FYI, we noticed the following commit (built with gcc-6):
commit: 92114220fe6a374172e99261b6451c515d29c8dc ("[PATCH] kernel: prevent submission of creds with higher privileges inside container")
url: https://github.com/0day-ci/linux/commits/My-Name/kernel-prevent-submissio...
in testcase: trinity
with the following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -m 256M
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+------------------------------------------+-----------+------------+
|                                          | v4.19-rc3 | 92114220fe |
+------------------------------------------+-----------+------------+
| boot_successes                           | 8         | 0          |
| boot_failures                            | 0         | 6          |
| BUG:unable_to_handle_kernel              | 0         | 6          |
| Oops:#[##]                               | 0         | 6          |
| RIP:commit_creds                         | 0         | 6          |
| Kernel_panic-not_syncing:Fatal_exception | 0         | 6          |
+------------------------------------------+-----------+------------+
[ 53.586547] BUG: unable to handle kernel NULL pointer dereference at 00000000000006c0
[ 53.588054] PGD 0 P4D 0
[ 53.588564] Oops: 0000 [#1] PTI
[ 53.589180] CPU: 0 PID: 1 Comm: init Not tainted 4.19.0-rc3-00001-g9211422 #1
[ 53.590544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 53.592139] RIP: 0010:commit_creds+0x51/0x410
[ 53.592988] Code: 08 81 ba b0 01 00 00 fe ff ff ef 74 11 8b 43 04 39 47 04 0f 83 9c 00 00 00 e9 c2 03 00 00 48 8b 50 10 48 83 05 67 82 5a 02 01 <81> ba c0 06 00 00 ff ff ff ef 75 d7 48 8b 50 18 48 83 05 57 82 5a
[ 53.596525] RSP: 0000:ffffc9000000bd10 EFLAGS: 00010202
[ 53.597526] RAX: ffffffff82ca3060 RBX: ffff88000f02eb40 RCX: ffff88000f0399c8
[ 53.598883] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88000b2a53c0
[ 53.600235] RBP: ffff88000bd66800 R08: ffff88000f030740 R09: 00000000008fb60c
[ 53.601587] R10: 00000000e0098d8b R11: 0000000010c12b46 R12: ffff88000f030040
[ 53.602936] R13: ffffc90000008000 R14: ffff88000cd07500 R15: 0000000000000001
[ 53.604285] FS: 0000000000000000(0000) GS:ffffffff82c5b000(0000) knlGS:0000000000000000
[ 53.605813] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.606906] CR2: 00000000000006c0 CR3: 000000000c6f6000 CR4: 00000000000406b0
[ 53.608264] Call Trace:
[ 53.608762] install_exec_creds+0x25/0xa0
[ 53.609544] load_elf_binary+0x544/0x1e72
[ 53.610324] ? __lock_acquire+0xdbb/0x1030
[ 53.611234] ? find_held_lock+0x35/0xd0
[ 53.611982] ? __lock_acquire+0xdbb/0x1030
[ 53.612891] ? find_held_lock+0x35/0xd0
[ 53.613639] ? search_binary_handler+0x83/0x180
[ 53.614512] search_binary_handler+0x98/0x180
[ 53.615356] load_script+0x348/0x370
[ 53.616058] search_binary_handler+0x98/0x180
[ 53.616906] __do_execve_file+0x7d3/0xaa0
[ 53.617804] do_execve+0x24/0x30
[ 53.618439] run_init_process+0x50/0x60
[ 53.619184] ? rest_init+0x1a0/0x1a0
[ 53.619885] kernel_init+0xca/0x1e0
[ 53.620573] ret_from_fork+0x35/0x40
[ 53.621264] CR2: 00000000000006c0
[ 53.621969] ---[ end trace 3c2bcf9b443a9ddd ]---
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
lkp