lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 10 Aug 2021 17:10:56 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     syzbot <syzbot+e9cd3122a37c5d6c51e8@...kaller.appspotmail.com>,
        christian.koenig@....com, dongwon.kim@...el.com,
        dri-devel@...ts.freedesktop.org, kraxel@...hat.com,
        linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org,
        linux-media@...r.kernel.org, sumit.semwal@...aro.org,
        syzkaller-bugs@...glegroups.com, vivek.kasireddy@...el.com
Subject: Re: [syzbot] general protection fault in udmabuf_create

On 8/10/21 4:47 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    7999516e20bd Add linux-next specific files for 20210806
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=10f15f8e300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2f518e910b029c31
> dashboard link: https://syzkaller.appspot.com/bug?extid=e9cd3122a37c5d6c51e8
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1181099a300000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b6fce9300000
> 
> The issue was bisected to:
> 
> commit 16c243e99d335e1ef3059871897119affc98b493
> Author: Vivek Kasireddy <vivek.kasireddy@...el.com>
> Date:   Wed Jun 9 18:29:15 2021 +0000
> 
>      udmabuf: Add support for mapping hugepages (v4)
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12f73dc9300000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=11f73dc9300000
> console output: https://syzkaller.appspot.com/x/log.txt?x=16f73dc9300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e9cd3122a37c5d6c51e8@...kaller.appspotmail.com
> Fixes: 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)")
> 
> general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> CPU: 0 PID: 6603 Comm: syz-executor127 Not tainted 5.14.0-rc4-next-20210806-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:_compound_head include/linux/page-flags.h:187 [inline]
> RIP: 0010:get_page include/linux/mm.h:1203 [inline]
> RIP: 0010:udmabuf_create+0x664/0x16f0 drivers/dma-buf/udmabuf.c:236
> Code: 03 48 89 84 24 90 00 00 00 e9 38 01 00 00 e8 23 7a f7 fc 4d 89 f4 49 c1 e4 06 4c 03 24 24 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 d3 0d 00 00 4d 8b 6c 24 08 31 ff 4c 89 eb 83
> RSP: 0018:ffffc90002d7fc70 EFLAGS: 00010202
> RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: ffff888023f69c80 RSI: ffffffff847e4f3d RDI: 0000000000000008
> RBP: 0000000000000000 R08: fffffffffffff000 R09: 0000000000000000
> R10: ffffffff847e50f5 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
> FS:  0000000000935300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000002000020c CR3: 0000000018d16000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>   udmabuf_ioctl_create drivers/dma-buf/udmabuf.c:305 [inline]

The problem is wrong error handling:

	hpage = find_get_page_flags(mapping, pgoff, FGP_ACCESSED);
	if (IS_ERR(hpage)) {
		ret = PTR_ERR(hpage);
		goto err;
	}

find_get_page_flags() return NULL on failure, so this patch should work:

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index 8df761a10251..c57a609db75b 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -227,8 +227,8 @@ static long udmabuf_create(struct miscdevice *device,
  				if (!hpage) {
  					hpage = find_get_page_flags(mapping, pgoff,
  								    FGP_ACCESSED);
-					if (IS_ERR(hpage)) {
-						ret = PTR_ERR(hpage);
+					if (!hpage) {
+						ret = -EINVAL;
  						goto err;
  					}
  				}

I am not sure about ret value in case of failure, so I am looking for 
any reviews :)


>   udmabuf_ioctl+0x152/0x2c0 drivers/dma-buf/udmabuf.c:336
>   vfs_ioctl fs/ioctl.c:51 [inline]
>   __do_sys_ioctl fs/ioctl.c:874 [inline]
>   __se_sys_ioctl fs/ioctl.c:860 [inline]
>   __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
>   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>   do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>   entry_SYSCALL_64_after_hwframe+0x44/0xae


With regards,
Pavel Skripkin

Powered by blists - more mailing lists