2018 01:52:59 +0000
From: bugzilla-daemon@bugzilla.kernel.org
To: stephen@networkplumber.org
Subject: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
https://bugzilla.kernel.org/show_bug.cgi?id=199429
Bug ID: 199429
Summary: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability.
Product: Networking
Version: 2.5
Kernel Version: 4.16.0-rc7
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Other
Assignee: stephen@networkplumber.org
Reporter: 1773876454@qq.com
Regression: No
Created attachment 275431
--> https://bugzilla.kernel.org/attachment.cgi?id=275431&action=edit
POC
Syzkaller hit the 'general protection fault in kernel_sock_shutdown' bug.
NET: Registered protocol family 43
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in: smc ib_core binfmt_misc joydev hid_generic snd_pcm snd_timer snd usbmouse usbhid soundcore psmouse e1000 hid pcspkr parport_pc input_leds i2c_piix4 parport serio_raw floppy qemu_fw_cfg evbug mac_hid
CPU: 1 PID: 1751 Comm: syzkaller252340 Not tainted 4.16.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:kernel_sock_shutdown+0x29/0x70 net/socket.c:3255
RSP: 0018:ffff88000666fcf8 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff829206e4
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000028
RBP: ffff88003b43a0d2 R08: 0000000000000003 R09: 000000000002b3c0
R10: 0000000000000ae7 R11: 00000000000000eb R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000000000225b880(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5b85800000 CR3: 000000003bcde004 CR4: 00000000001606e0
Call Trace:
smc_shutdown+0x431/0x4a0 [smc]
SYSC_shutdown net/socket.c:1901 [inline]
SyS_shutdown+0x140/0x250 net/socket.c:1892
do_syscall_64+0x2ee/0x580 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4431a9
RSP: 002b:00007ffcccb77758 EFLAGS: 00000217 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000004003d0 RCX: 00000000004431a9
RDX: 00000000004431a9 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000401800 R08: 00000000004003d0 R09: 00000000004003d0
R10: 00000000004003d0 R11: 0000000000000217 R12: 0000000000401890
R13: 0000000000000000 R14: 00000000006b1018 R15: 0000000000000000
Code: 00 00 0f 1f 44 00 00 41 54 55 41 89 f4 53 48 89 fb e8 4c bd ad fe 48 8d
7b 28 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 74 05 e8
7c 62 e0 fe 48 8b 6b 28 48 b8 00 00 00 00
RIP: kernel_sock_shutdown+0x29/0x70 net/socket.c:3255 RSP: ffff88000666fcf8
---[ end trace ac1ba3c5e5bfa977 ]---
0xffffffffa02d1a82 1258 rc = smc_close_active(smc);
Dump of assembler code from 0xffffffffa02d1a82 to 0xffffffffa02d1a8c:
=> 0xffffffffa02d1a82 <smc_shutdown+1010>: call 0xffffffffa02f3c50 <smc_close_active>
0xffffffffa02d1a87 <smc_shutdown+1015>: mov r13d,eax
0xffffffffa02d1a8a <smc_shutdown+1018>: call 0xffffffff813fc430
End of assembler dump.
rax 0xffff88005a6217c0 -131939878955072
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a7f -1607656833
rdx 0x0 0
rsi 0xfffffe01 4294966785
rdi 0xffff88005be55b40 -131939853575360
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0xffff88005f9d0258 -131939791207848
r9 0xffff880060e2bc00 -131939769861120
r10 0xffff88005f9e7340 -131939791113408
r11 0xb9ed 47597
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1a82 0xffffffffa02d1a82 <smc_shutdown+1010>
eflags 0x293 [ CF AF SF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
ni:3: Error in sourced command file:
Could not fetch register "fs_base"; remote failure reply 'E14'
(gdb) b *0xffffffffa02d1a87
Breakpoint 36 at 0xffffffffa02d1a87: file ../net/smc/af_smc.c, line 1258.
(gdb) c
Continuing.
[Switching to Thread 4]
Thread 4 hit Hardware watchpoint 34: ((struct smc_sock*) 0xffff88005be55b40)->clcsock
Old value = (struct socket *) 0xffff880058fa5100
New value = (struct socket *) 0x0
smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
980 release_sock(lsk);
(gdb) bt
#0 smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
(gdb) file vmlinux
A program is being debugged already.
Are you sure you want to change the file? (y or n) y
Load new symbol table from "vmlinux"? (y or n) y
Reading symbols from vmlinux...done.
warning: File "/home/sdk/linux/scripts/gdb/vmlinux-gdb.py" auto-loading has
been declined by your `auto-load safe-path' set to
"$debugdir:$datadir/auto-load".
(gdb) bt
#0 smc_tcp_listen_work (work=0xffff88005be55f90) at ../net/smc/af_smc.c:980
#1 0xffffffff811dd957 in process_one_work (worker=0xffff88005f7f5988, work=0xffff88005be55f90) at ../kernel/workqueue.c:2113
#2 0xffffffff811def0d in worker_thread (__worker=0xffff88005f7f5988) at ../kernel/workqueue.c:2247
#3 0xffffffff811f4f5f in kthread (_create=<optimized out>) at ../kernel/kthread.c:238
#4 0xffffffff83000205 in ret_from_fork () at ../arch/x86/entry/entry_64.S:406
#5 0x0000000000000000 in ?? ()
(gdb) disas $rip,+0x10
Dump of assembler code from 0xffffffffa02d4304 to 0xffffffffa02d4314:
=> 0xffffffffa02d4304 <smc_tcp_listen_work+2724>: call 0xffffffff813fc430 <__sanitizer_cov_trace_pc>
0xffffffffa02d4309 <smc_tcp_listen_work+2729>: mov rdi,r12
0xffffffffa02d430c <smc_tcp_listen_work+2732>: call 0xffffffff82937820 <release_sock>
0xffffffffa02d4311 <smc_tcp_listen_work+2737>: lock dec DWORD PTR [rbp-0x3d0]
End of assembler dump.
(gdb) c
Continuing.
[Switching to Thread 3]
Thread 3 hit Breakpoint 36, 0xffffffffa02d1a87 in smc_shutdown (sock=<optimized out>, how=0) at ../net/smc/af_smc.c:1258
1258 rc = smc_close_active(smc);
(gdb) disas $rip,+0x10
Dump of assembler code from 0xffffffffa02d1a87 to 0xffffffffa02d1a97:
=> 0xffffffffa02d1a87 <smc_shutdown+1015>: mov r13d,eax
0xffffffffa02d1a8a <smc_shutdown+1018>: call 0xffffffff813fc430 <__sanitizer_cov_trace_pc>
0xffffffffa02d1a8f <smc_shutdown+1023>: lea rdi,[rbx+0x2c8]
0xffffffffa02d1a96 <smc_shutdown+1030>: movabs rax,0xdffffc0000000000
End of assembler dump.
(gdb) so ni
1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1a8a to 0xffffffffa02d1a94:
=> 0xffffffffa02d1a8a <smc_shutdown+1018>: call 0xffffffff813fc430 <__sanitizer_cov_trace_pc>
0xffffffffa02d1a8f <smc_shutdown+1023>: lea rdi,[rbx+0x2c8]
End of assembler dump.
rax 0x0 0
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02f482b -1607514069
rdx 0x0 0
rsi 0x0 0
rdi 0xffff88005be55c50 -131939853575088
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1a8a 0xffffffffa02d1a8a <smc_shutdown+1018>
eflags 0x282 [ SF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1a8f 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1a8f to 0xffffffffa02d1a99:
=> 0xffffffffa02d1a8f <smc_shutdown+1023>: lea rdi,[rbx+0x2c8]
0xffffffffa02d1a96 <smc_shutdown+1030>: movabs rax,0xdffffc0000000000
End of assembler dump.
rax 0xffff88005a6217c0 -131939878955072
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x0 0
rsi 0x0 0
rdi 0xffff88005be55c50 -131939853575088
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1a8f 0xffffffffa02d1a8f <smc_shutdown+1023>
eflags 0x293 [ CF AF SF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1a96 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1a96 to 0xffffffffa02d1aa0:
=> 0xffffffffa02d1a96 <smc_shutdown+1030>: movabs rax,0xdffffc0000000000
End of assembler dump.
rax 0xffff88005a6217c0 -131939878955072
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x0 0
rsi 0x0 0
rdi 0xffff88005be55e08 -131939853574648
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1a96 0xffffffffa02d1a96 <smc_shutdown+1030>
eflags 0x293 [ CF AF SF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1aa0 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aa0 to 0xffffffffa02d1aaa:
=> 0xffffffffa02d1aa0 <smc_shutdown+1040>: mov rdx,rdi
0xffffffffa02d1aa3 <smc_shutdown+1043>: shr rdx,0x3
0xffffffffa02d1aa7 <smc_shutdown+1047>: cmp BYTE PTR [rdx+rax*1],0x0
End of assembler dump.
rax 0xdffffc0000000000 -2305847407260205056
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x0 0
rsi 0x0 0
rdi 0xffff88005be55e08 -131939853574648
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1aa0 0xffffffffa02d1aa0 <smc_shutdown+1040>
eflags 0x293 [ CF AF SF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1aa3 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aa3 to 0xffffffffa02d1aad:
=> 0xffffffffa02d1aa3 <smc_shutdown+1043>: shr rdx,0x3
0xffffffffa02d1aa7 <smc_shutdown+1047>: cmp BYTE PTR [rdx+rax*1],0x0
0xffffffffa02d1aab <smc_shutdown+1051>: je 0xffffffffa02d1ab2 <smc_shutdown+1058>
End of assembler dump.
rax 0xdffffc0000000000 -2305847407260205056
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0xffff88005be55e08 -131939853574648
rsi 0x0 0
rdi 0xffff88005be55e08 -131939853574648
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1aa3 0xffffffffa02d1aa3 <smc_shutdown+1043>
eflags 0x293 [ CF AF SF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1aa7 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aa7 to 0xffffffffa02d1ab1:
=> 0xffffffffa02d1aa7 <smc_shutdown+1047>: cmp BYTE PTR [rdx+rax*1],0x0
0xffffffffa02d1aab <smc_shutdown+1051>: je 0xffffffffa02d1ab2 <smc_shutdown+1058>
0xffffffffa02d1aad <smc_shutdown+1053>: call 0xffffffff81726980 <__asan_report_load8_noabort>
End of assembler dump.
rax 0xdffffc0000000000 -2305847407260205056
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x1ffff1000b7cabc1 2305826516731997121
rsi 0x0 0
rdi 0xffff88005be55e08 -131939853574648
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1aa7 0xffffffffa02d1aa7 <smc_shutdown+1047>
eflags 0x202 [ IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1aab 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1aab to 0xffffffffa02d1ab5:
=> 0xffffffffa02d1aab <smc_shutdown+1051>: je 0xffffffffa02d1ab2 <smc_shutdown+1058>
0xffffffffa02d1aad <smc_shutdown+1053>: call 0xffffffff81726980 <__asan_report_load8_noabort>
0xffffffffa02d1ab2 <smc_shutdown+1058>: mov rdi,QWORD PTR [rbx+0x2c8]
End of assembler dump.
rax 0xdffffc0000000000 -2305847407260205056
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x1ffff1000b7cabc1 2305826516731997121
rsi 0x0 0
rdi 0xffff88005be55e08 -131939853574648
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1aab 0xffffffffa02d1aab <smc_shutdown+1051>
eflags 0x246 [ PF ZF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
Thread 3 hit Breakpoint 32, 0xffffffffa02d1ab2 in smc_shutdown (sock=<optimized out>, how=0) at ../net/smc/af_smc.c:1264
1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1ab2 to 0xffffffffa02d1abc:
=> 0xffffffffa02d1ab2 <smc_shutdown+1058>: mov rdi,QWORD PTR [rbx+0x2c8]
0xffffffffa02d1ab9 <smc_shutdown+1065>: mov esi,r12d
End of assembler dump.
rax 0xdffffc0000000000 -2305847407260205056
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x1ffff1000b7cabc1 2305826516731997121
rsi 0x0 0
rdi 0xffff88005be55e08 -131939853574648
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1ab2 0xffffffffa02d1ab2 <smc_shutdown+1058>
eflags 0x246 [ PF ZF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
0xffffffffa02d1ab9 1264 rc1 = kernel_sock_shutdown(smc->clcsock, how);
Dump of assembler code from 0xffffffffa02d1ab9 to 0xffffffffa02d1ac3:
=> 0xffffffffa02d1ab9 <smc_shutdown+1065>: mov esi,r12d
0xffffffffa02d1abc <smc_shutdown+1068>: call 0xffffffff829206d0 <kernel_sock_shutdown>
0xffffffffa02d1ac1 <smc_shutdown+1073>: lea rdi,[rbx+0x24a]
End of assembler dump.
rax 0xdffffc0000000000 -2305847407260205056
rbx 0xffff88005be55b40 -131939853575360
rcx 0xffffffffa02d1a8f -1607656817
rdx 0x1ffff1000b7cabc1 2305826516731997121
rsi 0x0 0
rdi 0x0 0
rbp 0xffff88005be55b52 0xffff88005be55b52
rsp 0xffff88005e887d18 0xffff88005e887d18
r8 0x88 136
r9 0xffff880060f2bc00 -131939768812544
r10 0xffff88005e17f2f8 -131939816705288
r11 0xb839 47161
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xffffffffa02d1ab9 0xffffffffa02d1ab9 <smc_shutdown+1065>
eflags 0x246 [ PF ZF IF ]
cs 0x10 16
ss 0x18 24
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
Thread overview: 3+ messages
2018-04-18 2:56 Stephen Hemminger [this message]
2018-04-18 11:46 ` Fw: [Bug 199429] New: smc_shutdown(net/smc/af_smc.c) has a UAF causing null pointer vulnerability Ursula Braun
2018-04-18 15:55 ` Stephen Hemminger