lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 20 Feb 2019 10:23:09 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     syzbot <syzbot+8bf19ee2aa580de7a2a7@...kaller.appspotmail.com>,
        Alexei Starovoitov <ast@...nel.org>, kafai@...com,
        LKML <linux-kernel@...r.kernel.org>,
        Andy Lutomirski <luto@...capital.net>,
        Network Development <netdev@...r.kernel.org>,
        Song Liu <songliubraving@...com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Will Drewry <wad@...omium.org>, Yonghong Song <yhs@...com>
Subject: Re: BUG: assuming atomic context at kernel/seccomp.c:LINE

On Wed, Feb 20, 2019 at 2:00 AM Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 02/20/2019 10:32 AM, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    abf446c90405 Add linux-next specific files for 20190220
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17f250d8c00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=463cb576ac40e350
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8bf19ee2aa580de7a2a7
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >
> > Unfortunately, I don't have any reproducer for this crash yet.
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+8bf19ee2aa580de7a2a7@...kaller.appspotmail.com
> >
> > BUG: assuming atomic context at kernel/seccomp.c:271
> > in_atomic(): 0, irqs_disabled(): 0, pid: 12803, name: syz-executor.5
> > no locks held by syz-executor.5/12803.
> > CPU: 1 PID: 12803 Comm: syz-executor.5 Not tainted 5.0.0-rc7-next-20190220 #39
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> >  __cant_sleep kernel/sched/core.c:6218 [inline]
> >  __cant_sleep.cold+0xa3/0xbb kernel/sched/core.c:6195
> >  seccomp_run_filters kernel/seccomp.c:271 [inline]
> >  __seccomp_filter+0x12b/0x12b0 kernel/seccomp.c:801
> >  __secure_computing+0x101/0x360 kernel/seccomp.c:932
> >  syscall_trace_enter+0x5bf/0xe10 arch/x86/entry/common.c:120
> >  do_syscall_64+0x479/0x610 arch/x86/entry/common.c:280
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> False positive; bpf-next only. Pushing this out in a bit:
>
> From d56547070162a105ff666f3324e558fa6492aedd Mon Sep 17 00:00:00 2001
> From: Daniel Borkmann <daniel@...earbox.net>
> Date: Wed, 20 Feb 2019 10:51:17 +0100
> Subject: [PATCH bpf-next] bpf, seccomp: fix false positive preemption splat for
>  cbpf->ebpf progs
>
> In 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
> a check was added for BPF_PROG_RUN() that for every invocation preemption is
> disabled to not break eBPF assumptions (e.g. per-cpu map). Of course this does
> not count for seccomp because only cBPF -> eBPF is loaded here and it does not
> make use of any functionality that would require this assertion. Fix this false
> positive by adding and using __BPF_PROG_RUN() variant that does not have the
> cant_sleep(); check.
>
> Fixes: 568f196756ad ("bpf: check that BPF programs run with preemption disabled")
> Reported-by: syzbot+8bf19ee2aa580de7a2a7@...kaller.appspotmail.com
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>

Acked-by: Kees Cook <keescook@...omium.org>

-Kees

> ---
>  include/linux/filter.h | 9 ++++++++-
>  kernel/seccomp.c       | 2 +-
>  2 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/filter.h b/include/linux/filter.h
> index f32b3ec..2f3e29a 100644
> --- a/include/linux/filter.h
> +++ b/include/linux/filter.h
> @@ -533,7 +533,14 @@ struct sk_filter {
>         struct bpf_prog *prog;
>  };
>
> -#define BPF_PROG_RUN(filter, ctx)  ({ cant_sleep(); (*(filter)->bpf_func)(ctx, (filter)->insnsi); })
> +#define bpf_prog_run__non_preempt(prog, ctx)   \
> +       ({ cant_sleep(); __BPF_PROG_RUN(prog, ctx); })
> +/* Native eBPF or cBPF -> eBPF transitions. Preemption must be disabled. */
> +#define BPF_PROG_RUN(prog, ctx)                        \
> +       bpf_prog_run__non_preempt(prog, ctx)
> +/* cBPF -> eBPF only, but not for native eBPF. */
> +#define __BPF_PROG_RUN(prog, ctx)              \
> +       (*(prog)->bpf_func)(ctx, (prog)->insnsi)
>
>  #define BPF_SKB_CB_LEN QDISC_CB_PRIV_LEN
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index e815781..826d4e4 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -268,7 +268,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
>          * value always takes priority (ignoring the DATA).
>          */
>         for (; f; f = f->prev) {
> -               u32 cur_ret = BPF_PROG_RUN(f->prog, sd);
> +               u32 cur_ret = __BPF_PROG_RUN(f->prog, sd);
>
>                 if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
>                         ret = cur_ret;
> --
> 2.9.5



-- 
Kees Cook

Powered by blists - more mailing lists