All seeds crash due to KASAN NULL-pointer deref on 5.4 kernel #1

@tklengyel

Hi,
Thank you for releasing this project. I'm trying to run it on a 5.4 kernel according to the README. I have ported the kernel patches, and the kernel boots and seems to work just fine. I'm using the stretch.img you've made available. However, when I try to fuzz, AFL quits right away, complaining that the seeds crash the target. I tested manually and I get the following trace with all seeds:

[   31.973341] BUG: kernel NULL pointer dereference, address: 00000000000009a8
[   31.976424] #PF: supervisor read access in kernel mode
[   31.978778] #PF: error_code(0x0000) - not-present page
[   31.981036] PGD 0 P4D 0 
[   31.982231] Oops: 0000 [#1] SMP KASAN PTI
[   31.983891] CPU: 0 PID: 2667 Comm: kworker/0:3 Not tainted 5.4.71+ #3
[   31.986144] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   31.990641] Workqueue: pm hcd_resume_work
[   31.992340] RIP: 0010:__sanitizer_cov_trace_pc+0x82/0x16a
[   31.994249] Code: 65 48 8b 05 c1 f5 e3 7e 48 89 44 24 38 90 48 8b 44 24 38 48 89 44 24 40 90 48 8b 44 24 40 48 89 44 24 10 eb 11 48 8b 44 24 28 <48> 8b 80 a8 09 00 00 48 89 44 24 10 48 8b 44 24 18 48 89 44 24 58
[   32.001307] RSP: 0018:ffff88815467f990 EFLAGS: 00010246
[   32.003277] RAX: 0000000000000000 RBX: ffff888154e14000 RCX: ffffffff8207483a
[   32.006188] RDX: dffffc0000000000 RSI: 0000000000000410 RDI: ffffffff821527ca
[   32.009100] RBP: ffff888154e14000 R08: ffffffff8207480f R09: ffffed102a9bb294
[   32.011841] R10: ffffed102a9bb293 R11: ffff888154dd949e R12: ffffffff85da2f00
[   32.014724] R13: 1ffff1102a8cff58 R14: ffff888154e14148 R15: ffff888154e14250
[   32.017664] FS:  0000000000000000(0000) GS:ffff88815ae00000(0000) knlGS:0000000000000000
[   32.020768] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   32.022234] CR2: 00000000000009a8 CR3: 00000001503ce000 CR4: 00000000000006f0
[   32.024110] Call Trace:
[   32.026556]  ? xhci_bus_resume+0x1a/0x870
[   32.028086]  ? xhci_bus_resume+0x1a/0x870
[   32.029763]  ? wait_for_completion_killable_timeout+0x240/0x240
[   32.032119]  ? blk_mq_sched_insert_request+0x18b/0x280
[   32.034271]  ? pvclock_clocksource_read+0xf6/0x1c0
[   32.036297]  ? hcd_bus_resume+0x110/0x340
[   32.037897]  ? usb_hcd_get_frame_number+0x60/0x60
[   32.039840]  ? __update_load_avg_cfs_rq+0xf7/0x3d0
[   32.041743]  ? usb_generic_driver_resume+0x51/0x60
[   32.043361]  ? usb_resume_both+0x298/0x360
[   32.045378]  ? rpm_resume+0x1cc/0xb00
[   32.046884]  ? usb_suspend_both+0x440/0x440
[   32.048615]  ? pvclock_clocksource_read+0xf6/0x1c0
[   32.050780]  ? usb_runtime_suspend+0x80/0x80
[   32.052638]  ? usb_runtime_suspend+0x80/0x80
[   32.054506]  ? __rpm_callback+0xb3/0x1b0
[   32.056224]  ? ktime_get_mono_fast_ns+0x106/0x1b0
[   32.058224]  ? usb_runtime_suspend+0x80/0x80
[   32.059886]  ? usb_runtime_suspend+0x80/0x80
[   32.061707]  ? rpm_callback+0x37/0xd0
[   32.063193]  ? usb_runtime_suspend+0x80/0x80
[   32.064929]  ? rpm_resume+0x831/0xb00
[   32.066480]  ? pm_runtime_get_if_in_use+0x160/0x160
[   32.068534]  ? __schedule+0x1188/0x1f70
[   32.070113]  ? _raw_spin_lock_irqsave+0x7b/0xd0
[   32.071899]  ? _raw_spin_trylock_bh+0xf0/0xf0
[   32.073755]  ? mutex_lock+0x89/0xd0
[   32.075186]  ? __pm_runtime_resume+0x4a/0xa0
[   32.076868]  ? usb_autoresume_device+0x16/0x50
[   32.078675]  ? usb_remote_wakeup+0x42/0x60
[   32.080335]  ? process_one_work+0x449/0x7c0
[   32.082060]  ? worker_thread+0x73/0x670
[   32.083622]  ? process_one_work+0x7c0/0x7c0
[   32.085336]  ? kthread+0x1b9/0x1e0
[   32.086777]  ? kthread_create_worker_on_cpu+0xd0/0xd0
[   32.088944]  ? ret_from_fork+0x35/0x40
[   32.090563] Modules linked in:
[   32.091916] CR2: 00000000000009a8
[   32.093297] ---[ end trace 6f009659d59b068a ]---
[   32.095247] RIP: 0010:__sanitizer_cov_trace_pc+0x82/0x16a
[   32.097560] Code: 65 48 8b 05 c1 f5 e3 7e 48 89 44 24 38 90 48 8b 44 24 38 48 89 44 24 40 90 48 8b 44 24 40 48 89 44 24 10 eb 11 48 8b 44 24 28 <48> 8b 80 a8 09 00 00 48 89 44 24 10 48 8b 44 24 18 48 89 44 24 58
[   32.105342] RSP: 0018:ffff88815467f990 EFLAGS: 00010246
[   32.107407] RAX: 0000000000000000 RBX: ffff888154e14000 RCX: ffffffff8207483a
[   32.110103] RDX: dffffc0000000000 RSI: 0000000000000410 RDI: ffffffff821527ca
[   32.113041] RBP: ffff888154e14000 R08: ffffffff8207480f R09: ffffed102a9bb294
[   32.116126] R10: ffffed102a9bb293 R11: ffff888154dd949e R12: ffffffff85da2f00
[   32.119092] R13: 1ffff1102a8cff58 R14: ffff888154e14148 R15: ffff888154e14250
[   32.122101] FS:  0000000000000000(0000) GS:ffff88815ae00000(0000) knlGS:0000000000000000
[   32.125828] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   32.128258] CR2: 00000000000009a8 CR3: 00000001503ce000 CR4: 00000000000006f0

I guess I could try with KASAN disabled but any idea what might be wrong here?
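As an added triage helper that is not part of the issue or the project's code, the script below cross-checks the oops above: it takes the bytes after the `<48>` marker on the `Code:` line, decodes the `mov r64, [base+disp]` load, and confirms that base+disp equals CR2 with RAX == 0, i.e. a NULL base pointer dereferenced at field offset 0x9a8 inside `__sanitizer_cov_trace_pc` (`OOPS` is a constructed excerpt of the trace in the report; the function names are mine).

```python
import re
import struct

# Constructed excerpt of the issue's oops: only the lines the triage needs.
OOPS = """\
[   31.973341] BUG: kernel NULL pointer dereference, address: 00000000000009a8
[   31.992340] RIP: 0010:__sanitizer_cov_trace_pc+0x82/0x16a
[   31.994249] Code: 65 48 8b 05 c1 f5 e3 7e 48 89 44 24 38 90 48 8b 44 24 38 48 89 44 24 40 90 48 8b 44 24 40 48 89 44 24 10 eb 11 48 8b 44 24 28 <48> 8b 80 a8 09 00 00 48 89 44 24 10 48 8b 44 24 18 48 89 44 24 58
[   32.003277] RAX: 0000000000000000 RBX: ffff888154e14000 RCX: ffffffff8207483a
[   32.022234] CR2: 00000000000009a8 CR3: 00000001503ce000 CR4: 00000000000006f0
"""
GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + ["r%d" % i for i in range(8, 16)]

def decode_mov_load(code):
    """Decode 'REX.W 8B /r' (mov r64, [base+disp]) at the faulting byte; SIB, RIP-relative and reg-reg forms raise."""
    rex = 0
    if 0x40 <= code[0] <= 0x4F:
        rex, code = code[0], code[1:]
    if code[0] != 0x8B:
        raise ValueError("not a MOV load at faulting RIP: 0x%02x" % code[0])
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("register, SIB or RIP-relative operand not handled")
    if mod == 0:
        disp = 0
    else:
        fmt, n = ("<b", 1) if mod == 1 else ("<i", 4)   # disp8 (sign-extended) or disp32
        disp = struct.unpack(fmt, bytes(code[2:2 + n]))[0]
    return {"dst": GPR[reg | (((rex >> 2) & 1) << 3)], "base": GPR[rm | ((rex & 1) << 3)], "disp": disp}

def parse_oops(text):
    """Pull symbol+offset, the bytes from the <marked> faulting instruction onward, and the registers."""
    rip = re.search(r"RIP: \w+:(\S+)\+0x([0-9a-f]+)/", text)
    tokens = re.search(r"Code: (.*)", text).group(1).split()
    fault = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    regs = {}
    for m in re.finditer(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})", text):
        regs[re.sub(r"^r0(\d)$", r"r\1", m.group(1).lower())] = int(m.group(2), 16)   # R08 -> r8
    return {"symbol": rip.group(1), "offset": int(rip.group(2), 16),
            "code": [int(t.strip("<>"), 16) for t in tokens[fault:]], "regs": regs}

def explain_fault(text):
    """Recompute the faulting load's effective address from the registers and check it against CR2."""
    o = parse_oops(text)
    ins = decode_mov_load(o["code"])
    base_val = o["regs"][ins["base"]]
    ea = (base_val + ins["disp"]) & 0xFFFFFFFFFFFFFFFF
    return {"symbol": o["symbol"], "load": "[%s+%#x]" % (ins["base"], ins["disp"]), "base_value": base_val,
            "effective_addr": ea, "matches_cr2": ea == o["regs"]["cr2"], "null_base": base_val == 0}
```

`explain_fault(OOPS)` reports the load as `[rax+0x9a8]` with a zero base matching CR2, which is what separates a NULL struct pointer from a corrupted one when reading such a trace.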
