From: Andrey Ryabinin <aryabinin@virtuozzo.com>
To: Andrew Morton <akpm@linux-foundation.org>, linux-mm@kvack.org
Cc: bugzilla-daemon@bugzilla.kernel.org, icytxw@gmail.com,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
Date: Tue, 19 Jun 2018 12:45:51 +0300
Message-ID: <564ac5ca-ff1c-c955-b8fe-9f44fc6a4e00@virtuozzo.com>
In-Reply-To: <20180618162545.521b8da29637cf7ec7608fa6@linux-foundation.org>
On 06/19/2018 02:25 AM, Andrew Morton wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?
>
[ 274.337561] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
[ 274.339796] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
[ 274.342043] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
[ 274.344269] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
[ 274.346529] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
All code
========
0: 76 e8 jbe 0xffffffffffffffea
2: 78 3f js 0x43
4: e5 ff in $0xff,%eax
6: 4c 89 e0 mov %r12,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
11: 0f 85 c7 02 00 00 jne 0x2de
17: 4c 8d 6b e8 lea -0x18(%rbx),%r13
1b: 4d 8b 3c 24 mov (%r12),%r15
1f: 49 8d 7d 08 lea 0x8(%r13),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 2a 00 cmpb $0x0,(%rdx,%rbp,1) <-- trapping instruction
2e: 0f 85 a0 02 00 00 jne 0x2d4
34: 4c 3b 7b f0 cmp -0x10(%rbx),%r15
38: 72 9d jb 0xffffffffffffffd7
3a: e8 3f 3f e5 ff callq 0xffffffffffe53f7e
3f: 41 rex.B
cmpb $0x0,(%rdx,%rbp,1) is the shadow check for the -0x10(%rbx) address (this address is also in %rdi).
So this is an attempt to dereference the 0x00000416000003f6 address.
%rbx seems to contain the 'parent' pointer; -0x10(%rbx) is tmp_va->va_end:
tmp_va = rb_entry(parent, struct vmap_area, rb_node);
if (va->va_start < tmp_va->va_end)
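An added example, not part of the mail thread, that carries the decoding above through in C: it recomputes the KASAN shadow address from the register values in the oops and shows why the access ends in a general protection fault rather than a page fault. It assumes the x86_64 shadow offset 0xdffffc0000000000 (the value in %rbp) and the 3-bit shadow scale implied by `shr $0x3`.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* KASAN_SHADOW_OFFSET on x86_64, the constant the compiler keeps in %rbp above. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Address of the shadow byte for addr: (addr >> 3) + offset.
 * This is exactly what "shr $0x3,%rdx; cmpb $0x0,(%rdx,%rbp,1)" computes inline. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first of the 8 bytes covered by a shadow byte. */
static uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* x86_64 with 4-level paging: bits 63..47 must all equal bit 47.
 * A load from a non-canonical address raises #GP instead of #PF, which is
 * why the report reads "GPF could be caused by NULL-ptr deref or user memory access". */
static bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Register values copied from the oops above (constructed snapshot for this example). */
static const uint64_t RBX = 0x0000041600000406ULL;
static const uint64_t RDI = 0x00000416000003f6ULL;
static const uint64_t RDX = 0x00000082c000007eULL;

/* -0x10(%rbx) is &tmp_va->va_end; the same address is in %rdi. */
static uint64_t va_end_addr(void) { return RBX - 0x10; }

int main(void)
{
    uint64_t shadow = kasan_mem_to_shadow(RDI);
    printf("va_end address : 0x%016llx (%s)\n", (unsigned long long)va_end_addr(),
           RDI < (1ULL << 47) ? "user half of the address space" : "kernel half");
    printf("shadow address : 0x%016llx (%s)\n", (unsigned long long)shadow,
           is_canonical(shadow) ? "canonical" : "non-canonical -> #GP");
    printf("%%rdx == %%rdi >> 3 : %s\n", (RDI >> 3) == RDX ? "yes" : "no");
    return 0;
}
```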