Kernel bug in mm/memory.c when ptrace poking to PROT_NONE map

Bug #1517864 reported by Stephen Cross on 2015-11-19
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
SYEDFAYAZ MUJAWAR

Bug Description

This bug occurs when using ptrace to poke to a map with PROT_NONE permissions. Here's a minimal reproducer:

#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

int main()
{
    void* address = mmap(NULL, 4096, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (address == MAP_FAILED) return -1;

    pid_t child = fork();
    if (child == 0)
    {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGINT);
    }
    else
    {
        wait(NULL);

        printf("Poking 42 to %p\n", address);
        ptrace(PTRACE_POKEDATA, child, address, 42);

        long value = ptrace(PTRACE_PEEKDATA, child, address, NULL);
        printf("Value at %p: %ld\n", address, value);
    }
    return 0;
}

Output on Ubuntu 15.10 (broken):

$ ./minimal_reproducer
Poking 42 to 0x7f0d1e547000
Segmentation fault

I've attached the dmesg output which shows the kernel bug. The system then becomes unstable with core programs such as `ps` freezing when they're run.

Output on Ubuntu 14.04 (not broken):

$ ./minimal_reproducer
Poking 42 to 0x7fe5f54a8000
Value at 0x7fe5f54a8000: 42

In this case (Ubuntu 14.04) no kernel bug is reported in dmesg and the system remains stable. Hence this is a regression.

Stephen Cross (scross) wrote :
Stephen Cross (scross) wrote :
Stephen Cross (scross) wrote :
Stephen Cross (scross) wrote :

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
assignee: nobody → SYEDFAYAZ MUJAWAR (syedfayaz28)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers