lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CACT4Y+ZBrhAr70pZLRAKJD6zgtV0Zk_hxozOMyEMxNMmntg9fQ@mail.gmail.com>
Date:   Thu, 8 Sep 2022 15:36:50 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     John Hubbard <jhubbard@...dia.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        syzbot <syzbot+6b3a1fd733d73b7a14d7@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        linux-usb@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        Jason Gunthorpe <jgg@...dia.com>,
        Alistair Popple <apopple@...dia.com>,
        Ralph Campbell <rcampbell@...dia.com>,
        Alex Sierra <alex.sierra@....com>,
        Dan Williams <dan.j.williams@...el.com>
Subject: Re: [syzbot] usb-testing boot error: BUG: unable to handle kernel
 paging request in follow_page_mask

On Thu, 8 Sept 2022 at 03:01, 'John Hubbard' via syzkaller-bugs
<syzkaller-bugs@...glegroups.com> wrote:
>
> On 9/6/22 17:22, Andrew Morton wrote:
> >
> > (cc some of the gup.c developers)
>
> I wrote down some of the more obvious analysis results below, but I
> don't have any insight into how this happened.
>
> >
> > On Tue, 06 Sep 2022 07:44:25 -0700 syzbot <syzbot+6b3a1fd733d73b7a14d7@...kaller.appspotmail.com> wrote:
> >
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    4e55e22d3d9a USB: hcd-pci: Drop the unused id parameter fr..
> >> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=16b2d4d7080000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=3cb39b084894e9a5
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=6b3a1fd733d73b7a14d7
> >> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >>
> >> Downloadable assets:
> >> disk image: https://storage.googleapis.com/syzbot-assets/05f931abacee/disk-4e55e22d.raw.xz
> >> vmlinux: https://storage.googleapis.com/syzbot-assets/9b749a498398/vmlinux-4e55e22d.xz
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+6b3a1fd733d73b7a14d7@...kaller.appspotmail.com
> >>
> >> BUG: unable to handle page fault for address: ffffeefda00001ff
> >
> > Thanks.  A bit strange that it came from the USB tree, but I assume this
> > bug originates from Linus's current.
> >
> >> #PF: supervisor read access in kernel mode
> >> #PF: error_code(0x0000) - not-present page
> >> PGD 0 P4D 0
> >> Oops: 0000 [#1] PREEMPT SMP KASAN
> >> CPU: 1 PID: 687 Comm: kworker/u4:0 Not tainted 6.0.0-rc1-syzkaller-00049-g4e55e22d3d9a #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
> >> RIP: 0010:native_pud_val arch/x86/include/asm/pgtable_types.h:347 [inline]
> >> RIP: 0010:pud_none arch/x86/include/asm/pgtable.h:829 [inline]
> >> RIP: 0010:follow_pud_mask mm/gup.c:730 [inline]
>
> Verified in the source code: this is crashing due to a bad address
> in the pud pointer:
>
> follow_pud_mask():
>         pud = pud_offset(p4dp, address);
>         if (pud_none(*pud))  // <-- crashes here


USB tree still misses "virtio: Revert "virtio: find_vqs() add arg
sizes"" commit.
W/o that revert there are assorted memory corruptions all over the kernel.
If you don't see anything obvious, I think we can safely say:

#syz fix: virtio: Revert "virtio: find_vqs() add arg sizes"




> >> RIP: 0010:follow_p4d_mask mm/gup.c:782 [inline]
> >> RIP: 0010:follow_page_mask+0x1a9/0x1c90 mm/gup.c:846
> >> Code: 00 80 88 ff ff 4c 01 e8 4d 89 e5 49 c1 ed 1b 41 81 e5 f8 0f 00 00 49 01 c5 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 d4 18 00 00 4d 8b 75 00 31 ff 49 83 e6 9f 4c 89
> >> RSP: 0000:ffffc90001e7fb10 EFLAGS: 00010a06
> >> RAX: dffffc0000000000 RBX: ffff88810e732500 RCX: 0000000000000000
> >> RDX: 1ffff2fda00001ff RSI: ffffffff8167fdbd RDI: 0000000000000007
> >> RBP: ffffc90001e7fc48 R08: 0000000000000007 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000000 R12: 00007fffffffefc0
> >> R13: ffff97ed00000ff8 R14: 0000000000000000 R15: 0000000000002017
> >> FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
> >> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: ffffeefda00001ff CR3: 0000000007825000 CR4: 00000000003506e0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> Call Trace:
> >>   <TASK>
> >>   __get_user_pages+0x3f2/0x1020 mm/gup.c:1193
> >>   __get_user_pages_locked mm/gup.c:1399 [inline]
> >>   __get_user_pages_remote+0x18f/0x830 mm/gup.c:2109
> >>   get_user_pages_remote+0x84/0xc0 mm/gup.c:2182
> >>   get_arg_page+0xe4/0x2a0 fs/exec.c:222
> >>   copy_string_kernel+0x169/0x460 fs/exec.c:639
> >>   copy_strings_kernel+0xb3/0x190 fs/exec.c:655
> >>   kernel_execve+0x377/0x500 fs/exec.c:2001
> >>   call_usermodehelper_exec_async+0x2e3/0x580 kernel/umh.c:112
> >>   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
> >>   </TASK>
> >> Modules linked in:
> >> CR2: ffffeefda00001ff
> >> ---[ end trace 0000000000000000 ]---
> >> RIP: 0010:native_pud_val arch/x86/include/asm/pgtable_types.h:347 [inline]
> >> RIP: 0010:pud_none arch/x86/include/asm/pgtable.h:829 [inline]
> >> RIP: 0010:follow_pud_mask mm/gup.c:730 [inline]
> >> RIP: 0010:follow_p4d_mask mm/gup.c:782 [inline]
> >> RIP: 0010:follow_page_mask+0x1a9/0x1c90 mm/gup.c:846
> >> Code: 00 80 88 ff ff 4c 01 e8 4d 89 e5 49 c1 ed 1b 41 81 e5 f8 0f 00 00 49 01 c5 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 d4 18 00 00 4d 8b 75 00 31 ff 49 83 e6 9f 4c 89
> >> RSP: 0000:ffffc90001e7fb10 EFLAGS: 00010a06
> >> RAX: dffffc0000000000 RBX: ffff88810e732500 RCX: 0000000000000000
> >> RDX: 1ffff2fda00001ff RSI: ffffffff8167fdbd RDI: 0000000000000007
> >> RBP: ffffc90001e7fc48 R08: 0000000000000007 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000000 R12: 00007fffffffefc0
> >> R13: ffff97ed00000ff8 R14: 0000000000000000 R15: 0000000000002017
> >> FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
> >> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: ffffeefda00001ff CR3: 0000000007825000 CR4: 00000000003506e0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> ----------------
> >> Code disassembly (best guess):
> >>     0:       00 80 88 ff ff 4c       add    %al,0x4cffff88(%rax)
> >>     6:       01 e8                   add    %ebp,%eax
> >>     8:       4d 89 e5                mov    %r12,%r13
> >>     b:       49 c1 ed 1b             shr    $0x1b,%r13
> >>     f:       41 81 e5 f8 0f 00 00    and    $0xff8,%r13d
> >>    16:       49 01 c5                add    %rax,%r13
> >>    19:       48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
> >>    20:       fc ff df
> >>    23:       4c 89 ea                mov    %r13,%rdx
> >>    26:       48 c1 ea 03             shr    $0x3,%rdx
> >> * 2a:        80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
>
>
> The fault address captured in CR2 (ffffeefda00001ff) matches what
> is calculated in the above line:
>
> %rdx             + (%rax * 1):
> 1ffff2fda00001ff + dffffc0000000000 == ffffeefda00001ff
>
> Note that this is an odd (as opposed to even) address, in fact it
> ends with 511. This is never a valid pointer, but it does look like
> a calculation gone wrong.
>
> I'm short of ideas as to how this happened, though.
>
> >>    2e:       0f 85 d4 18 00 00       jne    0x1908
> >>    34:       4d 8b 75 00             mov    0x0(%r13),%r14
> >>    38:       31 ff                   xor    %edi,%edi
> >>    3a:       49 83 e6 9f             and    $0xffffffffffffff9f,%r14
> >>    3e:       4c                      rex.WR
> >>    3f:       89                      .byte 0x89
> >>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ