lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 23 Feb 2022 14:54:43 +0100
From:   Vlastimil Babka <vbabka@...e.cz>
To:     Matthew Wilcox <willy@...radead.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Cc:     Miaohe Lin <linmiaohe@...wei.com>,
        Christoph Hellwig <hch@...radead.org>, Jan Kara <jack@...e.cz>,
        Takashi Iwai <tiwai@...e.de>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>, patches@...ts.linux.dev,
        LKML <linux-kernel@...r.kernel.org>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Subject: read() data corruption with CONFIG_READ_ONLY_THP_FOR_FS=y

Hi,

we have found a bug involving CONFIG_READ_ONLY_THP_FOR_FS=y, introduced in
5.12 by cbd59c48ae2b ("mm/filemap: use head pages in
generic_file_buffered_read")
and apparently fixed in 5.17-rc1 by 6b24ca4a1a8d ("mm: Use multi-index
entries in the page cache")
The latter commit is part of folio rework so likely not stable material, so
it would be nice to have a small fix for e.g. 5.15 LTS. Preferably from
someone who understands xarray :)

The bug was found while building nodejs16, which involves running some
tests, first with a non-stripped node16 binary, and then stripping it. This
has a good chance of the stripped result becoming corrupted and not
executable anymore due to dynamic loader failures. It turns out that while
executed during tests, CONFIG_READ_ONLY_THP_FOR_FS=y allows khugepaged to
collapse the large executable mappings. Then /usr/bin/strip uses read() to
process the binary and triggers a bug introduced in cbd59c48ae2b where if a
read spans two or more collapsed THPs in the page cache, the first one will
be read multiple times instead.

Takashi Iwai has bisected using the nodejs build scenario to commit
cbd59c48ae2b.

I have distilled the scenario to the attached reproducer. There are some
assumptions for it to work:

- the passed path for file it creates/works with should be on a filesystem
such as xfs or ext4 that uses generic_file_buffered_read()
- the kernel should have e6be37b2e7bd ("mm/huge_memory.c: add missing
read-only THP checking in transparent_hugepage_enabled()") otherwise
khugepaged will not recognize the reproducer's mm as thp eligible (it had to
be some other mapping in nodejs that made it still possible to trigger this
during bisect)
- there's a pause to allow khugepaged to do its job, you can increase the
speed as instructed and verify with /proc/pid/smaps and meminfo that the
collapse in page cache has happened
- if the bug is reproduced, the reproducer will complain like this:
mismatch at offset 2097152: read value expected for offset 0 instead of 2097152

I've hacked some printk on top 5.16 (attached debug.patch)
which gives this output:

i=0 page=ffffea0004340000 page_offset=0 uoff=0 bytes=2097152
i=1 page=ffffea0004340000 page_offset=0 uoff=0 bytes=2097152
i=2 page=ffffea0004340000 page_offset=0 uoff=0 bytes=0
i=3 page=ffffea0004340000 page_offset=0 uoff=0 bytes=0
i=4 page=ffffea0004340000 page_offset=0 uoff=0 bytes=0
i=5 page=ffffea0004340000 page_offset=0 uoff=0 bytes=0
i=6 page=ffffea0004340000 page_offset=0 uoff=0 bytes=0
i=7 page=ffffea0004340000 page_offset=0 uoff=0 bytes=0
i=8 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0
i=9 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0
i=10 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0
i=11 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0
i=12 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0
i=13 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0
i=14 page=ffffea0004470000 page_offset=2097152 uoff=0 bytes=0

It seems filemap_get_read_batch() should be returning pages ffffea0004340000
and ffffea0004470000 consecutively in the pvec, but returns the first one 8
times, so it's read twice and then the rest is just skipped over as it's
beyond the requested read size.

I suspect these lines:
  xas.xa_index = head->index + thp_nr_pages(head) - 1;
  xas.xa_offset = (xas.xa_index >> xas.xa_shift) & XA_CHUNK_MASK;

commit 6b24ca4a1a8d changes those to xas_advance() (introduced one patch
earlier), so some self-contained fix should be possible for prior kernels?
But I don't understand xarray well enough.

My colleagues should be credited for initial analysis of the nodejs build
scenario:

Analyzed-by: Adam Majer <amajer@...e.com>
Analyzed-by: Dirk Mueller <dmueller@...e.com>
Bisected-by: Takashi Iwai <tiwai@...e.de>

Thanks,
Vlastimil
View attachment "thp_reproducer.c" of type "text/x-csrc" (3562 bytes)

View attachment "debug.patch" of type "text/x-patch" (545 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ