From: Vegard Nossum <vegard.nossum@gmail.com>
To: David Howells <dhowells@redhat.com>
Cc: zer0mem@yahoo.com, Greg KH <gregkh@linuxfoundation.org>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [zer0mem@yahoo.com: [oss-security] panic at big_key_preparse #4.7-r6/rc7 & master]
Date: Tue, 26 Jul 2016 11:17:54 +0200
Message-ID: <CAOMGZ=HZkPia5q8m7dOeLoOB40qqe5W22qdV6aReQNi8GgsGDg@mail.gmail.com>
In-Reply-To: <26504.1469519104@warthog.procyon.org.uk>
On 26 July 2016 at 09:45, David Howells <dhowells@redhat.com> wrote:
> <zer0mem@yahoo.com> wrote:
>
>> If you will have no luck to repro issue, I will take a deeper look at it at
>> Friday and let you know asap
>
> Can you find out the line on which the crash happens? Load vmlinux into
If you pipe the Code: from the original report into decodecode you get:
$ echo "Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 89 f1 98 ff 4c 8b 25 32 cb
47 02 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 48 48 89 fa 48 c1 ea
03 <80> 3c 02 00 0f 85 78 03 00 00 4d 8b 64 24 48 48 b8 00 00 00 00" |
scripts/decodecode
Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 89 f1 98 ff 4c 8b 25 32 cb 47 02
48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 78 03 00 00 4d 8b 64 24 48 48 b8 00 00 00 00
All code
========
0: 5c pop %rsp
1: 41 5d pop %r13
3: 41 5e pop %r14
5: 41 5f pop %r15
7: 5d pop %rbp
8: c3 retq
9: e8 89 f1 98 ff callq 0xffffffffff98f197
e: 4c 8b 25 32 cb 47 02 mov 0x247cb32(%rip),%r12 # 0x247cb47
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 49 8d 7c 24 48 lea 0x48(%r12),%rdi
24: 48 89 fa mov %rdi,%rdx
27: 48 c1 ea 03 shr $0x3,%rdx
2b:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2f: 0f 85 78 03 00 00 jne 0x3ad
35: 4d 8b 64 24 48 mov 0x48(%r12),%r12
3a: 48 rex.W
3b: b8 00 00 00 00 mov $0x0,%eax
I find only two places that plausibly match this:
372: 5b pop %rbx
373: 41 5c pop %r12
375: 41 5d pop %r13
377: 41 5e pop %r14
379: 41 5f pop %r15
37b: 5d pop %rbp
37c: c3 retq
37d: 4c 8b 2d 00 00 00 00 mov 0x0(%rip),%r13 # 384 <big_key_preparse+0x164>
384: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38b: fc ff df
38e: 49 8d 7d 48 lea 0x48(%r13),%rdi
392: 48 89 fa mov %rdi,%rdx
395: 48 c1 ea 03 shr $0x3,%rdx
399: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
39d: 0f 85 94 02 00 00 jne 637 <big_key_preparse+0x417>
3a3: 4d 8b 6d 48 mov 0x48(%r13),%r13
3a7: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
3ae: fc ff df
(this is most likely it since it matches with the pops+ret as well)
and
47d: 4c 8b 25 00 00 00 00 mov 0x0(%rip),%r12 # 484 <big_key_preparse+0x264>
484: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
48b: fc ff df
48e: 49 8d 7c 24 48 lea 0x48(%r12),%rdi
493: 48 89 fa mov %rdi,%rdx
496: 48 c1 ea 03 shr $0x3,%rdx
49a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
49e: 0f 85 04 02 00 00 jne 6a8 <big_key_preparse+0x488>
4a4: 49 8b 44 24 48 mov 0x48(%r12),%rax
4a9: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
4b0: fc ff df
That's:
$ addr2line -e security/keys/big_key.o -i 399
include/linux/crypto.h:628
include/linux/crypto.h:1188
security/keys/big_key.c:143
$ addr2line -e security/keys/big_key.o -i 49a
include/crypto/rng.h:112
include/crypto/rng.h:143
include/crypto/rng.h:160
security/keys/big_key.c:84
security/keys/big_key.c:160
Keep in mind that the faulting dereference is a byte comparison
(whereas the dereferences pointed to by those lines should all be
wider) and in fact comes from KASAN itself (KASAN_INLINE). So the
important thing to look for here is probably the dereference offset
0x48(%r12) which corresponds to the crypto_tfm->__crt_alg dereference,
and you see that %r12 is 0 which probably means the tfm is NULL.
Vegard
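The analysis above walks from the oops "Code:" bytes to the guarded pointer by hand: the trapping cmpb is the inline KASAN shadow check, %rdx holds the accessed address shifted right by 3, and %rax holds the shadow offset 0xdffffc0000000000 seen in the movabs. The script below is an added example, not code from this thread or from the kernel tree. It parses a "Code:" line to find the trapping byte offset (the one decodecode marks with <..>) and inverts the shadow mapping to recover the address being checked and the object base it was derived from. The KASAN_SHADOW_OFFSET and scale shift come from the decoded instructions on the page; the %rdx/%rax register values fed to the function are constructed for illustration (the thread only reports that %r12 was 0 and the field offset was 0x48), as are the sample inputs.

```python
#!/usr/bin/env python3
"""Recover the pointer guarded by an inline-KASAN shadow check from an oops.

Added example, not part of the mailing-list thread.  Given the "Code:" line
of an x86-64 oops and the register values one would read from the same oops,
it reports (1) the byte offset of the trapping instruction and (2) the
address the KASAN instrumentation was checking, by inverting
    shadow = (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET
which is exactly what 'shr $0x3,%rdx; cmpb $0x0,(%rdx,%rax,1)' computes.
"""
from typing import Dict, Tuple

# Values taken from the decoded instructions in the thread: the movabs
# immediate and the shr count.
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
MASK64 = (1 << 64) - 1

# Constructed sample input: the "Code:" line quoted in the thread, joined
# onto one line exactly as the oops prints it (the <..> marks the trap).
CODE_LINE = (
    "Code: 5c 41 5d 41 5e 41 5f 5d c3 e8 89 f1 98 ff 4c 8b 25 32 cb 47 02 "
    "48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 48 48 89 fa 48 c1 ea 03 <80> "
    "3c 02 00 0f 85 78 03 00 00 4d 8b 64 24 48 48 b8 00 00 00 00"
)


def parse_code_line(line: str) -> Tuple[bytes, int]:
    """Return (code bytes, offset of the trapping byte) for an oops Code: line.

    The offset is what decodecode prints before the '*' (0x2b here), so it
    can be matched directly against an objdump of the suspect object file.
    """
    tokens = line.split()
    if tokens and tokens[0] == "Code:":
        tokens = tokens[1:]
    out = bytearray()
    trap = -1
    for tok in tokens:
        if tok.startswith("<") and tok.endswith(">"):
            trap = len(out)
            tok = tok[1:-1]
        out.append(int(tok, 16))
    if trap < 0:
        raise ValueError("no <..> trapping-instruction marker in Code: line")
    return bytes(out), trap


def shadow_to_addr(shadow: int) -> int:
    """Invert the KASAN shadow mapping used by the inline check."""
    return ((shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT) & MASK64


def guarded_pointer(rdx: int, rax: int) -> int:
    """For 'cmpb $0x0,(%rdx,%rax,1)' the shadow byte address is rdx + rax;
    map it back to the kernel address KASAN was about to validate."""
    return shadow_to_addr((rdx + rax) & MASK64)


def explain_fault(rdx: int, rax: int, field_offset: int) -> Dict[str, int]:
    """Describe the checked access: the address itself and the object base
    obtained by subtracting the field offset seen in the 'lea'."""
    access = guarded_pointer(rdx, rax)
    base = (access - field_offset) & MASK64
    return {"access": access, "base": base, "base_is_null": int(base == 0)}


if __name__ == "__main__":
    code, trap = parse_code_line(CODE_LINE)
    print(f"{len(code)} code bytes, trapping instruction at offset {trap:#x}")
    # Constructed register values consistent with the thread's reading
    # (%r12 == 0, so %rdi = 0x48 and %rdx = 0x48 >> 3 = 9).
    info = explain_fault(rdx=0x9, rax=KASAN_SHADOW_OFFSET, field_offset=0x48)
    print(f"checked address {info['access']:#x}, object base {info['base']:#x}, "
          f"NULL base: {bool(info['base_is_null'])}")
```

With the register values shown, the recovered access is 0x48 and the object base is 0, matching the conclusion that the tfm pointer loaded into %r12 was NULL and the faulting instruction is KASAN's own shadow probe rather than the crypto_tfm->__crt_alg load that follows it.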