Date: Tue, 21 May 2019 22:37:10 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 238035] Divide by zero in kern_fcntl_freebsd Message-ID: <bug-238035-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238035 Bug ID: 238035 Summary: Divide by zero in kern_fcntl_freebsd Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: Andrew@FreeBSD.org CC: emaste@freebsd.org Syzkaller found the following divide by zero bug in kern_fcntl. It seems to be a problem with devfs as indicated by the struct statfs bsize came from. Fatal trap 18: integer divide fault while in kernel mode cpuid = 0; apic id = 00 instruction pointer = 0x20:0xffffffff80fb00ea stack pointer = 0x28:0xfffffe001507c850 frame pointer = 0x28:0xfffffe001507c8f0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 718 (syz-executor.3) trap number = 18 panic: integer divide fault cpuid = 0 time = 1558477383 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe001507c520 vpanic() at vpanic+0x1e0/frame 0xfffffe001507c580 panic() at panic+0x43/frame 0xfffffe001507c5e0 trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe001507c660 trap() at trap+0xba/frame 0xfffffe001507c780 calltrap() at calltrap+0x8/frame 0xfffffe001507c780 --- trap 0x12, rip = 0xffffffff80fb00ea, rsp = 0xfffffe001507c850, rbp = 0xfffffe001507c8f0 --- kern_fcntl() at kern_fcntl+0x9aa/frame 0xfffffe001507c8f0 kern_fcntl_freebsd() at kern_fcntl_freebsd+0x14f/frame 0xfffffe001507c980 amd64_syscall() at amd64_syscall+0x436/frame 0xfffffe001507cab0 fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe001507cab0 --- syscall (198, FreeBSD ELF64, nosys), rip = 0x41331a, rsp = 0x7fffdfffdf38, rbp = 0x3 --- Uptime: 30s netdump: overwriting mbuf zone pointers netdump in progress. searching for server... netdumping to 169.254.0.1 (02:82:93:04:a7:00) Dumping 100 out of 465 MB:..16%..32%..48%..64%..80%..96% __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246 246 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (OFFSETOF_CURTHREAD)); (kgdb) bt #0 __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246 #1 doadump (textdump=1) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383 #2 0xffffffff81032217 in kern_reboot (howto=260) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470 #3 0xffffffff81032825 in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896 #4 0xffffffff81032473 in panic (fmt=<unavailable>) at /usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823 #5 0xffffffff816d13d6 in trap_fatal (frame=0xfffffe001507c790, eva=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946 #6 0xffffffff816d004a in trap (frame=<optimized out>) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218 #7 <signal handler called> #8 0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized out>, cmd=<optimized out>, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783 #9 0xffffffff80faf66f in kern_fcntl_freebsd (td=<optimized out>, fd=<optimized out>, cmd=15, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:467 #10 0xffffffff816d25d6 in syscallenter (td=0xfffff80008265000) at /usr/home/andrew/head-git/sys/amd64/amd64/../../kern/subr_syscall.c:135 #11 amd64_syscall (td=0xfffff80008265000, traced=0) at /usr/home/andrew/head-git/sys/amd64/amd64/trap.c:1166 #12 <signal handler called> #13 0x000000000041331a in ?? () Backtrace stopped: Cannot access memory at address 0x7fffdfffdf38 (kgdb) up 8 #8 0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized out>, cmd=<optimized out>, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783 783 fp->f_seqcount = (arg + bsize - 1) / bsize; (kgdb) p bsize $1 = 0 (kgdb) -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238035-227>