[Bug 238035] Divide by zero in kern_fcntl_freebsd

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue May 21 22:37:12 UTC 2019


            Bug ID: 238035
           Summary: Divide by zero in kern_fcntl_freebsd
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: Andrew at FreeBSD.org
                CC: emaste at freebsd.org

Syzkaller found the following divide by zero bug in kern_fcntl. It seems to be
a problem with devfs as indicated by the struct statfs bsize came from.

Fatal trap 18: integer divide fault while in kernel mode
cpuid = 0; apic id = 00
instruction pointer     = 0x20:0xffffffff80fb00ea
stack pointer           = 0x28:0xfffffe001507c850
frame pointer           = 0x28:0xfffffe001507c8f0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 718 (syz-executor.3)
trap number             = 18
panic: integer divide fault
cpuid = 0
time = 1558477383
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x47/frame 0xfffffe001507c520
vpanic() at vpanic+0x1e0/frame 0xfffffe001507c580
panic() at panic+0x43/frame 0xfffffe001507c5e0
trap_fatal() at trap_fatal+0x4c6/frame 0xfffffe001507c660
trap() at trap+0xba/frame 0xfffffe001507c780
calltrap() at calltrap+0x8/frame 0xfffffe001507c780
--- trap 0x12, rip = 0xffffffff80fb00ea, rsp = 0xfffffe001507c850, rbp =
0xfffffe001507c8f0 ---
kern_fcntl() at kern_fcntl+0x9aa/frame 0xfffffe001507c8f0
kern_fcntl_freebsd() at kern_fcntl_freebsd+0x14f/frame 0xfffffe001507c980
amd64_syscall() at amd64_syscall+0x436/frame 0xfffffe001507cab0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe001507cab0
--- syscall (198, FreeBSD ELF64, nosys), rip = 0x41331a, rsp = 0x7fffdfffdf38,
rbp = 0x3 ---
Uptime: 30s
netdump: overwriting mbuf zone pointers
netdump in progress. searching for server...
netdumping to (02:82:93:04:a7:00)
Dumping 100 out of 465 MB:..16%..32%..48%..64%..80%..96%

__curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
246             __asm("movq %%gs:%P1,%0" : "=r" (td) : "n"
(kgdb) bt
#0  __curthread () at /usr/home/andrew/head-git/sys/amd64/include/pcpu.h:246
#1  doadump (textdump=1) at
#2  0xffffffff81032217 in kern_reboot (howto=260) at
#3  0xffffffff81032825 in vpanic (fmt=<optimized out>, ap=<optimized out>) at
#4  0xffffffff81032473 in panic (fmt=<unavailable>) at
#5  0xffffffff816d13d6 in trap_fatal (frame=0xfffffe001507c790, eva=0) at
#6  0xffffffff816d004a in trap (frame=<optimized out>) at
#7  <signal handler called>
#8  0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized
out>, cmd=<optimized out>, arg=0)
    at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
#9  0xffffffff80faf66f in kern_fcntl_freebsd (td=<optimized out>, fd=<optimized
out>, cmd=15, arg=0) at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:467
#10 0xffffffff816d25d6 in syscallenter (td=0xfffff80008265000) at
#11 amd64_syscall (td=0xfffff80008265000, traced=0) at
#12 <signal handler called>
#13 0x000000000041331a in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffdfffdf38
(kgdb) up 8
#8  0xffffffff80fb00ea in kern_fcntl (td=0xfffff80008265000, fd=<optimized
out>, cmd=<optimized out>, arg=0)
    at /usr/home/andrew/head-git/sys/kern/kern_descrip.c:783
783                             fp->f_seqcount = (arg + bsize - 1) / bsize;
(kgdb) p bsize
$1 = 0

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list