[Bug 238035] Divide by zero in kern_fcntl_freebsd
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue May 21 22:37:12 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238035
Bug ID: 238035
Summary: Divide by zero in kern_fcntl_freebsd
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: Andrew at FreeBSD.org
CC: emaste at freebsd.org
Syzkaller found the following divide by zero bug in kern_fcntl. It seems to be
a problem with devfs as indicated by the struct statfs bsize came from.
Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer = 0x20:0xffffffff80fb00ea
stack pointer = 0x28:0xfffffe001507c850
frame pointer = 0x28:0xfffffe001507c8f0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 718 (syz-executor.3)
trap number = 18
panic: integer divide fault
cpuid = 0
time = 1558477383
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe001507c520
vpanic() at vpanic+0x1e0/frame 0xfffffe001507c580
panic() at panic+0x43/frame 0xfffffe001507c5e0
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe001507c660
trap() at trap+0xba/frame 0xfffffe001507c780
calltrap() at calltrap+0x8/frame 0xfffffe001507c780
--- trap 0x12, rip = 0xffffffff80fb00ea, rsp = 0xfffffe001507c850, rbp =
0xfffffe001507c8f0 ---
kern_fcntl() at kern_fcntl+0x9aa/frame 0xfffffe001507c8f0
kern_fcntl_freebsd() at kern_fcntl_freebsd+0x14f/frame 0xfffffe001507c980
amd64_syscall() at amd64_syscall+0x436/frame 0xfffffe001507cab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe001507cab0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x41331a, rsp = 0x7fffdfffdf38,
rbp = 0x3 ---
Uptime: 30s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to 169.254.0.1 (02:82:93:04:a7:00)
Dumping 100 out of 465 MB:..16%..32%..48%..64%..80%..96%
__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n"
(OFFSETOF_CURTHREAD));
(kgdb) bt
#0 __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1 doadump (textdump=1) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:383
#2 0xffffffff81032217 in kern_reboot (howto=260) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:470
#3 0xffffffff81032825 in vpanic (fmt=<optimized out>, ap=<optimized out>) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:896
#4 0xffffffff81032473 in panic (fmt=<unavailable>) at
/usr/home/andrew/head-git/sys/kern/kern_shutdown.c:823
#5 0xffffffff816d13d6 in trap_fatal (frame=0xfffffe001507c790, eva=0) at
/usr/home/andrew/head-git/sys/amd64/amd64/trap.c:946
#6 0xffffffff816d004a in trap (frame=<optimized out>) at
/usr/home/andrew/head-git/sys/amd64/amd64/trap.c:218
#7 <signal handler called>
#8 0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized
out>, cmd=<optimized out>, arg=0)
at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
#9 0xffffffff80faf66f in kern_fcntl_freebsd (td=<optimized out>, fd=<optimized
out>, cmd=15, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:467
#10 0xffffffff816d25d6 in syscallenter (td=0xfffff80008265000) at
/usr/home/andrew/head-git/sys/amd64/amd64/../../kern/subr_syscall.c:135
#11 amd64_syscall (td=0xfffff80008265000, traced=0) at
/usr/home/andrew/head-git/sys/amd64/amd64/trap.c:1166
#12 <signal handler called>
#13 0x000000000041331a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffdfffdf38
(kgdb) up 8
#8 0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized
out>, cmd=<optimized out>, arg=0)
at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
783 fp->f_seqcount = (arg + bsize - 1) / bsize;
(kgdb) p bsize
$1 = 0
(kgdb)
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list