BUG: unable to handle kernel paging request in arch_adjust_kprobe_addr

From: cheung wall
Date: Tue Mar 12 2024 - 22:53:37 EST


Hello,

When using Healer to fuzz the latest Linux kernel, the following crash was triggered on:

HEAD commit: 0dd3ee31125508cd67f7e7172247f05b7fd1753a (tag: v6.7)
git tree: upstream
console output: https://pastebin.com/raw/iw2bFsWa
kernel config: https://pastebin.com/raw/Ta59KYzh
C reproducer: https://pastebin.com/raw/JDqeSxiK
Syzlang reproducer: https://pastebin.com/raw/Vjs199hz

If you fix this issue, please add the following tag to the commit:

Reported-by: Qiang Zhang <zzqq0103.hey@xxxxxxxxx>

----------------------------------------------------------


BUG: unable to handle page fault for address: ffffffff95003e80
audit: type=1400 audit(1710291918.880:7): avc: denied { open } for
pid=298 comm="syz-executor372" scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=perf_event permissive=1
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1c4a7067 P4D 1c4a7067 PUD 1c4a8063
audit: type=1400 audit(1710291918.880:8): avc: denied { kernel } for
pid=298 comm="syz-executor372" scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=perf_event permissive=1
PMD 800fffffe29ff062
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 298 Comm: syz-executor372 Not tainted 6.7.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:arch_adjust_kprobe_addr+0x42/0x180 arch/x86/kernel/kprobes/core.c:338
Code: 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02
48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 09 01 00 00 <44> 8b
6d 00 41 81 fd 66 0f 1f 00 74 18 e8 3c e5 30 00 41 81 e5 ff
RSP: 0018:ffff888112af7a68 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: ffffffff902cd938
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff95003e80
RBP: ffffffff95003e80 R08: ffff8881bec62da8 R09: ffffffff930000eb
R10: ffffffff906e4e58 R11: ffffffff92f009b3 R12: ffff888112af7b70
R13: ffff888107f5e258 R14: ffff88810124c6f0 R15: 0000000000000001
FS: 000055555555e880(0000) GS:ffff8881c0000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff95003e80 CR3: 00000001036da005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
_kprobe_addr+0x10e/0x140 kernel/kprobes.c:1479
register_kprobe+0xe0/0x15b0 kernel/kprobes.c:1622
__register_trace_kprobe kernel/trace/trace_kprobe.c:510 [inline]
__register_trace_kprobe+0x233/0x2a0 kernel/trace/trace_kprobe.c:478
create_local_trace_kprobe+0x209/0x370 kernel/trace/trace_kprobe.c:1821
perf_kprobe_init+0xed/0x1b0 kernel/trace/trace_event_perf.c:267
perf_kprobe_event_init+0xcc/0x180 kernel/events/core.c:10334
perf_try_init_event+0x10d/0x4e0 kernel/events/core.c:11650
perf_init_event kernel/events/core.c:11720 [inline]
perf_event_alloc kernel/events/core.c:12000 [inline]
perf_event_alloc+0xded/0x3310 kernel/events/core.c:11866
__do_sys_perf_event_open+0x328/0x1d50 kernel/events/core.c:12507
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x43/0xf0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f92060ecb4d
Code: 28 c3 e8 36 29 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff2df5c268 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f92060ecb4d
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000020001200
RBP: 00007f92060a6500 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007f92060a65a0
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
CR2: ffffffff95003e80
---[ end trace 0000000000000000 ]---
RIP: 0010:arch_adjust_kprobe_addr+0x42/0x180 arch/x86/kernel/kprobes/core.c:338
Code: 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02
48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 09 01 00 00 <44> 8b
6d 00 41 81 fd 66 0f 1f 00 74 18 e8 3c e5 30 00 41 81 e5 ff
RSP: 0018:ffff888112af7a68 EFLAGS: 00010246
RAX: 0000000000000003 RBX: 0000000000000000 RCX: ffffffff902cd938
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff95003e80
RBP: ffffffff95003e80 R08: ffff8881bec62da8 R09: ffffffff930000eb
R10: ffffffff906e4e58 R11: ffffffff92f009b3 R12: ffff888112af7b70
R13: ffff888107f5e258 R14: ffff88810124c6f0 R15: 0000000000000001
FS: 000055555555e880(0000) GS:ffff8881c0000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff95003e80 CR3: 00000001036da005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
note: syz-executor372[298] exited with irqs disabled
----------------
Code disassembly (best guess):
0: 48 89 ea mov %rbp,%rdx
3: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
a: fc ff df
d: 48 c1 ea 03 shr $0x3,%rdx
11: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
15: 48 89 e8 mov %rbp,%rax
18: 83 e0 07 and $0x7,%eax
1b: 83 c0 03 add $0x3,%eax
1e: 38 d0 cmp %dl,%al
20: 7c 08 jl 0x2a
22: 84 d2 test %dl,%dl
24: 0f 85 09 01 00 00 jne 0x133
* 2a: 44 8b 6d 00 mov 0x0(%rbp),%r13d <-- trapping instruction
2e: 41 81 fd 66 0f 1f 00 cmp $0x1f0f66,%r13d
35: 74 18 je 0x4f
37: e8 3c e5 30 00 callq 0x30e578
3c: 41 rex.B
3d: 81 .byte 0x81
3e: e5 ff in $0xff,%eax
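Added example, not part of the report above and not kernel code: a user-space C helper for reading an x86-64 oops like this one. It parses the "Code:" byte dump (copied from the report) to locate the bracketed trapping byte and the point in arch_adjust_kprobe_addr where the dump begins, and it replays the inline KASAN shadow check that the disassembly performs right before the faulting load. The register dump shows RDI, RBP and CR2 all equal to ffffffff95003e80, so the trapping `mov 0x0(%rbp),%r13d` is a 4-byte read of the function's first argument, the probe address itself. Because the trap landed on the load and not in the KASAN report path, the inline check passed; the example assumes a shadow byte of 0 for that address, which is what the zero shadow page reads as. The 128-byte buffer, the names `parse_code_dump`, `code_dump_byte`, `dump_start_in_function`, `kasan_shadow_addr` and `kasan_inline_access_ok` are choices made here, not names from the kernel.

```c
/* Added example: decode the "Code:" dump and replay the inline KASAN check. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The "Code:" dump from the report, with the trapping byte marked <44>. */
static const char CODE_DUMP[] =
    "48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02 "
    "48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 09 01 00 00 <44> 8b "
    "6d 00 41 81 fd 66 0f 1f 00 74 18 e8 3c e5 30 00 41 81 e5 ff";

/* Values read straight off the report. */
#define RIP_FUNC_OFFSET 0x42u                     /* arch_adjust_kprobe_addr+0x42 */
#define FAULT_ADDR 0xffffffff95003e80ULL          /* CR2 == RDI == RBP */
#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL /* the movabs immediate */
#define KASAN_SHADOW_SCALE_SHIFT 3                /* the shr $0x3 */

struct code_dump {
    uint8_t bytes[128]; /* capacity is an assumption; oopses dump 64 bytes */
    int len;            /* bytes parsed, or -1 on malformed input */
    int trap;           /* index of the <xx> byte, or -1 if none */
};

/* Parse "xx xx <xx> xx ..." into bytes, remembering which byte was bracketed. */
static struct code_dump parse_code_dump(const char *text)
{
    struct code_dump cd = { .len = 0, .trap = -1 };
    const char *p = text;

    while (*p) {
        while (*p == ' ' || *p == '\n' || *p == '\t')
            p++;
        if (!*p)
            break;
        if ((size_t)cd.len >= sizeof cd.bytes) {
            cd.len = -1;
            break;
        }
        int marked = (*p == '<');
        if (marked)
            p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) {
            cd.len = -1;
            break;
        }
        char hex[3] = { p[0], p[1], '\0' };
        cd.bytes[cd.len] = (uint8_t)strtoul(hex, NULL, 16);
        p += 2;
        if (marked) {
            if (*p != '>') {
                cd.len = -1;
                break;
            }
            p++;
            cd.trap = cd.len;
        }
        cd.len++;
    }
    return cd;
}

/* Byte i of the dump, or -1 if out of range or the dump is malformed. */
static int code_dump_byte(const char *text, int i)
{
    struct code_dump cd = parse_code_dump(text);
    return (i >= 0 && i < cd.len) ? cd.bytes[i] : -1;
}

/* RIP is function+rip_off and the dump begins `trap` bytes before RIP. */
static long dump_start_in_function(unsigned rip_off, int trap)
{
    return (long)rip_off - trap;
}

/* Shadow byte address as computed inline: (addr >> 3) + KASAN_SHADOW_OFFSET. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/*
 * The inline check for an access of `size` (< 8) bytes at `addr`, mirroring the
 * cmp/jl/test/jne sequence in the disassembly: `last` is the in-granule offset
 * of the last byte touched. The load proceeds when last < shadow (signed) or
 * shadow == 0; anything else, including negative poison values, is reported.
 */
static int kasan_inline_access_ok(uint64_t addr, int8_t shadow_byte, unsigned size)
{
    int8_t last = (int8_t)((addr & 7) + size - 1);

    if (last < shadow_byte) /* cmp %dl,%al ; jl -> do the load */
        return 1;
    return shadow_byte == 0; /* test %dl,%dl ; jne -> KASAN report */
}

int main(void)
{
    struct code_dump cd = parse_code_dump(CODE_DUMP);

    printf("dump: %d bytes, trapping byte 0x%02x at index 0x%x\n", cd.len,
           cd.trap >= 0 ? cd.bytes[cd.trap] : 0, cd.trap);
    printf("dump starts at arch_adjust_kprobe_addr+0x%lx\n",
           dump_start_in_function(RIP_FUNC_OFFSET, cd.trap));
    printf("shadow byte for %#llx lives at %#llx\n", (unsigned long long)FAULT_ADDR,
           (unsigned long long)kasan_shadow_addr(FAULT_ADDR));
    /* Assumed shadow value 0: the check passes and the MMU, not KASAN, reports. */
    printf("4-byte load with shadow 0: %s\n",
           kasan_inline_access_ok(FAULT_ADDR, 0, 4) ? "allowed" : "reported");
    return 0;
}
```

The takeaway for triage: KASAN's inline check only consults shadow memory, so a dereference of an address that is simply not mapped sails past it and surfaces as a #PF from the MMU. That is why the report is a plain "unable to handle page fault" rather than a KASAN splat, even on a KASAN kernel, and why the dereference has to be guarded by a fault-tolerant read rather than by the sanitizer.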