Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+2e65930fda17880da336@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
Date: Fri, 03 Jan 2025 20:49:01 -0800	[thread overview]
Message-ID: <6778bdbd.050a0220.7f35c.0002.GAE@google.com> (raw)
In-Reply-To: <tencent_BC66DFB3678375296083A124413772F76105@qq.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler

write buf: \x13\x03, count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028f45, w: 1, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028f45, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 6507 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g85a8463a4d24 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ea/0x5e0 kernel/utsname_sysctl.c:53
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 76 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 32 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003567460 EFLAGS: 00010202
RAX: ffffffff90028f45 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006ace92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900035674c0 R14: ffffc90003567520 R15: ffffffff8de3a460
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056128a1406dd CR3: 000000002cf9c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 proc_sys_call_handler+0x4b8/0x700 fs/proc/proc_sysctl.c:607
 __kernel_write_iter+0x318/0xa80 fs/read_write.c:612
 __kernel_write+0xf6/0x140 fs/read_write.c:632
 do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
 acct_pin_kill+0x2d/0x100 kernel/acct.c:192
 pin_kill+0x194/0x7c0 fs/fs_pin.c:44
 mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
 cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
 task_work_run+0x14e/0x250 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xadd/0x2d70 kernel/exit.c:938
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
 get_signal+0x2576/0x2610 kernel/signal.c:3016
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efcf8784597
Code: Unable to access opcode bytes at 0x7efcf878456d.
RSP: 002b:00007ffe839f29c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000102
RAX: 0000000000000000 RBX: 00007ffe839f2a10 RCX: 00007efcf8784597
RDX: 00000000000001ff RSI: 00007ffe839f2a10 RDI: 00000000ffffff9c
RBP: 00007ffe839f29fc R08: 0000000000000005 R09: 00007ffe839f2765
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002b475 R14: 00007ffe839f2a50 R15: 0000000000000258
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ea/0x5e0 kernel/utsname_sysctl.c:53
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 76 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 32 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003567460 EFLAGS: 00010202
RAX: ffffffff90028f45 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006ace92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900035674c0 R14: ffffc90003567520 R15: ffffffff8de3a460
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056128a1406dd CR3: 0000000030060000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ee 03          	shr    $0x3,%rsi
   4:	80 3c 0e 00          	cmpb   $0x0,(%rsi,%rcx,1)
   8:	0f 85 76 03 00 00    	jne    0x384
   e:	48 8b 92 08 09 00 00 	mov    0x908(%rdx),%rdx
  15:	48 b9 00 00 00 00 00 	movabs $0xdffffc0000000000,%rcx
  1c:	fc ff df
  1f:	48 8d 7a 08          	lea    0x8(%rdx),%rdi
  23:	48 89 fe             	mov    %rdi,%rsi
  26:	48 c1 ee 03          	shr    $0x3,%rsi
* 2a:	80 3c 0e 00          	cmpb   $0x0,(%rsi,%rcx,1) <-- trapping instruction
  2e:	0f 85 32 03 00 00    	jne    0x366
  34:	48 be 00 00 00 00 00 	movabs $0xdffffc0000000000,%rsi
  3b:	fc ff df
  3e:	48                   	rex.W
  3f:	2d                   	.byte 0x2d


Tested on:

commit:         85a8463a utsname: debug ctl table for domainname
git tree:       https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=16e566f8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

next prev parent reply	other threads:[~2025-01-04  4:49 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-04  1:20 [syzbot] [kernel?] general protection fault in proc_sys_call_handler syzbot
2025-01-04  3:10 ` Edward Adam Davis
2025-01-04  3:25   ` syzbot
2025-01-04  4:32 ` Edward Adam Davis
2025-01-04  4:49   ` syzbot [this message]
2025-01-04  5:12 ` Edward Adam Davis
2025-01-04  5:27   ` syzbot
2025-01-04  5:39 ` Edward Adam Davis
2025-01-04  5:54   ` syzbot
2025-01-04  6:00 ` Edward Adam Davis
2025-01-04  6:21   ` syzbot
2025-01-04 12:21 ` [PATCH] utsname: Prevents using NULL value nsproxy Edward Adam Davis

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6778bdbd.050a0220.7f35c.0002.GAE@google.com \
    --to=syzbot+2e65930fda17880da336@syzkaller.appspotmail.com \
    --cc=eadavis@qq.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.