2022-11-14 06:44:02

by Wei Chen

[permalink] [raw]
Subject: general protection fault in klist_next

Dear Linux Developer,

Recently when using our tool to fuzz kernel, the following crash was
triggered. A similar patch
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=d5ebaa7c5f6f688959e8d40840b2249ede63b8ed
is applied but kernel persists.

HEAD commit: 4fe89d07d Linux 6.0
git tree: upstream
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1mXSQ5T1XpV7jcrxa8nM3XMchyWuY8i01/view?usp=share_link
kernel config: https://drive.google.com/file/d/1ZHRxVTXHL9mENdAPmQYS1DtgbflZ9XsD/view?usp=share_link
C reproducer: https://drive.google.com/file/d/1iaLcMGNX6pL_x0-3Tag_0Qipdr4FrfMN/view?usp=share_link
Syz reproducer:
https://drive.google.com/file/d/15pVBa8YaBuinmQZrxkA1Wx5n8yb4xoo8/view?usp=share_link

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <[email protected]>

Bluetooth: hci0: hardware error 0x00
general protection fault, probably for non-canonical address
0xdffffc000000000b: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
CPU: 0 PID: 51 Comm: kworker/u7:0 Not tainted 6.0.0 #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_error_reset
RIP: 0010:klist_next+0x4a/0x330 lib/klist.c:377
Code: 4c 89 e8 48 c1 e8 03 48 89 44 24 08 42 80 3c 20 00 74 08 4c 89
ef e8 65 77 7d fd 49 8b 5d 00 48 8d 6b 58 48 89 e8 48 c1 e8 03 <42> 80
3c 20 00 74 08 48 89 ef e8 47 77 7d fd 48 8b 6d 00 4d 8d 75
RSP: 0018:ffffc90000a979c0 EFLAGS: 00010202
RAX: 000000000000000b RBX: 0000000000000000 RCX: ffff8880428a2440
RDX: 0000000000000000 RSI: ffffc90000a97a60 RDI: ffffc90000a97a60
RBP: 0000000000000058 R08: ffffffff89442273 R09: ffffffff893b7dec
R10: 0000000000000002 R11: ffff8880428a2440 R12: dffffc0000000000
R13: ffffc90000a97a60 R14: ffff88801f45c000 R15: ffffffff89442390
FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16fc4ac000 CR3: 0000000018532000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
next_device drivers/base/core.c:3756 [inline]
device_find_child+0xb0/0x1c0 drivers/base/core.c:3899
hci_conn_del_sysfs+0x8c/0x180 net/bluetooth/hci_sysfs.c:71
hci_conn_cleanup+0x599/0x750 net/bluetooth/hci_conn.c:147
hci_conn_del+0x2ae/0x3b0 net/bluetooth/hci_conn.c:1022
hci_conn_hash_flush+0x1bd/0x240 net/bluetooth/hci_conn.c:2367
hci_dev_close_sync+0x742/0xd30 net/bluetooth/hci_sync.c:4476
hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
hci_error_reset+0xdb/0x1d0 net/bluetooth/hci_core.c:1050
process_one_work+0x83c/0x11a0 kernel/workqueue.c:2289
worker_thread+0xa6c/0x1290 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:klist_next+0x4a/0x330 lib/klist.c:377
Code: 4c 89 e8 48 c1 e8 03 48 89 44 24 08 42 80 3c 20 00 74 08 4c 89
ef e8 65 77 7d fd 49 8b 5d 00 48 8d 6b 58 48 89 e8 48 c1 e8 03 <42> 80
3c 20 00 74 08 48 89 ef e8 47 77 7d fd 48 8b 6d 00 4d 8d 75
RSP: 0018:ffffc90000a979c0 EFLAGS: 00010202
RAX: 000000000000000b RBX: 0000000000000000 RCX: ffff8880428a2440
RDX: 0000000000000000 RSI: ffffc90000a97a60 RDI: ffffc90000a97a60
RBP: 0000000000000058 R08: ffffffff89442273 R09: ffffffff893b7dec
R10: 0000000000000002 R11: ffff8880428a2440 R12: dffffc0000000000
R13: ffffc90000a97a60 R14: ffff88801f45c000 R15: ffffffff89442390
FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f16fc4ac000 CR3: 0000000018532000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 4c 89 e8 mov %r13,%rax
3: 48 c1 e8 03 shr $0x3,%rax
7: 48 89 44 24 08 mov %rax,0x8(%rsp)
c: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
11: 74 08 je 0x1b
13: 4c 89 ef mov %r13,%rdi
16: e8 65 77 7d fd callq 0xfd7d7780
1b: 49 8b 5d 00 mov 0x0(%r13),%rbx
1f: 48 8d 6b 58 lea 0x58(%rbx),%rbp
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 ef mov %rbp,%rdi
34: e8 47 77 7d fd callq 0xfd7d7780
39: 48 8b 6d 00 mov 0x0(%rbp),%rbp
3d: 4d rex.WRB
3e: 8d .byte 0x8d
3f: 75 .byte 0x75

Best,
Wei


2022-11-14 22:23:20

by Luiz Augusto von Dentz

[permalink] [raw]
Subject: Re: general protection fault in klist_next

Hi,

On Sun, Nov 13, 2022 at 10:34 PM Wei Chen <[email protected]> wrote:
>
> Dear Linux Developer,
>
> Recently when using our tool to fuzz kernel, the following crash was
> triggered. A similar patch
> https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=d5ebaa7c5f6f688959e8d40840b2249ede63b8ed
> is applied but kernel persists.
>
> HEAD commit: 4fe89d07d Linux 6.0
> git tree: upstream
> compiler: clang 12.0.0
> console output:
> https://drive.google.com/file/d/1mXSQ5T1XpV7jcrxa8nM3XMchyWuY8i01/view?usp=share_link
> kernel config: https://drive.google.com/file/d/1ZHRxVTXHL9mENdAPmQYS1DtgbflZ9XsD/view?usp=share_link
> C reproducer: https://drive.google.com/file/d/1iaLcMGNX6pL_x0-3Tag_0Qipdr4FrfMN/view?usp=share_link
> Syz reproducer:
> https://drive.google.com/file/d/15pVBa8YaBuinmQZrxkA1Wx5n8yb4xoo8/view?usp=share_link
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: Wei Chen <[email protected]>
>
> Bluetooth: hci0: hardware error 0x00
> general protection fault, probably for non-canonical address
> 0xdffffc000000000b: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
> CPU: 0 PID: 51 Comm: kworker/u7:0 Not tainted 6.0.0 #35
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> Workqueue: hci0 hci_error_reset
> RIP: 0010:klist_next+0x4a/0x330 lib/klist.c:377
> Code: 4c 89 e8 48 c1 e8 03 48 89 44 24 08 42 80 3c 20 00 74 08 4c 89
> ef e8 65 77 7d fd 49 8b 5d 00 48 8d 6b 58 48 89 e8 48 c1 e8 03 <42> 80
> 3c 20 00 74 08 48 89 ef e8 47 77 7d fd 48 8b 6d 00 4d 8d 75
> RSP: 0018:ffffc90000a979c0 EFLAGS: 00010202
> RAX: 000000000000000b RBX: 0000000000000000 RCX: ffff8880428a2440
> RDX: 0000000000000000 RSI: ffffc90000a97a60 RDI: ffffc90000a97a60
> RBP: 0000000000000058 R08: ffffffff89442273 R09: ffffffff893b7dec
> R10: 0000000000000002 R11: ffff8880428a2440 R12: dffffc0000000000
> R13: ffffc90000a97a60 R14: ffff88801f45c000 R15: ffffffff89442390
> FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f16fc4ac000 CR3: 0000000018532000 CR4: 0000000000752ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <TASK>
> next_device drivers/base/core.c:3756 [inline]
> device_find_child+0xb0/0x1c0 drivers/base/core.c:3899
> hci_conn_del_sysfs+0x8c/0x180 net/bluetooth/hci_sysfs.c:71

Well this trace seems to not match what we have in mainline:

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/tree/net/bluetooth/hci_sysfs.c#n71

I suspect it is missing:

https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/net/bluetooth/hci_sysfs.c?id=448a496f760664d3e2e79466aa1787e6abc922b5

We should probably have it sent to stable though.

> hci_conn_cleanup+0x599/0x750 net/bluetooth/hci_conn.c:147
> hci_conn_del+0x2ae/0x3b0 net/bluetooth/hci_conn.c:1022
> hci_conn_hash_flush+0x1bd/0x240 net/bluetooth/hci_conn.c:2367
> hci_dev_close_sync+0x742/0xd30 net/bluetooth/hci_sync.c:4476
> hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
> hci_error_reset+0xdb/0x1d0 net/bluetooth/hci_core.c:1050
> process_one_work+0x83c/0x11a0 kernel/workqueue.c:2289
> worker_thread+0xa6c/0x1290 kernel/workqueue.c:2436
> kthread+0x266/0x300 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:klist_next+0x4a/0x330 lib/klist.c:377
> Code: 4c 89 e8 48 c1 e8 03 48 89 44 24 08 42 80 3c 20 00 74 08 4c 89
> ef e8 65 77 7d fd 49 8b 5d 00 48 8d 6b 58 48 89 e8 48 c1 e8 03 <42> 80
> 3c 20 00 74 08 48 89 ef e8 47 77 7d fd 48 8b 6d 00 4d 8d 75
> RSP: 0018:ffffc90000a979c0 EFLAGS: 00010202
> RAX: 000000000000000b RBX: 0000000000000000 RCX: ffff8880428a2440
> RDX: 0000000000000000 RSI: ffffc90000a97a60 RDI: ffffc90000a97a60
> RBP: 0000000000000058 R08: ffffffff89442273 R09: ffffffff893b7dec
> R10: 0000000000000002 R11: ffff8880428a2440 R12: dffffc0000000000
> R13: ffffc90000a97a60 R14: ffff88801f45c000 R15: ffffffff89442390
> FS: 0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f16fc4ac000 CR3: 0000000018532000 CR4: 0000000000752ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> ----------------
> Code disassembly (best guess):
> 0: 4c 89 e8 mov %r13,%rax
> 3: 48 c1 e8 03 shr $0x3,%rax
> 7: 48 89 44 24 08 mov %rax,0x8(%rsp)
> c: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
> 11: 74 08 je 0x1b
> 13: 4c 89 ef mov %r13,%rdi
> 16: e8 65 77 7d fd callq 0xfd7d7780
> 1b: 49 8b 5d 00 mov 0x0(%r13),%rbx
> 1f: 48 8d 6b 58 lea 0x58(%rbx),%rbp
> 23: 48 89 e8 mov %rbp,%rax
> 26: 48 c1 e8 03 shr $0x3,%rax
> * 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
> 2f: 74 08 je 0x39
> 31: 48 89 ef mov %rbp,%rdi
> 34: e8 47 77 7d fd callq 0xfd7d7780
> 39: 48 8b 6d 00 mov 0x0(%rbp),%rbp
> 3d: 4d rex.WRB
> 3e: 8d .byte 0x8d
> 3f: 75 .byte 0x75
>
> Best,
> Wei



--
Luiz Augusto von Dentz