From: Oleg Nesterov <oleg@redhat.com>
To: Sasha Levin <sasha.levin@oracle.com>,
David Howells <dhowells@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
richard@nod.at, Dave Jones <davej@redhat.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: kernel: signal: NULL ptr deref when killing process
Date: Wed, 20 Aug 2014 17:06:19 +0200 [thread overview]
Message-ID: <20140820150619.GA12706@redhat.com> (raw)
In-Reply-To: <20140820141252.GA27301@redhat.com>
On 08/20, Oleg Nesterov wrote:
>
> On 08/20, Sasha Levin wrote:
> >
> > Hi all,
> >
> > While fuzzing with trinity inside a KVM tools guest running the latest -next
> > kernel, I've stumbled on the following spew:
>
> Thanks...
>
> looks like, kill_ok_by_cred()->__task_cred(t) returns NULL at first glance.
> perhaps you can show the result of "make kernel/signal.s" to be sure? Or at
> least the full "objdump -d kernel/signal.o".
>
> This looks strange. ->real_cred can be NULL only after __put_task_struct(),
> so this task_struct is already freed or soon-to-be-freed. But everything looks
> correct in this path, this task was found by pid_task() under rcu_read_lock().
Hmm. I'll recheck and report tomorrow, but it seems that I found a bug:
bad_fork_free_pid()->free_pid() looks wrong. This _can_ explain this trace
afaics, but only in unlikely case...
David, any other reason why ->real_cred can be NULL ? (assuming that I interpret
this asm correctly).
> > [ 512.602559] BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
> > [ 512.602566] IP: check_kill_permission (kernel/signal.c:746 kernel/signal.c:781)
> > [ 512.602576] PGD 4c10d0067 PUD 4c1738067 PMD 0
> > [ 512.602584] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> > [ 512.602612] Dumping ftrace buffer:
> > [ 512.602697] (ftrace buffer empty)
> > [ 512.602704] Modules linked in:
> > [ 512.602708] CPU: 18 PID: 8516 Comm: trinity-watchdo Tainted: G B 3.16.0-next-20140815-sasha-00034-g615561b #1071
> > [ 512.602711] task: ffff8804c1e88000 ti: ffff8804c1290000 task.ti: ffff8804c1290000
> > [ 512.602718] RIP: check_kill_permission (kernel/signal.c:746 kernel/signal.c:781)
> > [ 512.602720] RSP: 0018:ffff8804c1293e00 EFLAGS: 00010246
> > [ 512.602722] RAX: 0000000000000000 RBX: ffff8804c1293ec0 RCX: 0000000000000000
> > [ 512.602723] RDX: ffff880546803000 RSI: ffff8804c1293ec0 RDI: 0000000000000000
> > [ 512.602726] RBP: ffff8804c1293e28 R08: 0000000000000000 R09: 0000000000000000
> > [ 512.602728] R10: 0000000000000000 R11: 0000000000000246 R12: ffff880546803000
> > [ 512.602729] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8804c3fe4200
> > [ 512.602732] FS: 00007fb2ed5e8700(0000) GS:ffff88071c400000(0000) knlGS:0000000000000000
> > [ 512.602735] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > [ 512.602737] CR2: 000000000000001c CR3: 00000004c16ff000 CR4: 00000000000006a0
> > [ 512.602750] DR0: 00000000006f0000 DR1: 0000000000000000 DR2: 0000000000000000
> > [ 512.602753] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> > [ 512.602754] Stack:
> > [ 512.602761] 00000000000026ce 0000000000000000 ffff8804c1293ec0 ffff880546803000
> > [ 512.602769] 0000000000000002 ffff8804c1293e60 ffffffff8c17ccb5 ffffffff8c17cc55
> > [ 512.602777] 00000000000026ce ffff880565319180 0000000000000000 ffff8804c1293ec0
> > [ 512.602779] Call Trace:
> > [ 512.602786] group_send_sig_info (kernel/signal.c:1300)
> > [ 512.602791] ? group_send_sig_info (kernel/signal.c:1296)
> > [ 512.602795] kill_pid_info (kernel/signal.c:1338)
> > [ 512.602800] ? kill_pid_info (kernel/signal.c:1330)
> > [ 512.602805] SYSC_kill (kernel/signal.c:1423 kernel/signal.c:2896)
> > [ 512.602809] ? SYSC_kill (include/linux/rcupdate.h:814 kernel/signal.c:1422 kernel/signal.c:2896)
> > [ 512.602814] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:98 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:183)
> > [ 512.602820] ? trace_hardirqs_on (kernel/locking/lockdep.c:2609)
> > [ 512.602824] ? syscall_trace_enter (include/linux/context_tracking.h:27 arch/x86/kernel/ptrace.c:1461)
> > [ 512.602828] SyS_kill (kernel/signal.c:2886)
> > [ 512.602833] tracesys (arch/x86/kernel/entry_64.S:541)
> > [ 512.602921] Code: 06 00 4d 8b b4 24 38 0a 00 00 65 48 8b 04 25 c0 da 00 00 4c 8b b8 40 0a 00 00 e8 ab e3 06 00 85 c0 0f 85 8b 00 00 00 41 8b 47 24 <41> 8b 56 1c 39 d0 74 60 41 8b 4e 14 39 c8 74 58 41 8b 47 14 39
> > All code
> > ========
> > 0: 06 (bad)
> > 1: 00 4d 8b add %cl,-0x75(%rbp)
> > 4: b4 24 mov $0x24,%ah
> > 6: 38 0a cmp %cl,(%rdx)
> > 8: 00 00 add %al,(%rax)
> > a: 65 48 8b 04 25 c0 da mov %gs:0xdac0,%rax
> > 11: 00 00
> > 13: 4c 8b b8 40 0a 00 00 mov 0xa40(%rax),%r15
> > 1a: e8 ab e3 06 00 callq 0x6e3ca
> > 1f: 85 c0 test %eax,%eax
> > 21: 0f 85 8b 00 00 00 jne 0xb2
> > 27: 41 8b 47 24 mov 0x24(%r15),%eax
> > 2b:* 41 8b 56 1c mov 0x1c(%r14),%edx <-- trapping instruction
> > 2f: 39 d0 cmp %edx,%eax
> > 31: 74 60 je 0x93
> > 33: 41 8b 4e 14 mov 0x14(%r14),%ecx
> > 37: 39 c8 cmp %ecx,%eax
> > 39: 74 58 je 0x93
> > 3b: 41 8b 47 14 mov 0x14(%r15),%eax
> > 3f: 39 00 cmp %eax,(%rax)
> >
> > Code starting with the faulting instruction
> > ===========================================
> > 0: 41 8b 56 1c mov 0x1c(%r14),%edx
> > 4: 39 d0 cmp %edx,%eax
> > 6: 74 60 je 0x68
> > 8: 41 8b 4e 14 mov 0x14(%r14),%ecx
> > c: 39 c8 cmp %ecx,%eax
> > e: 74 58 je 0x68
> > 10: 41 8b 47 14 mov 0x14(%r15),%eax
> > 14: 39 00 cmp %eax,(%rax)
> > [ 512.602927] RIP check_kill_permission (kernel/signal.c:746 kernel/signal.c:781)
> > [ 512.602929] RSP <ffff8804c1293e00>
> > [ 512.602931] CR2: 000000000000001c
> >
> >
> > Thanks,
> > Sasha
next prev parent reply other threads:[~2014-08-20 15:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-20 11:18 kernel: signal: NULL ptr deref when killing process Sasha Levin
2014-08-20 14:12 ` Oleg Nesterov
2014-08-20 15:06 ` Oleg Nesterov [this message]
2014-08-20 15:30 ` Oleg Nesterov
2014-08-21 15:20 ` Sasha Levin
2014-08-21 17:11 ` Oleg Nesterov
2014-08-21 16:22 ` David Howells
2014-08-21 17:17 ` Oleg Nesterov
2014-08-27 3:38 ` Sasha Levin
2014-08-27 14:16 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140820150619.GA12706@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=davej@redhat.com \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=richard@nod.at \
--cc=sasha.levin@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.