lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 10 Aug 2021 18:01:12 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Pavel Skripkin <paskripkin@...il.com>
Cc:     syzbot <syzbot+e9cd3122a37c5d6c51e8@...kaller.appspotmail.com>,
        christian.koenig@....com, dongwon.kim@...el.com,
        dri-devel@...ts.freedesktop.org, kraxel@...hat.com,
        linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org,
        linux-media@...r.kernel.org, sumit.semwal@...aro.org,
        syzkaller-bugs@...glegroups.com, vivek.kasireddy@...el.com
Subject: Re: [syzbot] general protection fault in udmabuf_create

On Tue, Aug 10, 2021 at 05:10:56PM +0300, Pavel Skripkin wrote:
> On 8/10/21 4:47 PM, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    7999516e20bd Add linux-next specific files for 20210806
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10f15f8e300000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=2f518e910b029c31
> > dashboard link: https://syzkaller.appspot.com/bug?extid=e9cd3122a37c5d6c51e8
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1181099a300000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b6fce9300000
> > 
> > The issue was bisected to:
> > 
> > commit 16c243e99d335e1ef3059871897119affc98b493
> > Author: Vivek Kasireddy <vivek.kasireddy@...el.com>
> > Date:   Wed Jun 9 18:29:15 2021 +0000
> > 
> >      udmabuf: Add support for mapping hugepages (v4)
> > 
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=12f73dc9300000
> > final oops:     https://syzkaller.appspot.com/x/report.txt?x=11f73dc9300000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16f73dc9300000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+e9cd3122a37c5d6c51e8@...kaller.appspotmail.com
> > Fixes: 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)")
> > 
> > general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> > CPU: 0 PID: 6603 Comm: syz-executor127 Not tainted 5.14.0-rc4-next-20210806-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:_compound_head include/linux/page-flags.h:187 [inline]
> > RIP: 0010:get_page include/linux/mm.h:1203 [inline]
> > RIP: 0010:udmabuf_create+0x664/0x16f0 drivers/dma-buf/udmabuf.c:236
> > Code: 03 48 89 84 24 90 00 00 00 e9 38 01 00 00 e8 23 7a f7 fc 4d 89 f4 49 c1 e4 06 4c 03 24 24 49 8d 7c 24 08 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 0f 85 d3 0d 00 00 4d 8b 6c 24 08 31 ff 4c 89 eb 83
> > RSP: 0018:ffffc90002d7fc70 EFLAGS: 00010202
> > RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000000
> > RDX: ffff888023f69c80 RSI: ffffffff847e4f3d RDI: 0000000000000008
> > RBP: 0000000000000000 R08: fffffffffffff000 R09: 0000000000000000
> > R10: ffffffff847e50f5 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
> > FS:  0000000000935300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000000002000020c CR3: 0000000018d16000 CR4: 00000000001506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >   udmabuf_ioctl_create drivers/dma-buf/udmabuf.c:305 [inline]
> 
> The problem is wrong error handling:
> 
> 	hpage = find_get_page_flags(mapping, pgoff, FGP_ACCESSED);
> 	if (IS_ERR(hpage)) {
> 		ret = PTR_ERR(hpage);
> 		goto err;
> 	}
> 
> find_get_page_flags() return NULL on failure, so this patch should work:
> 
> diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
> index 8df761a10251..c57a609db75b 100644
> --- a/drivers/dma-buf/udmabuf.c
> +++ b/drivers/dma-buf/udmabuf.c
> @@ -227,8 +227,8 @@ static long udmabuf_create(struct miscdevice *device,
>  				if (!hpage) {
>  					hpage = find_get_page_flags(mapping, pgoff,
>  								    FGP_ACCESSED);
> -					if (IS_ERR(hpage)) {
> -						ret = PTR_ERR(hpage);
> +					if (!hpage) {
> +						ret = -EINVAL;
>  						goto err;
>  					}
>  				}
> 
> I am not sure about ret value in case of failure, so I am looking for any
> reviews :)

You're right.  Smatch is sort of supposed to warn about this but
pagecache_get_page() is too complicated.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ