-
-
Save xrivendell7/411acf9336ff0b6a70b9742702bbfb1a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
r0 = socket$alg(0x26, 0x5, 0x0) | |
bind$alg(r0, &(0x7f0000000000)={0x26, 'hash\x00', 0x0, 0x0, 'sha3-512\x00'}, 0x58) | |
r1 = accept(r0, 0x0, 0x0) | |
r2 = memfd_secret(0x0) | |
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x2000003, 0x28011, r2, 0x0) | |
ftruncate(r2, 0xde99) | |
sendmsg$DEVLINK_CMD_RELOAD(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)=ANY=[], 0xb0}}, 0x47933e2b0522cf63) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TITLE: BUG: unable to handle kernel paging request in crypto_sha3_update | |
BUG: unable to handle page fault for address: ffff88802c583080 | |
#PF: supervisor read access in kernel mode | |
#PF: error_code(0x0000) - not-present page | |
PGD 14a01067 P4D 14a01067 PUD 14a02067 PMD 26119063 PTE 800fffffd3a7c060 | |
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI | |
CPU: 0 PID: 8138 Comm: a0c Not tainted 6.8.0-05242-g32fa4366cc4d #2 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 | |
RIP: 0010:get_unaligned_le64 include/asm-generic/unaligned.h:37 [inline] | |
RIP: 0010:crypto_sha3_update+0x233/0x4c0 crypto/sha3_generic.c:197 | |
Code: c0 40 84 ff 40 0f 95 c7 41 84 f8 0f 85 eb 01 00 00 83 e1 07 40 38 ce 40 0f 9e c7 40 84 f6 0f 91 | |
RSP: 0018:ffffc90012b7f8c8 EFLAGS: 00010246 | |
RAX: ffff88802c583080 RBX: 0000000000000009 RCX: 0000000000000000 | |
RDX: ffff888018b15bc0 RSI: 0000000000000000 RDI: 0000000000000001 | |
RBP: ffff88802fb10b00 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000009 R11: 0000000000000001 R12: 0000000000000000 | |
R13: dffffc0000000000 R14: ffff88802c583080 R15: ffff88802fb10b00 | |
FS: 00000000334d4380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: ffff88802c583080 CR3: 000000014d8dc000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Call Trace: | |
<TASK> | |
shash_ahash_update+0x1ac/0x1f0 crypto/ahash.c:71 | |
crypto_ahash_update+0x7b/0x110 crypto/ahash.c:350 | |
hash_sendmsg+0x2a9/0xf30 crypto/algif_hash.c:149 | |
sock_sendmsg_nosec net/socket.c:730 [inline] | |
__sock_sendmsg net/socket.c:745 [inline] | |
____sys_sendmsg+0xab5/0xc90 net/socket.c:2584 | |
___sys_sendmsg+0x135/0x1e0 net/socket.c:2638 | |
__sys_sendmsg+0x117/0x1f0 net/socket.c:2667 | |
do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83 | |
entry_SYSCALL_64_after_hwframe+0x6d/0x75 | |
RIP: 0033:0x432cb9 | |
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8 | |
RSP: 002b:00007ffe88e07ef8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e | |
RAX: ffffffffffffffda RBX: 00007ffe88e08128 RCX: 0000000000432cb9 | |
RDX: 47933e2b0522cf63 RSI: 0000000020000180 RDI: 0000000000000004 | |
RBP: 00007ffe88e07f10 R08: 00007ffe88e07f10 R09: 00007ffe88e07f10 | |
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000001 | |
R13: 00007ffe88e08118 R14: 0000000000000001 R15: 0000000000000001 | |
</TASK> | |
Modules linked in: | |
CR2: ffff88802c583080 | |
---[ end trace 0000000000000000 ]--- | |
RIP: 0010:get_unaligned_le64 include/asm-generic/unaligned.h:37 [inline] | |
RIP: 0010:crypto_sha3_update+0x233/0x4c0 crypto/sha3_generic.c:197 | |
Code: c0 40 84 ff 40 0f 95 c7 41 84 f8 0f 85 eb 01 00 00 83 e1 07 40 38 ce 40 0f 9e c7 40 84 f6 0f 91 | |
RSP: 0018:ffffc90012b7f8c8 EFLAGS: 00010246 | |
RAX: ffff88802c583080 RBX: 0000000000000009 RCX: 0000000000000000 | |
RDX: ffff888018b15bc0 RSI: 0000000000000000 RDI: 0000000000000001 | |
RBP: ffff88802fb10b00 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000009 R11: 0000000000000001 R12: 0000000000000000 | |
R13: dffffc0000000000 R14: ffff88802c583080 R15: ffff88802fb10b00 | |
FS: 00000000334d4380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: ffff88802c583080 CR3: 000000014d8dc000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
TITLE: kernel panic: Fatal exception | |
CORRUPTED: true (report format is marked as corrupted) | |
MAINTAINERS (TO): [] | |
MAINTAINERS (CC): [] | |
PGD 14a01067 P4D 14a01067 PUD 14a02067 PMD 26119063 PTE 800fffffd3a7c060 | |
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI | |
CPU: 0 PID: 8138 Comm: a0c Not tainted 6.8.0-05242-g32fa4366cc4d #2 | |
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 | |
RIP: 0010:get_unaligned_le64 include/asm-generic/unaligned.h:37 [inline] | |
RIP: 0010:crypto_sha3_update+0x233/0x4c0 crypto/sha3_generic.c:197 | |
Code: c0 40 84 ff 40 0f 95 c7 41 84 f8 0f 85 eb 01 00 00 83 e1 07 40 38 ce 40 0f 9e c7 40 84 f6 0f 91 | |
RSP: 0018:ffffc90012b7f8c8 EFLAGS: 00010246 | |
RAX: ffff88802c583080 RBX: 0000000000000009 RCX: 0000000000000000 | |
RDX: ffff888018b15bc0 RSI: 0000000000000000 RDI: 0000000000000001 | |
RBP: ffff88802fb10b00 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000009 R11: 0000000000000001 R12: 0000000000000000 | |
R13: dffffc0000000000 R14: ffff88802c583080 R15: ffff88802fb10b00 | |
FS: 00000000334d4380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: ffff88802c583080 CR3: 000000014d8dc000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Call Trace: | |
<TASK> | |
shash_ahash_update+0x1ac/0x1f0 crypto/ahash.c:71 | |
crypto_ahash_update+0x7b/0x110 crypto/ahash.c:350 | |
hash_sendmsg+0x2a9/0xf30 crypto/algif_hash.c:149 | |
sock_sendmsg_nosec net/socket.c:730 [inline] | |
__sock_sendmsg net/socket.c:745 [inline] | |
____sys_sendmsg+0xab5/0xc90 net/socket.c:2584 | |
___sys_sendmsg+0x135/0x1e0 net/socket.c:2638 | |
__sys_sendmsg+0x117/0x1f0 net/socket.c:2667 | |
do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83 | |
entry_SYSCALL_64_after_hwframe+0x6d/0x75 | |
RIP: 0033:0x432cb9 | |
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c8 | |
RSP: 002b:00007ffe88e07ef8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e | |
RAX: ffffffffffffffda RBX: 00007ffe88e08128 RCX: 0000000000432cb9 | |
RDX: 47933e2b0522cf63 RSI: 0000000020000180 RDI: 0000000000000004 | |
RBP: 00007ffe88e07f10 R08: 00007ffe88e07f10 R09: 00007ffe88e07f10 | |
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000001 | |
R13: 00007ffe88e08118 R14: 0000000000000001 R15: 0000000000000001 | |
</TASK> | |
Modules linked in: | |
CR2: ffff88802c583080 | |
---[ end trace 0000000000000000 ]--- | |
RIP: 0010:get_unaligned_le64 include/asm-generic/unaligned.h:37 [inline] | |
RIP: 0010:crypto_sha3_update+0x233/0x4c0 crypto/sha3_generic.c:197 | |
Code: c0 40 84 ff 40 0f 95 c7 41 84 f8 0f 85 eb 01 00 00 83 e1 07 40 38 ce 40 0f 9e c7 40 84 f6 0f 91 | |
RSP: 0018:ffffc90012b7f8c8 EFLAGS: 00010246 | |
RAX: ffff88802c583080 RBX: 0000000000000009 RCX: 0000000000000000 | |
RDX: ffff888018b15bc0 RSI: 0000000000000000 RDI: 0000000000000001 | |
RBP: ffff88802fb10b00 R08: 0000000000000001 R09: 0000000000000000 | |
R10: 0000000000000009 R11: 0000000000000001 R12: 0000000000000000 | |
R13: dffffc0000000000 R14: ffff88802c583080 R15: ffff88802fb10b00 | |
FS: 00000000334d4380(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 | |
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | |
CR2: ffff88802c583080 CR3: 000000014d8dc000 CR4: 0000000000750ef0 | |
PKRU: 55555554 | |
Kernel panic - not syncing: Fatal exception | |
Kernel Offset: disabled | |
Rebooting in 86400 seconds.. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#define _GNU_SOURCE | |
#include <dirent.h> | |
#include <endian.h> | |
#include <errno.h> | |
#include <fcntl.h> | |
#include <signal.h> | |
#include <stdarg.h> | |
#include <stdbool.h> | |
#include <stdint.h> | |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <string.h> | |
#include <sys/prctl.h> | |
#include <sys/stat.h> | |
#include <sys/syscall.h> | |
#include <sys/types.h> | |
#include <sys/wait.h> | |
#include <time.h> | |
#include <unistd.h> | |
#ifndef __NR_memfd_secret | |
#define __NR_memfd_secret 447 | |
#endif | |
static void sleep_ms(uint64_t ms) { | |
usleep(ms * 1000); | |
} | |
static uint64_t current_time_ms(void) { | |
struct timespec ts; | |
if (clock_gettime(CLOCK_MONOTONIC, &ts)) | |
exit(1); | |
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; | |
} | |
static bool write_file(const char* file, const char* what, ...) { | |
char buf[1024]; | |
va_list args; | |
va_start(args, what); | |
vsnprintf(buf, sizeof(buf), what, args); | |
va_end(args); | |
buf[sizeof(buf) - 1] = 0; | |
int len = strlen(buf); | |
int fd = open(file, O_WRONLY | O_CLOEXEC); | |
if (fd == -1) | |
return false; | |
if (write(fd, buf, len) != len) { | |
int err = errno; | |
close(fd); | |
errno = err; | |
return false; | |
} | |
close(fd); | |
return true; | |
} | |
static void kill_and_wait(int pid, int* status) { | |
kill(-pid, SIGKILL); | |
kill(pid, SIGKILL); | |
for (int i = 0; i < 100; i++) { | |
if (waitpid(-1, status, WNOHANG | __WALL) == pid) | |
return; | |
usleep(1000); | |
} | |
DIR* dir = opendir("/sys/fs/fuse/connections"); | |
if (dir) { | |
for (;;) { | |
struct dirent* ent = readdir(dir); | |
if (!ent) | |
break; | |
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) | |
continue; | |
char abort[300]; | |
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", | |
ent->d_name); | |
int fd = open(abort, O_WRONLY); | |
if (fd == -1) { | |
continue; | |
} | |
if (write(fd, abort, 1) < 0) { | |
} | |
close(fd); | |
} | |
closedir(dir); | |
} else { | |
} | |
while (waitpid(-1, status, __WALL) != pid) { | |
} | |
} | |
static void setup_test() { | |
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); | |
setpgrp(); | |
write_file("/proc/self/oom_score_adj", "1000"); | |
} | |
static void execute_one(void); | |
#define WAIT_FLAGS __WALL | |
static void loop(void) { | |
int iter = 0; | |
for (;; iter++) { | |
int pid = fork(); | |
if (pid < 0) | |
exit(1); | |
if (pid == 0) { | |
setup_test(); | |
execute_one(); | |
exit(0); | |
} | |
int status = 0; | |
uint64_t start = current_time_ms(); | |
for (;;) { | |
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) | |
break; | |
sleep_ms(1); | |
if (current_time_ms() - start < 5000) | |
continue; | |
kill_and_wait(pid, &status); | |
break; | |
} | |
} | |
} | |
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; | |
void execute_one(void) { | |
intptr_t res = 0; | |
res = syscall(__NR_socket, /*domain=*/0x26ul, /*type=*/5ul, /*proto=*/0); | |
if (res != -1) | |
r[0] = res; | |
*(uint16_t*)0x20000000 = 0x26; | |
memcpy((void*)0x20000002, "hash\000\000\000\000\000\000\000\000\000\000", 14); | |
*(uint32_t*)0x20000010 = 0; | |
*(uint32_t*)0x20000014 = 0; | |
memcpy((void*)0x20000018, | |
"sha3-" | |
"512\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" | |
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" | |
"\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" | |
"\000\000\000\000\000\000", | |
64); | |
syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul); | |
res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul); | |
if (res != -1) | |
r[1] = res; | |
res = syscall(__NR_memfd_secret, /*flags=*/0ul); | |
if (res != -1) | |
r[2] = res; | |
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul, | |
/*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2], | |
/*offset=*/0ul); | |
syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul); | |
*(uint64_t*)0x20000180 = 0; | |
*(uint32_t*)0x20000188 = 0; | |
*(uint64_t*)0x20000190 = 0x20000140; | |
*(uint64_t*)0x20000140 = 0x20000080; | |
*(uint64_t*)0x20000148 = 0xb0; | |
*(uint64_t*)0x20000198 = 1; | |
*(uint64_t*)0x200001a0 = 0; | |
*(uint64_t*)0x200001a8 = 0; | |
*(uint32_t*)0x200001b0 = 0; | |
syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul, | |
/*f=*/0x47933e2b0522cf63ul); | |
} | |
int main(void) { | |
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, | |
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); | |
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, | |
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); | |
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, | |
/*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul); | |
loop(); | |
return 0; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment