google / syzkaller

syzkaller is an unsupervised coverage-guided kernel fuzzer

panic: call #0 mmap: ptr vma has bad address 18446744073709547520/4096/4096

bjoernd opened this issue · comments

Describe the bug

Coming off #4715 -- I rebuilt syzkaller with debugging enabled in prog/validation.go. I'm now getting hundreds of reports complaining about a bad VMA address.

To Reproduce

Config:

{
	"target": "linux/amd64",
	"http": "127.0.0.1:56741",
	"workdir": "/home/ubuntu/syz-work",
	"kernel_obj": "/home/ubuntu/src/linux",
	"image": "/home/ubuntu/src/image/bullseye.img",
	"sshkey": "/home/ubuntu/src/image/bullseye.id_rsa",
	"syzkaller": "/home/ubuntu/src/syzkaller",
	"procs": 8,
	"type": "qemu",
	"vm": {
		"count": 64,
		"kernel": "/home/ubuntu/src/linux/arch/x86/boot/bzImage",
		"cmdline" : "net.ifnames=0",
		"cpu": 2,
		"mem": 2048
	}
}

Expected behavior
Syzkaller happily runs fuzzing and produces results.

Additional context
N/A

╰─○ cat log0
Warning: Permanently added '[localhost]:39534' (ED25519) to the list of known hosts.
2024/05/02 19:03:36 fuzzer started
2024/05/02 19:03:36 dialing manager at localhost:40649
2024/05/02 19:03:36 checking machine...
2024/05/02 19:03:36 testing simple program...
syzkaller login: [   17.819672] cgroup: Unknown subsys name 'net'
[   17.977755] cgroup: Unknown subsys name 'rlimit'
[   18.172610] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k FS
panic: call #0 mmap: ptr vma has bad address 18446744073709547520/4096/4096

goroutine 1 [running]:
github.com/google/syzkaller/prog.(*Prog).debugValidate(...)
	/home/ubuntu/src/syzkaller/prog/validation.go:19
github.com/google/syzkaller/prog.(*Prog).SerializeForExec(0xc00110f8c0)
	/home/ubuntu/src/syzkaller/prog/encodingexec.go:69 +0x3d5
github.com/google/syzkaller/pkg/ipc.(*Env).Exec(0xc000560000?, 0x0?, 0xdc0798?)
	/home/ubuntu/src/syzkaller/pkg/ipc/ipc.go:339 +0x25
main.checkSimpleProgram(0xc00110feb8, 0x0?)
	/home/ubuntu/src/syzkaller/syz-fuzzer/testing.go:258 +0x21e
main.checkMachine(0xc00110feb8)
	/home/ubuntu/src/syzkaller/syz-fuzzer/testing.go:148 +0x265
main.main()
	/home/ubuntu/src/syzkaller/syz-fuzzer/fuzzer.go:156 +0xa28

VM DIAGNOSIS:
19:03:38  Registers:
info registers vcpu 0

CPU#0
RAX=ffffffff8665b370 RBX=ffffffff88c24600 RCX=ffffffff86632403 RDX=0000000000000001
RSI=0000000000000004 RDI=00000000001891c4 RBP=0000000000000000 RSP=ffffffff88c07e10
R8 =0000000000000001 R9 =ffff88805aa3cb23 R10=ffffed100b547964 R11=ffffffff8c601003
R12=1ffffffff1180fc6 R13=ffffffff88c24600 R14=dffffc0000000000 R15=0000000000013d30
RIP=ffffffff8665b380 RFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=1
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff88805aa00000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00000067 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00005603a94a3258 CR3=0000000013cba003 CR4=00770ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000fffe0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
Opmask00=00000000fcfefe00 Opmask01=0000000080000000 Opmask02=000000000000ffff Opmask03=0000000000000000
Opmask04=0000000000000000 Opmask05=0000000000000000 Opmask06=0000000000000000 Opmask07=0000000000000000
ZMM00=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM01=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM02=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM03=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM04=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM05=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM06=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM07=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM08=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM09=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM10=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM11=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM12=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM13=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM14=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM15=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM16=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM17=0000000000000000 0000000000000000 0000000000000000 0000000000000000 3120737365726464 6120646162207361 6820616d76207274 70203a70616d6d20
ZMM18=0000000000000000 0000000000000000 0000000000000000 0000000000000000 670a0a363930342f 363930342f303235 3734353930373337 3034343736343438
ZMM19=0000000000000000 0000000000000000 0000000000000000 0000000000000000 6d6f632e62756874 69670a3a5d676e69 6e6e75725b203120 656e6974756f726f
ZMM20=0000000000000000 0000000000000000 0000000000000000 0000000000000000 2f72656c6c616b7a 79732f656c676f6f 672f6d6f632e6275 687469670a39313a
ZMM21=0000000000000000 0000000000000000 0000000000000000 0000000000000000 6f672e6e6f697461 64696c61762f676f 72702f72656c6c61 6b7a79732f637273
ZMM22=0000000000000000 0000000000000000 0000000000000000 0000000000000000 2f75746e7562752f 656d6f682f090a29 2e2e2e2865746164 696c615667756265
ZMM23=0000000000000000 0000000000000000 0000000000000000 0000000000000000 642e29676f72502a 282e676f72702f72 656c6c616b7a7973 2f656c676f6f672f
ZMM24=0000000000000000 0000000000000000 0000000000000000 0000000000000000 7c6cf32f7c6cf32f 7c6cf32f7c6cf32f 7c6cf32f7c6cf32f 7c6cf32f7c6cf32f
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 06e9f49c06e9f49c 06e9f49c06e9f49c 06e9f49c06e9f49c 06e9f49c06e9f49c
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 d7039cd5d7039cd5 d7039cd5d7039cd5 d7039cd5d7039cd5 d7039cd5d7039cd5
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 cb5e2442cb5e2442 cb5e2442cb5e2442 cb5e2442cb5e2442 cb5e2442cb5e2442
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 000000100000000e 0000000c0000000a 0000000f0000000d 0000000b00000009
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 1500000015000000 1500000015000000 1500000015000000 1500000015000000
info registers vcpu 1

CPU#1
RAX=0000000000000001 RBX=0000000000000000 RCX=ffffffff81b81329 RDX=0000000000000001
RSI=0000000000000008 RDI=ffffea0000a165c0 RBP=ffffea0000a165c0 RSP=ffffc90006037648
R8 =0000000000000000 R9 =ffffea0000a165c7 R10=fffff94000142cb8 R11=1ffff1100fff6ad0
R12=dffffc0000000000 R13=ffffea0000a165c8 R14=ffff888014c66ec8 R15=ffffea0000a165c0
RIP=ffffffff81cad948 RFL=00000246 [---Z-P-] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS   [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff88805ab00000 ffffffff 00c00000
LDT=0000 0000000000000000 00000000 00000000
TR =0040 fffffe000004a000 00000067 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=0000000000fda9d8 CR3=0000000015f66003 CR4=00770ee0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000fffe0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
Opmask00=0000000000000000 Opmask01=0000000000000000 Opmask02=0000000000000000 Opmask03=0000000000000000
Opmask04=0000000000000000 Opmask05=0000000000000000 Opmask06=0000000000000000 Opmask07=0000000000000000
ZMM00=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 97cce300dbd4f1a2 0ad9d61875664d21
ZMM01=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 91875e43c6fc9c89 27e4fa965e067d38
ZMM02=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 dfaf13c66d60c926 f8046806161faee1
ZMM03=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 b95b63d503d5aaee 1ffb61e39dd1ec48
ZMM04=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000540
ZMM05=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000040
ZMM06=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 008001000000000d 01ed7cde5275c488
ZMM07=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000d00000000 0000000d00000000
ZMM08=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 000000005274bc2e 0144523951d47e10
ZMM09=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 017fd374527686a8 0000000d0000000d
ZMM10=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 83311c00262a9434 64cd9ebd526bbf8e
ZMM11=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 4b7742a72f2393fe 30f4bf6b5d98a725
ZMM12=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 980afe8808fe7808 fe500ffeaa0dfe6c
ZMM13=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 008aff0173657275 7461654608010002
ZMM14=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 a54ff53a3c6ef372 bb67ae856a09e667
ZMM15=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 5be0cd191f83d9ab 9b05688c510e527f
ZMM16=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM17=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM18=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM19=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM20=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM21=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM22=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM23=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM24=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000

Will now restart the manager with this patch:

diff --git a/prog/validation.go b/prog/validation.go
index b2a358706..69394b218 100644
--- a/prog/validation.go
+++ b/prog/validation.go
@@ -7,7 +7,7 @@ import (
        "fmt"
 )

-var debug = false // enabled in tests and fuzzers
+var debug = true// enabled in tests and fuzzers

 func Debug() {
        debug = true
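Review bot: the `+var debug = true// enabled in tests and fuzzers` line is missing the space before `//` that gofmt inserts, and the comment it keeps is now stale, since the flag is no longer enabled only in tests and fuzzers but unconditionally for every binary built from this tree. The package already exposes `Debug()` (visible two lines below) to flip the flag at run time; calling that from the fuzzer's setup would give the same validation without patching the default. If the default really must change, rewrite the comment in the same line so it does not contradict the value.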
diff --git a/sys/targets/common.go b/sys/targets/common.go
index b6827e76e..c376f51f4 100644
--- a/sys/targets/common.go
+++ b/sys/targets/common.go
@@ -40,7 +40,7 @@ func MakePosixMmap(target *prog.Target, exec, contain bool) func() []*prog.Call
        return func() []*prog.Call {
                if contain {
                        return []*prog.Call{
-                               makeMmap(^target.PageSize+1, target.PageSize, 0),
+                               //makeMmap(^target.PageSize+1, target.PageSize, 0),
                                makeMmap(0, size, protRW),
                                makeMmap(size, target.PageSize, 0),
                        }
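Review bot: commenting out `makeMmap(^target.PageSize+1, target.PageSize, 0)` leaves dead code in the `contain` branch; delete the line instead of leaving it as a comment. The address that call produces, `^target.PageSize+1`, is -PageSize in uint64 arithmetic, which for a 4096-byte page is exactly the 18446744073709547520 reported in the panic, so this is the right call to look at. Note though that the remaining `makeMmap(size, target.PageSize, 0)` starts at `size`, the first byte past the data region, and a validator that rejects the lower guard page for lying outside the region may reject the upper one on the same ground; it is worth checking which call number the panic names after this change.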

Still getting that vma has bad address error with the above changes.
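The address in the panic, 18446744073709547520, is 0xFFFFFFFFFFFFF000: what `^target.PageSize+1` evaluates to for a 4096-byte page in uint64 arithmetic, i.e. the guard page the contain branch maps one page below address 0. The following Go program is an added illustration, not syzkaller's own code. It models the three-call layout from the hunk above and a range check of the kind that debug validation performs (the actual check in prog/validation.go is not reproduced here; the check, the region size of 16 MiB and the names are assumptions), and shows why such a check has to look at the start address before the end: an end-only comparison is fooled by the wraparound.

```go
package main

import "fmt"

// Assumed geometry for the illustration; syzkaller's real NumPages is per target.
const (
	pageSize   uint64 = 4096
	numPages   uint64 = 4096 // assumption: a 16 MiB data region
	regionSize        = numPages * pageSize
)

// mmapCall is a stripped-down stand-in for the mmap call MakePosixMmap emits.
type mmapCall struct {
	Addr uint64
	Size uint64
}

// containedLayout mirrors the three mmap calls of the contain branch:
// a guard page below the region, the region itself, a guard page above.
func containedLayout() []mmapCall {
	return []mmapCall{
		{Addr: ^pageSize + 1, Size: pageSize}, // -pageSize in uint64: 0xFFFFFFFFFFFFF000
		{Addr: 0, Size: regionSize},
		{Addr: regionSize, Size: pageSize},
	}
}

// plainLayout mirrors the non-contain branch: only the data region.
func plainLayout() []mmapCall {
	return []mmapCall{{Addr: 0, Size: regionSize}}
}

// naiveEndCheck is the bound a careless validator might use. It is wrong:
// Addr+Size wraps, 0xFFFFFFFFFFFFF000 + 0x1000 == 0, which is <= regionSize,
// so the guard page below address 0 would be accepted.
func naiveEndCheck(c mmapCall) bool {
	return c.Addr+c.Size <= regionSize
}

// validate checks the start address first, so wraparound cannot hide an
// out-of-range mapping, then checks the size against the space that remains.
// The message mimics the one in the reported panic (illustrative, not the real check).
func validate(c mmapCall) error {
	if c.Addr >= regionSize || c.Size > regionSize-c.Addr {
		return fmt.Errorf("mmap: ptr vma has bad address %v/%v/%v", c.Addr, c.Size, pageSize)
	}
	return nil
}

// firstInvalid returns the index of the first call validate rejects (and the
// error), or -1 and nil when every call fits inside the region.
func firstInvalid(calls []mmapCall) (int, error) {
	for i, c := range calls {
		if err := validate(c); err != nil {
			return i, err
		}
	}
	return -1, nil
}

func main() {
	for _, name := range []string{"contain", "plain"} {
		calls := plainLayout()
		if name == "contain" {
			calls = containedLayout()
		}
		i, err := firstInvalid(calls)
		fmt.Printf("%-7s layout: first invalid call #%d, err=%v\n", name, i, err)
	}
	g := containedLayout()[0]
	fmt.Printf("guard page below 0: addr=%d (0x%x), naiveEndCheck accepts it: %v\n",
		g.Addr, g.Addr, naiveEndCheck(g))
}
```

Run with `go run`; the contain layout is rejected at call #0 with the same address/size/pagesize triple the issue shows, the plain layout passes, and the end-only check wrongly accepts the lower guard page. Whether a given validator also rejects the upper guard page (start address equal to the region size) depends on how it bounds the start, which is why the call number in the panic is worth reading.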

Thank you for opening the issue!

This is of course not a proper fix, but I got the debug=true mode working on 3ba885b with this diff:

diff --git a/sys/targets/common.go b/sys/targets/common.go
index b6827e76e..c69839dff 100644
--- a/sys/targets/common.go
+++ b/sys/targets/common.go
@@ -38,13 +38,6 @@ func MakePosixMmap(target *prog.Target, exec, contain bool) func() []*prog.Call
                return call
        }
        return func() []*prog.Call {
-               if contain {
-                       return []*prog.Call{
-                               makeMmap(^target.PageSize+1, target.PageSize, 0),
-                               makeMmap(0, size, protRW),
-                               makeMmap(size, target.PageSize, 0),
-                       }
-               }
                return []*prog.Call{makeMmap(0, size, protRW)}
        }
 }
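Review bot: removing the whole `if contain { ... }` block leaves the `contain` parameter of `MakePosixMmap` accepted but silently ignored, so every caller gets the unguarded single-mmap layout whether or not it asked for guard pages. If this is kept beyond a debugging aid, either drop the parameter and update the callers, or keep the branch and instead teach the debug validator to tolerate the two guard-page mmaps, which are generated by this helper rather than by mutation and are deliberately placed outside the data region. As posted, the diff should at least carry a comment stating that the guard pages are disabled and why.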

Confirming, this seems to be gone.