write(2) sys call fuzzing. Easy to reproduce.

20231110 02:08:35 all (547/926): write2.sh
panic: Assertion ti->ti_linestart < ti->ti_end failed at ../../../kern/tty_inq.c:414
cpuid = 9
time = 1699578545
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0676128970
vpanic() at vpanic+0x132/frame 0xfffffe0676128aa0
panic() at panic+0x43/frame 0xfffffe0676128b00
ttyinq_unputchar() at ttyinq_unputchar+0x52/frame 0xfffffe0676128b10
ttydisc_rubchar() at ttydisc_rubchar+0x200/frame 0xfffffe0676128b70
ttydisc_rint() at ttydisc_rint+0x58d/frame 0xfffffe0676128bb0
ttydisc_rint_simple() at ttydisc_rint_simple+0x3f/frame 0xfffffe0676128be0
ptsdev_write() at ptsdev_write+0xde/frame 0xfffffe0676128d40
dofilewrite() at dofilewrite+0x82/frame 0xfffffe0676128d90
sys_write() at sys_write+0xc2/frame 0xfffffe0676128e00
amd64_syscall() at amd64_syscall+0x153/frame 0xfffffe0676128f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe0676128f30
--- syscall (0, FreeBSD ELF64, syscall), rip = 0x822c4d2ca, rsp = 0x83b34ef48, rbp = 0x83b34efc0 ---

Details @ https://people.freebsd.org/~pho/stress/log/log0495.txt
I'm not able to reproduce the panic with bb830e346bd5 reverted.
All bb830e346bd5 does is enable the IUTF8 flag by default, so this should be a regression introduced in 9e589b093857 [1], which implements the flag's functionality. I will CC Bojan, who's the author of the commit.

[1] https://cgit.freebsd.org/src/commit/?id=9e589b0938579f3f4d89fa5c051f845bf754184d
Peter, can you reproduce this with bb830e346bd5 reverted, but with `stty iutf8` enabled during the test?
(In reply to Christos Margiolis from comment #3) I'll see what I can find out.
Created attachment 246260
Patch for tty_rubchar

(In reply to Peter Holm from comment #0)
I've found the underlying issue - the code didn't check whether it reached the start of the current line, causing the next 'unputchar' to panic. I've attached a patch with the fix. Everything was stable throughout multiple "write2.sh" runs (30 or so minutes of runtime). I can easily reproduce the issue without the fix. Please let me know if you can still reproduce the issue with the patch applied.
(In reply to Bojan Novković from comment #5) I ran the problem test for 8 hours with your patch. I was not able to reproduce the panic.
Pushed the change to upstream: https://cgit.freebsd.org/src/commit/?id=c6d7be214811c315d234d64c6cbaa92d4f55d2c1
Is the bug in stable/14 and releng/14.0 as well? Looks like it, in which case the PR is not finished yet. Does this bug let an unprivileged user panic the kernel?
(In reply to Mark Johnston from comment #8) Since the tty patches have been MFC'd to stable/14.0 and releng/14.0, the bug should be present there as well.
(In reply to Mark Johnston from comment #8) Yes, the syscall fuzz test is run as an unprivileged user (nobody).
I spent some time running write2.sh with a kernel that has INVARIANTS disabled but KASAN enabled, and didn't observe any problems. In any case, I think we should ship an EN for 14.0 for this bug.
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ae8387cc818a0d6a2229ee049b671482e1549519

commit ae8387cc818a0d6a2229ee049b671482e1549519
Author:     Bojan Novković <bojan.novkovic@fer.hr>
AuthorDate: 2023-11-13 18:02:30 +0000
Commit:     Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2023-11-20 16:54:54 +0000

    tty: properly check character position when handling IUTF8 backspaces

    The tty_rubchar() code handling backspaces for UTF-8 characters didn't
    properly check whether the beginning of the current line was reached.
    This resulted in a kernel panic in ttyinq_unputchar() when prodded with
    certain malformed UTF-8 sequences.

    PR:             275009
    Reviewed by:    christos
    Differential Revision:  https://reviews.freebsd.org/D42564

    (cherry picked from commit c6d7be214811c315d234d64c6cbaa92d4f55d2c1)

 sys/kern/tty_ttydisc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8647fe60b8c3cc03cf1d53d281f9306b7043543b

commit 8647fe60b8c3cc03cf1d53d281f9306b7043543b
Author:     Bojan Novković <bojan.novkovic@fer.hr>
AuthorDate: 2023-11-13 18:02:30 +0000
Commit:     Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2023-11-20 16:57:49 +0000

    tty: properly check character position when handling IUTF8 backspaces

    The tty_rubchar() code handling backspaces for UTF-8 characters didn't
    properly check whether the beginning of the current line was reached.
    This resulted in a kernel panic in ttyinq_unputchar() when prodded with
    certain malformed UTF-8 sequences.

    PR:             275009
    Reviewed by:    christos
    Differential Revision:  https://reviews.freebsd.org/D42564

    (cherry picked from commit c6d7be214811c315d234d64c6cbaa92d4f55d2c1)

 sys/kern/tty_ttydisc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
I see the MFC to stable/13 but 8647fe60b8c3 does not apply to releng/13.2. For the purposes of an EN only 14.0 is affected?
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=31f6cfca851f20099162352dac8d044857b2e1f9

commit 31f6cfca851f20099162352dac8d044857b2e1f9
Author:     Bojan Novković <bojan.novkovic@fer.hr>
AuthorDate: 2023-11-13 18:02:30 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-12-04 14:06:29 +0000

    tty: properly check character position when handling IUTF8 backspaces

    The tty_rubchar() code handling backspaces for UTF-8 characters didn't
    properly check whether the beginning of the current line was reached.
    This resulted in a kernel panic in ttyinq_unputchar() when prodded with
    certain malformed UTF-8 sequences.

    PR:             275009
    Reviewed by:    christos
    Differential Revision:  https://reviews.freebsd.org/D42564
    Approved by:    so
    Security:       FreeBSD-EN-23:21.tty

    (cherry picked from commit c6d7be214811c315d234d64c6cbaa92d4f55d2c1)
    (cherry picked from commit ae8387cc818a0d6a2229ee049b671482e1549519)

 sys/kern/tty_ttydisc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
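The defect described in comment #5 and in the commit message above, modelled in userland as an added example (this is not the FreeBSD kernel code and not the patch): an input line with linestart/end indices, an unputchar() that checks the same condition ttyinq_unputchar() asserts, and an IUTF8 rubout with and without the start-of-line check. The struct layout, function names and the order in which bytes are erased are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of a tty input queue, NOT the FreeBSD tty_inq code:
 * buf[linestart..end) holds the bytes typed on the current editable line. */
struct line {
    uint8_t buf[64];
    size_t linestart;   /* first byte of the current line */
    size_t end;         /* one past the last stored byte */
};

/* Model of ttyinq_unputchar(): drop the last stored byte.  The kernel asserts
 * linestart < end here; the model returns false instead of panicking. */
static bool unputchar(struct line *l)
{
    if (!(l->linestart < l->end))
        return false;   /* the assertion condition behind this PR's panic */
    l->end--;
    return true;
}
static bool is_utf8_cont(uint8_t c) { return (c & 0xC0) == 0x80; }

/* Model of the IUTF8 rubout in tty_rubchar(): erase one UTF-8 character, i.e.
 * trailing continuation bytes and then the lead byte.  guarded=false omits the
 * start-of-line check (the defect); guarded=true stops at linestart (the fix). */
static bool rubchar_utf8(struct line *l, bool guarded)
{
    if (l->end == l->linestart)
        return true;    /* empty line: nothing to erase */
    while (l->end > 0 && is_utf8_cont(l->buf[l->end - 1])) {
        if (guarded && l->end <= l->linestart)
            return true;    /* malformed: reached line start, no lead byte */
        if (!unputchar(l))
            return false;
    }
    if (guarded && l->end <= l->linestart)
        return true;
    return unputchar(l);    /* the lead byte */
}

/* Apply one rubout to constructed line bytes; returns bytes left on the line,
 * or -1 if the model reached the panicking assertion. */
static int rub_line(const uint8_t *bytes, size_t n, size_t linestart, bool guarded)
{
    struct line l = { .linestart = linestart, .end = n };
    memcpy(l.buf, bytes, n);
    return rubchar_utf8(&l, guarded) ? (int)(l.end - l.linestart) : -1;
}
```

A well-formed character ("a" followed by U+00E9) erases cleanly in both modes; a line that begins with bare continuation bytes drives the unguarded walk to the assertion condition, while the guarded version stops at linestart.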
Fixed in 14.0-RELEASE-p2.