Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp249632pxk; Wed, 23 Sep 2020 02:05:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzTD1ghPYRbElWdPlAxvAtRC9gN95uNkbvo+9VEmIFjsJZhW6on9Jop10zBf6jp43J4gBBK X-Received: by 2002:a17:906:4bc4:: with SMTP id x4mr9550698ejv.240.1600851925140; Wed, 23 Sep 2020 02:05:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600851925; cv=none; d=google.com; s=arc-20160816; b=jLQqs6c+locWwVVcnN68CUVLDMEH7AF0iGRFGk+4CzTmNwifi/ZENz1bUKBz1auqEN l6YGvLbKQoX39d2LZXagKLOpL9A+lGD06sIooLVkLV1rYwUQ3IDQkDJM4o3iZV1cvpTh ChjcTc5iWbMz5dBvbjgWuL93e62lPvgC+yhHfDR2S31yGLgjq/inRRrC+o4Af4gdPSnM DksaA+er7DaM8Bo60YWgP5QEJXdoLMuzmtwuWshjlt6UnFdummiJdlx3dN4LLDhAlb5G DJ8QzKK3ZhFxXhNvXkx17YrWVy+00NLbuY+K3bF8i6F+W1I/UgdKh+AQNBSte1Uf8UCv uLJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=5y0yEgZ5tV+QcahBXtAX02EmqN9T8yvCetF3399N5r0=; b=x2i3WEDFv1Wp1bsdQTPPqvsBWflll1VEuWTCO4P1VY/aVtEGmaxV40tIqDMtlRNt1o /Z6eA8qsrylBnI+9gXT+ADcWaDBWi7P2b4+tNnbnG6b0kdZL7iwKT5FVA9QepjtULIyU H5JTI9J3+6zy99BvW3ljV5miTJQasPCd29nyT5AYKm++pEq6MBqYrmxN7ZDIjIqqzUjv WNulr0xMJdT+LgFhu8AK2hWZc54LgmxA24T9M3aLlK2i9w3T2Jwx50+wGvWt30ir+Krp Kfl3a/jwQrT/D6fMUOxAb3RF5Lcmslpk6kH3DYgX1LbBnMCmXkMIXCs3FIi7az+pRfLQ vWSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@alien8.de header.s=dkim header.b=qx2Y+7fs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a12si12172599ejx.584.2020.09.23.02.05.00; Wed, 23 Sep 2020 02:05:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@alien8.de header.s=dkim header.b=qx2Y+7fs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alien8.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726315AbgIWJDo (ORCPT + 99 others); Wed, 23 Sep 2020 05:03:44 -0400 Received: from mail.skyhub.de ([5.9.137.197]:45162 "EHLO mail.skyhub.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726178AbgIWJDo (ORCPT ); Wed, 23 Sep 2020 05:03:44 -0400 Received: from zn.tnic (p200300ec2f0d1300e5068c8a3292d31d.dip0.t-ipconnect.de [IPv6:2003:ec:2f0d:1300:e506:8c8a:3292:d31d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id 0A7B11EC0286; Wed, 23 Sep 2020 11:03:43 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alien8.de; s=dkim; t=1600851823; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:in-reply-to:in-reply-to: references:references; bh=5y0yEgZ5tV+QcahBXtAX02EmqN9T8yvCetF3399N5r0=; b=qx2Y+7fsY28Q95lSrTI2F8Zaqn5TkAEG0aAjmwtovvEVcvVFGMk6kvu5rjnZyLkX1iw//T BePUYvRhKe6Y7+qInCPI9kzaNZvwdOcarlribSEJZhZRiAdZDjEbRjeZaEgpb0X1rEbVkW l8DOT/8qo2qyPw9Pq8jMtj9xl8qiePM= Date: Wed, 23 Sep 2020 11:03:36 +0200 From: Borislav Petkov To: Nick Desaulniers Cc: Josh Poimboeuf , Dmitry Vyukov , syzbot , Arnaldo Carvalho de Melo , Alexander Shishkin , "H. Peter Anvin" , Jiri Olsa , LKML , Mark Rutland , Ingo Molnar , Namhyung Kim , Peter Zijlstra , syzkaller-bugs , Thomas Gleixner , the arch/x86 maintainers , clang-built-linux Subject: Re: general protection fault in perf_misc_flags Message-ID: <20200923090336.GD28545@zn.tnic> References: <00000000000052569205afa67426@google.com> <20200919110831.GD7462@zn.tnic> <20200921221336.GN5901@zn.tnic> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 22, 2020 at 11:56:04AM -0700, Nick Desaulniers wrote: > So I think there's an issue with "deterministically reproducible." > The syzcaller report has: > > > Unfortunately, I don't have any reproducer for this issue yet. Yeah, Dmitry gave two other links of similar reports, the first one works for me: https://syzkaller.appspot.com/bug?extid=1dccfcb049726389379c and that one doesn't have a reproducer either. The bytes look familiar though: Code: c1 e8 03 42 80 3c 20 00 74 05 e8 79 7a a7 00 49 8b 47 10 48 89 05 f6 d8 ef 09 49 8d 7f 08 48 89 f8 48 c1 e8 03 42 80 3c 00 00 <00> 00 e8 57 7a a7 00 49 8b 47 08 48 89 05 dc d8 ef 09 49 8d 7f 18 All code ======== 0: c1 e8 03 shr $0x3,%eax 3: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 8: 74 05 je 0xf a: e8 79 7a a7 00 callq 0xa77a88 f: 49 8b 47 10 mov 0x10(%r15),%rax 13: 48 89 05 f6 d8 ef 09 mov %rax,0x9efd8f6(%rip) # 0x9efd910 1a: 49 8d 7f 08 lea 0x8(%r15),%rdi 1e: 48 89 f8 mov %rdi,%rax 21: 48 c1 e8 03 shr $0x3,%rax 25: 42 80 3c 00 00 cmpb $0x0,(%rax,%r8,1) 2a:* 00 00 add %al,(%rax) <-- trapping instruction 2c: e8 57 7a a7 00 callq 0xa77a88 31: 49 8b 47 08 mov 0x8(%r15),%rax 35: 48 89 05 dc d8 ef 09 mov %rax,0x9efd8dc(%rip) # 0x9efd918 3c: 49 8d 7f 18 lea 0x18(%r15),%rdi 4 zero bytes again. And that .config has kasan stuff enabled too so could the failure be related to having kasan stuff enabled and it messing up offsets? That is, provided this is the mechanism how it would happen. We still don't know what and when wrote those zeroes in there. Not having a reproducer is nasty but looking at those reports above and if I'm reading this correctly, rIP points to RIP: 0010:update_pvclock_gtod arch/x86/kvm/x86.c:1743 [inline] each time and the URL says they're 9 crashes total. And each have happened at that rIP. So all we'd need is set a watchpoint when that address is being written and dump stuff. Dmitry, can the syzkaller do debugging stuff like that? > Following my hypothesis about having a bad address calculation; the > tricky part is I'd need to look through the relocations and try to see > if any could resolve to the address that was accidentally modified. I > suspect objtool could be leveraged for that; If you can find this at compile time... > maybe it could check whether each `struct jump_entry`'s `target` > member referred to either a NOP or a CMP, and error otherwise? (Do we > have other non-NOP or CMP targets? IDK) Follow jump_label_transform() - it does verify what it is going to patch. And while I'm looking at this, I realize that the jump labels patch 5 bytes but the above zeroes are 4 bytes. In the other opcode bytes I decoded it is 4 bytes too. So this might not be caused by the jump labels patching... > This hypothesis might also be incorrect, and thus would be chasing a > red herring...not really sure how else to pursue debugging this. Yeah, this one is tricky to debug. -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette