Bug 114882 - gcc causing kernel NULL pointer with hardened-sources-2.6.14-r1
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High critical
Assignee: The Gentoo Linux Hardened Team
Reported: 2005-12-08 08:33 UTC by Anakim Border
Modified: 2006-01-05 18:38 UTC


Attachments
System.map for the running kernel (System.map, 620.09 KB, application/octet-stream), 2005-12-08 08:34 UTC, Anakim Border
Configuration of the running kernel (kernel.config, 30.53 KB, application/octet-stream), 2005-12-08 08:35 UTC, Anakim Border

Description Anakim Border 2005-12-08 08:33:20 UTC
The kernel tries to dereference a NULL pointer while running gcc 3.4.4 (Gentoo
Hardened 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8). The RBAC system is _not_ enabled.

# dmesg
Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
0006c502
*pgd =    0
*pmd =    0
Oops: 0000 [#1]
Modules linked in: nfsd exportfs lockd sunrpc ipt_stealth ipt_recent snd_pcm_oss
snd_mixer_oss snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm snd_timer snd
soundcore snd_page_alloc ip_conntrack_ftp ohci_hcd
CPU:    0
EIP:    0060:[<0006c502>]    Not tainted VLI
EFLAGS: 00010282   (2.6.14-hardened-r1) 
eax: 00006932   ebx: 00000000   ecx: 00000011   edx: c140c140
esi: dca9abc4   edi: c23eb001   ebp: d76c7e6c   esp: d76c7e00
ds: 007b   es: 007b   ss: 0068
Process i686-pc-linux-g (pid: 1029, threadinfo=d76c6000 task=d9aa20b0)
Stack: 0024a603 00061ce2 00000000 c23eb001 00000003 d76c7e6c c1573d50 0024a603 
       d76c7e64 d76c7f04 d76c7e6c 00061cc6 dffe4240 0024a603 d76c7e6c c23eb001 
       c23eb004 0006259a 0003b850 000eced8 00000001 0003bd9c 00000000 dfc0ece4 
Call Trace:
 [<00061ce2>]
 [<00000000>]
 [<00000003>]
 [<00061cc6>]
 [<0006259a>]
 [<0003b850>]
 [<000eced8>]
 [<00000001>]
 [<0003bd9c>]
 [<00000000>]
 [<00000000>]
 [<00000003>]
 [<0003c17f>]
 [<00000000>]
 [<00062c1c>]
 [<00000001>]
 [<00000000>]
 [<00000001>]
 [<00000000>]
 [<00000000>]
 [<00062f74>]
 [<0006318f>]
 [<0005d6ca>]
 [<00000001>]
 [<00000000>]
 [<00000001>]
 [<00000000>]
 [<0005dd1f>]
 [<00000000>]
 [<00000000>]
 [<00030002>]
 [<00000001>]
 [<00000006>]
 [<00000006>]
 [<0000000e>]
 [<0000000b>]
 [<00209cd0>]
 [<00002fa9>]
 [<000000c4>]
 [<0000007b>]
 [<0000007b>]
 [<000000c4>]
 [<00000073>]
 [<00000202>]
 [<0000007b>]
 [<00000073>]
 [<00000202>]
 [<0000007b>]
Code: 00 00 00 89 c2 81 f2 01 00 37 9e 89 7c 24 0c d3 ea 31 d0 23 05 c8 7e c4 c0
8b 15 d0 7e c4 c0 8b 34 82 85 f6 74 1a 8d 76 00 8b 1e <0f> 18 03 90 8d 6e f4 8b
04 24 39 45 18 74 12 89 de 85 f6 75 e9 

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




# emerge info
Portage 2.0.51.22-r3 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r2, 2.6.14-hardened-r1 i686)
=================================================================
System uname: 2.6.14-hardened-r1 i686 AMD Athlon(tm) XP 1800+
Gentoo Base System version 1.6.13
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -mtune=athlon-xp -O2 -pipe -fomit-frame-pointer -mmmx -m3dnow -msse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -mtune=athlon-xp -O2 -pipe -fomit-frame-pointer -mmmx -m3dnow -msse"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distcc distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://pandemonium.tiscali.de/pub/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/myportage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow alsa apm atm avi berkdb bzip2 crypt cups eds emboss encode expat foomaticdb gd gif gstreamer gtk2 hardened innodb jpeg libg++ libwww mikmod mmx motif mp3 ncurses no_wxgtk1 nptl nptlonly ogg oss pam pcre pdflib pic png python qt quicktime readline samba sse ssl truetype truetype-fonts type1-fonts udev unicode vorbis xml2 zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Anakim Border 2005-12-08 08:34:56 UTC
Created attachment 74313 [details]
System.map for the running kernel
Comment 2 Anakim Border 2005-12-08 08:35:49 UTC
Created attachment 74314 [details]
Configuration of the running kernel.
Comment 3 solar (RETIRED) gentoo-dev 2005-12-08 08:45:07 UTC
Steps to reproduce is missing.
Comment 4 Anakim Border 2005-12-08 10:27:16 UTC
(In reply to comment #3)
> Steps to reproduce is missing.

I get that kind of error at random intervals whenever I'm running gcc. The first
time I noticed it, I was in the middle of an 'emerge -e system'; later I got
another NULL pointer while compiling the kernel itself.

Initially I suspected a hardware-related problem, but I can't reproduce the
error while I'm using hardened-sources-2.6.11-r15, no matter how hard I load the
system (with multiple copies of gcc running in parallel).
Comment 5 Anakim Border 2005-12-09 12:32:59 UTC
I think I've been able to track down the problem to a single PAX feature.
If I _disable_ CONFIG_PAX_KERNEXEC (enforce non-executable kernel pages) I don't
get NULL pointers any longer.
Comment 6 PaX Team 2005-12-09 16:05:45 UTC
(In reply to comment #5)
> I think I've been able to track down the problem to a single PAX feature.
> If I _disable_ CONFIG_PAX_KERNEXEC (enforce non-executable kernel pages) I don't
> get NULL pointers any longer.

can you reproduce it with frame pointers enabled (it should give better debug
trace)? from a quick look it's a NULL deref in path lookup code, the only
related module is NFS stuff, so i'm wondering if gcc accessed something on an NFS
volume maybe? not that it helped me find the bug directly, just wondering about
how to trigger it here. you could also do a binary search in that you compile in
modules statically and see when the problem disappears, this way we can quickly
figure out at least the culprit module.
Comment 7 PaX Team 2005-12-09 16:11:48 UTC
(In reply to comment #6)
> from a quick look it's a NULL deref in path lookup code, the only
> related module is NFS stuff, so i'm wondering if gcc accessed something on an NFS
> volume maybe?

it's likely an lstat64 call, if you can reproduce it reliably, then you can just
strace -f gcc and see the last lstat syscall that fails/triggers the oops. i
still don't know how it can trigger a NULL deref though...
Comment 8 PaX Team 2005-12-11 10:34:27 UTC
the bug turned out to be somewhere else, i missed the AMD prefetch bug
workaround that used EIP and needed special handling under KERNEXEC, latest test
patch should fix it.
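The "Code:" line in the description and comment 8 together explain the oops, and the following added example (written for this page; it is not code from the bug report, the Linux kernel or the PaX patch) makes that visible. The bytes at the faulting EIP are `0f 18 03`, which decode to `prefetchnta (%ebx)`, and the register dump shows `ebx: 00000000`: the CPU faulted on a prefetch of a NULL address, which on an Athlon XP is exactly the AMD prefetch erratum the i386 page-fault handler is supposed to swallow by inspecting the instruction at EIP. The decoder below is modelled on that opcode check (prefix skip, then `0F 0D` or `0F 18`) with ModRM decoding added so the operand can be recovered from the dumped registers; the 64 "Code:" bytes and the register values are transcribed from the oops above. `fault_instr_linear` illustrates the part comment 8 describes: under KERNEXEC the kernel code segment is not flat, so the EIP in the oops is a segment offset and the handler has to add the segment base before it can read the instruction. The base value `0xc0100000` used there (PAGE_OFFSET plus LOAD_PHYSICAL_ADDR on a default i386 layout) is an assumption of this example, not a figure from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The 64 "Code:" bytes from the oops, transcribed from the report.  Linux
 * dumps 43 bytes before the faulting EIP and 21 from it, so index 43 is the
 * <0f> byte that was executing when the fault hit. */
static const uint8_t oops_code[64] = {
    0x00,0x00,0x00,0x89,0xc2,0x81,0xf2,0x01,0x00,0x37,0x9e,0x89,0x7c,0x24,0x0c,
    0xd3,0xea,0x31,0xd0,0x23,0x05,0xc8,0x7e,0xc4,0xc0,0x8b,0x15,0xd0,0x7e,0xc4,
    0xc0,0x8b,0x34,0x82,0x85,0xf6,0x74,0x1a,0x8d,0x76,0x00,0x8b,0x1e,0x0f,0x18,
    0x03,0x90,0x8d,0x6e,0xf4,0x8b,0x04,0x24,0x39,0x45,0x18,0x74,0x12,0x89,0xde,
    0x85,0xf6,0x75,0xe9
};
#define OOPS_FAULT_OFFSET 43
#define OOPS_EIP          0x0006c502u

/* Register file from the oops, in ModRM r/m order: eax ecx edx ebx esp ebp esi edi. */
static const uint32_t oops_regs[8] = {
    0x00006932u, 0x00000011u, 0xc140c140u, 0x00000000u,
    0xd76c7e00u, 0xd76c7e6cu, 0xdca9abc4u, 0xc23eb001u
};
static const char *const reg_name[8] = { "eax","ecx","edx","ebx","esp","ebp","esi","edi" };
static const char *const sse_hint[4] = { "nta", "t0", "t1", "t2" };

enum prefetch_kind { NOT_PREFETCH = 0, PREFETCH_3DNOW = 1, PREFETCH_SSE = 2 };

struct prefetch_info {
    enum prefetch_kind kind;
    int hint;       /* ModRM reg field: nta/t0/t1/t2 for SSE, prefetch/prefetchw for 3DNow */
    int base_reg;   /* r/m base register of the memory operand, -1 if none */
    int absolute;   /* 1 when the operand is a bare disp32 (mod=0, r/m=5) */
    int32_t disp;   /* displacement added to the base (or the absolute address) */
};

/* Legacy prefixes that may precede the 0F 0D / 0F 18 opcode. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2e: case 0x36: case 0x3e:  /* es cs ss ds override */
    case 0x64: case 0x65: case 0x66: case 0x67:  /* fs gs opsize addrsize */
    case 0xf0: case 0xf2: case 0xf3:             /* lock repne rep */
        return 1;
    default:
        return 0;
    }
}

static uint32_t le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Decode the instruction at code[off]: is it a 3DNow (0F 0D) or SSE (0F 18)
 * prefetch, and which memory operand does it name?  The opcode test mirrors
 * the one the i386 fault handler uses to ignore AMD's spurious prefetch
 * faults; the ModRM decoding (no SIB forms) is added to recover the operand. */
struct prefetch_info decode_prefetch(const uint8_t *code, size_t len, size_t off)
{
    struct prefetch_info p = { NOT_PREFETCH, -1, -1, 0, 0 };
    size_t i = off;

    while (i < len && is_legacy_prefix(code[i]) && i - off < 14)
        i++;
    if (i + 3 > len || code[i] != 0x0f)
        return p;

    uint8_t opcode = code[i + 1], modrm = code[i + 2];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;

    if (mod == 3)                                   /* prefetch needs a memory operand */
        return p;
    if (opcode == 0x0d && reg <= 1)
        p.kind = PREFETCH_3DNOW;
    else if (opcode == 0x18 && reg <= 3)
        p.kind = PREFETCH_SSE;
    else
        return p;
    p.hint = reg;
    i += 3;

    if (mod == 0 && rm == 5) {                      /* [disp32], no base register */
        p.absolute = 1;
        if (i + 4 <= len) p.disp = (int32_t)le32(code + i);
    } else if (rm != 4) {                           /* r/m = 4 means a SIB byte; left undecoded */
        p.base_reg = rm;
        if (mod == 1 && i + 1 <= len) p.disp = (int8_t)code[i];
        else if (mod == 2 && i + 4 <= len) p.disp = (int32_t)le32(code + i);
    }
    return p;
}

/* Linear address the prefetch touches, or -1 if it cannot be resolved. */
int64_t prefetch_target(struct prefetch_info p, const uint32_t regs[8])
{
    if (p.kind == NOT_PREFETCH) return -1;
    if (p.base_reg >= 0) return (uint32_t)(regs[p.base_reg] + (uint32_t)p.disp);
    if (p.absolute) return (uint32_t)p.disp;
    return -1;
}

/* Where the fault handler must read the instruction from.  With a flat kernel
 * code segment the linear address is EIP itself; under KERNEXEC the kernel
 * code segment has a non-zero base, so EIP is only a segment offset and the
 * handler has to add the base first (the "special handling" of comment 8).
 * The 0xc0100000 used by main() is this example's assumption for that base. */
uint32_t fault_instr_linear(uint32_t cs_base, uint32_t eip)
{
    return cs_base + eip;
}

int main(void)
{
    struct prefetch_info p = decode_prefetch(oops_code, sizeof oops_code, OOPS_FAULT_OFFSET);
    int64_t target = prefetch_target(p, oops_regs);

    printf("bytes at EIP: %02x %02x %02x\n", oops_code[43], oops_code[44], oops_code[45]);
    if (p.kind != NOT_PREFETCH && p.base_reg >= 0)
        printf("prefetch%s (%s%+d) -> target 0x%08llx\n",
               p.kind == PREFETCH_SSE ? sse_hint[p.hint] : (p.hint ? "w" : ""),
               reg_name[p.base_reg], (int)p.disp, (unsigned long long)target);
    printf("EIP 0x%08x: flat CS reads 0x%08x, KERNEXEC (assumed base 0xc0100000) reads 0x%08x\n",
           OOPS_EIP, fault_instr_linear(0, OOPS_EIP), fault_instr_linear(0xc0100000u, OOPS_EIP));
    return 0;
}
```

Run stand-alone it reports `prefetchnta (%ebx+0) -> target 0x00000000`, i.e. a prefetch of NULL, the case the workaround exists for; a handler that fetched the opcode from `0x0006c502` as a linear address instead of from the segment-adjusted location would not see `0f 18` there, would treat the fault as a genuine kernel NULL dereference, and would produce exactly the oops in the description.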
Comment 9 Anakim Border 2005-12-19 12:05:01 UTC
(In reply to comment #8)
> the bug turned out to be somewhere else, i missed the AMD prefetch bug
> workaround that used EIP and needed special handling under KERNEXEC, latest test
> patch should fix it.

I tested the patch on my system: the problem disappeared.
Comment 10 John Mylchreest (RETIRED) gentoo-dev 2005-12-30 10:08:48 UTC
Can you confirm working with hardened-sources-2.6.14-r3 please?
Comment 11 Anakim Border 2006-01-02 01:46:11 UTC
(In reply to comment #10)
> Can you confirm working with hardened-sources-2.6.14-r3 please?


I've been running the new kernel for two days and got no sign of NULL pointers.
Comment 12 solar (RETIRED) gentoo-dev 2006-01-05 18:38:08 UTC
Solved in -r3. reopen if needed