
kernel-packages team mailing list archive

[Bug 1517864] [NEW] Kernel bug in mm/memory.c when ptrace poking to PROT_NONE map


Public bug reported:

This bug occurs when using ptrace to poke to a map with PROT_NONE
permissions. Here's a minimal reproducer:

#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

int main()
{
    /* Anonymous page with no access permissions at all; the child
       inherits the same mapping at the same address across fork(). */
    void* address = mmap(NULL, 4096, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (address == MAP_FAILED) return -1;

    pid_t child = fork();
    if (child == 0)
    {
        /* Tracee: ask to be traced by the parent, then stop. */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGINT);
    }
    else
    {
        /* Tracer: wait for the child to stop, then write through the
           PROT_NONE mapping via ptrace and read the word back. */
        wait(NULL);

        printf("Poking 42 to %p\n", address);
        ptrace(PTRACE_POKEDATA, child, address, 42);

        long value = ptrace(PTRACE_PEEKDATA, child, address, NULL);
        printf("Value at %p: %ld\n", address, value);
    }
    return 0;
}

Output on Ubuntu 15.10 (broken):

$ ./minimal_reproducer 
Poking 42 to 0x7f0d1e547000
Segmentation fault

I've attached the dmesg output which shows the kernel bug. The system
then becomes unstable with core programs such as `ps` freezing when
they're run.

Output on Ubuntu 14.04 (not broken):

$ ./minimal_reproducer 
Poking 42 to 0x7fe5f54a8000
Value at 0x7fe5f54a8000: 42

In this case (Ubuntu 14.04) no kernel bug is reported in dmesg and the
system remains stable. Hence this is a regression.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: kernel-bug

** Attachment added: "dmesg_output.log"
   https://bugs.launchpad.net/bugs/1517864/+attachment/4521972/+files/dmesg_output.log

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1517864
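The report points at the attached dmesg output as the evidence of the kernel bug, and at `ps` freezing afterwards as the follow-on symptom. A log-triage routine that picks those two signals out of dmesg (the `kernel BUG at file:line!` record with its die counter, taint flags and crashing command, plus hung-task warnings) is the check a defender would run on a host after a crash like this one before deciding whether it must be rebooted. The following Python is an added example, not part of the bug report or of the Ubuntu kernel; the dmesg excerpt inside it is constructed (the mm/memory.c line number 9999, PIDs, timestamps and version string are made up) and is not the attachment from the bug.

```python
"""Triage kernel BUG / oops / hung-task records from dmesg output."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed dmesg excerpt (NOT the bug's attached dmesg_output.log): the
# timestamps, PIDs, the mm/memory.c line number, trace id and version string
# are made up; only the record shapes follow the real dmesg format.
SAMPLE_DMESG = """\
[  512.301001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  512.310301] ------------[ cut here ]------------
[  512.310305] kernel BUG at mm/memory.c:9999!
[  512.310310] invalid opcode: 0000 [#1] SMP
[  512.310400] CPU: 1 PID: 2344 Comm: minimal_reproducer Not tainted 4.2.0-00-generic #0-Ubuntu
[  512.310500] Call Trace:
[  512.310600] ---[ end trace 0123456789abcdef ]---
[  640.000001] INFO: task ps:3001 blocked for more than 120 seconds.
[  640.000002]       Tainted: G      D  4.2.0-00-generic #0-Ubuntu
[  640.000003] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
"""

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s?(?P<msg>.*)$")
BUG_AT_RE = re.compile(r"kernel BUG at (?P<file>[^\s:]+):(?P<line>\d+)!")
OOPS_START_RE = re.compile(r"^(?:BUG: |general protection fault)")
DIE_RE = re.compile(r"\[#(?P<n>\d+)\]")
PROC_RE = re.compile(r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
TAINT_RE = re.compile(r"Tainted: (?P<flags>(?:[A-Z] *)+?)\s+\d")
HUNG_RE = re.compile(r"INFO: task (?P<comm>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
END_RE = re.compile(r"^---\[ end trace ")


@dataclass
class KernelEvent:
    kind: str                     # "bug", "oops" or "hung_task"
    timestamp: float
    summary: str
    file: Optional[str] = None
    line: Optional[int] = None
    die_id: Optional[int] = None  # the [#N] die counter; 1 for the first crash since boot
    comm: Optional[str] = None
    pid: Optional[int] = None
    taint_flags: Set[str] = field(default_factory=set)


def parse_dmesg(text: str) -> List[KernelEvent]:
    """Group dmesg lines into crash and hung-task events."""
    events: List[KernelEvent] = []
    current: Optional[KernelEvent] = None
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg").strip()
        bug = BUG_AT_RE.search(msg)
        if bug:  # BUG() fired: file:line is the assertion site in the kernel source
            current = KernelEvent("bug", ts, msg, file=bug.group("file"), line=int(bug.group("line")))
            events.append(current)
            continue
        if OOPS_START_RE.match(msg):  # fault-style oops (NULL deref, GPF, ...)
            current = KernelEvent("oops", ts, msg)
            events.append(current)
            continue
        hung = HUNG_RE.search(msg)
        if hung:  # hung-task detector: the "ps freezes" symptom shows up here
            current = KernelEvent("hung_task", ts, msg, comm=hung.group("comm"), pid=int(hung.group("pid")))
            events.append(current)
            continue
        if current is None:
            continue
        die = DIE_RE.search(msg)
        if die and current.die_id is None:
            current.die_id = int(die.group("n"))
        proc = PROC_RE.search(msg)
        if proc:
            current.comm, current.pid = proc.group("comm"), int(proc.group("pid"))
        taint = TAINT_RE.search(msg)
        if taint:
            current.taint_flags = set(taint.group("flags").split())
        if END_RE.match(msg):
            current = None
    return events


def crashes_in_subsystem(events: List[KernelEvent], prefix: str) -> List[KernelEvent]:
    """Crash events whose BUG() site lies under a source path prefix such as 'mm/'."""
    return [e for e in events if e.kind == "bug" and e.file and e.file.startswith(prefix)]


def triage(events: List[KernelEvent]) -> dict:
    """Summarise what the records imply for the host's state."""
    crashes = [e for e in events if e.kind in ("bug", "oops")]
    hung = [e for e in events if e.kind == "hung_task"]
    # After a BUG()/oops the kernel sets taint flag 'D' (died) and the affected
    # subsystem's state is unreliable, which is why later commands can hang.
    died = any("D" in e.taint_flags for e in events)
    return {
        "crashes": len(crashes),
        "crash_sites": sorted({f"{e.file}:{e.line}" for e in crashes if e.file}),
        "crashing_commands": sorted({e.comm for e in crashes if e.comm}),
        "hung_tasks": sorted({e.comm for e in hung if e.comm}),
        "reboot_required": bool(crashes) or died,
    }


if __name__ == "__main__":
    for key, value in triage(parse_dmesg(SAMPLE_DMESG)).items():
        print(f"{key}: {value}")
```

Feed it the real `dmesg` output instead of `SAMPLE_DMESG` to use it on a host; the `D` taint flag on records that follow the crash is the simplest way to confirm, from logs alone, that the kernel has already died once and that later oddities (such as the frozen `ps` the report describes) are consequences rather than separate bugs.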

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1517864/+subscriptions

