Open Source and information security mailing list archives
 
Message-ID: <Y/jOTXCgySjAQnuX@ziepe.ca>
Date:   Fri, 24 Feb 2023 10:48:45 -0400
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     Pengfei Xu <pengfei.xu@...el.com>
Cc:     baolu.lu@...el.com, yi.l.liu@...el.com, kevin.tian@...el.com,
        heng.su@...el.com, linux-kernel@...r.kernel.org
Subject: Re: [Syzkaller & bisect] There was "iommufd_test" WARNING in v6.2 in
 guest

On Fri, Feb 24, 2023 at 01:43:38PM +0800, Pengfei Xu wrote:
> Hi Jason,
> 
> Greeting!
> 
> Platform: ADL-S and x86 platforms
> Host kernel 6.2.0-rc7 which doesn't enable iommufd by host kconfig setting as
> below:
> "# CONFIG_IOMMUFD is not set"
> 
> Guest kconfig with iommufd enabled: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/kconfig_origin
> Reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/repro.c
> v6.2 problem dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/v6.2_c9c3395d5e3dcc6daee66c6908354d47bf98cb0c_dmesg.log
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/bisect_info.log
> 
> There was "iommufd_test" WARNING in v6.2 in guest:
> [   32.012827] ------------[ cut here ]------------
> [   32.013027] WARNING: CPU: 1 PID: 393 at drivers/iommu/iommufd/selftest.c:403 iommufd_test+0xb19/0x16f0
> [   32.013410] Modules linked in:

I didn't include the IOMMU_TEST_OP_MD_CHECK_REFS in the syzkaller
descriptions, how did you hit this?

Anyhow, it is a small issue in the test suite because uptr + length overflows:

--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -568,13 +568,17 @@ static int iommufd_test_md_check_refs(struct iommufd_ucmd *ucmd,
                                      void __user *uptr, size_t length,
                                      unsigned int refs)
 {
-       if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE)
+       uintptr_t end;
+
+       if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE ||
+           check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end))
                return -EINVAL;
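
Review bot: `end` in the new condition is written by check_add_overflow() but never read in the lines quoted here. The hunk header announces 17 lines and the quote stops at `return -EINVAL;`, so the rest of the function is not visible. If the code that follows still derives its bound from uptr + length, switch it to `end` so the value that was checked is the value that is used. If nothing reads `end`, a one-line comment saying it exists only to receive the checked sum would save the next reader a search.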

Jason
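
The overflow named in the reply above, modeled in user space as an added example (not code from this thread or from the kernel tree). It assumes 4096-byte pages and uses the GCC/Clang builtin `__builtin_add_overflow` in place of the kernel's `check_add_overflow()`; the function names, the `NEAR_TOP` input and the `pages_walked_naive` consumer are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u /* assumed page size for this model */
/* Constructed input: page-aligned address two pages below the top. */
#define NEAR_TOP (UINTPTR_MAX - 2 * (uintptr_t)PAGE_SIZE + 1)

/* Pre-patch condition: alignment only. */
static bool range_ok_unchecked(uintptr_t uptr, size_t length)
{
    return !(length % PAGE_SIZE || uptr % PAGE_SIZE);
}

/* Post-patch condition: alignment plus an overflow-checked end address. */
static bool range_ok_checked(uintptr_t uptr, size_t length, uintptr_t *end)
{
    if (length % PAGE_SIZE || uptr % PAGE_SIZE)
        return false;
    return !__builtin_add_overflow(uptr, (uintptr_t)length, end);
}

/* Hypothetical consumer that bounds its walk with a naive uptr + length. */
static size_t pages_walked_naive(uintptr_t uptr, size_t length)
{
    uintptr_t end = uptr + length; /* unsigned add wraps silently */
    return end > uptr ? (end - uptr) / PAGE_SIZE : 0;
}

int main(void)
{
    size_t len = 4 * (size_t)PAGE_SIZE; /* aligned, but crosses the top */
    uintptr_t end = 0;

    printf("unchecked accepts wrapping range: %d\n",
           range_ok_unchecked(NEAR_TOP, len));
    printf("checked accepts wrapping range:   %d\n",
           range_ok_checked(NEAR_TOP, len, &end));
    printf("pages a naive walker would visit: %zu of %zu\n",
           pages_walked_naive(NEAR_TOP, len), len / PAGE_SIZE);
    return 0;
}
```

Both inputs are page-aligned, so the alignment test alone cannot reject the range; only the checked addition does.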
