Date:      Tue, 21 May 2019 22:37:10 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 238035] Divide by zero in kern_fcntl_freebsd
Message-ID:  <bug-238035-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238035

            Bug ID: 238035
           Summary: Divide by zero in kern_fcntl_freebsd
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: Andrew@FreeBSD.org
                CC: emaste@freebsd.org

Syzkaller found the following divide by zero bug in kern_fcntl. It seems to be
a problem with devfs, as indicated by where the struct statfs bsize came from.

Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff80fb00ea
stack pointer           = 0x28:0xfffffe001507c850
frame pointer           = 0x28:0xfffffe001507c8f0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 718 (syz-executor.3)
trap number             = 18
panic: integer divide fault
cpuid = 0
time = 1558477383
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe001507c520
vpanic() at vpanic+0x1e0/frame 0xfffffe001507c580
panic() at panic+0x43/frame 0xfffffe001507c5e0
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe001507c660
trap() at trap+0xba/frame 0xfffffe001507c780
calltrap() at calltrap+0x8/frame 0xfffffe001507c780
--- trap 0x12, rip = 0xffffffff80fb00ea, rsp = 0xfffffe001507c850, rbp = 0xfffffe001507c8f0 ---
kern_fcntl() at kern_fcntl+0x9aa/frame 0xfffffe001507c8f0
kern_fcntl_freebsd() at kern_fcntl_freebsd+0x14f/frame 0xfffffe001507c980
amd64_syscall() at amd64_syscall+0x436/frame 0xfffffe001507cab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe001507cab0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x41331a, rsp = 0x7fffdfffdf38, rbp = 0x3 ---
Uptime: 30s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to 169.254.0.1 (02:82:93:04:a7:00)
Dumping 100 out of 465 MB:..16%..32%..48%..64%..80%..96%

__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1  doadump (textdump=1) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383
#2  0xffffffff81032217 in kern_reboot (howto=260) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470
#3  0xffffffff81032825 in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896
#4  0xffffffff81032473 in panic (fmt=<unavailable>) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823
#5  0xffffffff816d13d6 in trap_fatal (frame=0xfffffe001507c790, eva=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946
#6  0xffffffff816d004a in trap (frame=<optimized out>) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218
#7  <signal handler called>
#8  0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized out>, cmd=<optimized out>, arg=0)
    at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
#9  0xffffffff80faf66f in kern_fcntl_freebsd (td=<optimized out>, fd=<optimized out>, cmd=15, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:467
#10 0xffffffff816d25d6 in syscallenter (td=0xfffff80008265000) at /usr/home/andrew/head-git/sys/amd64/amd64/../../kern/subr_syscall.c:135
#11 amd64_syscall (td=0xfffff80008265000, traced=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:1166
#12 <signal handler called>
#13 0x000000000041331a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffdfffdf38
(kgdb) up 8
#8  0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized out>, cmd=<optimized out>, arg=0)
    at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
783                             fp->f_seqcount = (arg + bsize - 1) / bsize;
(kgdb) p bsize
$1 = 0
(kgdb)
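As an added illustration (not code from the bug report or from the FreeBSD tree), the expression kgdb stopped on, beside a checked version that refuses a zero block size before dividing and keeps the quotient within the int that f_seqcount holds; struct demo_file, the FRDAHEAD value, the long argument type and the negative-arg semantics are assumptions for the demo, not the kernel's definitions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the struct file fields F_READAHEAD touches (demo only). */
#define FRDAHEAD 0x0001		/* hypothetical flag bit for this demo */
struct demo_file { int f_seqcount; unsigned int f_flag; };

/* Mirrors kern_descrip.c:783 from the report: with a mount block size of 0
 * (what kgdb showed for the devfs vnode) the division faults in kernel mode. */
int
readahead_unchecked(struct demo_file *fp, long arg, long bsize)
{
	fp->f_seqcount = (arg + bsize - 1) / bsize;	/* integer divide fault when bsize == 0 */
	fp->f_flag |= FRDAHEAD;
	return (0);
}

/* Hardened variant (illustrative, not the project's actual fix): refuse a
 * non-positive block size before dividing and keep the rounded-up quotient
 * within the int that f_seqcount can hold.  Returns 0 or an errno value. */
int
readahead_checked(struct demo_file *fp, long arg, long bsize)
{
	long quot;

	if (arg < 0) {				/* negative arg disables read-ahead (assumed semantics) */
		fp->f_flag &= ~FRDAHEAD;
		return (0);
	}
	if (bsize <= 0)
		return (EINVAL);		/* the devfs case from the report: block size reported as 0 */
	if (arg > LONG_MAX - bsize + 1)
		return (EINVAL);		/* arg + bsize - 1 would overflow */
	quot = (arg + bsize - 1) / bsize;	/* ceil(arg / bsize) */
	if (quot > INT_MAX)
		return (EINVAL);		/* would not fit in f_seqcount */
	fp->f_seqcount = (int)quot;
	fp->f_flag |= FRDAHEAD;
	return (0);
}
```

Calling readahead_checked(&f, 0, 0), the inputs from the kgdb session, returns EINVAL instead of faulting; readahead_unchecked with the same inputs reproduces the divide-by-zero in user space as a SIGFPE.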

-- 
You are receiving this mail because:
You are the assignee for the bug.