lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 12 Feb 2021 13:58:07 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To:     Shuah Khan <skhan@...uxfoundation.org>,
        Hillf Danton <hdanton@...a.com>,
        syzbot <syzbot+95ce4b142579611ef0a9@...kaller.appspotmail.com>
Cc:     linux-kernel@...r.kernel.org,
        Andrey Konovalov <andreyknvl@...gle.com>,
        Valentina Manea <valentina.manea.m@...il.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        syzkaller-bugs@...glegroups.com
Subject: Re: general protection fault in tomoyo_socket_sendmsg_permission

On 2021/02/12 11:22, Tetsuo Handa wrote:
> On 2021/02/12 10:34, Shuah Khan wrote:
>> On 2/10/21 6:14 PM, Tetsuo Handa wrote:
>>> (Dropping LSM ML because this is not a TOMOYO's bug.)
>>>
>>> On 2021/02/11 4:29, Shuah Khan wrote:
>>>> This is a good find. I already replied to the thread to send a complete
>>>> fix.
>>>
>>> As I said at https://lkml.kernel.org/r/f8cae6b1-8f84-0e6a-7d9c-fc4aec68f07b@i-love.sakura.ne.jp ,
>>> the as-is patch is effectively a complete fix. And applying the as-is patch should help spending
>>> syzbot resources for reproducing "general protection fault in tomoyo_socket_sendmsg_permission"
>>> with debug printk() patch applied, which in turn will help you in
>>>
>>>> Right. I would like to get a clear understanding of how this condition
>>>> is triggered. I am not saying this isn't a problem. Understanding how
>>>> it is triggered helps find the best fix.
>>>
>>> part. Therefore, I strongly expect you to apply this version now.
>>>
>>
>> Is there a reproducer for this problem?
> 
> There is no reproducer for "general protection fault in tomoyo_socket_sendmsg_permission" problem, but
> the race condition is explained at https://lkml.kernel.org/r/676d4518-0faa-9fab-15db-0db8d216d7fb@i-love.sakura.ne.jp .
> 

Here is a race window widening patch, and I locally reproduced "general protection fault in tomoyo_socket_sendmsg_permission".

diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
index 8be857a4fa13..a7c68097aa1d 100644
--- a/drivers/usb/usbip/usbip_common.h
+++ b/drivers/usb/usbip/usbip_common.h
@@ -286,6 +286,8 @@ struct usbip_device {
 	if (!IS_ERR(__k)) {						   \
 		get_task_struct(__k);					   \
 		wake_up_process(__k);					   \
+	} else {							   \
+		__k = NULL;						   \
 	}								   \
 	__k;								   \
 })
diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
index be37aec250c2..93e1271d0f5d 100644
--- a/drivers/usb/usbip/vhci_sysfs.c
+++ b/drivers/usb/usbip/vhci_sysfs.c
@@ -389,8 +389,12 @@ static ssize_t attach_store(struct device *dev, struct device_attribute *attr,
 	/* end the lock */
 
 	vdev->ud.tcp_rx = kthread_get_run(vhci_rx_loop, &vdev->ud, "vhci_rx");
-	vdev->ud.tcp_tx = kthread_get_run(vhci_tx_loop, &vdev->ud, "vhci_tx");
+	{
+		struct task_struct *tx = kthread_get_run(vhci_tx_loop, &vdev->ud, "vhci_tx");
 
+		schedule_timeout_uninterruptible(HZ);
+		vdev->ud.tcp_tx = tx;
+	}
 	rh_port_connect(vdev, speed);
 
 	return count;


[  134.880383][ T7879] vhci_hcd vhci_hcd.0: pdev(2) rhport(0) sockfd(6)
[  134.883465][ T7879] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  134.904750][   T74] vhci_hcd: vhci_device speed not set
[  134.933053][ T7873] vhci_hcd: connection closed
[  134.933212][ T7870] vhci_hcd: connection closed
[  134.933415][ T4488] vhci_hcd: stop threads
[  134.942970][ T4488] vhci_hcd: release socket
[  134.944949][   T14] vhci_hcd: vhci_device speed not set
[  134.947063][ T4488] vhci_hcd: disconnect device
[  134.951508][ T4488] vhci_hcd: stop threads
[  134.953861][ T4488] vhci_hcd: release socket
[  134.957113][ T4488] vhci_hcd: disconnect device
[  135.014433][   T56] usb 15-1: enqueue for inactive port 0
[  135.065119][ T7877] vhci_hcd: connection closed
[  135.065205][ T7880] vhci_hcd: connection closed
[  135.065370][ T4480] vhci_hcd: stop threads
[  135.072854][ T4480] vhci_hcd: release socket
[  135.076490][ T4480] vhci_hcd: disconnect device
[  135.079535][ T4480] vhci_hcd: stop threads
[  135.084024][ T4480] vhci_hcd: release socket
[  135.087979][ T4480] vhci_hcd: disconnect device
[  135.134526][ T6820] vhci_hcd: vhci_device speed not set
[  135.314959][ T6821] vhci_hcd: vhci_device speed not set
[  135.621271][ T7884] vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(3)
[  135.621290][ T7885] vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(3)
[  135.625072][ T7884] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[  135.628665][ T7885] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[  135.630109][ T7887] vhci_hcd vhci_hcd.0: pdev(1) rhport(0) sockfd(3)
[  135.630116][ T7887] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[  135.672834][ T7895] vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(6)
[  135.672863][ T7894] vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(6)
[  135.675986][ T7895] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  135.678963][ T7894] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  135.681093][ T7896] vhci_hcd vhci_hcd.0: pdev(1) rhport(0) sockfd(6)
[  135.681100][ T7896] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  135.710416][ T7904] vhci_hcd vhci_hcd.0: pdev(5) rhport(0) sockfd(3)
[  135.713445][ T7904] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[  135.761360][ T7907] vhci_hcd vhci_hcd.0: pdev(5) rhport(0) sockfd(6)
[  135.764612][ T7907] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  135.780607][ T7911] vhci_hcd vhci_hcd.0: pdev(3) rhport(0) sockfd(3)
[  135.783674][ T7911] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[  135.832151][ T7914] vhci_hcd vhci_hcd.0: pdev(3) rhport(0) sockfd(6)
[  135.835065][ T6821] vhci_hcd: vhci_device speed not set
[  135.835457][ T7914] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  135.855511][   T14] vhci_hcd: vhci_device speed not set
[  135.873043][ T7892] vhci_hcd: connection closed
[  135.873092][ T7899] vhci_hcd: connection closed
[  135.873331][ T4482] vhci_hcd: stop threads
[  135.876115][ T7897] vhci_hcd: connection closed
[  135.876272][ T7888] vhci_hcd: connection closed
[  135.878623][ T7890] vhci_hcd: connection closed
[  135.878927][ T7901] vhci_hcd: connection closed
[  135.878971][ T4482] vhci_hcd: release socket
[  135.878999][ T4482] vhci_hcd: disconnect device
[  135.879077][ T4482] vhci_hcd: stop threads
[  135.879084][ T4482] vhci_hcd: release socket
[  135.879104][ T4482] vhci_hcd: disconnect device
[  135.879262][ T4482] vhci_hcd: stop threads
[  135.904625][ T6821] usb 14-1: new full-speed USB device number 5 using vhci_hcd
[  135.905231][ T4482] vhci_hcd: release socket
[  135.907733][ T7902] vhci_hcd: sendmsg failed!, ret=-32 for 48
[  135.910718][ T4482] vhci_hcd: disconnect device
[  135.924520][ T4482] vhci_hcd: stop threads
[  135.924602][   T14] usb 6-1: new full-speed USB device number 4 using vhci_hcd
[  135.927400][ T4482] vhci_hcd: release socket
[  135.927444][ T4482] vhci_hcd: disconnect device
[  135.927612][ T4482] vhci_hcd: stop threads
[  135.927616][ T4482] vhci_hcd: release socket
[  135.927637][ T4482] vhci_hcd: disconnect device
[  135.927783][ T4482] vhci_hcd: stop threads
[  135.931827][   T14] usb 6-1: enqueue for inactive port 0
[  135.931837][   T14] usb 6-1: enqueue for inactive port 0
[  135.931844][   T14] usb 6-1: enqueue for inactive port 0
[  135.949977][ T7918] vhci_hcd vhci_hcd.0: pdev(2) rhport(0) sockfd(3)
[  135.950493][ T4482] vhci_hcd: release socket
[  135.953289][ T7918] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[  135.956713][ T4482] vhci_hcd: disconnect device
[  135.962382][ T7908] vhci_hcd: connection closed
[  135.962570][ T7905] vhci_hcd: connection closed
[  135.963301][ T4482] vhci_hcd: stop threads
[  135.963305][ T4482] vhci_hcd: release socket
[  135.963329][ T4482] vhci_hcd: disconnect device
[  135.964679][   T66] usb 17-1: enqueue for inactive port 0
[  135.967048][ T4488] vhci_hcd: stop threads
[  135.967055][ T4488] vhci_hcd: release socket
[  135.996537][ T4488] vhci_hcd: disconnect device
[  136.001837][ T7921] vhci_hcd vhci_hcd.0: pdev(2) rhport(0) sockfd(6)
[  136.005729][ T7921] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[  136.009523][   T14] vhci_hcd: vhci_device speed not set
[  136.033302][ T7912] vhci_hcd: connection closed
[  136.033417][ T7915] vhci_hcd: connection closed
[  136.041456][ T4479] vhci_hcd: stop threads
[  136.053100][ T4479] vhci_hcd: release socket
[  136.057791][ T4479] vhci_hcd: disconnect device
[  136.061453][ T4479] vhci_hcd: stop threads
[  136.064363][ T4479] vhci_hcd: release socket
[  136.067801][ T4479] vhci_hcd: disconnect device
[  136.193586][ T7922] vhci_hcd: connection closed
[  136.193753][ T7919] vhci_hcd: connection closed
[  136.193834][ T4479] vhci_hcd: stop threads
[  136.194633][ T6805] usb 11-1: SetAddress Request (6) to port 0
[  136.194650][ T6805] usb 11-1: new SuperSpeed Gen 1 USB device number 6 using vhci_hcd
[  136.209426][ T4479] vhci_hcd: release socket
[  136.211891][ T4479] vhci_hcd: disconnect device
[  136.214638][ T4479] vhci_hcd: stop threads
[  136.214638][   T66] usb 17-1: enqueue for inactive port 0
[  136.220796][ T4479] vhci_hcd: release socket
[  136.223414][ T4479] vhci_hcd: disconnect device
[  136.226214][ T7920] BUG: kernel NULL pointer dereference, address: 0000000000000018
[  136.229703][ T7920] #PF: supervisor read access in kernel mode
[  136.250275][ T7920] #PF: error_code(0x0000) - not-present page
[  136.254738][ T7920] PGD 0 P4D 0
[  136.258410][ T7920] Oops: 0000 [#1] PREEMPT SMP
[  136.263059][ T7920] CPU: 5 PID: 7920 Comm: vhci_tx Not tainted 5.11.0-rc7+ #8
[  136.269087][ T7920] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
[  136.278990][ T7920] RIP: 0010:tomoyo_socket_sendmsg_permission+0x2b/0x120
[  136.283875][ T7920] Code: 48 89 e5 41 57 49 89 f7 41 56 41 55 41 54 53 48 89 fb 48 83 ec 38 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 85 7a 5e ff <4c> 8b 73 18 45 0f b6 66 10 41 80 fc 02 77 32 45 84 e4 75 36 45 31
[  136.297600][ T7920] RSP: 0018:ffffc9001425fc60 EFLAGS: 00010293
[  136.302027][ T7920] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  136.306816][ T7920] RDX: ffff8881305ee280 RSI: ffffffff81d7fe1b RDI: 0000000000000000
[  136.311669][ T7920] RBP: ffffc9001425fcc0 R08: 0000000000000030 R09: 0000000000000000
[  136.315802][ T7920] R10: ffff88813432eb80 R11: 0000000000000000 R12: 0000000000000000
[  136.320276][ T7920] R13: ffffc9001425fdd0 R14: 0000000000000030 R15: ffffc9001425fdd0
[  136.324546][ T7920] FS:  0000000000000000(0000) GS:ffff888236f40000(0000) knlGS:0000000000000000
[  136.329094][ T7920] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  136.333203][ T7920] CR2: 0000000000000018 CR3: 0000000129054005 CR4: 00000000003706e0
[  136.337599][ T7920] Call Trace:
[  136.340429][ T7920]  ? __this_cpu_preempt_check+0x1d/0x30
[  136.344165][ T7920]  tomoyo_socket_sendmsg+0x26/0x30
[  136.347801][ T7920]  security_socket_sendmsg+0x40/0x70
[  136.351378][ T7920]  sock_sendmsg+0x26/0xd0
[  136.354702][ T7920]  kernel_sendmsg+0x44/0x50
[  136.358078][ T7920]  vhci_send_cmd_submit+0x269/0x520
[  136.361674][ T7920]  ? _raw_spin_unlock_irqrestore+0x5a/0x70
[  136.365796][ T7920]  vhci_tx_loop+0x52/0x180
[  136.369274][ T7920]  ? finish_wait+0x90/0x90
[  136.372657][ T7920]  kthread+0x18d/0x1c0
[  136.376299][ T7920]  ? vhci_send_cmd_unlink+0x220/0x220
[  136.380052][ T7920]  ? kthread_insert_work_sanity_check+0x90/0x90
[  136.384729][ T7920]  ret_from_fork+0x22/0x30
[  136.388347][ T7920] Modules linked in:
[  136.391571][ T7920] CR2: 0000000000000018
[  136.394835][ T7920] ---[ end trace 66ee501d798fb2fa ]---
[  136.398442][ T7920] RIP: 0010:tomoyo_socket_sendmsg_permission+0x2b/0x120
[  136.403062][ T7920] Code: 48 89 e5 41 57 49 89 f7 41 56 41 55 41 54 53 48 89 fb 48 83 ec 38 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 85 7a 5e ff <4c> 8b 73 18 45 0f b6 66 10 41 80 fc 02 77 32 45 84 e4 75 36 45 31
[  136.415061][ T2899] usb 9-1: device descriptor read/8, error -110
[  136.415245][ T7920] RSP: 0018:ffffc9001425fc60 EFLAGS: 00010293
[  136.422520][ T7920] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  136.426912][ T7920] RDX: ffff8881305ee280 RSI: ffffffff81d7fe1b RDI: 0000000000000000
[  136.431943][ T7920] RBP: ffffc9001425fcc0 R08: 0000000000000030 R09: 0000000000000000
[  136.434304][   T66] kobject: '17-1' (000000000e8a79ee): kobject_cleanup, parent 0000000000000000
[  136.436148][ T7920] R10: ffff88813432eb80 R11: 0000000000000000 R12: 0000000000000000
[  136.436153][ T7920] R13: ffffc9001425fdd0 R14: 0000000000000030 R15: ffffc9001425fdd0
[  136.436157][ T7920] FS:  0000000000000000(0000) GS:ffff888236f40000(0000) knlGS:0000000000000000
[  136.436161][ T7920] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  136.436165][ T7920] CR2: 0000000000000018 CR3: 0000000129054005 CR4: 00000000003706e0
[  136.436189][ T7920] Kernel panic - not syncing: Fatal exception
[  137.608838][ T7920] Shutting down cpus with NMI
[  149.797229][ T7920] Kernel Offset: disabled
[  149.800911][ T7920] Rebooting in 86400 seconds..

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ