| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Jul 2018 17:21:55 +0300
From: "Kirill A. Shutemov" <kirill@...temov.name>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: syzbot <syzbot+3f84280d52be9b7083cc@...kaller.appspotmail.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Dan Williams <dan.j.williams@...el.com>,
Jerome Glisse <jglisse@...hat.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
ldufour@...ux.vnet.ibm.com, LKML <linux-kernel@...r.kernel.org>,
Linux-MM <linux-mm@...ck.org>, Michal Hocko <mhocko@...e.com>,
Minchan Kim <minchan@...nel.org>,
Ross Zwisler <ross.zwisler@...ux.intel.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Matthew Wilcox <willy@...radead.org>, ying.huang@...el.com
Subject: Re: kernel BUG at mm/memory.c:LINE!
On Mon, Jul 09, 2018 at 12:52:21PM +0200, Dmitry Vyukov wrote:
> On Mon, Jul 9, 2018 at 12:48 PM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> > On Mon, Jul 9, 2018 at 12:15 PM, Kirill A. Shutemov
> > <kirill@...temov.name> wrote:
> >> On Sun, Jul 08, 2018 at 10:51:03PM -0700, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following crash on:
> >>>
> >>> HEAD commit: b2d44d145d2a Merge tag '4.18-rc3-smb3fixes' of git://git.s..
> >>> git tree: upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=11d07748400000
> >>> kernel config: https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f84280d52be9b7083cc
> >>> compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >>>
> >>> Unfortunately, I don't have any reproducer for this crash yet.
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+3f84280d52be9b7083cc@...kaller.appspotmail.com
> >>>
> >>> next ffff8801ce5e7040 prev ffff8801d20eca50 mm ffff88019c1e13c0
> >>> prot 27 anon_vma ffff88019680cdd8 vm_ops 0000000000000000
> >>> pgoff 0 file ffff8801b2ec2d00 private_data 0000000000000000
> >>> flags: 0xff(read|write|exec|shared|mayread|maywrite|mayexec|mayshare)
> >>> ------------[ cut here ]------------
> >>> kernel BUG at mm/memory.c:1422!
> >>
> >> Looks like vma_is_anonymous() false-positive.
> >>
> >> Any clues what file is it? I would guess some kind of socket, but it's not
> >> clear from log which exactly.
> >
> >
> > From the log it looks like it was this program (number 3 matches Comm:
> > syz-executor3):
> >
> > 08:39:32 executing program 3:
> > r0 = socket$nl_route(0x10, 0x3, 0x0)
> > bind$netlink(r0, &(0x7f00000002c0)={0x10, 0x0, 0x0, 0x100000}, 0xc)
> > getsockname(r0, &(0x7f0000000000)=@...ol2tpv3in6={0x0, 0x0, {0x0,
> > <r1=>0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0,
> > @loopback}}}, &(0x7f00000000c0)=0x3a)
> > mmap(&(0x7f0000e00000/0x200000)=nil, 0x200000, 0x7fdff, 0x11, r1, 0x0)
> > ioctl$FIBMAP(r0, 0x1, &(0x7f0000000100)=0x9)
> > r2 = socket$inet6(0xa, 0x1000000000002, 0x0)
> > ioctl(r2, 0x8912, &(0x7f00000001c0)="796d05ad441e829115ac7fd77200")
> > r3 = syz_open_dev$vcsa(&(0x7f0000000140)='/dev/vcsa#\x00', 0x3, 0x2)
> > ioctl$VHOST_SET_VRING_ENDIAN(r3, 0x4008af13, &(0x7f0000000180)={0x0, 0x8})
> > sendto$inet(0xffffffffffffffff, &(0x7f0000a88f88), 0xffffffffffffff31,
> > 0x0, &(0x7f0000e68000)={0x2, 0x0, @multicast2=0xe0000002},
> > 0xfffffffffffffeb3)
> > ftruncate(r1, 0x6)
> > mmap(&(0x7f0000e00000/0x200000)=nil, 0x200000, 0x0, 0x11, r0, 0x0)
> > setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x25, &(0x7f0000000080)=0x804, 0x4)
> >
> > But take what happens here with a grain of salt, it can pretend that
> > it's doing one thing, but actually do something different.
> > So that r1 passed to ftruncate is something that getsockname returned
> > somewhere in the middle of address. And since the socket is not
> > actually ppp, it can be just some bytes in the middle of netlink
> > address, that than happened to be small and match some existing fd...
>
>
> This also happened only once so far:
> https://syzkaller.appspot.com/bug?extid=3f84280d52be9b7083cc
> and I can't reproduce it rerunning this program. So it's either a very
> subtle race, or fd in the middle of netlink address magically matched
> some fd once, or something else...
Okay, I've got it reproduced. See below.
The problem is that kcov doesn't set vm_ops for the VMA and it makes
kernel think that the VMA is anonymous.
It's not necessary the way it was triggered by syzkaller. I just found
that kcov's ->mmap doesn't set vm_ops. There can more such cases.
vma_is_anonymous() is what we need to fix.
( Although, I found logic around mmaping the file second time questinable
at best. It seems broken to me. )
It is known that vma_is_anonymous() can produce false-positives. It tried
to fix it once[1], but it back-fired[2].
I'll look at this again.
[1] https://lkml.kernel.org/r/1437133993-91885-1-git-send-email-kirill.shutemov@linux.intel.com
[2] https://lkml.kernel.org/r/20150914105346.GB23878@arm.com
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>
#include <fcntl.h>
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE _IO('c', 100)
#define KCOV_DISABLE _IO('c', 101)
#define COVER_SIZE (1024<<10)
#define KCOV_TRACE_PC 0
#define KCOV_TRACE_CMP 1
int main(int argc, char **argv)
{
int fd;
unsigned long *cover, n, i;
system("mount -t debugfs none /sys/kernel/debug");
fd = open("/sys/kernel/debug/kcov", O_RDWR);
ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE);
cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
munmap(cover, COVER_SIZE * sizeof(unsigned long));
cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
memset(cover, 0, COVER_SIZE * sizeof(unsigned long));
ftruncate(fd, 3UL << 20);
return 0;
}
--
Kirill A. Shutemov
Powered by blists - more mailing lists