From: Dmitry Vyukov <dvyukov@google.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
LKML <linux-kernel@vger.kernel.org>,
Andrew Lutomirski <luto@kernel.org>,
Ingo Molnar <mingo@redhat.com>, X86 ML <x86@kernel.org>,
Jann Horn <jannh@google.com>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: general protection fault in syscall_return_slowpath
Date: Mon, 9 Mar 2020 09:34:25 +0100 [thread overview]
Message-ID: <CACT4Y+YX72sz2LsqQOTQ=TdDK_f7zURjA9j9VyYwj7GgLrajkQ@mail.gmail.com> (raw)
In-Reply-To: <87eeu28zzl.fsf@nanos.tec.linutronix.de>
On Sun, Mar 8, 2020 at 7:26 PM Thomas Gleixner <tglx@linutronix.de> wrote:
>
> Andy Lutomirski <luto@kernel.org> writes:
> > On Sat, Mar 7, 2020 at 11:45 PM syzbot
> > <syzbot+cd66e43794b178bb5cd6@syzkaller.appspotmail.com> wrote:
> > $ make -j4
> > tools/syz-env/env.go:14:2: cannot find package
> > "github.com/google/syzkaller/pkg/osutil" in any of:
> >
> > I'm sure that if I actually understood Go's delightful packaging
> > system, I could reverse engineer your build system and figure out how
> > to make it work. But perhaps you could document the build process?
> > Or maybe make 'make' just work?
> >
> > For kicks, I tried this:
> >
> > $ mkdir -p src/github.com/google
> > $ ln -sr . src/github.com/google/syzkaller
> > $ GOPATH=`/bin/pwd` make
> > GOOS=linux GOARCH=amd64 go install ./syz-manager
> > go install: no install location for directory
> > /home/luto/apps/syzkaller/syz-manager outside GOPATH
> >
> > Are there instructions for just building syzkaller? I don't want to
> > install it, I don't want to fuzz my kernel -- I just want to run your
> > reproducer.
>
> https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>
> That's how I build the binaries:
>
> mkdir foo
> export GOPATH=$HOME/foo
>
> cd foo
> go get -u -d github.com/google/syzkaller/...
> cd src/github.com/google/syzkaller
> make
> cp bin/linux_amd64/syz-execprog bin/linux_amd64/syz-executor $GOPATH
>
> Of course you can build it somewhere and scp the executables to a test box.
>
> And then to run it
>
> cd $GOPATH
> wget -O repro.syz https://syzkaller.appspot.com/x/repro.syz?x=12a42329e00000
> ./syz-execprog -procs 6 -repeat 0 -collide -disable none repro.syz
>
> The command line options are a bit tedious as you have to look them up
> in the comment in repro.syz.
>
> A scripts which converts that comment into command line options or
> syz-execprog simply taking it from repro.syz would indeed be handy.
>
> A kernel with the config provided in the report and running that
> reproducer is still not reproducing with a runtime of 8hrs+ :(
>
> Thanks,
>
> tglx
I see the repro opens /dev/fb0, so this may be related to the exact
type of framebuffer on the machine. That's what Jann tried to figure
out.
There is a plenty of open bugs on dashboard related to fb/tty, just
doing a quick grep based on titles:
https://syzkaller.appspot.com/upstream
BUG: unable to handle kernel paging request in
drm_fb_helper_dirty_work 7 4d20h 90d
BUG: unable to handle kernel paging request in vga16fb_imageblit 1 74d 73d
divide error in fbcon_switch C cause 141 3d15h 96d
general protection fault in fbcon_cursor C cause 12 13h48m 87d
general protection fault in fbcon_fb_blanked 3 88d 90d
general protection fault in fbcon_invert_region 1 49d 48d
general protection fault in fbcon_modechanged 3 89d 90d
INFO: task hung in do_fb_ioctl 6 36d 57d
INFO: task hung in fb_compat_ioctl 1 87d 87d
INFO: task hung in fb_open C cause 171 1h06m 96d
INFO: task hung in fb_release C cause 23 2d12h 77d
INFO: task hung in release_tty 3 6d16h 62d
INFO: task hung in tty_ldisc_hangup C cause 15 17d 92d
INFO: trying to register non-static key in hci_uart_tty_receive (2) 1 103d 99d
KASAN: global-out-of-bounds Read in fbcon_get_font C cause 19 7d06h 90d
KASAN: global-out-of-bounds Read in fb_pad_aligned_buffer C cause 5 4d22h 92d
KASAN: global-out-of-bounds Read in vga16fb_imageblit C cause 225 1d11h 96d
KASAN: slab-out-of-bounds Read in fbcon_get_font C cause 42 5d04h 96d
KASAN: slab-out-of-bounds Read in fb_pad_aligned_buffer 4 9d00h 48d
KASAN: slab-out-of-bounds Write in fbcon_scroll 1 75d 73d
KASAN: use-after-free Read in fbcon_cursor syz cause 3 41d 84d
KASAN: use-after-free Read in fb_mode_is_equal syz cause 70 5h49m 92d
KASAN: use-after-free Read in tty_open C cause 7 42d 96d
KASAN: use-after-free Write in release_tty C cause 544 4h01m 96d
KASAN: vmalloc-out-of-bounds Read in drm_fb_helper_dirty_work 1 80d 80d
KASAN: vmalloc-out-of-bounds Write in drm_fb_helper_dirty_work 2 64d 76d
KCSAN: data-race in echo_char / n_tty_receive_buf_common 11 21d 125d
KMSAN: kernel-infoleak in tty_compat_ioctl C 81 2h17m 14d
memory leak in tty_init_dev C 3 121d 192d
possible deadlock in n_tty_receive_buf_common C cause 585 1h18m 23d
possible deadlock in tty_port_close_start C cause 4 9d18h 25d
WARNING in dlfb_submit_urb/usb_submit_urb C 190 8d23h 251d
So if you don't see something obvious here, it may be not worth
spending more time until these, more obvious ones are fixed. This may
be a previous silent memory corruption that wasn't caught by KASAN.
next prev parent reply other threads:[~2020-03-09 8:34 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-08 7:45 general protection fault in syscall_return_slowpath syzbot
2020-03-08 16:13 ` Andy Lutomirski
2020-03-08 16:37 ` Borislav Petkov
2020-03-08 18:26 ` Thomas Gleixner
2020-03-09 8:34 ` Dmitry Vyukov [this message]
2020-03-09 18:26 ` Eric Biggers
2020-03-10 5:41 ` Dmitry Vyukov
2020-03-09 8:42 ` Dmitry Vyukov
2020-03-08 16:29 ` Andy Lutomirski
2020-03-12 13:34 ` Dan Carpenter
2020-03-08 17:20 ` Jann Horn
2020-03-08 18:00 ` syzbot
2020-03-08 18:35 ` Jann Horn
2020-03-08 21:57 ` syzbot
2020-03-09 8:20 ` Dmitry Vyukov
2020-03-10 6:15 ` Nathan Chancellor
2020-03-10 8:10 ` Dmitry Vyukov
2020-06-14 8:03 ` Dmitry Vyukov
2020-06-15 7:57 ` Jann Horn
2020-08-15 10:18 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACT4Y+YX72sz2LsqQOTQ=TdDK_f7zURjA9j9VyYwj7GgLrajkQ@mail.gmail.com' \
--to=dvyukov@google.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.