Bug 200625 - Application run by unprivileged user can crash the kernel on sparc64
Summary: Application run by unprivileged user can crash the kernel on sparc64
Status: NEW
Alias: None
Product: Platform Specific/Hardware
Classification: Unclassified
Component: SPARC64 (show other bugs)
Hardware: All Linux
: P1 high
Assignee: platform_sparc64
URL: https://people.debian.org/~glaubitz/k...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-22 20:40 UTC by John Paul Adrian Glaubitz
Modified: 2018-07-22 20:40 UTC (History)
2 users (show)

See Also:
Kernel Version: 4.17.0
Subsystem:
Regression: No
Bisected commit-id:


Attachments
tweaklib2 test from Free Pascal Compiler which crashes sparc64 kernel (565.21 KB, application/gzip)
2018-07-22 20:40 UTC, John Paul Adrian Glaubitz

Description John Paul Adrian Glaubitz 2018-07-22 20:40:53 UTC
Created attachment 277467 [details]
tweaklib2 test from Free Pascal Compiler which crashes sparc64 kernel

The upstream developers of the Free Pascal Compiler (FPC) have discovered that one of the test programs shipped in the FPC source tree can crash the whole kernel on sparc64 when run under strace.

To demonstrate, run the attached test program as an unprivileged user:

glaubitz@stadler:~/kernel-crash-test$ ./tweaklib2 
Illegal instruction
glaubitz@stadler:~/kernel-crash-test$ strace ./tweaklib2 
execve("./tweaklib2", ["./tweaklib2"], 0x7feffead590 /* 22 vars */) = 0
brk(NULL)                               = 0x264000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffff800100024000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./tls/v9v/libtweaklib1.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./tls/libtweaklib1.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./v9v/libtweaklib1.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "./libtweaklib1.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\2\1\0\0\0\0\0\0\0\0\0\0\3\0+\0\0\0\1\0\0\0\0\0\0\310\360"..., 832) = 832
fstat64(3, {st_mode=S_IFREG|0755, st_size=1165312, ...}) = 0
getcwd("/home/glaubitz/kernel-crash-test", 128) = 33
mmap(NULL, 1503776, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffff800100128000
mprotect(0xffff800100188000, 1040384, PROT_NONE) = 0
mmap(0xffff800100286000, 57344, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5e000) = 0xffff800100286000
mmap(0xffff800100294000, 12832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xffff800100294000
close(3)                                = 0
mprotect(0xffff800100286000, 8192, PROT_READ) = 0
mprotect(0x252000, 8192, PROT_READ)     = 0
mprotect(0xffff800100122000, 8192, PROT_READ) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
rt_sigaction(SIGFPE, {sa_handler=0xffff800100180e10, sa_mask=[], sa_flags=SA_SIGINFO}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 0xffff800100134ca8, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0xffff800100180e10, sa_mask=[], sa_flags=SA_SIGINFO}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 0xffff800100134ca8, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0xffff800100180e10, sa_mask=[], sa_flags=SA_SIGINFO}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 0xffff800100134ca8, 8) = 0
rt_sigaction(SIGILL, {sa_handler=0xffff800100180e10, sa_mask=[], sa_flags=SA_SIGINFO}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 0xffff800100134ca8, 8) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(2, TCGETS, {B38400 opost isig icanon echo ...}) = 0
readlink("/proc/self/exe", "/home/glaubitz/kernel-crash-test"..., 255) = 42
rt_sigaction(SIGFPE, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 0xffff800100134ca8, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 0xffff800100134ca8, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 0xffff800100134ca8, 8) = 0
rt_sigaction(SIGILL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, NULL, 0xffff800100134ca8, 8) = 0

At the same time, the kernel log on the serial console shows the following messages: the hardened-usercopy check rejecting a 128-byte copy to user space from a NULL kernel address, followed by RCU stall warnings. Shortly after, the machine locks up and has to be restarted.

[  147.715770] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 128)!
[  147.716477] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 128)!
[  147.717349] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 128)!
[  147.718276] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 128)!
[  147.719250] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 128)!
[  168.727220] INFO: rcu_sched detected stalls on CPUs/tasks:
[  168.727399]  20-...!: (1 GPs behind) idle=ac2/1/4611686018427387906 softirq=2161/2162 fqs=364 
[  168.727499]  (detected by 8, t=5252 jiffies, g=1073, c=1072, q=44)
[  168.727759] rcu_sched kthread starved for 4524 jiffies! g1073 c1072 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x402 ->cpu=16
[  168.727825] RCU grace-period kthread stack dump:
[  231.869098] INFO: rcu_sched detected stalls on CPUs/tasks:
[  231.869295]  20-...!: (1 GPs behind) idle=ac2/1/4611686018427387906 softirq=2161/2162 fqs=364 
[  231.869399]  (detected by 17, t=21038 jiffies, g=1073, c=1072, q=114)
[  231.869758] rcu_sched kthread starved for 20310 jiffies! g1073 c1072 f0x0 RCU_GP_WAIT_FQS(3) ->state=0x402 ->cpu=16
[  231.870020] RCU grace-period kthread stack dump:

This has been tested on a Sun Fire 2000 (sun4v) running Linux 4.17.0 on Debian unstable (sparc64) with a 64-bit userland.

Further discussion here: https://marc.info/?l=linux-sparc&m=153120915118086&w=2
