Message-ID: <20180820005204.GB31827@shao2-debian>
Date:   Mon, 20 Aug 2018 08:52:04 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     David Windsor <dave@...lcore.net>
Cc:     Kees Cook <keescook@...omium.org>, linux-sctp@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        LKP <lkp@...org>
Subject: [LKP] ab9ee8e38b [ 22.890412] WARNING: CPU: 0 PID: 632 at
 mm/usercopy.c:81 usercopy_warn

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012
Author:     David Windsor <dave@...lcore.net>
AuthorDate: Thu Aug 24 16:57:57 2017 -0700
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Mon Jan 15 12:08:00 2018 -0800

    sctp: Define usercopy region in SCTP proto slab cache
    
    The SCTP socket event notification subscription information needs to be
    copied to/from userspace. In support of usercopy hardening, this patch
    defines a region in the struct proto slab cache in which userspace copy
    operations are allowed. Additionally moves the usercopy fields to be
    adjacent for the region to cover both.
    
    example usage trace:
    
        net/sctp/socket.c:
            sctp_getsockopt_events(...):
                ...
                copy_to_user(..., &sctp_sk(sk)->subscribe, len)
    
            sctp_setsockopt_events(...):
                ...
                copy_from_user(&sctp_sk(sk)->subscribe, ..., optlen)
    
            sctp_getsockopt_initmsg(...):
                ...
                copy_to_user(..., &sctp_sk(sk)->initmsg, len)
    
    This region is known as the slab cache's usercopy region. Slab caches
    can now check that each dynamically sized copy operation involving
    cache-managed memory falls entirely within the slab's usercopy region.
    
    This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
    whitelisting code in the last public patch of grsecurity/PaX based on my
    understanding of the code. Changes or omissions from the original code are
    mine and don't reflect the original grsecurity/PaX code.
    
    Signed-off-by: David Windsor <dave@...lcore.net>
    [kees: split from network patch, move struct members adjacent]
    [kees: add SCTPv6 struct whitelist, provide usage trace]
    Cc: Vlad Yasevich <vyasevich@...il.com>
    Cc: Neil Horman <nhorman@...driver.com>
    Cc: "David S. Miller" <davem@...emloft.net>
    Cc: linux-sctp@...r.kernel.org
    Cc: netdev@...r.kernel.org
    Signed-off-by: Kees Cook <keescook@...omium.org>

93070d339d  caif: Define usercopy region in caif proto slab cache
ab9ee8e38b  sctp: Define usercopy region in SCTP proto slab cache
1f7a4c73a7  Merge tag '9p-for-4.19-2' of git://github.com/martinetd/linux
d7857ae43d  Add linux-next specific files for 20180817
+-----------------------------------------+------------+------------+------------+---------------+
|                                         | 93070d339d | ab9ee8e38b | 1f7a4c73a7 | next-20180817 |
+-----------------------------------------+------------+------------+------------+---------------+
| boot_successes                          | 262        | 81         | 239        | 52            |
| boot_failures                           | 1          | 5          | 24         | 4             |
| Mem-Info                                | 1          |            |            |               |
| WARNING:at_mm/usercopy.c:#usercopy_warn | 0          | 5          | 24         | 4             |
| RIP:usercopy_warn                       | 0          | 5          | 24         | 4             |
+-----------------------------------------+------------+------------+------------+---------------+

Kernel tests: Boot OK!
01 00 00 00 60 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 fb 42 4d 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
[   22.708080] can: request_module (can-proto-1) failed.
[   22.853944] ------------[ cut here ]------------
[   22.855033] Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected to SLUB object 'SCTP' (offset 1332, size 4)!
[   22.890412] WARNING: CPU: 0 PID: 632 at mm/usercopy.c:81 usercopy_warn+0x116/0x150
[   22.892304] Modules linked in:
[   22.892907] CPU: 0 PID: 632 Comm: trinity-main Not tainted 4.15.0-rc2-00026-gab9ee8e #2
[   22.907533] task: 00000000b41fece2 task.stack: 00000000f1b1aaa1
[   22.908706] RIP: 0010:usercopy_warn+0x116/0x150
[   22.909730] RSP: 0018:ffffc9000090bd48 EFLAGS: 00010292
[   22.910894] RAX: 0000000000000078 RBX: ffffffff8238882c RCX: 0000000000000000
[   22.912259] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000246
[   22.913628] RBP: ffffc9000090bd88 R08: 0000000001faf8bd R09: 000000000000b3d0
[   22.914918] R10: ffffffff8238a127 R11: 0000000000000002 R12: 0000000000000000
[   22.916308] R13: ffff88001c7eab30 R14: 0000000000000534 R15: 0000000000000534
[   22.917944] FS:  00000000017cc880(0000) GS:ffff88001f600000(0000) knlGS:0000000000000000
[   22.919809] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.921076] CR2: 0000000001047de0 CR3: 000000001ba56004 CR4: 00000000001606b0
[   22.922382] Call Trace:
[   22.922854]  __check_heap_object+0x13d/0x260
[   22.923681]  __check_object_size+0x1dd/0x320
[   22.924596]  sctp_setsockopt+0x107c/0x2e70
[   22.925379]  ? __fdget+0x13/0x20
[   22.926061]  ? sockfd_lookup_light+0xae/0x140
[   22.926906]  sock_common_setsockopt+0x14/0x20
[   22.927774]  SyS_setsockopt+0x127/0x130
[   22.928560]  do_syscall_64+0x14c/0x870
[   22.929279]  ? trace_hardirqs_off_thunk+0x1a/0x34
[   22.930315]  entry_SYSCALL64_slow_path+0x25/0x25
[   22.931270] RIP: 0033:0x45878a
[   22.931909] RSP: 002b:00007ffca1de1378 EFLAGS: 00000202 ORIG_RAX: 0000000000000036
[   22.933543] RAX: ffffffffffffffda RBX: 000000000000005c RCX: 000000000045878a
[   22.935167] RDX: 0000000000000004 RSI: 0000000000000084 RDI: 0000000000000143
[   22.936781] RBP: 0000000000000143 R08: 0000000000000004 R09: 0000000001045560
[   22.938396] R10: 0000000001b806f0 R11: 0000000000000202 R12: 000000000183af50
[   22.940003] R13: 00007ffca1de1390 R14: 000000000183af60 R15: 0000000000000002
[   22.941627] Code: 44 d0 41 50 48 c7 c0 3a a6 37 82 41 56 48 c7 c6 33 a1 38 82 41 52 48 0f 44 f0 49 89 f8 31 c0 48 c7 c7 80 a1 38 82 e8 ca 44 d9 ff <0f> ff b9 01 00 00 00 31 d2 be 01 00 00 00 48 c7 c7 38 f6 77 82 
[   22.945952] ---[ end trace 4ba3dd769a294acf ]---
[   61.066734] Writes:  Total: 2  Max/Min: 0/0   Fail: 0 

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start v4.16 v4.15 --
git bisect  bad 1388c80438e69fc01d83fbe98da3cac24c3c8731  # 15:25  B     23     2    3   3  Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 4bf772b14675411a69b3c807f73006de0fe4b649  # 15:55  G     77     0    4   4  Merge tag 'drm-for-v4.16' of git://people.freedesktop.org/~airlied/linux
git bisect  bad 7e6127c1240ed569cdda2a67c8f03836f9f28c05  # 16:28  B     18     4    1   1  Merge tag 'linux-watchdog-4.16-rc1' of git://www.linux-watchdog.org/linux-watchdog
git bisect  bad 567af7fc9d87df3228ef59864f77fe100ec0cee3  # 16:45  B     33     2    2   2  pinctrl: files should directly include apis they use
git bisect good 1726aa70e7e2f8967d60b4f836723b61f97db73e  # 17:10  G     90     0   10  10  Merge branch 'fixes-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
git bisect  bad 4141cf676b9e345d3ddeb1710dd3156a09c50244  # 17:34  B      4     1    1   1  Merge branch 'i2c/for-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
git bisect good 0771ad44a20bc512d1123bac728d3a89ea6febe6  # 18:01  G     91     0    2   2  Merge tag 'pstore-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect  bad 617aebe6a97efa539cc4b8a52adccd89596e6be0  # 18:35  B     38     5    0   0  Merge tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect good df5f3cfc52fec828af92444bf02ad8fd4e4c59e3  # 18:57  G     91     0    6   6  ufs: Define usercopy region in ufs_inode_cache slab cache
git bisect  bad 07dcd7fe89938934ddad65f738bc5aac89b8e54d  # 19:11  B      6     1    0   0  fork: Define usercopy region in mm_struct slab caches
git bisect good 8c2bc895a9347846b33c47124a75db624aa83677  # 19:39  G     91     0    7   7  ip: Define usercopy region in IP proto slab cache
git bisect  bad ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012  # 19:56  B     21     2    6   6  sctp: Define usercopy region in SCTP proto slab cache
git bisect good 93070d339d7bc6f6b07b64faf5134fd144e8ec48  # 20:17  G     88     0    7   7  caif: Define usercopy region in caif proto slab cache
# first bad commit: [ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012] sctp: Define usercopy region in SCTP proto slab cache
git bisect good 93070d339d7bc6f6b07b64faf5134fd144e8ec48  # 20:27  G    271     0   14  21  caif: Define usercopy region in caif proto slab cache
# extra tests with debug options
git bisect  bad ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012  # 20:47  B     46     2    2   2  sctp: Define usercopy region in SCTP proto slab cache
# extra tests on HEAD of linux-devel/devel-spot-201808181134
git bisect  bad d29be758fc9872a10f0e1e408674f20804bc9bac  # 20:53  B    320    29    0   7  0day head guard for 'devel-spot-201808181134'
# extra tests on tree/branch linus/master
git bisect  bad 1f7a4c73a739a63b3f108d8eda6f947fdc70dd65  # 21:18  B     27     1    0   0  Merge tag '9p-for-4.19-2' of git://github.com/martinetd/linux
# extra tests with first bad commit reverted
git bisect  bad 6aabc53d346b0c9d4abd1430164566b1c3103434  # 21:45  B      0     2   17   0  Revert "sctp: Define usercopy region in SCTP proto slab cache"
# extra tests on tree/branch linux-next/master
git bisect  bad d7857ae43dcc4b23e61672d365c8094239d7bae4  # 22:03  B     33     2    1   1  Add linux-next specific files for 20180817

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-yocto-ivb41-144:20180818195607:x86_64-randconfig-g0-08181208:4.15.0-rc2-00026-gab9ee8e:2.gz" of type "application/gzip" (13776 bytes)

Download attachment "dmesg-yocto-ivb41-10:20180818201651:x86_64-randconfig-g0-08181208:4.15.0-rc2-00025-g93070d3:2.gz" of type "application/gzip" (22183 bytes)

View attachment "reproduce-yocto-ivb41-144:20180818195607:x86_64-randconfig-g0-08181208:4.15.0-rc2-00026-gab9ee8e:2" of type "text/plain" (922 bytes)

View attachment "config-4.15.0-rc2-00026-gab9ee8e" of type "text/plain" (115700 bytes)
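
The region check described in the commit message above, modeled in user space as an added example (not code from the kernel or from this report). `struct demo_sock`, its field sizes, and `copy_allowed()` are hypothetical; the layout is constructed so that the rejected field sits at the offset the warning reports (offset 1332, size 4), and `useroffset`/`usersize` are named after the kernel's slab usercopy parameters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical object, NOT struct sctp_sock: sizes are constructed so that
 * other_opt lands at offset 1332, the offset named in the warning above. */
struct demo_sock {
    char     internal[1308];  /* kernel-only state                    */
    char     subscribe[16];   /* whitelisted, copied to/from user     */
    char     initmsg[8];      /* whitelisted, placed adjacent         */
    unsigned other_opt;       /* option field left outside the region */
};

#define FIELD_END(t, f) (offsetof(t, f) + sizeof(((t *)0)->f))

/* Named after the useroffset/usersize pair a slab cache is created with. */
struct usercopy_region { size_t useroffset, usersize; };

static struct usercopy_region demo_region(void)
{
    struct usercopy_region r;
    r.useroffset = offsetof(struct demo_sock, subscribe);
    r.usersize   = FIELD_END(struct demo_sock, initmsg) - r.useroffset;
    return r;
}

/* True only if [offset, offset + n) lies entirely inside the region.
 * Subtractions instead of offset + n, so a huge n cannot wrap around. */
static bool copy_allowed(const struct usercopy_region *r, size_t offset, size_t n)
{
    return offset >= r->useroffset &&
           offset - r->useroffset <= r->usersize &&
           n <= r->usersize - (offset - r->useroffset);
}

int main(void)
{
    struct usercopy_region r = demo_region();
    size_t off = offsetof(struct demo_sock, other_opt);

    printf("region: offset %zu, size %zu\n", r.useroffset, r.usersize);
    printf("subscribe: %s\n",
           copy_allowed(&r, r.useroffset, 16) ? "allowed" : "rejected");
    printf("other_opt (offset %zu, size 4): %s\n", off,
           copy_allowed(&r, off, 4) ? "allowed" : "rejected");
    return 0;
}
```

The range test cannot distinguish a copy into a legitimate field that was left out of the region from a genuine overrun, which is why the kernel message is phrased as "Bad or missing usercopy whitelist?".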
