lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKFNMonaRvoUZj6kUhwrD==aB18cfyNbO4zPT89eAVNjtV4x6Q@mail.gmail.com>
Date:   Mon, 19 Sep 2022 16:05:22 +0900
From:   Ryusuke Konishi <konishi.ryusuke@...il.com>
To:     syzbot <syzbot+443228fd71f385302265@...kaller.appspotmail.com>
Cc:     linux-kernel@...r.kernel.org, linux-nilfs@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] WARNING in __virt_to_phys

On Mon, Sep 19, 2022 at 3:12 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    a6b443748715 Merge branch 'for-next/core', remote-tracking..
> git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=14fc366f080000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=14bf9ec0df433b27
> dashboard link: https://syzkaller.appspot.com/bug?extid=443228fd71f385302265
> compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
> userspace arch: arm64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/81b491dd5861/disk-a6b44374.raw.xz
> vmlinux: https://storage.googleapis.com/69c979cdc99a/vmlinux-a6b44374.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+443228fd71f385302265@...kaller.appspotmail.com
>
> virt_to_phys used for non-linear address: 00000000b6fc6bf9 (0x44006b7369643d45)
> WARNING: CPU: 0 PID: 24583 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0x80/0x98 arch/arm64/mm/physaddr.c:17
> Modules linked in:
> CPU: 0 PID: 24583 Comm: syz-executor.3 Not tainted 6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __virt_to_phys+0x80/0x98 arch/arm64/mm/physaddr.c:17
> lr : __virt_to_phys+0x7c/0x98 arch/arm64/mm/physaddr.c:12
> sp : ffff80001f993b00
> x29: ffff80001f993b00 x28: 0000000000000000 x27: ffff0000ed649d68
> x26: ffff0000fa388000 x25: 00000000ffff8000
>  x24: 0000000000000000
>
> x23: ffff000108325800 x22: 00000000ffff8000 x21: 0000000040000000
> x20: 44016b7369643d45 x19: 44006b7369643d45 x18: 00000000000001b8
> x17: ffff80000c00d6bc
>  x16: ffff80000db78658 x15: ffff0000fa388000
> x14: 0000000000000000 x13: 00000000ffffffff x12: 0000000000040000
> x11: 0000000000005389 x10: ffff800017fb2000 x9 : 48cd7cd042b5b300
> x8 : ffff80000cf0e000 x7 : ffff800008162e5c x6 : 0000000000000000
> x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
> x2 : 0000000000000007 x1 : 0000000100000000 x0 : 000000000000004f
> Call trace:
>  __virt_to_phys+0x80/0x98 arch/arm64/mm/physaddr.c:17
>  virt_to_folio include/linux/mm.h:856 [inline]
>  kfree+0x70/0x348 mm/slub.c:4556
>  nilfs_mdt_destroy+0x24/0x3c fs/nilfs2/mdt.c:497
>  nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
>  i_callback fs/inode.c:249 [inline]
>  alloc_inode+0xdc/0x104 fs/inode.c:274
>  new_inode_pseudo fs/inode.c:1019 [inline]
>  new_inode+0x2c/0xc0 fs/inode.c:1047
>  nilfs_new_inode+0x48/0x378 fs/nilfs2/inode.c:334
>  nilfs_create+0x74/0x17c fs/nilfs2/namei.c:85
>  vfs_create+0x1c8/0x270 fs/namei.c:3115
>  do_mknodat+0x274/0x3e8 fs/namei.c:3942
>  __do_sys_mknodat fs/namei.c:3970 [inline]
>  __se_sys_mknodat fs/namei.c:3967 [inline]
>  __arm64_sys_mknodat+0x4c/0x64 fs/namei.c:3967
>  __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
>  invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
>  el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
>  do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
>  el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
>  el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
>  el0t_64_sync+0x18c/0x190
> irq event stamp: 2368
> hardirqs last  enabled at (2367): [<ffff800008162eec>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1367 [inline]
> hardirqs last  enabled at (2367): [<ffff800008162eec>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4942
> hardirqs last disabled at (2368): [<ffff80000bfc5c8c>] el1_dbg+0x24/0x5c arch/arm64/kernel/entry-common.c:395
> softirqs last  enabled at (2364): [<ffff8000080102e4>] _stext+0x2e4/0x37c
> softirqs last disabled at (2287): [<ffff800008017c48>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
> ---[ end trace 0000000000000000 ]---
> Unable to handle kernel paging request at virtual address 000fffadd38710c8
> Mem abort info:
>   ESR = 0x0000000096000004
>   EC = 0x25: DABT (current EL), IL = 32 bits
>   SET = 0, FnV = 0
>   EA = 0, S1PTW = 0
>   FSC = 0x04: level 0 translation fault
> Data abort info:
>   ISV = 0, ISS = 0x00000004
>   CM = 0, WnR = 0
> [000fffadd38710c8] address between user and kernel address ranges
> Internal error: Oops: 96000004 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 0 PID: 24583 Comm: syz-executor.3 Tainted: G        W          6.0.0-rc4-syzkaller-17255-ga6b443748715 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
> pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : _compound_head include/linux/page-flags.h:253 [inline]
> pc : virt_to_folio include/linux/mm.h:858 [inline]
> pc : kfree+0x80/0x348 mm/slub.c:4556
> lr : virt_to_folio include/linux/mm.h:856 [inline]
> lr : kfree+0x70/0x348 mm/slub.c:4556
> sp : ffff80001f993b20
> x29: ffff80001f993b30 x28: 0000000000000000 x27: ffff0000ed649d68
> x26: ffff0000fa388000 x25: 00000000ffff8000 x24: 0000000000000000
> x23: ffff000108325800
>  x22: 00000000ffff8000
>  x21: 010fffadd38710c0
> x20: ffff800008f58ab8
>  x19: 44006b7369643d45 x18: 00000000000001b8
> x17: ffff80000c00d6bc
>  x16: ffff80000db78658 x15: ffff0000fa388000
> x14: 0000000000000000
>  x13: 00000000ffffffff x12: 0000000000040000
> x11: 0000000000005389
>  x10: ffff800017fb2000 x9 : fffffc0000000000
> x8 : 0004400eb74e1c43 x7 : ffff800008162e5c x6 : 0000000000000000
> x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
> x2 : 0000000000000007 x1 : 0000000100000000 x0 : 4400eb7521c43d45
> Call trace:
>  virt_to_folio include/linux/mm.h:856 [inline]
>  kfree+0x80/0x348 mm/slub.c:4556
>  nilfs_mdt_destroy+0x24/0x3c fs/nilfs2/mdt.c:497
>  nilfs_free_inode+0x2c/0x54 fs/nilfs2/super.c:168
>  i_callback fs/inode.c:249 [inline]
>  alloc_inode+0xdc/0x104 fs/inode.c:274
>  new_inode_pseudo fs/inode.c:1019 [inline]
>  new_inode+0x2c/0xc0 fs/inode.c:1047
>  nilfs_new_inode+0x48/0x378 fs/nilfs2/inode.c:334
>  nilfs_create+0x74/0x17c fs/nilfs2/namei.c:85
>  vfs_create+0x1c8/0x270 fs/namei.c:3115
>  do_mknodat+0x274/0x3e8 fs/namei.c:3942
>  __do_sys_mknodat fs/namei.c:3970 [inline]
>  __se_sys_mknodat fs/namei.c:3967 [inline]
>  __arm64_sys_mknodat+0x4c/0x64 fs/namei.c:3967
>  __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
>  invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
>  el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
>  do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
>  el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:624
>  el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:642
>  el0t_64_sync+0x18c/0x190
> Code: d34cfc08 cb953108 b25657e9 8b081935 (f94006a8)
> ---[ end trace 0000000000000000 ]---
> ----------------
> Code disassembly (best guess):
>    0:   d34cfc08        lsr     x8, x0, #12
>    4:   cb953108        sub     x8, x8, x21, asr #12
>    8:   b25657e9        mov     x9, #0xfffffc0000000000         // #-4398046511104
>    c:   8b081935        add     x21, x9, x8, lsl #6
> * 10:   f94006a8        ldr     x8, [x21, #8] <-- trapping instruction
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

This looks like the same issue as the report [1]:

[1] https://lore.kernel.org/all/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com/T/#u

The bug fix patch for this, is queued in the vfs tree with the title
"fs: fix UAF/GPF bug in nilfs_mdt_destroy"  [2]:

[2] https://lkml.kernel.org/r/20220816040859.659129-1-dzm91@hust.edu.cn

It's found in the latest linux-next as well.
As the outlook for now, this patch would be merged to the mainline
after Linux kernel 6.0 is released, and then backported to stable
trees.

Thanks,
Ryusuke Konishi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ