Kernel bug in mm/memory.c when ptrace poking to PROT_NONE map

Bug #1517864 reported by Stephen Cross
This bug affects 1 person
Affects: linux (Ubuntu); Status: Confirmed; Importance: Undecided; Assigned to: SYEDFAYAZ MUJAWAR; Milestone: (none)

Bug Description

This bug occurs when using ptrace to poke to a map with PROT_NONE permissions. Here's a minimal reproducer:

#include <signal.h>     /* raise() */
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

int main(void)
{
    /* A page the child will inherit; PROT_NONE is what triggers the bug. */
    void* address = mmap(NULL, 4096, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (address == MAP_FAILED) return -1;

    pid_t child = fork();
    if (child == 0)
    {
        /* Child: become traceable, then stop so the parent can poke us. */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGINT);
    }
    else
    {
        wait(NULL);   /* returns once the traced child has stopped */

        printf("Poking 42 to %p\n", address);
        ptrace(PTRACE_POKEDATA, child, address, 42);

        long value = ptrace(PTRACE_PEEKDATA, child, address, NULL);
        printf("Value at %p: %ld\n", address, value);
    }
    return 0;
}

Output on Ubuntu 15.10 (broken):

$ ./minimal_reproducer
Poking 42 to 0x7f0d1e547000
Segmentation fault

I've attached the dmesg output which shows the kernel bug. The system then becomes unstable with core programs such as `ps` freezing when they're run.

Output on Ubuntu 14.04 (not broken):

$ ./minimal_reproducer
Poking 42 to 0x7fe5f54a8000
Value at 0x7fe5f54a8000: 42

In this case (Ubuntu 14.04) no kernel bug is reported in dmesg and the system remains stable. Hence this is a regression.

Tags: kernel-bug
Revision history for this message
Stephen Cross (scross) wrote :
Brad Figg (brad-figg) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
assignee: nobody → SYEDFAYAZ MUJAWAR (syedfayaz28)