From 069a5a4486fb7cae0cb63d04d4799839a497a70b Mon Sep 17 00:00:00 2001
From: Jann Horn
Date: Tue, 14 Jan 2020 22:21:57 +0100
Subject: pkg/report: add pattern for Linux #SS faults

On X86-64, dereferencing a non-canonical address normally causes a #GP, for which syzkaller already has a pattern. However, if the base register of the non-canonical address is RBP (which can happen in builds that use RBP as a general-purpose register because they don't use frame pointer unwinding), #SS is thrown instead, for which syzkaller did not yet have a pattern. To see this kind of fault, you can insert the following code in kernel_init() after the call to rcu_end_inkernel_boot(): asm volatile( "movabs $0x8000000000000000, %rbp\n\t" "movq (%rbp), %rax\n\t" "ud2\n\t" ); Linux prints a different error message for #SS, so add that error message to syzkaller's list of patterns.
---
 pkg/report/linux.go | 17 ++++++++++++++++
 pkg/report/testdata/linux/report/461 | 38 ++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 pkg/report/testdata/linux/report/461
(limited to 'pkg')
diff --git a/pkg/report/linux.go b/pkg/report/linux.go
index 272d0c9d4..4ab15148f 100644
--- a/pkg/report/linux.go
+++ b/pkg/report/linux.go
@@ -1363,6 +1363,23 @@ var linuxOopses = append([]*oops{
 },
 []*regexp.Regexp{},
 },
+ {
+ []byte("stack segment: "),
+ []oopsFormat{
+ {
+ title: compile("stack segment: "),
+ fmt: "stack segment fault in %[1]v",
+ stack: &stackFmt{
+ parts: []*regexp.Regexp{
+ linuxRipFrame,
+ compile("Call Trace:"),
+ parseStackTrace,
+ },
+ },
+ },
+ },
+ []*regexp.Regexp{},
+ },
 {
 []byte("Kernel panic"),
 []oopsFormat{
diff --git a/pkg/report/testdata/linux/report/461 b/pkg/report/testdata/linux/report/461
new file mode 100644
index 000000000..6799d8892
--- /dev/null
+++ b/pkg/report/testdata/linux/report/461
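Review bot: The new `stack segment: ` oops entry carries no comment saying what the kernel message means or why it needs a pattern separate from the general-protection-fault one, so the rationale that only lives in the commit message is lost to a reader of linuxOopses. I would add, above the `{` that opens the entry: `// #SS: on x86-64 a non-canonical address dereferenced through RBP/RSP raises a stack segment fault instead of #GP (e.g. in builds that use RBP as a general-purpose register); reported like "general protection fault".` The stack parts (linuxRipFrame, `Call Trace:`, parseStackTrace) appear to mirror the existing general protection fault entry, though that entry is outside the hunk, and the title regexp is an unanchored substring with an empty suppression list like its neighbours. The enclosing linuxOopses composite literal starts and ends outside the hunk.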
@@ -0,0 +1,38 @@
+TITLE: stack segment fault in kernel_init
+
+[ 7.793224] stack segment: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 7.794002] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.5.0-rc5+ #606
+[ 7.794953] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[ 7.796150] RIP: 0010:kernel_init+0x55/0x122
+[ 7.796793] Code: 60 83 e8 0a 24 1b fe e8 cb e8 04 fe c7 05 f5 99 0d 01 02 00 00 00 e8 4c b3 57 fe e8 47 42 1e fe 48 bd 00 00 00 00 00 00 00 80 <48> 8b 45 00 0f 0b 48 8b 3d 50 e0 87 01 48 85 ff 74 22 e8 c5 66 f6
+[ 7.799531] RSP: 0000:ffff8880b675ff40 EFLAGS: 00010246
+[ 7.800252] RAX: 0000000000000000 RBX: ffffffff8309b08e RCX: ffffffff8127f331
+[ 7.801273] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff83cf1860
+[ 7.802294] RBP: 8000000000000000 R08: 0000000000000004 R09: fffffbfff079e30c
+[ 7.803360] R10: fffffbfff079e30c R11: 0000000000000003 R12: 0000000000000000
+[ 7.804377] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 7.805403] FS: 0000000000000000(0000) GS:ffff8880bb380000(0000) knlGS:0000000000000000
+[ 7.806586] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 7.807440] CR2: 0000000000000000 CR3: 0000000003c22000 CR4: 00000000000006a0
+[ 7.808498] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 7.809517] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 7.810561] Call Trace:
+[ 7.810911] ? rest_init+0x26e/0x26e
+[ 7.811467] ret_from_fork+0x24/0x30
+[ 7.812006] ---[ end trace 87420535c6f699db ]---
+[ 7.812708] RIP: 0010:kernel_init+0x55/0x122
+[ 7.813361] Code: 60 83 e8 0a 24 1b fe e8 cb e8 04 fe c7 05 f5 99 0d 01 02 00 00 00 e8 4c b3 57 fe e8 47 42 1e fe 48 bd 00 00 00 00 00 00 00 80 <48> 8b 45 00 0f 0b 48 8b 3d 50 e0 87 01 48 85 ff 74 22 e8 c5 66 f6
+[ 7.815998] RSP: 0000:ffff8880b675ff40 EFLAGS: 00010246
+[ 7.816783] RAX: 0000000000000000 RBX: ffffffff8309b08e RCX: ffffffff8127f331
+[ 7.821433] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff83cf1860
+[ 7.822488] RBP: 8000000000000000 R08: 0000000000000004 R09: fffffbfff079e30c
+[ 7.823523] R10: fffffbfff079e30c R11: 0000000000000003 R12: 0000000000000000
+[ 7.824539] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 7.825562] FS: 0000000000000000(0000) GS:ffff8880bb380000(0000) knlGS:0000000000000000
+[ 7.826718] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 7.827505] CR2: 0000000000000000 CR3: 0000000003c22000 CR4: 00000000000006a0
+[ 7.828587] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 7.829605] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 7.830627] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+[ 7.832272] Kernel Offset: disabled
+[ 7.832766] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
-- cgit mrf-deployment