Message-ID: <0ca23345-28a6-07f7-0424-9aaae283caba@huawei.com>
Date:   Fri, 12 Nov 2021 10:07:47 +0800
From:   "Guozihua (Scott)" <guozihua@...wei.com>
To:     <dhowells@...hat.com>, <jarkko@...nel.org>
CC:     <keyrings@...r.kernel.org>,
        <linux-security-module@...r.kernel.org>, <jmorris@...ei.org>,
        <serge@...lyn.com>, <linux-kernel@...r.kernel.org>,
        <xuqiang36@...wei.com>, <wangweiyang2@...wei.com>,
        <xiujianfeng@...wei.com>, <yanjin.yan@...wei.com>,
        <rui.xiang@...wei.com>
Subject: kernel BUG at assoc_array.c:LINE! while adding key to keyring

Hi all,

A BUG_ON error was reported during our FUZZ test recently, which happens 
while trying to insert a new key into a keyring.

The call stack goes like this:

kernel BUG at assoc_array.c:644!
Internal error: Oops - BUG: 0 [#1] SMP
Process syz-executor.24 (pid: 27933, stack limit = 0x000000004a6537a3)
CPU: 3 PID: 27933 Comm: syz-executor.24 Not tainted 4.19.95 #2
Hardware name: linux,dummy-virt (DT)
pstate: 20400005 (nzCv daif +PAN -UAO)
pc : assoc_array_insert_into_terminal_node+0x924/0x10c8 root/polaris/workspace/kernel/kernel/lib/assoc_array.c:644
lr : assoc_array_insert_into_terminal_node+0x924/0x10c8 root/polaris/workspace/kernel/kernel/lib/assoc_array.c:644
sp : fffff02972e379b0
x29: fffff02972e379b0 x28: 0000000000000011
x27: fffff029659af600 x26: fffff0297812e000
x25: fffff0298c215540 x24: 0000000000000010
x23: fffff0298c215400 x22: 00000000ffffffff
x21: fffff0298c215541 x20: 0000000000000001
x19: 000000000000000f x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 0000000000000000
x13: 0000000000000000 x12: 0000000000000000
x11: 1ffffe052e5c6f1e x10: ffff1e052e5c6f1e
x9 : dfff200000000000 x8 : 0000000000000004
x7 : 0000000000000003 x6 : fffff02972e378f4
x5 : ffff1e052e5c6f1e x4 : 1ffffe0531842aa8
x3 : ffff200084a00000 x2 : ffff200033b46000
x1 : ffffffff83600000 x0 : 000000000000357d
Call trace:
  assoc_array_insert_into_terminal_node+0x924/0x10c8 root/polaris/workspace/kernel/kernel/lib/assoc_array.c:644
  assoc_array_insert+0x1e8/0x300 root/polaris/workspace/kernel/kernel/lib/assoc_array.c:1005
  __key_link_begin+0xc4/0x1e0 root/polaris/workspace/kernel/kernel/security/keys/keyring.c:1227
  construct_alloc_key root/polaris/workspace/kernel/kernel/security/keys/request_key.c:375 [inline]
  construct_key_and_link root/polaris/workspace/kernel/kernel/security/keys/request_key.c:466 [inline]
  request_key_and_link+0x358/0x800 root/polaris/workspace/kernel/kernel/security/keys/request_key.c:580
  __do_sys_request_key root/polaris/workspace/kernel/kernel/security/keys/keyctl.c:211 [inline]
  __se_sys_request_key root/polaris/workspace/kernel/kernel/security/keys/keyctl.c:156 [inline]
  __arm64_sys_request_key+0x174/0x2c0 root/polaris/workspace/kernel/kernel/security/keys/keyctl.c:156
  __invoke_syscall root/polaris/workspace/kernel/kernel/arch/arm64/kernel/syscall.c:36 [inline]
  invoke_syscall root/polaris/workspace/kernel/kernel/arch/arm64/kernel/syscall.c:48 [inline]
  el0_svc_common+0xdc/0x3a0 root/polaris/workspace/kernel/kernel/arch/arm64/kernel/syscall.c:121
  el0_svc_handler+0x50/0xb0 root/polaris/workspace/kernel/kernel/arch/arm64/kernel/syscall.c:193
  el0_svc+0x14/0x244 root/polaris/workspace/kernel/kernel/arch/arm64/kernel/entry.S:1028
Code: 97e908f1 f9002efb 17fffe0d 97e038d6 (d4210000)
Modules linked in:
---[ end trace 6a3a83359c05a38f ]---

I've dug a little bit into the issue. The issue happened during the 
split node process when it tries to find two leaves to be put into the new 
node. If it fails, it gives this BUG_ON error.

I was suspecting a race condition. However, when I checked the 
__key_link_begin and key_unlink functions there seems to be sufficient 
locking. And the assoc_array seems to be robust.

It seems that this happened once before 
(https://syzkaller.appspot.com/bug?id=ae9f975f9395c1519048e29bfeb4cd162982eb6d).

Any thoughts? Thanks!

Best Regards,
Zihua Guo
