syzbot


netbsd boot error: panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/pmap.c:LINE, member access

Status: fixed on 2019/11/17 08:54
Reported-by: syzbot+110b29c1973f38a38026@syzkaller.appspotmail.com
Fix commit: 4acdfa6ced5b Add a NULL check on the structure pointer, not to retrieve its first field if it is NULL. The previous code was not buggy strictly speaking. This change probably doesn't change anything, except removing assumptions in the compiler optimization passes, which too probably doesn't change anything in this case.
First crash: 1635d, last: 1633d

Sample crash report:
[   1.8118204] panic: UBSan: Undefined Behavior in /syzkaller/managers/netbsd-kubsan/kernel/sys/arch/x86/x86/pmap.c:545:9, member access within null pointer of type 'struct pv_entry'

[   1.8325318] cpu1: Begin traceback...
[   1.8425911] vpanic() at netbsd:vpanic+0x2aa sys/kern/subr_prf.c:336
[   1.8628501] isAlreadyReported() at netbsd:isAlreadyReported
[   1.8919415] HandleTypeMismatch.part.1() at netbsd:HandleTypeMismatch.part.1+0x15b
[   1.9124891] HandleTypeMismatch() at netbsd:HandleTypeMismatch+0x7b sys/../common/lib/libc/misc/ubsan.c:408
[   1.9428594] pmap_pp_clear_attrs() at netbsd:pmap_pp_clear_attrs+0x2fb pve_to_pvpte sys/arch/x86/x86/pmap.c:545 [inline]
[   1.9428594] pmap_pp_clear_attrs() at netbsd:pmap_pp_clear_attrs+0x2fb pv_pte_first sys/arch/x86/x86/pmap.c:567 [inline]
[   1.9428594] pmap_pp_clear_attrs() at netbsd:pmap_pp_clear_attrs+0x2fb sys/arch/x86/x86/pmap.c:3930
[   1.9625869] genfs_getpages() at netbsd:genfs_getpages+0x1fdd sys/miscfs/genfs/genfs_io.c:479
[   1.9929035] VOP_GETPAGES() at netbsd:VOP_GETPAGES+0x14b sys/kern/vnode_if.c:1596
[   2.0230871] uvn_get() at netbsd:uvn_get+0x1d4 sys/uvm/uvm_vnode.c:187
[   2.0522951] ubc_fault() at netbsd:ubc_fault+0x41a sys/uvm/uvm_bio.c:388
[   2.0723378] uvm_fault_internal() at netbsd:uvm_fault_internal+0x1026 sys/uvm/uvm_fault.c:890
[   2.0923811] trap() at netbsd:trap+0xe45 sys/arch/amd64/amd64/trap.c:538
[   2.1024038] --- trap (number 6) ---
[   2.1225194] kcopy() at netbsd:kcopy+0x15
[   2.1427877] uiomove() at netbsd:uiomove+0xd3 sys/kern/subr_copy.c:132
[   2.1636966] ubc_uiomove() at netbsd:ubc_uiomove+0x1c0 sys/uvm/uvm_bio.c:751
[   2.1825778] ffs_read() at netbsd:ffs_read+0x334 sys/ufs/ufs/ufs_readwrite.c:110
[   2.2128065] VOP_READ() at netbsd:VOP_READ+0x11b sys/kern/vnode_if.c:470
[   2.2327306] vn_rdwr() at netbsd:vn_rdwr+0x196 sys/kern/vfs_vnops.c:463
[   2.2529498] check_exec() at netbsd:check_exec+0x547 sys/kern/kern_exec.c:443
[   2.2730297] execve_loadvm() at netbsd:execve_loadvm+0x830 sys/kern/kern_exec.c:822
[   2.3037770] execve1() at netbsd:execve1+0x74 sys/kern/kern_exec.c:1419
[   2.3228833] sys_execve() at netbsd:sys_execve+0x4f sys/kern/kern_exec.c:588
[   2.3540683] start_init() at netbsd:start_init+0x400 sys/kern/init_main.c:1104
[   2.3629704] cpu1: End traceback...
[   2.3629704] fatal breakpoint trap in supervisor mode
[   2.3629704] trap type 1 code 0 rip 0xffffffff8021dddd cs 0x8 rflags 0x286 cr2 0xffffaf80a5c64000 ilevel 0 rsp 0xffffaf80a68ae950
[   2.3740766] curlwp 0xffffd2b1191e7a60 pid 1.1 lowest kstack 0xffffaf80a68ac2c0
Stopped in pid 1.1 (init) at    netbsd:breakpoint+0x5:  leave
db{1}> 

Crashes (6):
Time              Kernel  Commit        Syzkaller  Config   Log          Report  Manager
2019/11/17 08:35  netbsd  cd11a48b21a4  cdac920b   .config  console log  report  ci2-netbsd-kubsan
2019/11/17 08:35  netbsd  cd11a48b21a4  cdac920b   .config  console log  report  ci2-netbsd-kubsan
2019/11/17 08:35  netbsd  cd11a48b21a4  cdac920b   .config  console log  report  ci2-netbsd-kubsan
2019/11/16 05:32  netbsd  074d9895ffaa  cdac920b   .config  console log  report  ci2-netbsd-kubsan
2019/11/16 05:32  netbsd  074d9895ffaa  cdac920b   .config  console log  report  ci2-netbsd-kubsan
2019/11/16 05:32  netbsd  074d9895ffaa  cdac920b   .config  console log  report  ci2-netbsd-kubsan