authorJann Horn <jannh@google.com>2020-01-14 22:21:57 +0100
committerDmitry Vyukov <dvyukov@google.com>2020-01-15 16:06:40 +0100
commit069a5a4486fb7cae0cb63d04d4799839a497a70b (patch)
tree930854ea534730568760ddc676e1382c8632ad28 /pkg
parentb67897d4d1e0adbe963dd3bf9ed797586aa88fd1 (diff)
pkg/report: add pattern for Linux #SS faults
On X86-64, dereferencing a non-canonical address normally causes a #GP, for which syzkaller already has a pattern. However, if the base register of the non-canonical address is RBP (which can happen in builds that use RBP as a general-purpose register because they don't use frame pointer unwinding), #SS is thrown instead, for which syzkaller did not yet have a pattern. To see this kind of fault, you can insert the following code in kernel_init() after the call to rcu_end_inkernel_boot(): asm volatile( "movabs $0x8000000000000000, %rbp\n\t" "movq (%rbp), %rax\n\t" "ud2\n\t" ); Linux prints a different error message for #SS, so add that error message to syzkaller's list of patterns.
Diffstat (limited to 'pkg')
-rw-r--r--pkg/report/linux.go17
-rw-r--r--pkg/report/testdata/linux/report/46138
2 files changed, 55 insertions, 0 deletions
diff --git a/pkg/report/linux.go b/pkg/report/linux.go
index 272d0c9d4..4ab15148f 100644
--- a/pkg/report/linux.go
+++ b/pkg/report/linux.go
@@ -1364,6 +1364,23 @@ var linuxOopses = append([]*oops{
[]*regexp.Regexp{},
},
{
+ []byte("stack segment: "),
+ []oopsFormat{
+ {
+ title: compile("stack segment: "),
+ fmt: "stack segment fault in %[1]v",
+ stack: &stackFmt{
+ parts: []*regexp.Regexp{
+ linuxRipFrame,
+ compile("Call Trace:"),
+ parseStackTrace,
+ },
+ },
+ },
+ },
+ []*regexp.Regexp{},
+ },
+ {
[]byte("Kernel panic"),
[]oopsFormat{
// Note: for stack corruption reports kernel may fail
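Review bot: The new oops entry at the top of the hunk gives no hint why "stack segment: " needs its own pattern next to the general protection fault one, and the reason given in the commit message (a non-canonical address dereferenced with RBP as the base register raises #SS rather than #GP on x86-64) is not recoverable from the regex alone. A one-line comment above `[]byte("stack segment: "),` would keep that knowledge with the code, e.g. `// x86-64 raises #SS instead of #GP for a non-canonical address when RBP is the base register (builds without frame pointers).` The title regex repeating the search prefix and the empty suppression list appear to follow the shape of the neighbouring entries, so that part looks intentional. The enclosing `linuxOopses` slice starts before the hunk and continues past it.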
diff --git a/pkg/report/testdata/linux/report/461 b/pkg/report/testdata/linux/report/461
new file mode 100644
index 000000000..6799d8892
--- /dev/null
+++ b/pkg/report/testdata/linux/report/461
@@ -0,0 +1,38 @@
+TITLE: stack segment fault in kernel_init
+
+[ 7.793224] stack segment: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 7.794002] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.5.0-rc5+ #606
+[ 7.794953] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[ 7.796150] RIP: 0010:kernel_init+0x55/0x122
+[ 7.796793] Code: 60 83 e8 0a 24 1b fe e8 cb e8 04 fe c7 05 f5 99 0d 01 02 00 00 00 e8 4c b3 57 fe e8 47 42 1e fe 48 bd 00 00 00 00 00 00 00 80 <48> 8b 45 00 0f 0b 48 8b 3d 50 e0 87 01 48 85 ff 74 22 e8 c5 66 f6
+[ 7.799531] RSP: 0000:ffff8880b675ff40 EFLAGS: 00010246
+[ 7.800252] RAX: 0000000000000000 RBX: ffffffff8309b08e RCX: ffffffff8127f331
+[ 7.801273] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff83cf1860
+[ 7.802294] RBP: 8000000000000000 R08: 0000000000000004 R09: fffffbfff079e30c
+[ 7.803360] R10: fffffbfff079e30c R11: 0000000000000003 R12: 0000000000000000
+[ 7.804377] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 7.805403] FS: 0000000000000000(0000) GS:ffff8880bb380000(0000) knlGS:0000000000000000
+[ 7.806586] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 7.807440] CR2: 0000000000000000 CR3: 0000000003c22000 CR4: 00000000000006a0
+[ 7.808498] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 7.809517] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 7.810561] Call Trace:
+[ 7.810911] ? rest_init+0x26e/0x26e
+[ 7.811467] ret_from_fork+0x24/0x30
+[ 7.812006] ---[ end trace 87420535c6f699db ]---
+[ 7.812708] RIP: 0010:kernel_init+0x55/0x122
+[ 7.813361] Code: 60 83 e8 0a 24 1b fe e8 cb e8 04 fe c7 05 f5 99 0d 01 02 00 00 00 e8 4c b3 57 fe e8 47 42 1e fe 48 bd 00 00 00 00 00 00 00 80 <48> 8b 45 00 0f 0b 48 8b 3d 50 e0 87 01 48 85 ff 74 22 e8 c5 66 f6
+[ 7.815998] RSP: 0000:ffff8880b675ff40 EFLAGS: 00010246
+[ 7.816783] RAX: 0000000000000000 RBX: ffffffff8309b08e RCX: ffffffff8127f331
+[ 7.821433] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff83cf1860
+[ 7.822488] RBP: 8000000000000000 R08: 0000000000000004 R09: fffffbfff079e30c
+[ 7.823523] R10: fffffbfff079e30c R11: 0000000000000003 R12: 0000000000000000
+[ 7.824539] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 7.825562] FS: 0000000000000000(0000) GS:ffff8880bb380000(0000) knlGS:0000000000000000
+[ 7.826718] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 7.827505] CR2: 0000000000000000 CR3: 0000000003c22000 CR4: 00000000000006a0
+[ 7.828587] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 7.829605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 7.830627] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+[ 7.832272] Kernel Offset: disabled
+[ 7.832766] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---