lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAP145pjYqza9jH-i4rjyA=dEuDLdnLzb_RKnTFX8Zc2rocjrbw@mail.gmail.com>
Date:	Sat, 20 Feb 2016 03:07:19 +0100
From:	Robert Święcki <robert@...ecki.net>
To:	LKML <linux-kernel@...r.kernel.org>
Cc:	Paolo Bonzini <pbonzini@...hat.com>,
	Dmitry Vyukov <dvyukov@...gle.com>, syzkaller@...glegroups.com
Subject: NULL-ptr deref in irqfd_update (via KVM)

Works under both AMD and Intel

[7]kdb> summary
sysname    Linux
release    4.5.0-rc4
version    #1 SMP PREEMPT Tue Feb 16 04:24:23 CET 2016
machine    x86_64
nodename   jag-l2
domainname (none)
ccversion  CCVERSION
date       2016-02-20 01:57:30 tz_minuteswest 0
uptime     00:06
load avg   0.35 0.14 0.04

MemTotal:       16409820 kB
MemFree:        16054940 kB
Buffers:           37564 kB


[   70.223390] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000120
[   70.224535] IP: [<ffffffff81009f69>] kvm_irq_map_gsi+0x12/0x5a
[   70.225400] PGD bd3ca067 PUD bd0ed067 PMD 0
[   70.226018] Oops: 0000 [#1] PREEMPT SMP

Entering kdb (current=0xffff88042a4ae040, pid 4403) on processor 7 Oops: (null)
due to oops @ 0xffffffff81009f69
CPU: 7 PID: 4403 Comm: o Not tainted 4.5.0-rc4 #1
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Crosshair
V Formula, BIOS 1703 10/17/2012
task: ffff88042a4ae040 ti: ffff8800bb0ec000 task.ti: ffff8800bb0ec000
RIP: 0010:[<ffffffff81009f69>]  [<ffffffff81009f69>] kvm_irq_map_gsi+0x12/0x5a
RSP: 0018:ffff8800bb0efc90  EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8804228fc000 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffff8800bb0efca0 RDI: ffff8800bb1dc000
RBP: ffff8800bb0efc90 R08: 0000000000000007 R09: 00000000000000ff
R10: ffff8800bb0efd70 R11: 0000000000000212 R12: ffff8800bb0efca0
R13: 0000000000000001 R14: ffff8804228fc000 R15: ffff8800bb1dca50
FS:  00007f44d4e1b700(0000) GS:ffff88043d5c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000120 CR3: 00000000bb018000 CR4: 00000000000406e0
Stack:
 ffff8800bb0efd78 ffffffff81008e6d ffff8800bb1dc158 ffff8800bb1dc120
 ffff8800bb0efce0 ffff8800bb1dc101 0000000000000002 ffff8804228fc0a8
 ffff8800bb0efd50 ffffffff81168356 0000000000000000 ffffffff81167aed
Call Trace:
 [<ffffffff81008e6d>] irqfd_update+0x37/0x78
 [<ffffffff81168356>] ? __synchronize_srcu+0xdf/0x12a
 [<ffffffff81167aed>] ? trace_raw_output_rcu_utilization+0x60/0x60
 [<ffffffff813ca0cd>] ? __this_cpu_preempt_check+0x13/0x15
 [<ffffffff811685f0>] ? __srcu_read_lock+0x43/0x56
 [<ffffffff81009ae1>] kvm_irqfd+0x3f2/0x53f
 [<ffffffff810066a1>] kvm_vm_ioctl+0x2f9/0x65f
 [<ffffffff8115b065>] ? __raw_write_unlock+0x11/0x23
 [<ffffffff81ba6c16>] ? _raw_spin_unlock+0xe/0x10
 [<ffffffff812315dd>] vfs_ioctl+0x18/0x34
 [<ffffffff81231fae>] do_vfs_ioctl+0x493/0x514
 [<ffffffff8108e1f1>] ? __do_page_fault+0x2b0/0x324
 [<ffffffff81232086>] SyS_ioctl+0x57/0x79
 [<ffffffff81ba70b2>] entry_SYSCALL_64_fastpath+0x16/0x71
Code: 5b 41 5c 41 5d 41 5e 5d c3 55 be c0 80 40 02 48 89 e5 e8 d9 a2
20 00 5d c3 0f 1f 44 00 00 55 48 8b 8f 08 2e 00 00 31 c0 48 89 e5 <39>
91 20 01 00 00 76 3e 48 63 d2 49 89 f1 48 8b 94 d1 28 01 00

Testcase:
===================================
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_syz_open_dev
#define SYS_syz_open_dev 1000001
#endif
#ifndef SYS_ioctl
#define SYS_ioctl 16
#endif
#ifndef SYS_eventfd
#define SYS_eventfd 284
#endif

long r[26];

int main()
{
  memset(r, -1, sizeof(r));
  r[0] = syscall(SYS_mmap, 0x20000000ul, 0x17000ul, 0x3ul, 0x32ul,
                 0xfffffffffffffffful, 0x0ul);
  memcpy((void*)0x2000c000, "\x2f\x64\x65\x76\x2f\x6b\x76\x6d\x00", 9);
  r[2] =
      syscall(SYS_open, 0x2000c000ul, 0x0ul, 0x400ul, 0, 0, 0);
  r[3] = syscall(SYS_ioctl, r[2], 0xae01ul, 0x0ul, 0, 0, 0);
  r[4] = syscall(SYS_eventfd, 0x5ul, 0, 0, 0, 0, 0);
  *(uint32_t*)0x2000cfef = r[4];
  *(uint32_t*)0x2000cff3 = (uint32_t)0x3;
  *(uint32_t*)0x2000cff7 = (uint32_t)0x2;
  *(uint32_t*)0x2000cffb = r[4];
  *(uint8_t*)0x2000cfff = (uint8_t)0x0;
  *(uint8_t*)0x2000d000 = (uint8_t)0x0;
  *(uint8_t*)0x2000d001 = (uint8_t)0x0;
  *(uint8_t*)0x2000d002 = (uint8_t)0x0;
  *(uint8_t*)0x2000d003 = (uint8_t)0x0;
  *(uint8_t*)0x2000d004 = (uint8_t)0x0;
  *(uint8_t*)0x2000d005 = (uint8_t)0x0;
  *(uint8_t*)0x2000d006 = (uint8_t)0x0;
  *(uint8_t*)0x2000d007 = (uint8_t)0x0;
  *(uint8_t*)0x2000d008 = (uint8_t)0x0;
  *(uint8_t*)0x2000d009 = (uint8_t)0x0;
  *(uint8_t*)0x2000d00a = (uint8_t)0x0;
  *(uint8_t*)0x2000d00b = (uint8_t)0x0;
  *(uint8_t*)0x2000d00c = (uint8_t)0x0;
  *(uint8_t*)0x2000d00d = (uint8_t)0x0;
  *(uint8_t*)0x2000d00e = (uint8_t)0x0;
  r[25] = syscall(SYS_ioctl, r[3], 0x4020ae76ul, 0x2000cfeful, 0, 0, 0);
  return 0;
}
===================================

>From KGDB:
>>> target remote /dev/ttyUSB0
Remote debugging using /dev/ttyUSB0
Ignoring packet error, continuing...
warning: unrecognized item "timeout" in "qSupported" response
kvm_irq_map_gsi (kvm=0xffff8800bb1dc000, entries=0xffff8800bb0efca0,
gsi=3) at arch/x86/kvm/../../../virt/kvm/irqchip.c:43
43 if (gsi < irq_rt->nr_rt_entries) {
─── Assembly ────────
0xffffffff81009f5d kvm_irq_map_gsi+6  mov    0x2e08(%rdi),%rcx
0xffffffff81009f64 kvm_irq_map_gsi+13 xor    %eax,%eax
0xffffffff81009f66 kvm_irq_map_gsi+15 mov    %rsp,%rbp
0xffffffff81009f69 kvm_irq_map_gsi+18 cmp    %edx,0x120(%rcx)  <--
THIS INSN CAUSES GPF
0xffffffff81009f6f kvm_irq_map_gsi+24 jbe    0xffffffff81009faf
<kvm_irq_map_gsi+88>
0xffffffff81009f71 kvm_irq_map_gsi+26 movslq %edx,%rdx
0xffffffff81009f74 kvm_irq_map_gsi+29 mov    %rsi,%r9
─── Expressions ───────
─── History ──────────
─── Memory ──────────
─── Registers ─────────
   rax 0x0000000000000000        rbx 0xffff8804228fc000        rcx
0x0000000000000000        rdx 0x0000000000000003
   rsi 0xffff8800bb0efca0        rdi 0xffff8800bb1dc000        rbp
0xffff8800bb0efc90        rsp 0xffff8800bb0efc90
    r8 0x0000000000000007         r9 0x00000000000000ff        r10
0xffff8800bb0efd70        r11 0x0000000000000212
   r12 0xffff8800bb0efca0        r13 0x0000000000000001        r14
0xffff8804228fc000        r15 0xffff8800bb1dca50
   rip 0xffffffff81009f69     eflags [ PF ZF RF ]               cs
0x00000010                 ss 0x00000018
    ds 0x00000000                 es 0x00000000                 fs
0x00000000                 gs 0x00000000
─── Source ──────────
38 struct kvm_kernel_irq_routing_entry *e;
39 int n = 0;
40
41 irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu,
42 lockdep_is_held(&kvm->irq_lock));
43 if (gsi < irq_rt->nr_rt_entries) {   <--- THIS LINE CAUSES GPF
44 hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
45 entries[n] = *e;
46 ++n;
47 }
─── Stack ─────
[0] from 0xffffffff81009f69 in kvm_irq_map_gsi+18 at
arch/x86/kvm/../../../virt/kvm/irqchip.c:43
arg kvm = 0xffff8800bb1dc000
arg entries = 0xffff8800bb0efca0
arg gsi = 3
[1] from 0xffffffff81008e6d in irqfd_update+55 at
arch/x86/kvm/../../../virt/kvm/eventfd.c:251
arg kvm = <optimized out>
arg irqfd = 0xffff8804228fc000
[+]

>>> bt
#0  kvm_irq_map_gsi (kvm=0xffff8800bb1dc000,
entries=0xffff8800bb0efca0, gsi=3) at
arch/x86/kvm/../../../virt/kvm/irqchip.c:43
#1  0xffffffff81008e6d in irqfd_update (kvm=<optimized out>,
irqfd=0xffff8804228fc000) at
arch/x86/kvm/../../../virt/kvm/eventfd.c:251
#2  0xffffffff81009ae1 in kvm_irqfd_assign (args=<optimized out>,
kvm=<optimized out>) at arch/x86/kvm/../../../virt/kvm/eventfd.c:389
#3  kvm_irqfd (kvm=0xffff8800bb1dc000, args=<optimized out>) at
arch/x86/kvm/../../../virt/kvm/eventfd.c:570
#4  0xffffffff810066a1 in kvm_vm_ioctl (filp=<optimized out>,
ioctl=1075883638, arg=536924143) at
arch/x86/kvm/../../../virt/kvm/kvm_main.c:2792
#5  0xffffffff812315dd in vfs_ioctl (filp=<optimized out>,
cmd=<optimized out>, arg=<optimized out>) at fs/ioctl.c:43
#6  0xffffffff81231fae in do_vfs_ioctl (filp=0xffff8804228c8100,
fd=<optimized out>, cmd=<optimized out>, arg=536924143) at
fs/ioctl.c:674
#7  0xffffffff81232086 in SYSC_ioctl (arg=<optimized out>,
cmd=<optimized out>, fd=<optimized out>) at fs/ioctl.c:689
#8  SyS_ioctl (fd=4, cmd=1075883638, arg=536924143) at fs/ioctl.c:680
#9  0xffffffff81ba70b2 in entry_SYSCALL_64_fastpath () at
arch/x86/entry/entry_64.S:185

-- 
Robert Święcki

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ