syzbot


pool: free list modified: semapl

Status: fixed on 2022/09/28 23:42
Reported-by: syzbot+60ba811fe2e8a6b0f975@syzkaller.appspotmail.com
Fix commit: 5bf1588a93fe Fix memory corruptions with sysv semaphores due to sleeps in copyin, copyout and malloc. During a sleep another thread could delete the semaphore (and possibly allocate another one at the same location with different permissions) which would lead to an invalid access after wake up. Therefore check the semaphore pointer, the sequence, the permissions and some values in seminfo after each sleep. OK bluhm@ Reported-by: syzbot+60ba811fe2e8a6b0f975@syzkaller.appspotmail.com
First crash: 116d, last: 116d

Sample crash report:
panic: pool_do_get: semapl free list modified: page 0xfffffd806c3f4000; item addr 0xfffffd806c3f4e70; offset 0x10=0xdeadbe00
Stopped at      db_enter+0x18:  addq    $0x8,%rsp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
  60769  38124      0           0          0    1  syz-executor.0
*360156  38124      0           0  0x4000000    0  syz-executor.0
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff82603660) at panic+0x177 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82baa760,9,ffff800021334d98) at pool_do_get+0x474 sys/kern/subr_pool.c:741
pool_get(ffffffff82baa760,9) at pool_get+0xe9 sys/kern/subr_pool.c:584
sys_semget(ffff8000ffff5ce8,ffff800021334e98,ffff800021334ee0) at sys_semget+0x259 sys/kern/sysv_sem.c:428
syscall(ffff800021334f60) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021334f60) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x28ad111e4a0, count: 8
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb{0}> 
ddb{0}> set $lines = 0
ddb{0}> set $maxwidth = 0
ddb{0}> show panic
*cpu0: pool_do_get: semapl free list modified: page 0xfffffd806c3f4000; item addr 0xfffffd806c3f4e70; offset 0x10=0xdeadbe00
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff82603660) at panic+0x177 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82baa760,9,ffff800021334d98) at pool_do_get+0x474 sys/kern/subr_pool.c:741
pool_get(ffffffff82baa760,9) at pool_get+0xe9 sys/kern/subr_pool.c:584
sys_semget(ffff8000ffff5ce8,ffff800021334e98,ffff800021334ee0) at sys_semget+0x259 sys/kern/sysv_sem.c:428
syscall(ffff800021334f60) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021334f60) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x28ad111e4a0, count: -7
ddb{0}> show registers
rdi                                0
rsi                              0x1
rbp               0xffff800021334be0
rbx               0xffffffff8293fb97    cpu_info_full_primary+0x2b97
rdx                            0x3fd
rcx                                0
rax                             0x7d
r8                 0x101010101010101
r9                0x8080808080808080
r10               0x9313154e0515d846
r11               0x703c185d3716c8a6
r12               0xffffffff8293f998    cpu_info_full_primary+0x2998
r13                                0
r14                                0
r15                              0x1
rip               0xffffffff813ddc48    db_enter+0x18
cs                               0x8
rflags                         0x246
rsp               0xffff800021334bd0
ss                              0x10
db_enter+0x18:  addq    $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor.0) pid=360156 stat=onproc
    flags process=0 proc=4000000<THREAD>
    pri=51, usrpri=51, nice=20
    forw=0xffffffffffffffff, list=0xffff8000ffff5268,0xffffffff82a89e48
    process=0xffff8000ffff94d0 user=0xffff800021330000, vmspace=0xfffffd807effdb80
    estcpu=2, cpticks=1, pctcpu=0.0
    user=0, sys=1, intr=0
ddb{0}> ps
   PID     TID   PPID    UID  S       FLAGS  WAIT          COMMAND
 38124   60769  56728      0  7           0                syz-executor.0
 38124   52688  56728      0  3   0x4000080  fsleep        syz-executor.0
 38124  115793  56728      0  3   0x4000080  fsleep        syz-executor.0
*38124  360156  56728      0  7   0x4000000                syz-executor.0
 56728  185281  29331      0  2       0x482                syz-executor.0
 29331  511711  64442      0  3        0x82  thrsleep      syz-execprog
 29331   82263  64442      0  2   0x4000482                syz-execprog
 29331  168220  64442      0  3   0x4000082  wait          syz-execprog
 29331  337049  64442      0  3   0x4000082  thrsleep      syz-execprog
 29331  474002  64442      0  3   0x4000082  thrsleep      syz-execprog
 29331  457356  64442      0  3   0x4000082  kqread        syz-execprog
 29331   57617  64442      0  3   0x4000082  thrsleep      syz-execprog
 29331  505831  64442      0  3   0x4000082  thrsleep      syz-execprog
 64442  500785  77941      0  3    0x10008a  sigsusp       ksh
 77941  313837  80763      0  3        0x9a  kqread        sshd
  4420  134126      1      0  3    0x100083  ttyin         getty
 80763  487793      1      0  3        0x88  kqread        sshd
 14836  482752  42051     74  3   0x1100092  bpf           pflogd
 42051  232377      1      0  3        0x80  netio         pflogd
 75953  449363  28263     73  3   0x1100090  kqread        syslogd
 28263  498598      1      0  3    0x100082  netio         syslogd
 21329  188372      1      0  3    0x100080  kqread        resolvd
 62290  291731  39804     77  3    0x100092  kqread        dhcpleased
 93502  490010  39804     77  3    0x100092  kqread        dhcpleased
 39804  315732      1      0  3        0x80  kqread        dhcpleased
 63938  252119      0      0  3     0x14200  bored         smr
  3084  343655      0      0  2     0x14200                zerothread
 27463  291160      0      0  3     0x14200  aiodoned      aiodoned
 64156  168982      0      0  3     0x14200  syncer        update
 64821  390795      0      0  3     0x14200  cleaner       cleaner
 28259  257467      0      0  3     0x14200  reaper        reaper
 21534   43684      0      0  3     0x14200  pgdaemon      pagedaemon
 61744  101659      0      0  3     0x14200  bored         viomb
 76738  375638      0      0  3  0x40014200  acpi0         acpi0
 31066  413910      0      0  3  0x40014200                idle1
 79734  193750      0      0  3     0x14200  bored         softnet
 67802  221673      0      0  3     0x14200  bored         softnet
 44810  138756      0      0  3     0x14200  bored         softnet
 56165  323651      0      0  3     0x14200  bored         softnet
 41406   51730      0      0  3     0x14200  bored         systqmp
  2327  177872      0      0  3     0x14200  bored         systq
 27186   36803      0      0  2  0x40014200                softclock
 58881  499516      0      0  3  0x40014200                idle0
     1   33260      0      0  3        0x82  wait          init
     0       0     -1      0  3     0x10200  scheduler     swapper
ddb{0}> show all locks
CPU 0:
exclusive mutex semapl r = 0 (0xffffffff82baa770)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pool_get+0xbd sys/kern/subr_pool.c:581
#4  sys_semget+0x259 sys/kern/sysv_sem.c:428
#5  syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#5  syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#6  Xsyscall+0x128
Process 38124 (syz-executor.0) thread 0xffff8000ffff5ce8 (360156)
exclusive kernel_lock &kernel_lock r = 0 (0xffffffff82ab97c8)
#0  witness_lock+0x44d
#1  syscall+0x41d mi_syscall sys/sys/syscall_mi.h:100 [inline]
#1  syscall+0x41d sys/arch/amd64/amd64/trap.c:585
#2  Xsyscall+0x128
exclusive mutex semapl r = 0 (0xffffffff82baa770)
#0  witness_lock+0x44d
#1  mtx_enter_try+0x100
#2  mtx_enter+0x4b sys/kern/kern_lock.c:266
#3  pool_get+0xbd sys/kern/subr_pool.c:581
#4  sys_semget+0x259 sys/kern/sysv_sem.c:428
#5  syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
#5  syscall+0x435 sys/arch/amd64/amd64/trap.c:585
#6  Xsyscall+0x128
ddb{0}> show malloc
           Type InUse  MemUse  HighUse   Limit  Requests Type Lim
         devbuf 10158   6457K    6457K  78643K     11248        0
            pcb    13      8K       8K  78643K        13        0
         rtable    80      2K       2K  78643K       145        0
         ifaddr    38      9K       9K  78643K        41        0
       counters    42     33K      33K  78643K        42        0
       ioctlops     0      0K       4K  78643K      1480        0
          mount     1      1K       1K  78643K         1        0
            log     0      0K       0K  78643K         4        0
         vnodes  1167     73K      73K  78643K      1180        0
      UFS quota     1     32K      32K  78643K         1        0
      UFS mount     5     36K      36K  78643K         5        0
            shm     2      1K       1K  78643K         2        0
         VM map     2      1K       1K  78643K         2        0
            sem     2      0K       0K  78643K         9        0
        dirhash    12      2K       2K  78643K        12        0
           ACPI  1697    195K     286K  78643K     12548        0
      file desc     4      9K      13K  78643K        24        0
           proc    67     91K     103K  78643K       310        0
    NFS srvsock     1      0K       0K  78643K         1        0
     NFS daemon     1     16K      16K  78643K         1        0
       in_multi    22      1K       1K  78643K        22        0
    ether_multi     1      0K       0K  78643K         1        0
    ISOFS mount     1     32K      32K  78643K         1        0
  MSDOSFS mount     1     16K      16K  78643K         1        0
           ttys    25    122K     122K  78643K        25        0
           exec     0      0K       2K  78643K       500        0
            tdb     3      0K       0K  78643K         3        0
        pagedep     1      8K       8K  78643K         1        0
       inodedep     1     32K      32K  78643K         1        0
         newblk     1      0K       0K  78643K         1        0
        VM swap     8     62K      62K  78643K         8        0
       UVM amap   101     13K      13K  78643K      1819        0
       UVM aobj     3      2K       2K  78643K         3        0
        memdesc     1      4K       4K  78643K         1        0
    crypto data     1      1K       1K  78643K         1        0
            NDP     7      0K       0K  78643K         7        0
           temp    28   4709K    4773K  78643K      2899        0
         kqueue    12     18K      18K  78643K        25        0
      SYN cache     2     16K      16K  78643K         2        0
ddb{0}> show all pools
Name      Size Requests Fail Releases Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
plcache    128       22    0        0     1     0     1     1     0     8    0
rtpcb      120       23    0       20     1     0     1     1     0     8    0
rtentry    112       34    0        1     1     0     1     1     0     8    0
unpcb      144       35    0       20     1     0     1     1     0     8    0
syncache   296        5    0        5     2     1     1     1     0     8    1
tcpcb      736        8    0        5     1     0     1     1     0     8    0
arp        120        4    0        0     1     0     1     1     0     8    0
inpcb      320       36    0       30     1     0     1     1     0     8    0
nd6         48        3    0        0     1     0     1     1     0     8    0
pfosfp      40     1428    0     1005     5     0     5     5     0     8    0
pfosfpen   112     1428    0      714    21     0    21    21     0     8    0
pfstitem    24       11    0        2     1     0     1     1     0     8    0
pfstkey    120       11    0        2     1     0     1     1     0     8    0
pfstate    336       11    0        2     1     0     1     1     0     8    0
pfrule     1360      21    0       16     2     1     1     2     0     8    0
art_heap8  4096       1    0        0     1     0     1     1     0     8    0
art_heap4  256      145    0        0    10     0    10    10     0     8    0
art_table   32      146    0        0     2     0     2     2     0     8    0
art_node    16       33    0        3     1     0     1     1     0     8    0
semapl     112        7    0        7     1     0     1     1     0     8    1
semapl: pool(0xffffffff82baa760:semapl): page inconsistency: page 0xfffffd806c3f4000; item ordinal 0; addr 0xb1ab9ce6bb5e841f
dirhash    1024      17    0        0     3     0     3     3     0     8    0
dino2pl    256     1453    0       51    88     0    88    88     0     8    0
ffsino     272     1453    0       51    94     0    94    94     0     8    0
nchpl      144     1695    0       63    61     0    61    61     0     8    0
uvmvnodes   80     1463    0        0    30     0    30    30     0     8    0
vnodes     216     1463    0        0    82     0    82    82     0     8    0
namei      1024    5175    0     5175     3     1     2     2     0     8    2
percpumem   16       33    0        0     1     0     1     1     0     8    0
kstatmem   264       10    0        0     1     0     1     1     0     8    0
scxspl     216     5371    0     5371    10     2     8     8     0     8    8
plimitpl   152       17    0        9     1     0     1     1     0     8    0
sigapl     424      363    0      329     6     1     5     5     0     8    1
futexpl     64       21    0       19     1     0     1     1     0     8    0
knotepl    120       70    0        0     3     0     3     3     0     8    0
kqueuepl   216       21    0       13     1     0     1     1     0     8    0
pipepl     320      110    0      103     2     1     1     1     0     8    0
fdescpl    496      346    0      329     4     0     4     4     0     8    1
filepl     152     1412    0     1342     4     0     4     4     0     8    1
lockfpl    104        6    0        4     1     0     1     1     0     8    0
lockfspl    48        4    0        2     1     0     1     1     0     8    0
sessionpl  144       19    0        9     1     0     1     1     0     8    0
pgrppl      48       19    0        9     1     0     1     1     0     8    0
ucredpl    104       69    0       57     1     0     1     1     0     8    0
zombiepl   144      329    0      329     2     1     1     1     0     8    1
processpl  1064     363    0      329     3     0     3     3     0     8    0
procpl     672      379    0      335     6     1     5     5     0     8    1
sockpl     488       94    0       70     5     1     4     4     0     8    0
mcl8k      8192       2    0        0     1     0     1     1     0     8    0
mcl4k      4096       4    0        0     1     0     1     1     0     8    0
mcl2k      2048      66    0        0     9     0     9     9     0     8    0
mtagpl      96        2    0        0     1     0     1     1     0     8    0
mbufpl     256      131    0        0     8     0     8     8     0     8    0
bufpl      288     3522    0      136   242     0   242   242     0     8    0
anonpl      24    45239    0    41886    44     4    40    40     0   186   18
amapchunkpl 152    3550    0     3295    17     2    15    15     0   158    5
amappl16   200      127    0       72     5     1     4     4     0     8    0
amappl15   192       90    0       83     1     0     1     1     0     8    0
amappl14   184       23    0       17     1     0     1     1     0     8    0
amappl13   176       40    0       39     2     1     1     1     0     8    0
amappl12   168        2    0        2     1     1     0     1     0     8    0
amappl11   160       81    0       63     1     0     1     1     0     8    0
amappl10   152       20    0       17     1     0     1     1     0     8    0
amappl9    144      451    0      448     1     0     1     1     0     8    0
amappl8    136      433    0      419     2     1     1     1     0     8    0
amappl7    128       98    0       85     1     0     1     1     0     8    0
amappl6    120      143    0      134     2     0     2     2     0     8    1
amappl5    112       98    0       86     1     0     1     1     0     8    0
amappl4    104      727    0      699     2     0     2     2     0     8    1
amappl3     96      513    0      480     2     0     2     2     0     8    1
amappl2     88      408    0      374     2     0     2     2     0     8    0
amappl1     80    10960    0    10474    22     2    20    20     0     8   10
amappl      88     1471    0     1403     4     1     3     3     0    92    1
dma4096    4096       1    0        1     1     1     0     1     0     8    0
dma1024    1024       1    0        0     1     0     1     1     0     8    0
dma256     256        6    0        6     1     1     0     1     0     8    0
dma128     128      253    0      253     1     1     0     1     0     8    0
dma64       64        6    0        6     1     1     0     1     0     8    0
dma32       32        7    0        7     1     1     0     1     0     8    0
dma16       16       18    0       17     1     0     1     1     0     8    0
aobjpl      72        2    0        0     1     0     1     1     0     8    0
uaddrrnd    24      346    0      329     1     0     1     1     0     8    0
uaddrbest   32        2    0        0     1     0     1     1     0     8    0
uaddr       24      346    0      329     1     0     1     1     0     8    0
vmmpekpl   168     8156    0     8133     2     0     2     2     0     8    0
vmmpepl    168    33216    0    32022    97     5    92    92     0   357   40
vmsppl     368      345    0      329     3     0     3     3     0     8    1
rwobjpl     56    11362    0     9144    42     1    41    41     0     8    6
pdppl      4096     699    0      658    85    36    49    57     0     8    8
pvpl        32   206700    0   200284   247     6   241   241     0   265  188
pmappl     248      345    0      329     2     0     2     2     0     8    0
extentpl    40       56    0       38     1     0     1     1     0     8    0
phpool     112      555    0       40    15     0    15    15     0     8    0
ddb{0}> machine ddbcpu 0
Invalid cpu 0
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:437
panic(ffffffff82603660) at panic+0x177 sys/kern/subr_prf.c:202
pool_do_get(ffffffff82baa760,9,ffff800021334d98) at pool_do_get+0x474 sys/kern/subr_pool.c:741
pool_get(ffffffff82baa760,9) at pool_get+0xe9 sys/kern/subr_pool.c:584
sys_semget(ffff8000ffff5ce8,ffff800021334e98,ffff800021334ee0) at sys_semget+0x259 sys/kern/sysv_sem.c:428
syscall(ffff800021334f60) at syscall+0x435 mi_syscall sys/sys/syscall_mi.h:101 [inline]
syscall(ffff800021334f60) at syscall+0x435 sys/arch/amd64/amd64/trap.c:585
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x28ad111e4a0, count: -7
ddb{0}> machine ddbcpu 1

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-openbsd-multicore 2022/08/07 23:14 openbsd 68960257f35d 88e3a122 .config log report syz pool: free list modified: semapl
ci-openbsd-multicore 2022/08/07 22:53 openbsd 68960257f35d 88e3a122 .config log report pool: free list modified: semapl
* Struck through repros no longer work on HEAD.