Bug 431314 - ptrace: Unprivileged crash on x86_64 %cs corruption
Summary: ptrace: Unprivileged crash on x86_64 %cs corruption
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 8
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Jarod Wilson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2008-1615
Reported: 2008-02-02 17:06 UTC by Jan Kratochvil
Modified: 2008-06-08 17:38 UTC (History)

Fixed In Version: 2.6.24.5-85.fc8
Clone Of:
Environment:
Last Closed: 2008-05-14 16:08:13 UTC
Type: ---
Embargoed:



Description Jan Kratochvil 2008-02-02 17:06:41 UTC
Description of problem:
I accidentally crashed my own x86_64 host as a non-root user there.

Version-Release number of selected component (if applicable):
kernel-2.6.23.14-107.fc8.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. wget http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/x86_64-ia32-tf.c?cvsroot=systemtap
2. gcc -m32 -ggdb2 -o x86_64-ia32-tf x86_64-ia32-tf.c -Wall -D_GNU_SOURCE
3. ./x86_64-ia32-tf

Actual results:
Frozen machine.
The crash reports differ; sometimes the machine hangs with no message at all.
Unable to handle kernel NULL pointer dereference at 0000000000000010 RIP: 
 [<ffffffff810b6dd5>] sync_sb_inodes+0x9d/0x261
PGD 0 
Oops: 0000 [1] SMP 
CPU 1 
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore
nfs nfsd exportfs lockd nfs_acl auth_rpcgss sunrpc ipv6 dm_mirror dm_mod uinput
parport_pc floppy pcspkr 8139too parport sg 8139cp mii sr_mod cdrom ata_piix
ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 171, comm: pdflush Not tainted 2.6.23.14-107.fc8 #1
RIP: 0010:[<ffffffff810b6dd5>]  [<ffffffff810b6dd5>] sync_sb_inodes+0x9d/0x261
RSP: 0018:ffff810017795e20  EFLAGS: 00010283
RAX: ffff81000cb7a1e8 RBX: ffff81000cb7a0c8 RCX: 0000000000000001
RDX: ffff810017795fd8 RSI: 0000000000000001 RDI: ffff81000cb7a0d8
RBP: 0000000000000000 R08: 6000000000000000 R09: ffff810017f3c780
R10: ffff81000d7310d0 R11: 0000000000000001 R12: ffff810017d72400
R13: ffff810017795e80 R14: 0000000000000002 R15: 00000000fffca510
FS:  0000000000000000(0000) GS:ffff810017cb8280(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 0000000011153000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process pdflush (pid: 171, threadinfo ffff810017794000, task ffff81000960c820)
Stack:  0000000000000286 ffff810017d72400 ffff810017d72470 ffff810017795e80
 ffffffffffffffff ffffffff81456820 0000000000000000 ffffffff810b731c
 00000000000014b5 00000000fffcb898 ffff8100095a9d70 ffffffff81078ea2
Call Trace:
 [<ffffffff810b731c>] writeback_inodes+0x93/0xe9
 [<ffffffff81078ea2>] wb_kupdate+0x9c/0x10b
 [<ffffffff810791be>] pdflush+0x0/0x1f3
 [<ffffffff81079307>] pdflush+0x149/0x1f3
 [<ffffffff81078e06>] wb_kupdate+0x0/0x10b
 [<ffffffff810492a0>] kthread+0x47/0x73
 [<ffffffff8100c9e8>] child_rip+0xa/0x12
 [<ffffffff81049259>] kthread+0x0/0x73
 [<ffffffff8100c9de>] child_rip+0x0/0x12


Code: f6 45 10 02 74 2d 48 8b 17 48 8b 47 08 49 8d b4 24 d0 00 00 
RIP  [<ffffffff810b6dd5>] sync_sb_inodes+0x9d/0x261
 RSP <ffff810017795e20>
CR2: 0000000000000010
BUG: soft lockup - CPU#1 stuck for 11s! [pdflush:171]
CPU 1:
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore
nfs nfsd exportfs lockd nfs_acl auth_rpcgss sunrpc ipv6 dm_mirror dm_mod uinput
parport_pc floppy pcspkr 8139too parport sg 8139cp mii sr_mod cdrom ata_piix
ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 171, comm: pdflush Tainted: G      D 2.6.23.14-107.fc8 #1
RIP: 0010:[<ffffffff8125d1c7>]  [<ffffffff8125d1c7>] _spin_lock+0x5/0xf
RSP: 0018:ffff810017795ae0  EFLAGS: 00000286
RAX: 0000000000000000 RBX: ffffffff8137f280 RCX: 0000000000000001
RDX: ffff810011e879b0 RSI: ffffffff8137f280 RDI: ffffffff8137f280
RBP: 00000000ffffffff R08: ffffffff8131ee11 R09: ffffffff81281120
R10: 0000000000000000 R11: ffff8100095aa348 R12: ffff81000960c820
R13: ffff810017795bc8 R14: ffff810017795ad8 R15: 0000000000000016
FS:  0000000000000000(0000) GS:ffff810017cb8280(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 0000000011153000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400

Call Trace:
 [<ffffffff8111dc4d>] _atomic_dec_and_lock+0x39/0x58
 [<ffffffff810ad827>] iput+0x42/0x7b
 [<ffffffff810ab79e>] d_kill+0x21/0x43
 [<ffffffff810ac499>] prune_one_dentry+0x3a/0xee
 [<ffffffff810ac630>] prune_dcache+0xe3/0x163
 [<ffffffff810ac707>] shrink_dcache_parent+0x21/0xe5
 [<ffffffff810d633a>] proc_flush_task+0x5e/0x1f6
 [<ffffffff81039e0b>] release_task+0x331/0x375
 [<ffffffff8103b09f>] do_exit+0x762/0x7e5
 [<ffffffff8125d2b3>] _spin_unlock_irqrestore+0x8/0x9
 [<ffffffff8125f532>] do_page_fault+0x716/0x7e4
 [<ffffffff81078270>] __writepage+0x0/0x23
 [<ffffffff88220fb7>] :nfs:nfs_writepages+0x6f/0x88
 [<ffffffff8125d75d>] error_exit+0x0/0x84
 [<ffffffff810b6dd5>] sync_sb_inodes+0x9d/0x261
 [<ffffffff810b731c>] writeback_inodes+0x93/0xe9
 [<ffffffff81078ea2>] wb_kupdate+0x9c/0x10b
 [<ffffffff810791be>] pdflush+0x0/0x1f3
 [<ffffffff81079307>] pdflush+0x149/0x1f3
 [<ffffffff81078e06>] wb_kupdate+0x0/0x10b
 [<ffffffff810492a0>] kthread+0x47/0x73
 [<ffffffff8100c9e8>] child_rip+0xa/0x12
 [<ffffffff81049259>] kthread+0x0/0x73
 [<ffffffff8100c9de>] child_rip+0x0/0x12

Expected results:
No crash.

Additional info:

Comment 2 Roland McGrath 2008-02-04 09:16:04 UTC
The test program uses struct pt_regs where you want struct user_regs_struct.
You are not poking the eflags slot, but the cs slot.
If there really is a problem with setting TF, please adjust this test so it's
testing that.  For the crash from continuing after setting a bogus cs, please
make a clearer test.  It looks like it hits on any bad cs value, e.g. 0, and I
think also hits upstream kernels.
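
The offset mix-up Roland describes, as an added illustration that is not part of the bug report or the ptrace-tests suite: the i386 layouts of the kernel's struct pt_regs (which had no xgs slot in that era) and glibc's struct user_regs_struct are reproduced here with fixed-width types, so the offsets match the 32-bit ABI even when built on a 64-bit host. Taking the eflags offset from pt_regs and handing it to PTRACE_POKEUSER lands one slot early, on xcs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel-side i386 struct pt_regs of the 2.6.23 era (reproduced for this
 * illustration): note the missing xgs slot between xfs and orig_eax. */
struct i386_pt_regs {
    int32_t ebx, ecx, edx, esi, edi, ebp, eax;
    int32_t xds, xes, xfs;                  /* no xgs here */
    int32_t orig_eax, eip, xcs, eflags, esp, xss;
};

/* glibc's <sys/user.h> struct user_regs_struct for i386: the layout that
 * PTRACE_PEEKUSER/PTRACE_POKEUSER register offsets are defined against. */
struct i386_user_regs_struct {
    int32_t ebx, ecx, edx, esi, edi, ebp, eax;
    int32_t xds, xes, xfs, xgs;
    int32_t orig_eax, eip, xcs, eflags, esp, xss;
};

static const char *const slot_names[] = {
    "ebx", "ecx", "edx", "esi", "edi", "ebp", "eax", "xds", "xes", "xfs",
    "xgs", "orig_eax", "eip", "xcs", "eflags", "esp", "xss",
};

/* Name the user_regs_struct slot a POKEUSER at byte offset `off` would
 * write; NULL if the offset is misaligned or outside the register area. */
const char *user_regs_slot(size_t off)
{
    if (off % sizeof(int32_t) != 0 || off >= sizeof(struct i386_user_regs_struct))
        return NULL;
    return slot_names[off / sizeof(int32_t)];
}

/* The slot actually hit when the eflags offset is taken from pt_regs. */
const char *slot_hit_by_pt_regs_eflags(void)
{
    return user_regs_slot(offsetof(struct i386_pt_regs, eflags));
}

/* The offset a ptracer must use to reach the tracee's eflags. */
size_t correct_eflags_offset(void)
{
    return offsetof(struct i386_user_regs_struct, eflags);
}

int main(void)
{
    printf("pt_regs eflags offset %zu hits user_regs_struct.%s; correct offset is %zu\n",
           offsetof(struct i386_pt_regs, eflags), slot_hit_by_pt_regs_eflags(),
           correct_eflags_offset());
    return 0;
}
```

The defensive rule this shows: compute ptrace register offsets only from struct user_regs_struct (or use PTRACE_GETREGS/SETREGS on the whole struct), never from the kernel's struct pt_regs.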

Comment 3 Jan Kratochvil 2008-02-04 14:04:24 UTC
I assumed struct pt_regs was the same as struct user_regs_struct; mea culpa, and
thanks, it really was corrupting %cs.
The renamed testcase is at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/x86_64-cs.c?cvsroot=systemtap

native i686 kernels: no crash
x86_64 kernels running x86_64 ptracer running x86_64 ptracee: crash
x86_64 kernels running i386   ptracer running i386   ptracee: crash
x86_64 kernels running x86_64 ptracer running i386   ptracee: not tested


Comment 4 Jan Kratochvil 2008-02-04 14:05:59 UTC
Upstream kernel (built as 2.6.21-1.3190.fc7.x86_64) also crashes.


Comment 6 Jan Kratochvil 2008-03-31 15:13:13 UTC
Comment 0 update - the testcase has been renamed:

Steps to Reproduce:
1. wget http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/x86_64-cs.c?cvsroot=systemtap
2. gcc -o x86_64-cs x86_64-cs.c -Wall -ggdb2 -D_GNU_SOURCE
3. ./x86_64-cs


Comment 7 Jarod Wilson 2008-03-31 21:36:03 UTC
Patches committed to latest F8 and F7 kernel cvs.

Comment 8 Jan Kratochvil 2008-06-08 17:38:02 UTC
Verified as fixed on kernel-2.6.25.4-10.fc8.x86_64.


