From: David Howells
To: Dmitry Vyukov
Cc: dhowells@redhat.com, james.l.morris@oracle.com, serge@hallyn.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, LKML, syzkaller
Subject: Re: keys: GPF in request_key
Date: Wed, 01 Feb 2017 13:22:24 +0000
Message-ID: <21709.1485955344@warthog.procyon.org.uk>
Organization: Red Hat UK Ltd.

Dmitry Vyukov wrote:

> The line that causes the crash is:
>
>     BUG_ON(index_key->desc_len == 0);
>
> The addresses that the line tried to access are:
>
>     RDI: ffffffffca29fa68
>     RDI: ffffffffd7236a28
>     RDI: 000000007d19ed68

These are all calculated from R12:

    lea  0x10(%r12),%rdi
    ...
    mov  %rdi,%rdx
    shr  $0x3,%rdx
    cmpb $0x0,(%rdx,%rax,1)

R12 would appear to be index_key - which would correlate with 0x10 being the offset of desc_len therein - but why muck around with the pointer rather than just

In my compiler output, BUG_ON(index_key->desc_len == 0); is turned into:

    0xffffffff8131f023 <+0>:  cmpq $0x0,0x10(%rsi)
    0xffffffff8131f028 <+5>:  jne  0xffffffff8131f02c <__key_link_begin+9>
    0xffffffff8131f02a <+7>:  ud2

What compiler are you using?

David