BUG: general protection fault in mmap_region

From: Xingyu Li
Date: Wed Aug 28 2024 - 19:07:26 EST


Hi,

We found a bug in Linux 6.6 using syzkaller. It is possibly a null
pointer dereference bug.
The reprodcuer is
https://gist.github.com/freexxxyyy/67b082078a6d4da117013f0f269bf7cc

The bug report is:

Syzkaller hit 'general protection fault in mmap_region' bug.

general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 8267 Comm: apt-helper Not tainted 6.6.0 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__rb_insert lib/rbtree.c:115 [inline]
RIP: 0010:__rb_insert_augmented+0x78/0x8e0 lib/rbtree.c:459
Code: ea 48 c1 ea 03 42 80 3c 2a 00 0f 85 7f 05 00 00 4c 8b 65 00 41
f6 c4 01 0f 85 2f 05 00 00 4d 8d 44 24 08 4c 89 c2 48 c1 ea 03 <42> 80
3c 2a 00 0f 85 6f 05 00 00 4d 8b 74 24 08 49 39 ee 0f 84 77
RSP: 0018:ffffc9000962f8b0 EFLAGS: 00010202
RAX: ffff888018b5add8 RBX: ffff88802e724e40 RCX: 1ffff11005ce49c8
RDX: 0000000000000001 RSI: ffff888018b5add8 RDI: ffff88802e724e40
RBP: ffff88802bf80f40 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888024c55680 R15: ffffffff81c875b0
FS: 0000000000000000(0000) GS:ffff888063600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055622b1160c0 CR3: 000000002afe6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mmap_region+0x1466/0x2800 mm/mmap.c:2846
do_mmap+0x86f/0xee0 mm/mmap.c:1374
vm_mmap_pgoff+0x1a8/0x3b0 mm/util.c:546
vm_mmap+0x96/0xc0 mm/util.c:565
elf_map+0x118/0x320 fs/binfmt_elf.c:395
load_elf_interp fs/binfmt_elf.c:637 [inline]
load_elf_binary+0x32ab/0x50b0 fs/binfmt_elf.c:1249
search_binary_handler fs/exec.c:1739 [inline]
exec_binprm fs/exec.c:1781 [inline]
bprm_execve fs/exec.c:1856 [inline]
bprm_execve+0x7f5/0x1990 fs/exec.c:1812
do_execveat_common.isra.0+0x5e8/0x760 fs/exec.c:1964
do_execve fs/exec.c:2038 [inline]
__do_sys_execve fs/exec.c:2114 [inline]
__se_sys_execve fs/exec.c:2109 [inline]
__x64_sys_execve+0x8c/0xb0 fs/exec.c:2109
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x40/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6f/0xd9
RIP: 0033:0x7f507cc66c47
Code: Unable to access opcode bytes at 0x7f507cc66c1d.
RSP: 002b:00007ffe880488a8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00005621cb93a230 RCX: 00007f507cc66c47
RDX: 00005621cba830b0 RSI: 00005621cb9ed600 RDI: 00005621cb911990
RBP: 00007ffe88048aa0 R08: 00005621cb8b13e0 R09: 0000000000000000
R10: 00005621cb93ef40 R11: 0000000000000246 R12: 00005621cb9ed600
R13: 0000000000000000 R14: 00005621cb961ba0 R15: 00005621cb9ed600
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__rb_insert lib/rbtree.c:115 [inline]
RIP: 0010:__rb_insert_augmented+0x78/0x8e0 lib/rbtree.c:459
Code: ea 48 c1 ea 03 42 80 3c 2a 00 0f 85 7f 05 00 00 4c 8b 65 00 41
f6 c4 01 0f 85 2f 05 00 00 4d 8d 44 24 08 4c 89 c2 48 c1 ea 03 <42> 80
3c 2a 00 0f 85 6f 05 00 00 4d 8b 74 24 08 49 39 ee 0f 84 77
RSP: 0018:ffffc9000962f8b0 EFLAGS: 00010202
RAX: ffff888018b5add8 RBX: ffff88802e724e40 RCX: 1ffff11005ce49c8
RDX: 0000000000000001 RSI: ffff888018b5add8 RDI: ffff88802e724e40
RBP: ffff88802bf80f40 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888024c55680 R15: ffffffff81c875b0
FS: 0000000000000000(0000) GS:ffff888063600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f012fc22f70 CR3: 000000002afe6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 48 c1 ea 03 shr $0x3,%rdx
4: 42 80 3c 2a 00 cmpb $0x0,(%rdx,%r13,1)
9: 0f 85 7f 05 00 00 jne 0x58e
f: 4c 8b 65 00 mov 0x0(%rbp),%r12
13: 41 f6 c4 01 test $0x1,%r12b
17: 0f 85 2f 05 00 00 jne 0x54c
1d: 4d 8d 44 24 08 lea 0x8(%r12),%r8
22: 4c 89 c2 mov %r8,%rdx
25: 48 c1 ea 03 shr $0x3,%rdx
* 29: 42 80 3c 2a 00 cmpb $0x0,(%rdx,%r13,1) <-- trapping instruction
2e: 0f 85 6f 05 00 00 jne 0x5a3
34: 4d 8b 74 24 08 mov 0x8(%r12),%r14
39: 49 39 ee cmp %rbp,%r14
3c: 0f .byte 0xf
3d: 84 .byte 0x84
3e: 77 .byte 0x77







--
Yours sincerely,
Xingyu