I didn't look too closely at this, but here's a test program that reliably crashes the kernel in sys$ptrace() with PT_POKE:
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <unistd.h>

// Repro: the child keeps creating and destroying a region at a fixed
// address while the parent keeps poking into that same address through
// ptrace(PT_POKE). The poke has to look the region up and remap it, so
// a munmap() landing in the middle of the poke hits the freed Region.
int main()
{
    pid_t child_pid = fork();
    if (child_pid < 0) {
        perror("fork");
        return 1;
    }

    if (!child_pid) {
        // child: map and immediately unmap one page at 0x90000000, forever
        for (;;) {
            void* p;
            if ((p = mmap((void*)0x90000000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0)) == MAP_FAILED) {
                perror("mmap");
            } else {
                munmap(p, 4096);
            }
        }
    } else {
        // parent: attach, poke one word into the child's page, detach, repeat
        for (;;) {
            if (ptrace(PT_ATTACH, child_pid, nullptr, 0) < 0) {
                // attach can fail transiently; just retry
                continue;
            }
            ptrace(PT_POKE, child_pid, (void*)0x90000000, 0xaa);
            ptrace(PT_DETACH, child_pid, nullptr, 0);
        }
    }
    return 0;
}
Example crash:
[x(27:27)]: CPU[0] NP(error) fault at invalid address V0xbcbcbd18
[x(27:27)]: Unrecoverable page fault, write to address V0xbcbcbd18
[x(27:27)]: Note: Address V0xbcbcbd18 looks like it may be recently slab_dealloc()'d memory
[x(27:27)]: CRASH: CPU #0 Page Fault. Ring 0.
[x(27:27)]: exception code: 0002 (isr: 0000
[x(27:27)]: pc=0008:c0122d08 flags=0002
[x(27:27)]: stk=0010:c4efabec
[x(27:27)]: ds=0010 es=0010 fs=0030 gs=002b
[x(27:27)]: eax=00000000 ebx=bcbcbd18 ecx=c027b840 edx=c4efac20
[x(27:27)]: ebp=c4efac00 esp=c4efabec esi=c4efac78 edi=bcbcbd18
[x(27:27)]: cr0=80010013 cr2=bcbcbd18 cr3=0443e000 cr4=00300ee4
[x(27:27)]: code: f0 0f b1 0b 0f 94 c1 74
[x(27:27)]: Crash in ring 0 :(
[x(27:27)]: 0xc011c88f Kernel::handle_crash(Kernel::RegisterState&, char const*, int, bool) +0xc71
[x(27:27)]: 0xc011ce07 page_fault_handler +0x4a8
[x(27:27)]: 0xc0118c0b page_fault_asm_entry +0x26
[x(27:27)]: 0xc01eff3d Kernel::ScopedSpinLock<Kernel::RecursiveSpinLock>::ScopedSpinLock(Kernel::RecursiveSpinLock&) +0x5d
[x(27:27)]: 0xc01c37a2 Kernel::Region::map(Kernel::PageDirectory&) +0x48
[x(27:27)]: 0xc01c3892 Kernel::Region::remap() +0x66
[x(27:27)]: 0xc0199c6c Kernel::Process::poke_user_data(AK::Userspace<unsigned int*>, unsigned int) +0x292
[x(27:27)]: 0xc0183a90 .L63 +0x34
[x(27:27)]: 0xc01998ee Kernel::Process::sys$ptrace(AK::Userspace<Kernel::Syscall::SC_ptrace_params const*>) +0xee
[x(27:27)]: 0xc0187702 syscall_handler +0x6be
[x(27:27)]: 0xc018703c syscall_asm_entry +0x31