lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b1575d02-fd88-65e6-2f16-70a96985087e@schaufler-ca.com>
Date:   Fri, 12 Apr 2019 08:28:07 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     "chengjian (D)" <cj.chengjian@...wei.com>, neilb@...e.com,
        Anna.Schumaker@...app.com, keescook@...omium.org,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        oleg@...hat.com, viro@...iv.linux.org.uk,
        "Xiexiuqi (Xie XiuQi)" <xiexiuqi@...wei.com>,
        Li Bin <huawei.libin@...wei.com>, yanaijie@...wei.com,
        peterz@...radead.org, mingo@...hat.com,
        Linux Security Module list 
        <linux-security-module@...r.kernel.org>, selinux@...r.kernel.org
Subject: Re: kernel BUG at kernel/cred.c:434!

On 4/11/2019 11:21 PM, chengjian (D) wrote:

Added LSM and SELinux lists.


> Hi.
>
>
> syzkaller reported the following BUG:
>
> [   73.146973] kernel BUG at kernel/cred.c:434!
> [   73.150231] invalid opcode: 0000 [#1] SMP KASAN PTI
> [   73.151928] CPU: 2 PID: 4058 Comm: syz-executor.6 Not tainted 
> 5.1.0-rc4-00062-g2d06b235815e-dirty #2
> [   73.155174] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
> BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> [   73.159798] RIP: 0010:commit_creds+0xadb/0xe50
> [   73.161426] Code: 8b 5b 20 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 
> 03 0f 8e 06 03 00 00 39 5d 20 0f 85 ff fa ff ff e9 0c fb ff ff e8 05 
> a2 25 00 <0f> 0b 48 c7 c7 80 56 c0 83 e8 95 22 b1 00 e8 f2 a1 25 00 0f 
> 0b 48
> [   73.167852] RSP: 0000:ffff88836e65f5d0 EFLAGS: 00010293
> [   73.169636] RAX: ffff8883767b0000 RBX: ffff88837f111300 RCX: 
> ffffffff8124b5db
> [   73.171962] RDX: 0000000000000000 RSI: ffffffff83c9b140 RDI: 
> ffff88837f111300
> [   73.174310] RBP: ffff888376610400 R08: 0000000000000000 R09: 
> 0000000000000004
> [   73.176646] R10: 0000000000000001 R11: ffffed107c655acf R12: 
> ffff8883767b0000
> [   73.178527] Process accounting resumed
> [   73.179021] R13: ffff88837f111900 R14: ffff88837f111300 R15: 
> ffff8883767b0ac0
> [   73.179029] FS:  00007f2d207f9700(0000) GS:ffff8883e3280000(0000) 
> knlGS:0000000000000000
> [   73.179034] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   73.179039] CR2: 00007f1500bd36c0 CR3: 00000003df304003 CR4: 
> 00000000000206e0
> [   73.179047] Call Trace:
> [   73.190461]  selinux_setprocattr+0x2ea/0x8f0
> [   73.191925]  ? ptrace_parent_sid+0x530/0x530
> [   73.193436]  ? proc_pid_attr_write+0x185/0x5a0
> [   73.194967]  security_setprocattr+0xa1/0x100
> [   73.196408]  proc_pid_attr_write+0x307/0x5a0
> [   73.197869]  ? mem_read+0x40/0x40
> [   73.199013]  __vfs_write+0x81/0x100
> [   73.200222]  __kernel_write+0xf8/0x330
> [   73.201562]  do_acct_process+0xca5/0x1340
> [   73.202969]  ? __ia32_sys_acct+0x1e0/0x1e0
> [   73.204498]  ? find_held_lock+0x2f/0x1e0
> [   73.205857]  ? rcu_irq_exit+0xec/0x2c0
> [   73.207160]  ? lock_downgrade+0x630/0x630
> [   73.208541]  acct_pin_kill+0x63/0x150
> [   73.209816]  pin_kill+0x16d/0x7c0
> [   73.210934]  ? lockdep_hardirqs_on+0x5e0/0x5e0
> [   73.212452]  ? xas_start+0x155/0x510
> [   73.213705]  ? pin_insert+0x50/0x50
> [   73.214903]  ? finish_wait+0x270/0x270
> [   73.216213]  ? cpumask_next+0x57/0x90
> [   73.217442]  ? mnt_pin_kill+0x68/0x1d0
> [   73.218851]  mnt_pin_kill+0x68/0x1d0
> [   73.220398]  cleanup_mnt+0x11b/0x150
> [   73.221970]  task_work_run+0x136/0x1b0
> [   73.223427]  do_exit+0x830/0x2ca0
> [   73.224586]  ? trace_hardirqs_off+0x3b/0x180
> [   73.226088]  ? mm_update_next_owner+0x6a0/0x6a0
> [   73.227622]  ? find_held_lock+0x2f/0x1e0
> [   73.228954]  ? get_signal+0x2cf/0x1c00
> [   73.230236]  ? lock_downgrade+0x630/0x630
> [   73.231628]  ? rwlock_bug.part.0+0x90/0x90
> [   73.233020]  do_group_exit+0x106/0x2f0
> [   73.234330]  get_signal+0x325/0x1c00
> [   73.235571]  do_signal+0x97/0x1670
> [   73.236739]  ? do_send_specific+0x12d/0x220
> [   73.238213]  ? lock_downgrade+0x630/0x630
> [   73.239566]  ? setup_sigcontext+0x820/0x820
> [   73.240982]  ? check_kill_permission+0x4a/0x510
> [   73.242509]  ? do_send_specific+0x156/0x220
> [   73.243905]  ? do_tkill+0x1c4/0x260
> [   73.245081]  ? do_send_specific+0x220/0x220
> [   73.246514]  ? trace_hardirqs_on_thunk+0x1a/0x1c
> [   73.248061]  ? exit_to_usermode_loop+0x97/0x1d0
> [   73.249619]  exit_to_usermode_loop+0x108/0x1d0
> [   73.251129]  do_syscall_64+0x461/0x580
> [   73.252454]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [   73.254219] RIP: 0033:0x462eb9
> [   73.255327] Code: Bad RIP value.
> [   73.256539] RSP: 002b:00007f2d207f8c58 EFLAGS: 00000246 ORIG_RAX: 
> 00000000000000c8
> [   73.259454] RAX: 0000000000000000 RBX: 000000000073bf00 RCX: 
> 0000000000462eb9
> [   73.262309] RDX: 0000000000000000 RSI: 000000000000001e RDI: 
> 0000000000000005
> [   73.265064] RBP: 0000000000000002 R08: 0000000000000000 R09: 
> 0000000000000000
> [   73.267774] R10: 0000000000000000 R11: 0000000000000246 R12: 
> 00007f2d207f96bc
> [   73.270546] R13: 00000000004c5509 R14: 00000000007042f0 R15: 
> 00000000ffffffff
> [   73.273542] Modules linked in:
> [   73.274670] Dumping ftrace buffer:
> [   73.275852]    (ftrace buffer empty)
> [   73.277187] ---[ end trace dde36a95f458175d ]---
> [   73.278834] RIP: 0010:commit_creds+0xadb/0xe50
> [   73.280549] Code: 8b 5b 20 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 
> 03 0f 8e 06 03 00 00 39 5d 20 0f 85 ff fa ff ff e9 0c fb ff ff e8 05 
> a2 25 00 <0f> 0b 48 c7 c7 80 56 c0 83 e8 95 22 b1 00 e8 f2 a1 25 00 0f 
> 0b 48
> [   73.287090] RSP: 0000:ffff88836e65f5d0 EFLAGS: 00010293
> [   73.288917] RAX: ffff8883767b0000 RBX: ffff88837f111300 RCX: 
> ffffffff8124b5db
> [   73.291390] RDX: 0000000000000000 RSI: ffffffff83c9b140 RDI: 
> ffff88837f111300
> [   73.293864] RBP: ffff888376610400 R08: 0000000000000000 R09: 
> 0000000000000004
> [   73.296370] R10: 0000000000000001 R11: ffffed107c655acf R12: 
> ffff8883767b0000
> [   73.299275] R13: ffff88837f111900 R14: ffff88837f111300 R15: 
> ffff8883767b0ac0
> [   73.301351] Process accounting resumed
> [   73.301822] FS:  00007f2d207f9700(0000) GS:ffff8883e3280000(0000) 
> knlGS:0000000000000000
> [   73.301827] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   73.301832] CR2: 0000000000462e8f CR3: 0000000003a18002 CR4: 
> 00000000000206e0
> [   73.301850] Kernel panic - not syncing: Fatal exception
> [   73.310719] Process accounting resumed
> [   73.311515] Process accounting resumed
> [   73.318916] Dumping ftrace buffer:
> [   73.318921]    (ftrace buffer empty)
> [   73.318945] Kernel Offset: disabled
> [   73.328061] Rebooting in 10 seconds..
>
>
> 425 int commit_creds(struct cred *new)
> 426 {
> 427         struct task_struct *task = current;
> 428         const struct cred *old = task->real_cred;
> 429
> 430         kdebug("commit_creds(%p{%d,%d})", new,
> 431                atomic_read(&new->usage),
> 432                read_cred_subscribers(new));
> 433
> 434         BUG_ON(task->cred != old);  // BUG here
>
>
> I find that the call chain which triggered the BUG is :
>
> do_exit
>     |-=> acct_process
>     |    -=> do_acct_process
>     |        -=> orig_cred = override_creds(file->f_cred); // cred = 
> ffff8883c1878900/real_cred = ffff8883c1878900
>     |        -=>  if (file_start_write_trylock(file)) 
> {__kernel_write(file, &ac, sizeof(acct_t), &pos);}
>     |               -=> __kernel_write+0xf8/0x330
>     |                    -=> __vfs_write+0x81/0x100
>     |                           -=> proc_pid_attr_write+0x307/0x5a0
>     |                                -=> security_setprocattr+0xa1/0x100
>     | -=>selinux_setprocattr+0x2ea/0x8f0
>     | -=>commit_creds+0xd97/0x1080  // cred = 
> ffff888379a79c00/real_cred = ffff888379a79c00
>     |       -=> revert_creds(orig_cred);   // cred = 
> ffff8883c1878900/real_cred = ffff888379a79c00
>     |-=> task_work_run
>            -=> cleanup_mnt+0x11b/0x150
>                 -=> mnt_pin_kill+0x68/0x1d0
>                     -=> pin_kill+0x16d/0x7c0
>                     -=> acct_pin_kill+0x2e/0x100
>                     -=> do_acct_process+0x1a0/0x1340
>                           -=> override_creds+0x18a/0x1c0   // cred = 
> ffff8883c1878900/real_cred = ffff888379a79c00
>                           -=>  if (file_start_write_trylock(file)) 
> {__kernel_write(file, &ac, sizeof(acct_t), &pos);}
>                                     -=>   ...... 
> -=>commit_creds+0xd97/0x1080   // new = ffff888379a6bb00, cred = 
> ffff8883c1878900, real_ceed = ffff888379a79c00 BUG here
>                           -=> revert_creds(orig_cred);
>
>
> Syzkaller Report Testcase:
>
> cat crash.log
>
> 04:05:28 executing program 3:
> clone(0x24100, 0x0, 0x0, 0x0, 0x0)
> r0 = gettid()
> perf_event_open(&(0x7f00000000c0)={0x2, 0x70, 0x4, 0x2, 0x0, 0x0, 0x0, 
> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 
> 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
> acct(&(0x7f0000000000)='./file0\x00')
> r1 = openat$smack_thread_current(0xffffffffffffff9c, 
> &(0x7f0000000000)='/proc/thread-self/attr/current\x00', 0x2, 0x0)
> fcntl$setown(r1, 0x8, r0)
> rt_tgsigqueueinfo(r0, r0, 0x1e, &(0x7f00000002c0))
> tkill(r0, 0x1e)
>
>
> Reproduce this BUG:
> ./syz-execprog -executor=./syz-executor -repeat=0 -procs=16 -cover=0 
> ./crash.log
>
>
> Can anyone help me ?
>
>
> Thanks,
>
>         Cheng Jian.
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ