kernel-packages team mailing list archive
Message #147174
[Bug 1517864] [NEW] Kernel bug in mm/memory.c when ptrace poking to PROT_NONE map
Public bug reported:
This bug occurs when using ptrace to poke to a map with PROT_NONE
permissions. Here's a minimal reproducer:

#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

int main(void)
{
    /* Anonymous private mapping with no access permissions. */
    void* address = mmap(NULL, 4096, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (address == MAP_FAILED) return -1;

    pid_t child = fork();
    if (child == 0)
    {
        /* Child: ask to be traced, then stop so the parent can act. */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGINT);
    }
    else
    {
        /* Parent: wait for the child to stop, then write to and read
           back from the PROT_NONE mapping inherited by the child. */
        wait(NULL);
        printf("Poking 42 to %p\n", address);
        ptrace(PTRACE_POKEDATA, child, address, 42);
        long value = ptrace(PTRACE_PEEKDATA, child, address, NULL);
        printf("Value at %p: %ld\n", address, value);
    }
    return 0;
}

Output on Ubuntu 15.10 (broken):
$ ./minimal_reproducer
Poking 42 to 0x7f0d1e547000
Segmentation fault
I've attached the dmesg output which shows the kernel bug. The system
then becomes unstable with core programs such as `ps` freezing when
they're run.
Output on Ubuntu 14.04 (not broken):
$ ./minimal_reproducer
Poking 42 to 0x7fe5f54a8000
Value at 0x7fe5f54a8000: 42
In this case (Ubuntu 14.04) no kernel bug is reported in dmesg and the
system remains stable. Hence this is a regression.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Confirmed
** Tags: kernel-bug
** Attachment added: "dmesg_output.log"
https://bugs.launchpad.net/bugs/1517864/+attachment/4521972/+files/dmesg_output.log
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1517864