From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238035] Divide by zero in kern_fcntl_freebsd
Date: Tue, 21 May 2019 22:37:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238035

            Bug ID: 238035
           Summary: Divide by zero in kern_fcntl_freebsd
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: Andrew@FreeBSD.org
                CC: emaste@freebsd.org

Syzkaller found the following divide by zero bug in kern_fcntl. It seems to be a problem with devfs, as indicated by the struct statfs the bsize came from.
Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer	= 0x20:0xffffffff80fb00ea
stack pointer	        = 0x28:0xfffffe001507c850
frame pointer	        = 0x28:0xfffffe001507c8f0
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 718 (syz-executor.3)
trap number		= 18
panic: integer divide fault
cpuid = 0
time = 1558477383
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe001507c520
vpanic() at vpanic+0x1e0/frame 0xfffffe001507c580
panic() at panic+0x43/frame 0xfffffe001507c5e0
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe001507c660
trap() at trap+0xba/frame 0xfffffe001507c780
calltrap() at calltrap+0x8/frame 0xfffffe001507c780
--- trap 0x12, rip = 0xffffffff80fb00ea, rsp = 0xfffffe001507c850, rbp = 0xfffffe001507c8f0 ---
kern_fcntl() at kern_fcntl+0x9aa/frame 0xfffffe001507c8f0
kern_fcntl_freebsd() at kern_fcntl_freebsd+0x14f/frame 0xfffffe001507c980
amd64_syscall() at amd64_syscall+0x436/frame 0xfffffe001507cab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe001507cab0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x41331a, rsp = 0x7fffdfffdf38, rbp = 0x3 ---
Uptime: 30s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to 169.254.0.1 (02:82:93:04:a7:00)
Dumping 100 out of 465 MB:..16%..32%..48%..64%..80%..96%

__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246		__asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD));
(kgdb) bt
#0  __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1  doadump (textdump=1) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383
#2  0xffffffff81032217 in kern_reboot (howto=260) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470
#3  0xffffffff81032825 in vpanic (fmt=, ap=) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896
#4  0xffffffff81032473 in panic (fmt=) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823
#5  0xffffffff816d13d6 in trap_fatal (frame=0xfffffe001507c790, eva=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946
#6  0xffffffff816d004a in trap (frame=) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218
#7
#8  0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=, cmd=, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
#9  0xffffffff80faf66f in kern_fcntl_freebsd (td=, fd=, cmd=15, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:467
#10 0xffffffff816d25d6 in syscallenter (td=0xfffff80008265000) at /usr/home/andrew/head-git/sys/amd64/amd64/../../kern/subr_syscall.c:135
#11 amd64_syscall (td=0xfffff80008265000, traced=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:1166
#12
#13 0x000000000041331a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffdfffdf38
(kgdb) up 8
#8  0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=, cmd=, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
783			fp->f_seqcount = (arg + bsize - 1) / bsize;
(kgdb) p bsize
$1 = 0
(kgdb)
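An added example, written for this edit and not taken from the report or from FreeBSD's kern_descrip.c: a user-space C model of the F_READAHEAD arithmetic at kern_descrip.c:783 quoted above (cmd=15 in the backtrace is F_READAHEAD in FreeBSD's <fcntl.h>), beside a guarded variant that validates the statfs-derived block size before dividing by it. The struct fake_file, readahead_set() and model_seqcount() names, the EINVAL on a zero block size, the treatment of a negative arg as "disable readahead", and the overflow clamp are assumptions made for the illustration, not the project's eventual fix.

```c
/*
 * Added example (not FreeBSD's code): models the line the panic points at,
 *     fp->f_seqcount = (arg + bsize - 1) / bsize;
 * where bsize comes from the mounted filesystem's statfs and, in the
 * report's devfs case, is 0.  Both arg and bsize are caller-influenced, so
 * the hardened path validates them before the division.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the fields kern_fcntl touches (assumed names). */
struct fake_file {
	long f_iosize;		/* block size from statfs; 0 in the devfs case */
	long f_seqcount;	/* readahead window, in blocks */
};

/* Unguarded arithmetic exactly as quoted at kern_descrip.c:783.  With
 * bsize == 0 this is the "Fatal trap 18: integer divide fault" above, so
 * callers must never reach it without a block-size check. */
static long
seqcount_unguarded(long arg, long bsize)
{
	return ((arg + bsize - 1) / bsize);
}

/* Hardened model of the F_READAHEAD path.  Returns 0 or an errno value.
 * Assumptions: a negative arg disables readahead; a non-positive block
 * size is rejected with EINVAL rather than substituted; arg is clamped so
 * the round-up addition cannot overflow a long. */
static int
readahead_set(struct fake_file *fp, long arg)
{
	long bsize = fp->f_iosize;

	if (arg < 0) {
		fp->f_seqcount = 0;		/* disable readahead */
		return (0);
	}
	if (bsize <= 0)				/* the case syzkaller hit */
		return (EINVAL);
	if (arg > LONG_MAX - bsize + 1)		/* keep arg + bsize - 1 in range */
		arg = LONG_MAX - bsize + 1;
	fp->f_seqcount = seqcount_unguarded(arg, bsize);
	return (0);
}

/* Convenience wrapper: resulting seqcount, or -1 when the request is rejected. */
static long
model_seqcount(long arg, long bsize)
{
	struct fake_file fp = { bsize, 0 };

	if (readahead_set(&fp, arg) != 0)
		return (-1);
	return (fp.f_seqcount);
}

int
main(void)
{
	/* Constructed inputs: the report's call (F_READAHEAD, arg 0) against a
	 * file whose block size is 0, and a sane 32 KiB block size for contrast. */
	struct fake_file devfs_fp = { 0, 0 };
	struct fake_file ufs_fp = { 32768, 0 };
	int err;

	err = readahead_set(&devfs_fp, 0);
	printf("bsize=0, arg=0: %s\n",
	    err == EINVAL ? "rejected with EINVAL" : "accepted");
	err = readahead_set(&ufs_fp, 1L << 20);
	printf("bsize=32768, arg=1MiB: err=%d seqcount=%ld\n",
	    err, ufs_fp.f_seqcount);
	return (0);
}
```

The point of the guard is that a filesystem-supplied value reaches arithmetic on a syscall path: any mount whose statfs reports f_bsize 0 turns an unprivileged fcntl(2) into a kernel panic, so the check belongs at the consumer, not only in the filesystem that happened to produce the zero.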