Kernel crash #19

Open
klecko opened this issue Nov 8, 2020 · 0 comments
klecko commented Nov 8, 2020

Kernel crash occurs sometimes while fuzzing on my system with Ubuntu 20.04.1 LTS, Linux 5.4.0-52-generic x86_64. The system hangs after this.

Nov  7 15:22:11 ubuntu kernel: [ 5462.295246] kernel BUG at mm/slub.c:3995!
Nov  7 15:22:11 ubuntu kernel: [ 5462.295253] invalid opcode: 0000 [#1] SMP PTI
Nov  7 15:22:11 ubuntu kernel: [ 5462.295257] CPU: 7 PID: 43066 Comm: afl-qemu-trace Tainted: G          IOE     5.4.0-52-generic #57-Ubuntu
Nov  7 15:22:11 ubuntu kernel: [ 5462.295259] Hardware name: System manufacturer System Product Name/P6T, BIOS 1408    09/21/2010
Nov  7 15:22:11 ubuntu kernel: [ 5462.295264] RIP: 0010:kfree+0x1de/0x250
Nov  7 15:22:11 ubuntu kernel: [ 5462.295267] Code: ff ff 49 8b 04 24 45 31 ed a9 00 00 01 00 74 06 45 0f b6 6c 24 51 49 8b 04 24 a9 00 00 01 00 75 0b 49 8b 44 24 08 a8 01 75 02 <0f> 0b 49 8b 04 24 44 89 e9 ba ff ff ff ff be 06 00 00 00 d3 e2 48
Nov  7 15:22:11 ubuntu kernel: [ 5462.295269] RSP: 0018:ffffa3be017a3bb8 EFLAGS: 00010246
Nov  7 15:22:11 ubuntu kernel: [ 5462.295271] RAX: ffffe421858c6808 RBX: ffff8d693d52ed00 RCX: 0000000000400010
Nov  7 15:22:11 ubuntu kernel: [ 5462.295273] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8d693d52ed00
Nov  7 15:22:11 ubuntu kernel: [ 5462.295275] RBP: ffffa3be017a3bd8 R08: 0000000000000000 R09: ffffffffc0c81b00
Nov  7 15:22:11 ubuntu kernel: [ 5462.295276] R10: ffff8d6aebde7c40 R11: 0000000000000001 R12: ffffe42185f54b80
Nov  7 15:22:11 ubuntu kernel: [ 5462.295278] R13: 0000000000000000 R14: ffff8d6af39d70c0 R15: ffffffff9aaa6385
Nov  7 15:22:11 ubuntu kernel: [ 5462.295280] FS:  00007f88fb351080(0000) GS:ffff8d6af39c0000(0000) knlGS:0000000000010000
Nov  7 15:22:11 ubuntu kernel: [ 5462.295282] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov  7 15:22:11 ubuntu kernel: [ 5462.295284] CR2: 000000003f533dc8 CR3: 0000000145f92000 CR4: 00000000000006e0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295285] Call Trace:
Nov  7 15:22:11 ubuntu kernel: [ 5462.295294]  clean_memory_snapshot+0x88/0xd0 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295298]  ? do_exit+0x1/0xac0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295301]  clean_snapshot+0x29/0x50 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295305]  exit_hook+0xe/0x20 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295308]  kprobe_ftrace_handler+0x90/0xf0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295311]  ? do_group_exit+0x47/0xb0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295314]  ftrace_ops_assist_func+0x7f/0xf0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295317]  0xffffffffc0c5f0da

There are many more errors after this first one, and it looks like kernel memory corruption. The error displayed above refers to slub.c:3995:

   3981 void kfree(const void *x)
   3982 {
   3983         struct page *page;
   3984         void *object = (void *)x;
   3985 
   3986         trace_kfree(_RET_IP_, x);
   3987 
   3988         if (unlikely(ZERO_OR_NULL_PTR(x)))
   3989                 return;
   3990 
   3991         page = virt_to_head_page(x);
   3992         if (unlikely(!PageSlab(page))) {
   3993                 unsigned int order = compound_order(page);
   3994 
   3995                 BUG_ON(!PageCompound(page));
   3996                 kfree_hook(object);
   3997                 mod_node_page_state(page_pgdat(page), NR_SLAB_UNRECLAIMABLE,
   3998                                     -(1 << order));
   3999                 __free_pages(page, order);
   4000                 return;
   4001         }
   4002         slab_free(page->slab_cache, page, object, NULL, 1, _RET_IP_);
   4003 }

I've attached the full syslog, as well as the slub.c of my kernel.

slub.c
syslog.txt
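As an added triage helper, not part of this issue or of the afl_snapshot project: a small Python parser for the oops format quoted above. It strips the syslog and printk prefixes, extracts the BUG location, the faulting task and the RIP symbol, and walks the Call Trace, marking `?` frames as unreliable and returning the first reliable frame that lives in a loadable module. The embedded log excerpt is constructed from the lines quoted in this issue.

```python
import re

# Constructed excerpt of the syslog lines quoted in the issue (not the full attachment).
SYSLOG = """\
Nov  7 15:22:11 ubuntu kernel: [ 5462.295246] kernel BUG at mm/slub.c:3995!
Nov  7 15:22:11 ubuntu kernel: [ 5462.295257] CPU: 7 PID: 43066 Comm: afl-qemu-trace Tainted: G          IOE     5.4.0-52-generic #57-Ubuntu
Nov  7 15:22:11 ubuntu kernel: [ 5462.295264] RIP: 0010:kfree+0x1de/0x250
Nov  7 15:22:11 ubuntu kernel: [ 5462.295285] Call Trace:
Nov  7 15:22:11 ubuntu kernel: [ 5462.295294]  clean_memory_snapshot+0x88/0xd0 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295298]  ? do_exit+0x1/0xac0
Nov  7 15:22:11 ubuntu kernel: [ 5462.295301]  clean_snapshot+0x29/0x50 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295305]  exit_hook+0xe/0x20 [afl_snapshot]
Nov  7 15:22:11 ubuntu kernel: [ 5462.295317]  0xffffffffc0c5f0da
"""

# Syslog timestamp/host plus the printk "[ seconds.usec]" prefix; what remains is the kernel's text.
PREFIX = re.compile(r"^.*?kernel: \[\s*\d+\.\d+\]\s?")
# One backtrace frame: optional "? " (unreliable), symbol+off/size, optional [module].
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>[\w-]+)\])?$")
SINGLE = {
    "bug_at": re.compile(r"kernel BUG at (\S+)!"),
    "rip": re.compile(r"RIP: \d+:(\S+)"),
    "pid": re.compile(r"PID: (\d+)"),
    "comm": re.compile(r"Comm: (\S+)"),
}

def parse_oops(text):
    # Returns BUG location, faulting task, RIP symbol and the Call Trace as (symbol, module, reliable).
    info = {"bug_at": None, "rip": None, "pid": None, "comm": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if line == "Call Trace:":
            in_trace = True
        elif in_trace:
            f = FRAME.match(line)
            if f:
                info["frames"].append((f["sym"], f["mod"], f["unreliable"] is None))
            elif re.fullmatch(r"0x[0-9a-f]+", line):
                info["frames"].append((line, None, True))  # bare address, no symbol resolved
        else:
            for key, pat in SINGLE.items():
                m = pat.search(line)
                if m:
                    info[key] = int(m.group(1)) if key == "pid" else m.group(1)
    return info

def first_module_frame(info):
    # First reliable frame inside a loadable module: the usual place to start looking.
    for sym, mod, reliable in info["frames"]:
        if reliable and mod:
            return sym, mod
    return None
```

Running `first_module_frame(parse_oops(SYSLOG))` on the excerpt points at `clean_memory_snapshot` in `afl_snapshot`, the caller of the `kfree` that hit the BUG_ON.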
