Message-ID: <55F1B78A.8070101@codeaurora.org>
Date:	Thu, 10 Sep 2015 13:02:02 -0400
From:	Christopher Covington <cov@...eaurora.org>
To:	David Howells <dhowells@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: OverlayFS Bug?

Hi David,

The commit below causes this error message when chrooting into an overlayfs
filesystem with a 9p underlay. We're still investigating to see if this
patch is actually at fault, or just triggering something in the 9p code
that was working before when it shouldn't have been:

[   15.072028] Unable to handle kernel paging request at virtual address 40021006c
[   15.072869] pgd = fffffe00602a0000
[   15.073194] [40021006c] *pgd=0000000000000000, *pud=0000000000000000, *pmd=0000000000000000
[   15.073912] Internal error: Oops: 94000006 [#1] SMP
[   15.074412] Modules linked in:
[   15.075283] CPU: 0 PID: 246 Comm: chroot Not tainted 4.1.0-rc3+ #62
[   15.075849] Hardware name: linux,dummy-virt (DT)
[   15.076402] task: fffffe00ffe92a00 ti: fffffe00601f8000 task.ti: fffffe00601f8000
[   15.077145] PC is at v9fs_fid_find+0x40/0x8c
[   15.077424] LR is at v9fs_fid_find+0x2c/0x8c
[   15.077682] pc : [<fffffe0000296aa4>] lr : [<fffffe0000296a90>] pstate: 20000145
[   15.078048] sp : fffffe00601fbac0
[   15.078288] x29: fffffe00601fbac0 x28: fffffe00601fbd00
[   15.078678] x27: 0000000000000000 x26: fffffe00d002b940
[   15.079011] x25: 0000000000000000 x24: fffffe00ff2e7338
[   15.079343] x23: 00000000000000a0 x22: 00000000ffffffff
[   15.079662] x21: fffffe00d002a740 x20: 00000000ffffffff
[   15.079991] x19: 0000000000000000 x18: 000003fffffff730
[   15.080318] x17: 00000000005798c0 x16: fffffe0000189898
[   15.080638] x15: ffffffffffffffff x14: fffffe00008d1000
[   15.081047] x13: 0000020000000000 x12: 0000000000000038
[   15.081483] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f
[   15.081845] x9 : fffffdfee04fcb80 x8 : 0000000000000000
[   15.082170] x7 : 0000000000000000 x6 : 000000000000bc56
[   15.082498] x5 : fffffe00d002a440 x4 : fffffe0060054000
[   15.082817] x3 : 0000000400210088 x2 : 0000000000000000
[   15.083144] x1 : 00000000000a000a x0 : 0000000400210048
[   15.083476]
[   15.083637] Process chroot (pid: 246, stack limit = 0xfffffe00601f8020)
[   15.104406] Call trace:
[   15.104710] [<fffffe0000296aa4>] v9fs_fid_find+0x40/0x8c
[   15.105039] [<fffffe0000296c44>] v9fs_fid_lookup_with_uid+0xf8/0x294
[   15.105376] [<fffffe0000296e0c>] v9fs_fid_lookup+0x2c/0x88
[   15.105671] [<fffffe0000296e70>] v9fs_fid_clone+0x8/0x2c
[   15.105983] [<fffffe0000295484>] v9fs_file_open+0x9c/0x140
[   15.106313] [<fffffe0000181130>] do_dentry_open.isra.16+0x1c4/0x2ec
[   15.106674] [<fffffe0000181fe8>] vfs_open+0x50/0x60
[   15.106957] [<fffffe000018f348>] path_openat+0x344/0xe50
[   15.107258] [<fffffe000019105c>] do_filp_open+0x60/0xdc
[   15.107604] [<fffffe000018761c>] do_open_execat+0x64/0x178
[   15.107950] [<fffffe0000189288>] do_execveat_common+0x1b0/0x598
[   15.108310] [<fffffe000018968c>] do_execve+0x1c/0x28
[   15.108686] [<fffffe00001898b4>] SyS_execve+0x1c/0x2c
[   15.109147] Code: b4000263 d1010060 b4000120 35000113 (b9402403)
[   15.110138] ---[ end trace 906aabc092a718a3 ]---

4bacc9c9234c7c8eec44f5ed4e960d9f96fa0f01 is the first bad commit
commit 4bacc9c9234c7c8eec44f5ed4e960d9f96fa0f01
Author: David Howells <dhowells@...hat.com>
Date:   Thu Jun 18 14:32:31 2015 +0100

    overlayfs: Make f_path always point to the overlay and f_inode to the underlay

    Make file->f_path always point to the overlay dentry so that the path in
    /proc/pid/fd is correct and to ensure that label-based LSMs have access to the
    overlay as well as the underlay (path-based LSMs probably don't need it).

    Using my union testsuite to set things up, before the patch I see:

        [root@...romeda union-testsuite]# bash 5</mnt/a/foo107
        [root@...romeda union-testsuite]# ls -l /proc/$$/fd/
        ...
        lr-x------. 1 root root 64 Jun  5 14:38 5 -> /a/foo107
        [root@...romeda union-testsuite]# stat /mnt/a/foo107
        ...
        Device: 23h/35d Inode: 13381       Links: 1
        ...
        [root@...romeda union-testsuite]# stat -L /proc/$$/fd/5
        ...
        Device: 23h/35d Inode: 13381       Links: 1
        ...

    After the patch:

        [root@...romeda union-testsuite]# bash 5</mnt/a/foo107
        [root@...romeda union-testsuite]# ls -l /proc/$$/fd/
        ...
        lr-x------. 1 root root 64 Jun  5 14:22 5 -> /mnt/a/foo107
        [root@...romeda union-testsuite]# stat /mnt/a/foo107
        ...
        Device: 23h/35d Inode: 40346       Links: 1
        ...
        [root@...romeda union-testsuite]# stat -L /proc/$$/fd/5
        ...
        Device: 23h/35d Inode: 40346       Links: 1
        ...

    Note the change in where /proc/$$/fd/5 points to in the ls command.  It was
    pointing to /a/foo107 (which doesn't exist) and now points to /mnt/a/foo107
    (which is correct).

    The inode accessed, however, is the lower layer.  The union layer is on device
    25h/37d and the upper layer on 24h/36d.

    Signed-off-by: David Howells <dhowells@...hat.com>
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

Thanks,
Christopher Covington

-- 
Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, 
a Linux Foundation Collaborative Project
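
Added example, not part of the original message: a triage check on the oops above that decodes the bracketed instruction in the `Code:` line and confirms the fault address is the base register plus the instruction's offset. The sample lines are copied from the log in the message; the function names are illustrative, only the A64 LDR/STR (immediate, unsigned offset) encoding is handled, and the kernel-pointer test is a heuristic.

```python
import re

# Lines copied from the oops in the message above (timestamps dropped).
OOPS = """\
Unable to handle kernel paging request at virtual address 40021006c
PC is at v9fs_fid_find+0x40/0x8c
x3 : 0000000400210088 x2 : 0000000000000000
x1 : 00000000000a000a x0 : 0000000400210048
Code: b4000263 d1010060 b4000120 35000113 (b9402403)
"""

def parse_oops(text):
    """Extract the fault address, x-registers and faulting opcode from an arm64 oops."""
    fault = int(re.search(r"virtual address ([0-9a-f]+)", text).group(1), 16)
    regs = {int(n): int(v, 16)
            for n, v in re.findall(r"\bx(\d+)\s*: ([0-9a-f]{16})", text)}
    # The kernel wraps the instruction at PC in parentheses.
    insn = int(re.search(r"Code:.*\(([0-9a-f]{8})\)", text).group(1), 16)
    return fault, regs, insn

def decode_ldr_uimm(insn):
    """Decode A64 LDR/STR (immediate, unsigned offset); None for anything else."""
    if (insn >> 24) & 0x3F != 0x39:        # bits 29:27 = 111, V = 0, bits 25:24 = 01
        return None
    size = insn >> 30                       # log2 of the access width in bytes
    opc = (insn >> 22) & 0x3                # 00 store, 01 load
    if opc > 1:                             # sign-extending loads/prefetch: not handled
        return None
    imm = ((insn >> 10) & 0xFFF) << size    # imm12 is scaled by the access size
    return {"load": opc == 1, "bytes": 1 << size,
            "rn": (insn >> 5) & 0x1F, "rt": insn & 0x1F, "offset": imm}

def explain_fault(text):
    """Check that base register + immediate reproduces the reported fault address."""
    fault, regs, insn = parse_oops(text)
    op = decode_ldr_uimm(insn)
    if op is None or op["rn"] not in regs:  # rn == 31 is SP, absent from the x-dump
        return None
    base = regs[op["rn"]]
    return {"base_reg": f"x{op['rn']}", "base": base, "offset": op["offset"],
            "computed": base + op["offset"], "matches": base + op["offset"] == fault,
            # Heuristic: kernel addresses in this log start with fffffe00, so a
            # base whose top 16 bits are not all ones is not a kernel pointer.
            "base_is_kernel_ptr": base >> 48 == 0xFFFF}
```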