2020-07-29 12:34:31

by sibingsong

Subject: misaligned vsyscall when vsyscall=emulate

Hello folks,
When I run a vsyscall in my app on CPU 61 or 21 (both are on core 21), it crashes quickly. From the kernel log, CR2 == ffffffffff600500, ip == ffffffffff600400, and CR2 != ip triggered this bug. Has anyone encountered it?
 
CPU: Intel(R) Xeon(R) Gold 6248 CPU @ 2.50GHz
Kernel: 5.8.0-rc7 and 5.7.11
Test code and kernel log are as follows:
 
# cat time.c
#include <time.h>

/* With the static glibc 2.12 used here, time() is a call into the legacy
 * vsyscall page (the ip ffffffffff600400 in the log below), so every
 * iteration of this loop goes through the kernel's vsyscall emulation. */
int main(void)
{
    for (;;) {
        time(NULL);
    }
    return 0;
}
# gcc --static -o time time.c (with glibc 2.12, which uses vsyscall)
# taskset -c 61 ./time
Segmentation fault (core dumped)
 
Jul 29 17:06:13 hb10-uhost-147-68 kernel: ------------[ cut here ]------------
Jul 29 17:06:13 hb10-uhost-147-68 kernel: WARNING: CPU: 61 PID: 13044 at arch/x86/entry/vsyscall/vsyscall_64.c:151 emulate_vsyscall+0x31e/0x3f0
Jul 29 17:06:13 hb10-uhost-147-68 kernel: Modules linked in: mlx5_ib ib_uverbs ib_core mlx5_core mlxfw ptp pps_core pci_hyperv_intf nbd ebtable_filter ebtables ip6table_filter ip6_tables bonding esp6_offload esp6 esp4_offload esp4 act_gact cls_flower sch_ingress ip_gre ip_tunnel gre openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 skx_edac nfit x86_pkg_temp_thermal intel_powerclamp iptable_filter iTCO_wdt coretemp
iTCO_vendor_support crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper rapl intel_cstate ses enclosure mei_me lpc_ich i2c_i801 pcspkr sg input_leds joydev mfd_core i2c_smbus mei ioatdma dca wmi acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad vhost_net tun vhost nfsd vhost_iotlb tap kvm_intel auth_rpcgss kvm nfs_acl lockd grace irqbypass sunrpc ip_tables xfs libcrc32c sd_mod t10_pi crc32c_intel ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm_ttm_helper smartpqi ttm
Jul 29 17:06:13 hb10-uhost-147-68 kernel: scsi_transport_sas ahci libahci drm libata [last unloaded: mlxfw]
Jul 29 17:06:13 hb10-uhost-147-68 kernel: CPU: 61 PID: 13044 Comm: time Kdump: loaded Not tainted 5.8.0-rc7 #3
Jul 29 17:06:13 hb10-uhost-147-68 kernel: Hardware name: H3C R4900 G3/RS33M2C9S, BIOS 2.00.37P21 03/12/2020
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RIP: 0010:emulate_vsyscall+0x31e/0x3f0
Jul 29 17:06:13 hb10-uhost-147-68 kernel: Code: 48 89 df e8 44 fb 0f 00 e9 60 fe ff ff 48 8b 6b 60 48 c7 43 60 00 00 00 00 48 89 df e8 5b c1 08 00 48 89 6b 60 e9 43 fe ff ff <0f> 0b e9 20 fd ff ff 48 c7 c2 e0 b5 0b 82 48 89 de 48 c7 c7 6d b4
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RSP: 0000:ffffc9000ea57eb0 EFLAGS: 00010287
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RAX: 0000000000000004 RBX: ffffc9000ea57f58 RCX: 0000000000000010
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RDX: 0000000000000000 RSI: ffffc9000ea57f58 RDI: 0000000000000010
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RBP: ffffffffff600500 R08: ffffffffff600000 R09: 0000000000000000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015
Jul 29 17:06:13 hb10-uhost-147-68 kernel: R13: ffffffffff600500 R14: ffff88ff6c90bd00 R15: ffff88ff7d702c00
Jul 29 17:06:13 hb10-uhost-147-68 kernel: FS:  000000000236d860(0000) GS:ffff88ff7f940000(0000) knlGS:0000000000000000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 29 17:06:13 hb10-uhost-147-68 kernel: CR2: ffffffffff600500 CR3: 000000457dbac006 CR4: 00000000007606e0
Jul 29 17:06:13 hb10-uhost-147-68 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jul 29 17:06:13 hb10-uhost-147-68 kernel: PKRU: 55555554
Jul 29 17:06:13 hb10-uhost-147-68 kernel: Call Trace:
Jul 29 17:06:13 hb10-uhost-147-68 kernel: exc_page_fault+0x423/0x600
Jul 29 17:06:13 hb10-uhost-147-68 kernel: ? __prepare_exit_to_usermode+0x13b/0x150
Jul 29 17:06:13 hb10-uhost-147-68 kernel: ? asm_exc_page_fault+0x8/0x30
Jul 29 17:06:13 hb10-uhost-147-68 kernel: asm_exc_page_fault+0x1e/0x30
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RIP: 0033:__init_scratch_end+0x7b600400/0xffffffffffa26000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: Code: Bad RIP value.
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RSP: 002b:00007ffc9d93f5d8 EFLAGS: 00010202
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RAX: ffffffffff600400 RBX: 0000000000400e00 RCX: 000000000040d710
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RDX: 0000000000000000 RSI: 00007ffc9d93f5b0 RDI: 0000000000000000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: RBP: 00007ffc9d93f5f0 R08: 00007ffc9d93f410 R09: 000000000000003f
Jul 29 17:06:13 hb10-uhost-147-68 kernel: R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jul 29 17:06:13 hb10-uhost-147-68 kernel: ---[ end trace 3576570f773d1444 ]---
Jul 29 17:06:13 hb10-uhost-147-68 kernel: time[13044] misaligned vsyscall (exploit attempt or buggy program) -- look up the vsyscall kernel parameter if you need a workaround ip:ffffffffff600400 cs:33 sp:7ffc9d93f5d8 ax:ffffffffff600400 si:7ffc9d93f5b0 di:0
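Added example, not part of sibingsong's post and not code from the Linux tree: a small user-space C program that pulls CR2 and ip out of the two log lines above and applies the decode that emulate_vsyscall() in arch/x86/entry/vsyscall/vsyscall_64.c performs on the faulting address, as I read the 5.8 source (the address must be in the vsyscall page, bits 10..11 select slot 0 gettimeofday, 1 time, 2 getcpu, anything else is "misaligned", and the decision is taken on the fault address, with ip only compared against it). It shows why ffffffffff600500 is rejected although ip ffffffffff600400 is the legitimate time() entry. All function and enum names are this example's own, not kernel identifiers.

```c
/* Added example: user-space re-implementation of the vsyscall address decode,
 * written from my reading of the 5.8 emulate_vsyscall() path. Not kernel code;
 * names are this example's own. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VSYSCALL_ADDR      0xffffffffff600000ULL
#define VSYSCALL_PAGE_MASK (~0xFFFULL)

enum verdict { VS_EMULATED = 0, VS_MISALIGNED = 1, VS_NOT_VSYSCALL = 2 };

/* Slot number for an address in the vsyscall page, or -1 if misaligned:
 * only page offsets 0x000, 0x400 and 0x800 are valid entry points. */
int vsyscall_nr_of(uint64_t addr)
{
    if ((addr & ~0xC00ULL) != VSYSCALL_ADDR)
        return -1;
    int nr = (int)((addr & 0xC00ULL) >> 10);
    return nr >= 3 ? -1 : nr;
}

/* What the emulation path decides for an instruction-fetch fault at cr2 with
 * user rip. The decode runs on cr2 (the fault address); rip is only compared
 * against it, which is the WARN_ON_ONCE seen in the trace above. */
enum verdict vsyscall_verdict(uint64_t cr2, uint64_t rip, int *nr, int *cr2_ne_ip)
{
    *cr2_ne_ip = (cr2 != rip);
    *nr = -1;
    if ((cr2 & VSYSCALL_PAGE_MASK) != VSYSCALL_ADDR)
        return VS_NOT_VSYSCALL;   /* ordinary page fault, no emulation at all */
    *nr = vsyscall_nr_of(cr2);
    return *nr < 0 ? VS_MISALIGNED : VS_EMULATED;
}

/* Pull the "ip:<hex>" field out of a warn_bad_vsyscall() log line. */
int parse_vsyscall_ip(const char *line, uint64_t *ip)
{
    const char *p = strstr(line, " ip:");
    return p && sscanf(p + 4, "%" SCNx64, ip) == 1;
}

/* Pull CR2 out of the register-dump line "CR2: <hex> CR3: ...". */
int parse_cr2(const char *line, uint64_t *cr2)
{
    const char *p = strstr(line, "CR2: ");
    return p && sscanf(p + 5, "%" SCNx64, cr2) == 1;
}

int main(void)
{
    /* The two relevant lines from the log above, syslog prefix dropped. */
    const char *cr2_line  = "CR2: ffffffffff600500 CR3: 000000457dbac006 CR4: 00000000007606e0";
    const char *warn_line = "time[13044] misaligned vsyscall (exploit attempt or buggy program) "
                            "-- look up the vsyscall kernel parameter if you need a workaround "
                            "ip:ffffffffff600400 cs:33 sp:7ffc9d93f5d8 ax:ffffffffff600400 si:7ffc9d93f5b0 di:0";
    static const char *names[] = { "gettimeofday", "time", "getcpu" };
    uint64_t cr2, ip;
    int nr, mismatch;

    if (!parse_cr2(cr2_line, &cr2) || !parse_vsyscall_ip(warn_line, &ip))
        return 1;

    enum verdict v = vsyscall_verdict(cr2, ip, &nr, &mismatch);
    printf("cr2=%#" PRIx64 " ip=%#" PRIx64 " cr2!=ip:%d -> ", cr2, ip, mismatch);
    if (v == VS_EMULATED)
        printf("emulate vsyscall %d (%s)\n", nr, names[nr]);
    else if (v == VS_MISALIGNED)
        printf("misaligned, SIGSEGV; ip alone would decode to slot %d\n", vsyscall_nr_of(ip));
    else
        printf("not in the vsyscall page\n");
    return 0;
}
```

For the values in this report the program reports cr2!=ip:1, misaligned, and that ip alone would decode to slot 1 (time), which is the combination the WARN plus the "misaligned vsyscall" message describe.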