syzbot


kernel: integer divide fault trap, code=NUM

Status: fixed on 2021/12/16 13:42
Reported-by: syzbot+d1f00da48fa717e171f3@syzkaller.appspotmail.com
Fix commit: 38bfd041cb0f fix zero division found by syzkaller. The sanity checks in pf(4) ioctls are not powerful enough to detect invalid port ranges (or even invalid rules). syzkaller does not use pfctl(8), it uses ioctl(2) to pass some random chunk of memory as a rule to pf(4). Fix adds explicit check for 0 divider to pf_get_transaddr(). It should make syzkaller happy without disturbing anyone else.
First crash: 359d, last: 359d
similar bugs (2):
Kernel   Title                                            Repro  Cause bisect  Fix bisect  Count  Last  Reported  Patched  Status
openbsd  kernel: integer divide fault trap, code=NUM (2)  C                                8      295d  299d      3/3      fixed on 2022/02/10 05:39
openbsd  kernel: integer divide fault trap, code=NUM (3)  C                                157    92d   115d      3/3      fixed on 2022/08/31 00:45

Sample crash report:
login: kernel: integer divide fault trap, code=0
Stopped at      pf_get_transaddr+0x27b: idivl   %r13d,%eax
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
pf_get_transaddr(ffff800000b59558,ffff800021155a18,ffff8000211558d8,ffff800021155900) at pf_get_transaddr+0x27b sys/net/pf_lb.c:711
pf_test_rule(ffff800021155a18,ffff800021155b10,ffff800021155b20,ffff800021155b00,ffff800021155af0,3,5295164399910481) at pf_test_rule+0x4a0 sys/net/pf.c:3891
pf_test(18,2,ffff800000b39800,ffff800021155c98) at pf_test+0x1e30 sys/net/pf.c:7064
ip6_output(fffffd806d206600,ffffffff82839220,0,0,ffff800021155d28,0) at ip6_output+0x14d1 sys/netinet6/ip6_output.c:634
mld6_sendpkt(ffff800000b17300,83,0) at mld6_sendpkt+0x2c2 sys/netinet6/mld6.c:465
mld6_fasttimeo() at mld6_fasttimeo+0x152 mld6_checktimer sys/netinet6/mld6.c:363 [inline]
mld6_fasttimeo() at mld6_fasttimeo+0x152 sys/netinet6/mld6.c:341
pffasttimo(ffffffff828add28) at pffasttimo+0x10b sys/kern/uipc_domain.c:288
timeout_run(ffffffff828add28) at timeout_run+0xcc sys/kern/kern_timeout.c:678
softclock_thread(ffff800021149500) at softclock_thread+0x134 sys/kern/kern_timeout.c:802
end trace frame: 0x0, count: -9
ddb{0}> show registers
rdi                                0
rsi                           0xfffe    __ALIGN_SIZE+0xeffe
rbp               0xffff800021155880
rbx                              0xf
rdx                                0
rcx                           0xffff    __ALIGN_SIZE+0xefff
rax                             0x82
r8                0xffffffff81d44a2d    pf_insert_src_node+0x2dd
r9                               0x1
r10               0x6b40ae5be759c4b6
r11               0xfa79390790db3dd6
r12                             0x18
r13                                0
r14               0xffff800021155a18
r15               0xffff800000b59558
rip               0xffffffff81715cdb    pf_get_transaddr+0x27b
cs                               0x8
rflags                       0x10257    __ALIGN_SIZE+0xf257
rsp               0xffff800021155810
ss                              0x10
pf_get_transaddr+0x27b: idivl   %r13d,%eax
ddb{0}> show proc
PROC (softclock) pid=365751 stat=onproc
    flags process=14000<NOZOMBIE,SYSTEM> proc=40000200<SYSTEM,CPUPEG>
    pri=0, usrpri=50, nice=20
    forw=0xffffffffffffffff, list=0xffff800021149a40,0xffff800021148d30
    process=0xffff8000ffffd4f0 user=0xffff800021150000, vmspace=0xffffffff828e31b8
    estcpu=0, cpticks=0, pctcpu=0.0
    user=0, sys=0, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 44211  197414  72689      0  2       0x482                syz-executor.0
 72689  312980  86762      0  3        0x82  thrsleep      syz-execprog
 72689  303340  86762      0  3   0x4000082  thrsleep      syz-execprog
 72689  219398  86762      0  3   0x4000082  thrsleep      syz-execprog
 72689  464134  86762      0  3   0x4000082  thrsleep      syz-execprog
 72689  342484  86762      0  3   0x4000082  kqread        syz-execprog
 72689  235830  86762      0  3   0x4000082  thrsleep      syz-execprog
 72689   69086  86762      0  3   0x4000082  thrsleep      syz-execprog
 72689   22423  86762      0  3   0x4000082  thrsleep      syz-execprog
 86762  268274  12150      0  3    0x10008a  sigsusp       ksh
 12150   44003  96667      0  3        0x9a  kqread        sshd
 81783  445576      1      0  3    0x100083  ttyin         getty
 96667  157736      1      0  3        0x88  kqread        sshd
 44167  448141  89673     74  3    0x100092  bpf           pflogd
 89673   22511      1      0  3        0x80  netio         pflogd
 78676    4050  93346     73  3    0x100090  kqread        syslogd
 93346  103730      1      0  3    0x100082  netio         syslogd
 97344   45909      1      0  3    0x100080  kqread        resolvd
 48611  522837  58623     77  3    0x100092  kqread        dhcpleased
 22671  371344  58623     77  3    0x100092  kqread        dhcpleased
 58623   54935      1      0  3        0x80  kqread        dhcpleased
  1266   44170      0      0  3     0x14200  bored         smr
 24610  316394      0      0  3     0x14200  pgzero        zerothread
 15978  109190      0      0  3     0x14200  aiodoned      aiodoned
 66890  416674      0      0  3     0x14200  syncer        update
 51090  245533      0      0  3     0x14200  cleaner       cleaner
 46612   66706      0      0  3     0x14200  reaper        reaper
 12380  411483      0      0  3     0x14200  pgdaemon      pagedaemon
 57982  285799      0      0  3     0x14200  bored         viomb
 15713  358974      0      0  3  0x40014200  acpi0         acpi0
 51797   73732      0      0  7  0x40014200                idle1
 83200  391135      0      0  3     0x14200  bored         softnet
 28856  313139      0      0  3     0x14200  bored         systqmp
 54831  520124      0      0  3     0x14200  bored         systq
* 7576  365751      0      0  7  0x40014200                softclock
 59917   78952      0      0  3  0x40014200                idle0
     1  397282      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
Process 7576 (softclock) thread 0xffff800021149500 (365751)
exclusive rwlock pf_lock r = 0 (0xffffffff8279a5a0)
#0  witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4b0 sys/kern/subr_witness.c:1182
#1  pf_test+0x1e06
#2  ip6_output+0x14d1 sys/netinet6/ip6_output.c:634
#3  mld6_sendpkt+0x2c2 sys/netinet6/mld6.c:465
#4  mld6_fasttimeo+0x152 mld6_checktimer sys/netinet6/mld6.c:363 [inline]
#4  mld6_fasttimeo+0x152 sys/netinet6/mld6.c:341
#5  pffasttimo+0x10b sys/kern/uipc_domain.c:288
#6  timeout_run+0xcc sys/kern/kern_timeout.c:678
#7  softclock_thread+0x134 sys/kern/kern_timeout.c:802
#8  proc_trampoline+0x1c
exclusive rwlock netlock r = 0 (0xffffffff8282d820)
#0  witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4b0 sys/kern/subr_witness.c:1182
#1  mld6_fasttimeo+0x1d sys/netinet6/mld6.c:336
#2  pffasttimo+0x10b sys/kern/uipc_domain.c:288
#3  timeout_run+0xcc sys/kern/kern_timeout.c:678
#4  softclock_thread+0x134 sys/kern/kern_timeout.c:802
#5  proc_trampoline+0x1c
shared rwlock timeout r = 0 (0xffffffff82822bf0)
#0  witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4b0 sys/kern/subr_witness.c:1182
#1  timeout_run+0xb7 sys/kern/kern_timeout.c:674
#2  softclock_thread+0x134 sys/kern/kern_timeout.c:802
#3  proc_trampoline+0x1c
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff828b0358)
#0  witness_lock+0x4b0 stacktrace_save sys/sys/stacktrace.h:36 [inline]
#0  witness_lock+0x4b0 sys/kern/subr_witness.c:1182
#1  __mp_acquire_count+0x4c sys/kern/kern_lock.c:227
#2  mi_switch+0x3d3 sys/kern/sched_bsd.c:416
#3  sleep_finish+0x1b2 sys/kern/kern_synch.c:433
#4  softclock_thread+0xd9 sys/kern/kern_timeout.c:797
#5  proc_trampoline+0x1c
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10112   6417K    6417K  78643K     11202        0
            pcb    13      8K       8K  78643K        13        0
         rtable    89      4K       4K  78643K       149        0
         ifaddr    39     10K      10K  78643K        40        0
       counters    42     33K      33K  78643K        42        0
       ioctlops     0      0K       4K  78643K      1550        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         5        0
         vnodes  1183     74K      75K  78643K      1188        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       1K  78643K         2        0
         VM map     2      1K       1K  78643K         2        0
            sem     2      0K       0K  78643K         2        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1697    195K     286K  78643K     12598        0
      file desc     2      4K      12K  78643K        64        0
           proc    67     87K      99K  78643K       306        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
       in_multi    22      1K       1K  78643K        22        0
    ether_multi     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    19     95K      95K  78643K        19        0
           exec     0      0K       2K  78643K       390        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     7     26K      26K  78643K         7        0
       UVM amap   130     15K      15K  78643K      2694        0
       UVM aobj     3      2K       2K  78643K         3        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
            NDP     5      0K       0K  78643K         7        0
           temp    29   4183K    4247K  78643K      2350        0
         kqueue    12     18K      18K  78643K        21        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       22    0        0     1     0     1     1     0     8    0
rtpcb      120      113    0      110     1     0     1     1     0     8    0
rtentry    112       34    0        1     1     0     1     1     0     8    0
unpcb      128       35    0       20     1     0     1     1     0     8    0
syncache   296        5    0        5     2     1     1     1     0     8    1
tcpcb      736        8    0        5     1     0     1     1     0     8    0
arp        120        4    0        0     1     0     1     1     0     8    0
inpcb      304       36    0       30     1     0     1     1     0     8    0
nd6         48        3    0        0     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfrktable  1344       3    0        1     1     0     1     1     0     8    0
pfstitem    24       10    0        0     1     0     1     1     0     8    0
pfstkey    112       10    0        0     1     0     1     1     0     8    0
pfstate    320       10    0        0     1     0     1     1     0     8    0
pfsrctr    152        1    0        0     1     0     1     1     0     8    0
pfrule     1360      91    0       63     4     1     3     3     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      143    0        0     9     0     9     9     0     8    0
art_table   32      144    0        0     2     0     2     2     0     8    0
art_node    16       33    0        3     1     0     1     1     0     8    0
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     1482    0       75    88     0    88    88     0     8    0
ffsino     272     1482    0       75    94     0    94    94     0     8    0
nchpl      144     1751    0      139    60     0    60    60     0     8    0
uvmvnodes   72     1492    0        0    28     0    28    28     0     8    0
vnodes     224     1492    0        0    88     0    88    88     0     8    0
namei      1024    4858    0     4858     2     1     1     1     0     8    1
percpumem   16       33    0        0     1     0     1     1     0     8    0
pfiaddrpl  120       23    0        0     1     0     1     1     0     8    0
scxspl     216     5192    0     5192     9     1     8     8     0     8    8
plimitpl   152       17    0        9     1     0     1     1     0     8    0
sigapl     424      321    0      291     4     0     4     4     0     8    0
futexpl     64     1033    0     1033     1     0     1     1     0     8    1
knotepl    112       51    0        0     2     0     2     2     0     8    0
kqueuepl   216       17    0        9     1     0     1     1     0     8    0
pipepl     336       83    0       76     2     1     1     1     0     8    0
fdescpl    496      307    0      291     3     0     3     3     0     8    0
filepl     152     1440    0     1370     3     0     3     3     0     8    0
lockfpl    104        6    0        4     1     0     1     1     0     8    0
lockfspl    48        4    0        2     1     0     1     1     0     8    0
sessionpl  144       19    0        9     1     0     1     1     0     8    0
pgrppl      48       19    0        9     1     0     1     1     0     8    0
ucredpl     96       69    0       57     1     0     1     1     0     8    0
zombiepl   144      291    0      290     2     1     1     1     0     8    0
processpl  1072     321    0      290     3     0     3     3     0     8    0
procpl     672      483    0      445     4     0     4     4     0     8    0
sockpl     480      184    0      160     5     1     4     4     0     8    0
mcl8k      8192       3    0        0     1     0     1     1     0     8    0
mcl4k      4096       5    0        0     1     0     1     1     0     8    0
mcl2k      2048      72    0        0     9     0     9     9     0     8    0
mtagpl      96        1    0        0     1     0     1     1     0     8    0
mbufpl     256      127    0        0     8     0     8     8     0     8    0
bufpl      280     3458    0      164   236     0   236   236     0     8    0
anonpl      24    53594    0    49795    36     4    32    32     0   186    8
amapchunkpl 152    5664    0     5359    15     1    14    14     0   158    2
amappl16   200      208    0      158     4     1     3     3     0     8    0
amappl15   192       77    0       72     1     0     1     1     0     8    0
amappl14   184        3    0        2     1     0     1     1     0     8    0
amappl13   176       80    0       76     2     1     1     1     0     8    0
amappl12   168       10    0       10     1     1     0     1     0     8    0
amappl11   160       76    0       58     1     0     1     1     0     8    0
amappl10   152       12    0       10     1     0     1     1     0     8    0
amappl9    144      235    0      232     1     0     1     1     0     8    0
amappl8    136      314    0      293     1     0     1     1     0     8    0
amappl7    128       47    0       42     1     0     1     1     0     8    0
amappl6    120       54    0       48     1     0     1     1     0     8    0
amappl5    112      214    0      194     1     0     1     1     0     8    0
amappl4    104      575    0      552     1     0     1     1     0     8    0
amappl3     96      227    0      209     1     0     1     1     0     8    0
amappl2     88      449    0      409     2     0     2     2     0     8    1
amappl1     80     9121    0     8697    13     0    13    13     0     8    3
amappl      88     2405    0     2308     3     0     3     3     0    92    0
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      64        2    0        0     1     0     1     1     0     8    0
uaddrrnd    24      307    0      291     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      307    0      291     1     0     1     1     0     8    0
vmmpekpl   168     7458    0     7441     1     0     1     1     0     8    0
vmmpepl    168    30101    0    29012    65     1    64    64     0   357   15
vmsppl     368      306    0      291     2     0     2     2     0     8    0
rwobjpl     56     9037    0     8320    15     1    14    14     0     8    3
pdppl      4096     622    0      582    64    18    46    46     0     8    6
pvpl        32   178082    0   171489   134     0   134   134     0   265   79
pmappl     224      306    0      291     2     0     2     2     0     8    0
extentpl    40       58    0       40     1     0     1     1     0     8    0
phpool     112      292    0       23     8     0     8     8     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
pf_get_transaddr(ffff800000b59558,ffff800021155a18,ffff8000211558d8,ffff800021155900) at pf_get_transaddr+0x27b sys/net/pf_lb.c:711
pf_test_rule(ffff800021155a18,ffff800021155b10,ffff800021155b20,ffff800021155b00,ffff800021155af0,3,5295164399910481) at pf_test_rule+0x4a0 sys/net/pf.c:3891
pf_test(18,2,ffff800000b39800,ffff800021155c98) at pf_test+0x1e30 sys/net/pf.c:7064
ip6_output(fffffd806d206600,ffffffff82839220,0,0,ffff800021155d28,0) at ip6_output+0x14d1 sys/netinet6/ip6_output.c:634
mld6_sendpkt(ffff800000b17300,83,0) at mld6_sendpkt+0x2c2 sys/netinet6/mld6.c:465
mld6_fasttimeo() at mld6_fasttimeo+0x152 mld6_checktimer sys/netinet6/mld6.c:363 [inline]
mld6_fasttimeo() at mld6_fasttimeo+0x152 sys/netinet6/mld6.c:341
pffasttimo(ffffffff828add28) at pffasttimo+0x10b sys/kern/uipc_domain.c:288
timeout_run(ffffffff828add28) at timeout_run+0xcc sys/kern/kern_timeout.c:678
softclock_thread(ffff800021149500) at softclock_thread+0x134 sys/kern/kern_timeout.c:802
end trace frame: 0x0, count: -9
ddb{0}> machine ddbcpu 1
Stopped at      x86_ipi_db+0x1a:        addq    $0x8,%rsp
ddb{1}> trace
x86_ipi_db(ffff800020d38ff0) at x86_ipi_db+0x1a sys/arch/amd64/amd64/db_interface.c:393
x86_ipi_handler() at x86_ipi_handler+0xb7 sys/arch/amd64/amd64/ipi.c:106
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x23
acpicpu_idle() at acpicpu_idle+0x2eb sys/dev/acpi/acpicpu.c:1206
sched_idle(ffff800020d38ff0) at sched_idle+0x417 sys/kern/kern_sched.c:178
end trace frame: 0x0, count: -5
ddb{1}> 

Crashes (2):
Manager               Time              Kernel   Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-openbsd-multicore  2021/12/07 15:04  openbsd  78636d64e252  0230ba3e   .config  log  report  syz                          kernel: integer divide fault trap, code=NUM
ci-openbsd-multicore  2021/12/07 13:57  openbsd  78636d64e252  0230ba3e   .config  log  report                               kernel: integer divide fault trap, code=NUM