Hi,

Since commit 00cd5c37afd5f431ac186dd131705048c0a11fdb the upstream kernel permits ptrace-attaching to /sbin/init (PID 1), subject to the usual ptrace permission checks.

I wrote a tiny test program (below) to try it out.

The test behaves as expected on the upstream kernel:
For root: returns 0, attach succeeds.
For a normal user: returns 1, ptrace() fails with EPERM (Operation not permitted).

But on the utrace-patched kernels (both 2.6.26 and 2.6.27; the trace below is from 2.6.27-rc1) it oopses:
For root: returns 0, attach succeeds.
For a normal user: kernel oops (NULL pointer dereference in get_utrace_lock_attached, trace below) instead of EPERM.
Note that the crash is reachable from an unprivileged process, so any local user can oops a utrace-patched kernel with this one-liner (a local DoS). The call trace shows ptrace_attach calling ptrace_detach_utrace, which looks like the error-unwind path taken after the permission check on the PID-1 target fails, i.e. a detach is attempted on an attach that never completed — but I have not verified that in the utrace code.

#include <signal.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <unistd.h>
#include <sched.h>
#include <assert.h>
#include <asm/unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <error.h>
#include <errno.h>

/*
 * SIGABRT handler installed by main().  Restores the default disposition
 * for SIGABRT and then fails through assert(), so the abort() that assert()
 * performs terminates the process (core dump + assertion message) rather
 * than re-entering this handler.  Nothing in this test raises SIGABRT
 * itself; this appears to be harness boilerplate carried over from a
 * larger test suite.
 *
 * signo: the delivered signal number; not needed here.
 */
static void
handler_fail (int signo)
{
  (void) signo;

  /* Default action first, otherwise the abort() below would loop back here. */
  signal (SIGABRT, SIG_DFL);

  /* assert() is not async-signal-safe, but the handler is terminal, so the
     only observable effect is the diagnostic and the core dump. */
  assert (0);
}

/*
 * Try to PTRACE_ATTACH to PID 1 (init) and report the outcome.
 *
 * Returns 0 when the attach succeeds and 1 (after printing the errno text
 * via error()) when it fails.  argc/argv are unused.
 *
 * On success the tracee is not explicitly detached; the process simply
 * exits.  The kernel releases a tracer's tracees when the tracer exits, so
 * this is expected to be harmless, but it is the minimal test and not a
 * clean-detach example — TODO confirm init is left running on the kernel
 * under test.
 */
int main(int argc, char **argv) {
  (void) argc;
  (void) argv;

  /* Unbuffered stdout so output is not lost if the kernel kills us. */
  setbuf (stdout, NULL);
  signal (SIGABRT, handler_fail);

  long rc = ptrace (PTRACE_ATTACH, 1, 0, 0);
  if (rc >= 0)
    return 0;

  /* errno is read here directly after the failing ptrace() call, before any
     other library call can clobber it. */
  error (0, errno, "PTRACE_ATTACH to pid 1, retvalue %ld", rc);
  return 1;
} /* end main */


Kernel log (oops) from the unprivileged run:

kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
kernel: IP: [<ffffffff8025104c>] get_utrace_lock_attached+0x34/0x57
kernel: PGD a0da067 PUD c41c067 PMD 0
kernel: Oops: 0000 [1] SMP
kernel: CPU 0
kernel: Modules linked in: parport_pc lp parport autofs4 sunrpc dm_mirror dm_log dm_mod ata_piix libata sd_mod scsi_mod [last unloaded: x_tables]
kernel: Pid: 3012, comm: ptrace-attach-1 Tainted: G        W 2.6.27-rc1 #1
kernel: RIP: 0010:[<ffffffff8025104c>] [<ffffffff8025104c>] get_utrace_lock_attached+0x34/0x57
kernel: RSP: 0018:ffff88000a141e98  EFLAGS: 00010246
kernel: RAX: ffff88000c56b5a0 RBX: ffff88000c56b5a0 RCX: 0000000000000000
kernel: RDX: 0000000000000301 RSI: 0000000000000000 RDI: ffff88000c56b5d0
kernel: RBP: ffff88000f8af810 R08: ffff88000f918400 R09: ffff88000f915000
kernel: R10: 0000000000000000 R11: ffffffff803066a8 R12: 0000000000000000
kernel: R13: 0000000000000000 R14: 0000000000000006 R15: 0000000000000000
kernel: FS: 00007fdd03c1c6e0(0000) GS:ffffffff80590a80(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
kernel: CR2: 0000000000000028 CR3: 000000000a17c000 CR4: 00000000000006e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
kernel: Process ptrace-attach-1 (pid: 3012, threadinfo ffff88000a140000, task ffff88000f0ed850) kernel: Stack: 0000000000000000 ffff88000f8af810 00000000ffffffea ffffffff80252513
kernel:  ffffffff80475de0 ffff88000f8af810 ffff88000d9fb4e0 0000000000000202
kernel:  ffff88000f8af810 00000000ffffffff 0000000000000000 ffff88000f8afce0
kernel: Call Trace:
kernel:  [<ffffffff80252513>] ? utrace_control+0x2b/0x205
kernel:  [<ffffffff80235b70>] ? ptrace_detach_utrace+0xe/0x2d
kernel:  [<ffffffff8023643b>] ? ptrace_attach+0x151/0x178
kernel:  [<ffffffff8023672b>] ? sys_ptrace+0x4b/0xa2
kernel:  [<ffffffff8020b11b>] ? system_call_fastpath+0x16/0x1b
kernel:
kernel:
kernel: Code: 53 48 8b 9f b8 04 00 00 48 85 db 74 35 83 bf 10 01 00 00 20 74 2c 48 8d 7b 30 e8 41 39 21 00 48 8b 85 b8 04 00 00 48 39 d8 75 0e <49> 81 7c 24 28 c0 c2 47 80 48 89 d8 75 10 48 8d 7b 30 e8 ee 38
kernel: RIP  [<ffffffff8025104c>] get_utrace_lock_attached+0x34/0x57
kernel:  RSP <ffff88000a141e98>
kernel: CR2: 0000000000000028
kernel: ---[ end trace 4eaa2a86a8e2da22 ]---

Regards,
Wenji
