BUG: unable to handle kernel paging request in bpf_check
From: Hao Sun
Date: Mon Apr 12 2021 - 02:55:50 EST
Hi
When using Healer(https://github.com/SunHao-0/healer/tree/dev) to fuzz
the Linux kernel, I found the following bug report.
commit: 4ebaab5fb428374552175aa39832abf5cedb916a
version: linux 5.12
git tree: kmsan
kernel config and full log can be found in the attached file.
===============================================
RAX: ffffffffffffffda RBX: 000000000059c080 RCX: 000000000047338d
RDX: 0000000000000078 RSI: 0000000020000940 RDI: 0000000000000005
RBP: 00007f5e3a26dc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000e
R13: 00007ffc52f4d6af R14: 00007ffc52f4d850 R15: 00007f5e3a26ddc0
BUG: unable to handle page fault for address: ffff9b8cc08f1030
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 1810067 P4D 1810067 PUD 1915067 PMD 48cf067 PTE 0
Oops: 0002 [#1] SMP
CPU: 1 PID: 5840 Comm: executor Not tainted 5.12.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:bpf_check+0x27b/0x19d10 kernel/bpf/verifier.c:12574
Code: 18 83 7c 24 08 00 0f 85 35 01 00 00 45 85 f6 0f 8e 3e 01 00 00
49 83 c7 30 4d 85 e4 0f 85 50 06 00 00 4c 89 ff e8 d5 02 5b 00 <c7> 00
00 00 00 00 41 c7 07 00 00 00 00 83 7c 24 08 00 74 17 48 8b
RSP: 0018:ffff938cc09ff860 EFLAGS: 00010286
RAX: ffff9b8cc08f1030 RBX: 0000000000000000 RCX: ffff9b8cc08f1030
RDX: ffffa38cc08f1030 RSI: 0000000000000004 RDI: ffff938cc08f1030
RBP: ffff938cc09ffb80 R08: fffff76f0000000f R09: ffff8960fffd3000
R10: 00000000654ead81 R11: ffff938cc08f1fff R12: 0000000000000000
R13: ffff896093932000 R14: 000000000000000f R15: ffff938cc08f1030
FS: 00007f5e3a26e700(0000) GS:ffff8960ffb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9b8cc08f1030 CR3: 000000003b921005 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
bpf_prog_load kernel/bpf/syscall.c:2214 [inline]
__do_sys_bpf+0x13ee8/0x17290 kernel/bpf/syscall.c:4393
__se_sys_bpf+0x8e/0xa0 kernel/bpf/syscall.c:4351
__x64_sys_bpf+0x4a/0x70 kernel/bpf/syscall.c:4351
do_syscall_64+0xa2/0x120 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x47338d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5e3a26dc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000059c080 RCX: 000000000047338d
RDX: 0000000000000078 RSI: 0000000020000940 RDI: 0000000000000005
RBP: 00007f5e3a26dc90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000e
R13: 00007ffc52f4d6af R14: 00007ffc52f4d850 R15: 00007f5e3a26ddc0
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: ffff9b8cc08f1030
---[ end trace b012a98933d08860 ]---
RIP: 0010:bpf_check+0x27b/0x19d10 kernel/bpf/verifier.c:12574
Code: 18 83 7c 24 08 00 0f 85 35 01 00 00 45 85 f6 0f 8e 3e 01 00 00
49 83 c7 30 4d 85 e4 0f 85 50 06 00 00 4c 89 ff e8 d5 02 5b 00 <c7> 00
00 00 00 00 41 c7 07 00 00 00 00 83 7c 24 08 00 74 17 48 8b
RSP: 0018:ffff938cc09ff860 EFLAGS: 00010286
RAX: ffff9b8cc08f1030 RBX: 0000000000000000 RCX: ffff9b8cc08f1030
RDX: ffffa38cc08f1030 RSI: 0000000000000004 RDI: ffff938cc08f1030
RBP: ffff938cc09ffb80 R08: fffff76f0000000f R09: ffff8960fffd3000
R10: 00000000654ead81 R11: ffff938cc08f1fff R12: 0000000000000000
R13: ffff896093932000 R14: 000000000000000f R15: ffff938cc08f1030
FS: 00007f5e3a26e700(0000) GS:ffff8960ffb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9b8cc08f1030 CR3: 000000003b921005 CR4: 0000000000770ee0
PKRU: 55555554
The following system call sequence (Syzlang format) can reproduce the crash:
# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1
Slowdown:1 Sandbox:none Fault:true FaultCall:0 FaultNth:13 Leak:false
NetInjection:true NetDevices:true NetReset:true Cgroups:true
BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:true USB:true
VhciInjection:true Wifi:true IEEE802154:true Sysctl:true
UseTmpDir:true HandleSegv:true Repro:false Trace:false}
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x1, 0x11,
&(0x7f0000000080)=@raw=[@generic={0x85bfcacaa1b3f3cb, 0xc, 0x2,
0x3a744d9153a2ffae, 0x1}, @map={0x18, 0x4}, @exit, @ldst={0x0, 0x1,
0x3, 0xa, 0x3, 0xfffffffffffffff0, 0xfffffffffffffff0}, @alu={0x7,
0x1, 0xd, 0x1, 0x6, 0x8fcac243c963f2f1, 0xd90b1f944236b1a6},
@map={0x18, 0x8}, @ldst={0x2, 0x0, 0x6, 0xf, 0x1, 0x3, 0x8},
@btf_id={0x18, 0x9, 0x3, 0x0, 0x1}, @map={0x18, 0x3}, @btf_id={0x18,
0x1, 0x3, 0x0, 0x1}, @ldst={0x7, 0x2, 0x6, 0x1, 0x7,
0xffffffffffffffff, 0xec0c69287b0a1d13}, @func={0x85, 0x0, 0x1, 0x0,
0x2d64b0fc82ae77a3}], &(0x7f0000000140)='GPL\x00', 0x1, 0x0, 0x0,
0x41000, 0xe, [], 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10,
0x0}, 0x78)
Using syz-execprog can run this reproduction program directly:
./syz-execprog -repeat 0 -procs 1 -slowdown 1 -fault_call 0
-fault_nth 16 -enable tun -enable netdev -enable resetnet -enable
cgroups -enable binfmt-misc -enable close_fds -enable devlinkpci
-enable usb -enable vhci -enable wifi -enable ieee802154 -enable
sysctl repro.prog
Attachment:
kmsan-config
Description: Binary data
Attachment:
log
Description: Binary data