* [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: syzbot @ 2025-01-04 1:20 UTC (permalink / raw)
To: linux-kernel, luto, peterz, syzkaller-bugs, tglx
Hello,
syzbot found the following issue on:
HEAD commit: ccb98ccef0e5 Merge tag 'platform-drivers-x86-v6.13-4' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13f1eaf8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=86dd15278dbfe19f
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=140888b0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d24eb225cff7/disk-ccb98cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dd81532f8240/vmlinux-ccb98cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/18b08e4bbf40/bzImage-ccb98cce.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e65930fda17880da336@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 5943 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x137/0x4e0 kernel/utsname_sysctl.c:50
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 56 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 12 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc900038f7468 EFLAGS: 00010202
RAX: ffffffff90022485 RBX: 1ffff9200071ee92 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffffffff8de39fd8 R08: 0000000000000001 R09: fffffbfff1b8e071
R10: ffffffff8dc7038f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900038f7520 R14: dffffc0000000000 R15: ffffffff8de39fe0
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0544972008 CR3: 000000000db7e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3017
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f069358473c
Code: Unable to access opcode bytes at 0x7f0693584712.
RSP: 002b:00007ffd01fb5d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f069358473c
RDX: 0000000000000030 RSI: 00007ffd01fb5de0 RDI: 00000000000000f9
RBP: 00007ffd01fb5d8c R08: 0000000000000000 R09: 0079746972756365
R10: 00007ffd01fb56f0 R11: 0000000000000246 R12: 0000000000000032
R13: 000000000002bc4a R14: 00007ffd01fb5de0 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 56 03 00 00 jne 0x364
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 12 03 00 00 jne 0x346
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: Edward Adam Davis @ 2025-01-04 3:10 UTC (permalink / raw)
To: syzbot+2e65930fda17880da336; +Cc: linux-kernel, syzkaller-bugs
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
#syz test: https://github.com/ea1davis/linux proc/syz
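The ordering described above (namespaces torn down in exit_task_namespaces() before exit_task_work() runs the last accounting write, which lands in proc_do_uts_string() and get_uts()) as a userspace model. This is an added example, not code from the thread or from the kernel: the structs are simplified stand-ins that keep only the field order that matters, and the checked get_uts variant is an assumed shape for a fix, not the patch Edward posted.

```c
/* Userspace model (added example, not kernel code) of the exit-path ordering
 * bug in this thread. Struct layouts are simplified stand-ins; only the
 * field order that determines the faulting offset is kept. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define __NEW_UTS_LEN 64

struct new_utsname {
    char sysname[__NEW_UTS_LEN + 1];
    char nodename[__NEW_UTS_LEN + 1];
    char release[__NEW_UTS_LEN + 1];
    char version[__NEW_UTS_LEN + 1];
    char machine[__NEW_UTS_LEN + 1];
    char domainname[__NEW_UTS_LEN + 1];
};

struct uts_namespace { struct new_utsname name; };

/* Same field order as the kernel's struct nsproxy: a 4-byte refcount first,
 * then uts_ns, so uts_ns sits at offset 8 on a 64-bit build. */
struct nsproxy {
    int count;
    struct uts_namespace *uts_ns;
};

struct task_struct { struct nsproxy *nsproxy; };

/* Constructed sample state: the initial uts namespace and one task with
 * its own uts namespace (names are made up for the example). */
static struct uts_namespace init_uts_ns = { .name = { .domainname = "(none)" } };
static struct uts_namespace task_uts_ns = { .name = { .domainname = "lab.example" } };
static struct nsproxy task_nsproxy = { .count = 1, .uts_ns = &task_uts_ns };
static struct task_struct task = { .nsproxy = &task_nsproxy };
static struct task_struct *current = &task;

/* A sysctl entry whose ->data points into init_uts_ns, as in the kernel's
 * uts table; get_uts() rebases that pointer onto the current task's uts_ns. */
struct ctl_table { const char *procname; void *data; };
static struct ctl_table domainname_entry = {
    .procname = "domainname", .data = init_uts_ns.name.domainname };

/* Model of the unchecked get_uts(): the same pointer arithmetic, and it
 * reads current->nsproxy->uts_ns with no NULL check. Never call it after
 * exit_task_namespaces(); that is the crash in the report. */
static char *get_uts_unchecked(struct ctl_table *table)
{
    char *which = (char *)&current->nsproxy->uts_ns->name;
    which += (char *)table->data - (char *)&init_uts_ns.name;
    return which;
}

/* Hardened variant (assumption: one shape a fix could take): refuse to
 * touch a task whose namespaces are already gone. */
static char *get_uts_checked(struct ctl_table *table)
{
    if (!current->nsproxy)
        return NULL;
    return get_uts_unchecked(table);
}

/* Model of the write side of proc_do_uts_string(): 0 on success, -1 (stands
 * in for an -errno) when the task has no namespaces left. */
static int proc_do_uts_string_write(struct ctl_table *table, const char *buf)
{
    char *which = get_uts_checked(table);
    if (!which)
        return -1;
    strncpy(which, buf, __NEW_UTS_LEN);
    which[__NEW_UTS_LEN] = '\0';
    return 0;
}

/* Exit path in the order the report's call trace shows it. */
static void exit_task_namespaces(void) { current->nsproxy = NULL; }

static int exit_task_work(void)
{
    /* do_acct_process() -> __kernel_write() -> proc_sys_call_handler() */
    return proc_do_uts_string_write(&domainname_entry, "acct-record");
}

/* Runs the do_exit() ordering from the thread and returns the write's result. */
static int do_exit_model(void)
{
    exit_task_namespaces();
    return exit_task_work();
}

/* Offset the unchecked path would read through a NULL nsproxy; this is how
 * the report's "null-ptr-deref in range [0x8-0xf]" maps back to a field. */
static size_t null_deref_offset(void) { return offsetof(struct nsproxy, uts_ns); }

int main(void)
{
    printf("live task domainname: %s\n", get_uts_unchecked(&domainname_entry));
    printf("NULL nsproxy would read offset 0x%zx\n", null_deref_offset());
    printf("acct write after exit_task_namespaces(): %d\n", do_exit_model());
    return 0;
}
```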
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: syzbot @ 2025-01-04 3:25 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
tab: ffffffff8de3a458, data: ffffffff90028ec5, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 6417 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-gdcb6ff6bb369 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ee/0x5d0 kernel/utsname_sysctl.c:54
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 6a 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 28 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003657468 EFLAGS: 00010202
RAX: ffffffff90028ec5 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006cae92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900036574c0 R14: ffffffff8de3a460 R15: ffffc90003657520
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e8f20af048 CR3: 0000000034d8c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x441/0x610 fs/proc/proc_sysctl.c:602
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47f6787c47
Code: Unable to access opcode bytes at 0x7f47f6787c1d.
RSP: 002b:00007ffe11e12818 EFLAGS: 00000202 ORIG_RAX: 0000000000000029
RAX: 0000000000000003 RBX: 0000000000000003 RCX: 00007f47f6787c47
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007ffe11e12efc R08: 00007ffe11e1280c R09: 00007ffe11e12c17
R10: 00007ffe11e12890 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002677e R14: 00007ffe11e12f50 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 6a 03 00 00 jne 0x378
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 28 03 00 00 jne 0x35c
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
Tested on:
commit: dcb6ff6b utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=141938b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: Edward Adam Davis @ 2025-01-04 4:32 UTC (permalink / raw)
To: syzbot+2e65930fda17880da336; +Cc: linux-kernel, syzkaller-bugs
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
sys_acct writes accounting records to "/proc/sys/kernel/domainname"; if the data
is too long, can we continue accounting?
#syz test: https://github.com/ea1davis/linux proc/syz
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: syzbot @ 2025-01-04 4:49 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
write buf: \x13\x03, count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028f45, w: 1, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028f45, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 6507 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g85a8463a4d24 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x1ea/0x5e0 kernel/utsname_sysctl.c:53
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 76 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 32 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc90003567460 EFLAGS: 00010202
RAX: ffffffff90028f45 RBX: ffffffff8de3a458 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: 1ffff920006ace92 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900035674c0 R14: ffffc90003567520 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056128a1406dd CR3: 000000002cf9c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x4b8/0x700 fs/proc/proc_sysctl.c:607
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efcf8784597
Code: Unable to access opcode bytes at 0x7efcf878456d.
RSP: 002b:00007ffe839f29c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000102
RAX: 0000000000000000 RBX: 00007ffe839f2a10 RCX: 00007efcf8784597
RDX: 00000000000001ff RSI: 00007ffe839f2a10 RDI: 00000000ffffff9c
RBP: 00007ffe839f29fc R08: 0000000000000005 R09: 00007ffe839f2765
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000032
R13: 000000000002b475 R14: 00007ffe839f2a50 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 48 c1 ee 03 shr $0x3,%rsi
4: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1)
8: 0f 85 76 03 00 00 jne 0x384
e: 48 8b 92 08 09 00 00 mov 0x908(%rdx),%rdx
15: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
1c: fc ff df
1f: 48 8d 7a 08 lea 0x8(%rdx),%rdi
23: 48 89 fe mov %rdi,%rsi
26: 48 c1 ee 03 shr $0x3,%rsi
* 2a: 80 3c 0e 00 cmpb $0x0,(%rsi,%rcx,1) <-- trapping instruction
2e: 0f 85 32 03 00 00 jne 0x366
34: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
3b: fc ff df
3e: 48 rex.W
3f: 2d .byte 0x2d
Tested on:
commit: 85a8463a utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=16e566f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: Edward Adam Davis @ 2025-01-04 5:12 UTC (permalink / raw)
To: syzbot+2e65930fda17880da336; +Cc: linux-kernel, syzkaller-bugs
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
#syz test: https://github.com/ea1davis/linux proc/syz
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: syzbot @ 2025-01-04 5:27 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
write buf: \x13\x03, count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
write buf: \x13\x03, count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
tab: ffffffff8de3a458, data: ffffffff90028ec5, datalen: 6, maxlen: 65, procname: domainname, proc_do_uts_string
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000028: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
CPU: 0 UID: 0 PID: 6578 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g224ab98542f8 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:proc_do_uts_string+0x256/0x630 kernel/utsname_sysctl.c:55
Code: 03 00 00 4d 8b 7f 08 e8 28 b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f8 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc900037f7460 EFLAGS: 00010207
RAX: 0000000000000145 RBX: ffffffff8de3a458 RCX: 1ffff11005cb9121
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802e5c8908
RBP: 0000000000000001 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: ffffc900037f74c0
R13: ffffc900037f7520 R14: ffffffff8de3a460 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556c83033da8 CR3: 0000000030b94000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6c3438498a
Code: Unable to access opcode bytes at 0x7f6c34384960.
RSP: 002b:00007ffe74966a30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6c3438498a
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffe74966a7c R08: 00007ffe7496637c R09: 0079746972756365
R10: 00007ffe749663e0 R11: 0000000000000293 R12: 0000000000000032
R13: 00000000000276a7 R14: 00007ffe74966ad0 R15: 0000000000000258
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
2: 00 4d 8b add %cl,-0x75(%rbp)
5: 7f 08 jg 0xf
7: e8 28 b1 fe ff call 0xfffeb134
c: 48 8b 04 24 mov (%rsp),%rax
10: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
17: fc ff df
1a: 48 2d 80 8d 02 90 sub $0xffffffff90028d80,%rax
20: 4c 01 f8 add %r15,%rax
23: 48 89 c2 mov %rax,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 0c 32 movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
2e: 48 8d 50 40 lea 0x40(%rax),%rdx
32: 48 89 d7 mov %rdx,%rdi
35: 48 c1 ef 03 shr $0x3,%rdi
39: 0f b6 34 37 movzbl (%rdi,%rsi,1),%esi
3d: 48 89 c7 mov %rax,%rdi
Tested on:
commit: 224ab985 utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=106b38b0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: Edward Adam Davis @ 2025-01-04 5:39 UTC (permalink / raw)
To: syzbot+2e65930fda17880da336; +Cc: linux-kernel, syzkaller-bugs
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
#syz test: https://github.com/ea1davis/linux proc/syz
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: syzbot @ 2025-01-04 5:54 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in proc_sys_call_handler
nsp: ffff888032f4d340, get_uts
nsp: ffff888032f4d340, get_uts
write buf: \x13\x03, count: 64, tab: ffffffff8de3a458, proc_sys_call_handler
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000028: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000140-0x0000000000000147]
CPU: 0 UID: 0 PID: 6593 Comm: syz-executor Not tainted 6.12.0-syzkaller-10299-g5009ba366804 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:proc_do_uts_string+0x1f1/0x610 kernel/utsname_sysctl.c:54
Code: 03 00 00 4d 8b 76 08 e8 8d b1 fe ff 48 8b 04 24 48 be 00 00 00 00 00 fc ff df 48 2d 80 8d 02 90 4c 01 f0 48 89 c2 48 c1 ea 03 <0f> b6 0c 32 48 8d 50 40 48 89 d7 48 c1 ef 03 0f b6 34 37 48 89 c7
RSP: 0018:ffffc90003e6f468 EFLAGS: 00010207
RAX: 0000000000000145 RBX: 1ffff920007cde92 RCX: 1ffff110052538a1
RDX: 0000000000000028 RSI: dffffc0000000000 RDI: ffff88802929c508
RBP: ffffffff8de3a458 R08: 0000000000000001 R09: fffffbfff1b8e045
R10: ffffffff8dc7022f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc90003e6f520 R14: 0000000000000000 R15: ffffffff8de3a460
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562a01053200 CR3: 000000007a9a2000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x424/0x5f0 fs/proc/proc_sysctl.c:602
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xadd/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3016
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f810a587a6a
Code: Unable to access opcode bytes at 0x7f810a587a40.
RSP: 002b:00007ffcd4dfd8c8 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: 0000000000000000 RBX: 00007ffcd4dfd950 RCX: 00007f810a587a6a
RDX: 0000000000000041 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00007ffcd4dfd8ec R09: 0079746972756365
R10: 00007ffcd4dfd950 R11: 0000000000000212 R12: 00007f810a747a00
R13: 00007ffcd4dfd8ec R14: 0000000000000000 R15: 00007f810a748e40
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
2: 00 4d 8b add %cl,-0x75(%rbp)
5: 76 08 jbe 0xf
7: e8 8d b1 fe ff call 0xfffeb199
c: 48 8b 04 24 mov (%rsp),%rax
10: 48 be 00 00 00 00 00 movabs $0xdffffc0000000000,%rsi
17: fc ff df
1a: 48 2d 80 8d 02 90 sub $0xffffffff90028d80,%rax
20: 4c 01 f0 add %r14,%rax
23: 48 89 c2 mov %rax,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 0c 32 movzbl (%rdx,%rsi,1),%ecx <-- trapping instruction
2e: 48 8d 50 40 lea 0x40(%rax),%rdx
32: 48 89 d7 mov %rdx,%rdi
35: 48 c1 ef 03 shr $0x3,%rdi
39: 0f b6 34 37 movzbl (%rdi,%rsi,1),%esi
3d: 48 89 c7 mov %rax,%rdi
Tested on:
commit: 5009ba36 utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=123366f8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: Edward Adam Davis @ 2025-01-04 6:00 UTC (permalink / raw)
To: syzbot+2e65930fda17880da336; +Cc: linux-kernel, syzkaller-bugs
utsname: debug ctl table for domainname
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
#syz test: https://github.com/ea1davis/linux proc/syz
* Re: [syzbot] [kernel?] general protection fault in proc_sys_call_handler
From: syzbot @ 2025-01-04 6:21 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+2e65930fda17880da336@syzkaller.appspotmail.com
Tested-by: syzbot+2e65930fda17880da336@syzkaller.appspotmail.com
Tested on:
commit: 567d8ea8 utsname: debug ctl table for domainname
git tree: https://github.com/ea1davis/linux proc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=15ba4edf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* [PATCH] utsname: Prevents using NULL value nsproxy
From: Edward Adam Davis @ 2025-01-04 12:21 UTC (permalink / raw)
To: syzbot+2e65930fda17880da336
Cc: linux-kernel, luto, peterz, syzkaller-bugs, tglx
syzbot reported a null-ptr-deref in get_uts. [1]
Before exit_task_work() is executed, exit_task_namespaces() has been executed,
which will cause task->nsproxy to be NULL.
To avoid this issue, check nsproxy of the task in proc_do_uts_string().
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 5943 Comm: syz-executor Not tainted 6.13.0-rc5-syzkaller-00004-gccb98ccef0e5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:get_uts kernel/utsname_sysctl.c:23 [inline]
RIP: 0010:proc_do_uts_string+0x137/0x4e0 kernel/utsname_sysctl.c:50
Code: 48 c1 ee 03 80 3c 0e 00 0f 85 56 03 00 00 48 8b 92 08 09 00 00 48 b9 00 00 00 00 00 fc ff df 48 8d 7a 08 48 89 fe 48 c1 ee 03 <80> 3c 0e 00 0f 85 12 03 00 00 48 be 00 00 00 00 00 fc ff df 48 2d
RSP: 0018:ffffc900038f7468 EFLAGS: 00010202
RAX: ffffffff90022485 RBX: 1ffff9200071ee92 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000008
RBP: ffffffff8de39fd8 R08: 0000000000000001 R09: fffffbfff1b8e071
R10: ffffffff8dc7038f R11: 0000000000000002 R12: 0000000000000001
R13: ffffc900038f7520 R14: dffffc0000000000 R15: ffffffff8de39fe0
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0544972008 CR3: 000000000db7e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
proc_sys_call_handler+0x403/0x5d0 fs/proc/proc_sysctl.c:601
__kernel_write_iter+0x318/0xa80 fs/read_write.c:612
__kernel_write+0xf6/0x140 fs/read_write.c:632
do_acct_process+0xcb0/0x14a0 kernel/acct.c:539
acct_pin_kill+0x2d/0x100 kernel/acct.c:192
pin_kill+0x194/0x7c0 fs/fs_pin.c:44
mnt_pin_kill+0x61/0x1e0 fs/fs_pin.c:81
cleanup_mnt+0x3ac/0x450 fs/namespace.c:1366
task_work_run+0x14e/0x250 kernel/task_work.c:239
exit_task_work include/linux/task_work.h:43 [inline]
do_exit+0xad8/0x2d70 kernel/exit.c:938
do_group_exit+0xd3/0x2a0 kernel/exit.c:1087
get_signal+0x2576/0x2610 kernel/signal.c:3017
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
Reported-by: syzbot+2e65930fda17880da336@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2e65930fda17880da336
Tested-by: syzbot+2e65930fda17880da336@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
kernel/utsname_sysctl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
index 7282f61a8650..da2a9c92227f 100644
--- a/kernel/utsname_sysctl.c
+++ b/kernel/utsname_sysctl.c
@@ -37,6 +37,9 @@ static int proc_do_uts_string(const struct ctl_table *table, int write,
int r;
char tmp_data[__NEW_UTS_LEN + 1];
+ if (!current->nsproxy)
+ return -EINVAL;
+
memcpy(&uts_table, table, sizeof(uts_table));
uts_table.data = tmp_data;
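Review bot: the new `if (!current->nsproxy) return -EINVAL;` at the top of proc_do_uts_string() guards only this one handler, while the quoted call trace shows the write arriving from do_acct_process() -> __kernel_write() -> proc_sys_call_handler() via task_work_run() in do_exit(), after exit_task_namespaces() has already cleared current->nsproxy; any other sysctl handler that dereferences current->nsproxy on that same path stays exposed, so please say in the commit message why the check belongs here rather than in proc_sys_call_handler() or in the accounting exit path. Two smaller points on the same lines: -EINVAL reads as "bad argument" for what is really "caller has no namespaces left", so a more descriptive errno (for example -ENOENT) is worth discussing, and a one-line comment above the check noting that the task is exiting and how this handler can still be reached would save the next reader a trip through the syzbot report.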
--
2.47.0