 
Date:   Sat, 13 Nov 2021 01:21:52 +0800
From:   kernel test robot <lkp@...el.com>
To:     Cyrill Gorcunov <gorcunov@...il.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     kbuild-all@...ts.01.org, Alexey Dobriyan <adobriyan@...il.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Andrey Vagin <avagin@...il.com>,
        Dmitry Safonov <0x7f454c46@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linux Memory Management List <linux-mm@...ck.org>
Subject: Re: [PATCH v2] prctl: PR_SET_MM - unify copying of user's auvx

Hi Cyrill,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linux/master]
[also build test WARNING on v5.15]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Cyrill-Gorcunov/prctl-PR_SET_MM-unify-copying-of-user-s-auvx/20210929-123259
base:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 5816b3e6577eaa676ceb00a848f0fd65fe2adc29
config: parisc-randconfig-s032-20210929 (attached as .config)
compiler: hppa-linux-gcc (GCC) 11.2.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.4-dirty
        # https://github.com/0day-ci/linux/commit/37297835c68662e1781118a01b7a271277e965d0
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Cyrill-Gorcunov/prctl-PR_SET_MM-unify-copying-of-user-s-auvx/20210929-123259
        git checkout 37297835c68662e1781118a01b7a271277e965d0
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=parisc 

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>


sparse warnings: (new ones prefixed by >>)
>> kernel/sys.c:1997:58: sparse: sparse: incorrect type in argument 3 (different address spaces) @@     expected void const [noderef] __user *addr @@     got unsigned long long [usertype] *[addressable] auxv @@
   kernel/sys.c:1997:58: sparse:     expected void const [noderef] __user *addr
   kernel/sys.c:1997:58: sparse:     got unsigned long long [usertype] *[addressable] auxv
   kernel/sys.c:1068:32: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected struct task_struct *p1 @@     got struct task_struct [noderef] __rcu *real_parent @@
   kernel/sys.c:1068:32: sparse:     expected struct task_struct *p1
   kernel/sys.c:1068:32: sparse:     got struct task_struct [noderef] __rcu *real_parent
   kernel/sys.c: note: in included file (through include/linux/rcuwait.h, include/linux/percpu-rwsem.h, include/linux/fs.h, ...):
   include/linux/sched/signal.h:710:37: sparse: sparse: incorrect type in argument 1 (different address spaces) @@     expected struct spinlock [usertype] *lock @@     got struct spinlock [noderef] __rcu * @@
   include/linux/sched/signal.h:710:37: sparse:     expected struct spinlock [usertype] *lock
   include/linux/sched/signal.h:710:37: sparse:     got struct spinlock [noderef] __rcu *

vim +1997 kernel/sys.c

  1968	
  1969	#ifdef CONFIG_CHECKPOINT_RESTORE
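/*
 * prctl_set_mm_map - apply a userspace-provided struct prctl_mm_map to
 * the current mm, or report the structure's size.
 * @opt:       PR_SET_MM_MAP_SIZE writes sizeof(struct prctl_mm_map) to
 *             @addr (as an unsigned int) and returns; any other value
 *             treats @addr as the map to install.
 * @addr:      user pointer to the struct prctl_mm_map (or to the unsigned
 *             int receiving the size for PR_SET_MM_MAP_SIZE).
 * @data_size: size of the user structure; must equal sizeof(prctl_map).
 *
 * Return: 0 on success; -EINVAL on a size mismatch; -EFAULT when the
 * user copy fails; -EPERM when exe_fd is set by a caller that is not
 * checkpoint/restore capable; otherwise the error returned by
 * validate_prctl_map_addr(), copy_auxv_from_user() or
 * prctl_set_mm_exe_file().
 */
static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data_size)
{
	struct prctl_mm_map prctl_map = { .exe_fd = (u32)-1, };
	unsigned long user_auxv[AT_VECTOR_SIZE];
	struct mm_struct *mm = current->mm;
	int error;

	/* The local copy is memcpy'd over mm->saved_auxv below, so the sizes must match. */
	BUILD_BUG_ON(sizeof(user_auxv) != sizeof(mm->saved_auxv));
	BUILD_BUG_ON(sizeof(struct prctl_mm_map) > 256);

	if (opt == PR_SET_MM_MAP_SIZE)
		return put_user((unsigned int)sizeof(prctl_map),
				(unsigned int __user *)addr);

	if (data_size != sizeof(prctl_map))
		return -EINVAL;

	if (copy_from_user(&prctl_map, addr, sizeof(prctl_map)))
		return -EFAULT;

	error = validate_prctl_map_addr(&prctl_map);
	if (error)
		return error;

	if (prctl_map.auxv_size) {
		/*
		 * prctl_map.auxv is a plain (non-__user) pointer in the
		 * user-visible structure, while copy_auxv_from_user() takes
		 * a __user pointer: cast explicitly so the address-space
		 * change is visible to sparse rather than silent.
		 * Reuse the outer @error instead of shadowing it.
		 */
		error = copy_auxv_from_user(user_auxv,
					    sizeof(user_auxv),
					    (const void __user *)prctl_map.auxv,
					    prctl_map.auxv_size);
		if (error)
			return error;
	}

	if (prctl_map.exe_fd != (u32)-1) {
		/*
		 * Check if the current user is checkpoint/restore capable.
		 * At the time of this writing, it checks for CAP_SYS_ADMIN
		 * or CAP_CHECKPOINT_RESTORE.
		 * Note that a user with access to ptrace can masquerade an
		 * arbitrary program as any executable, even setuid ones.
		 * This may have implications in the tomoyo subsystem.
		 */
		if (!checkpoint_restore_ns_capable(current_user_ns()))
			return -EPERM;

		error = prctl_set_mm_exe_file(mm, prctl_map.exe_fd);
		if (error)
			return error;
	}

	/*
	 * arg_lock protects concurrent updates but we still need mmap_lock for
	 * read to exclude races with sys_brk.
	 */
	mmap_read_lock(mm);

	/*
	 * We don't validate if these members are pointing to
	 * real present VMAs because application may have correspond
	 * VMAs already unmapped and kernel uses these members for statistics
	 * output in procfs mostly, except
	 *
	 *  - @start_brk/@brk which are used in do_brk_flags but kernel lookups
	 *    for VMAs when updating these members so anything wrong written
	 *    here cause kernel to swear at userspace program but won't lead
	 *    to any problem in kernel itself
	 */

	spin_lock(&mm->arg_lock);
	mm->start_code	= prctl_map.start_code;
	mm->end_code	= prctl_map.end_code;
	mm->start_data	= prctl_map.start_data;
	mm->end_data	= prctl_map.end_data;
	mm->start_brk	= prctl_map.start_brk;
	mm->brk		= prctl_map.brk;
	mm->start_stack	= prctl_map.start_stack;
	mm->arg_start	= prctl_map.arg_start;
	mm->arg_end	= prctl_map.arg_end;
	mm->env_start	= prctl_map.env_start;
	mm->env_end	= prctl_map.env_end;
	spin_unlock(&mm->arg_lock);

	/*
	 * Note this update of @saved_auxv is lockless thus
	 * if someone reads this member in procfs while we're
	 * updating -- it may get partly updated results. It's
	 * known and acceptable trade off: we leave it as is to
	 * not introduce additional locks here making the kernel
	 * more complex.
	 */
	if (prctl_map.auxv_size)
		memcpy(mm->saved_auxv, user_auxv, sizeof(user_auxv));

	mmap_read_unlock(mm);
	return 0;
}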
  2066	#endif /* CONFIG_CHECKPOINT_RESTORE */
  2067	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

