| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Apr 2023 16:52:13 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: syzbot <syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com>
Cc: davem@...emloft.net, herbert@...dor.apana.org.au,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
olivia@...enic.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [crypto?] KCSAN: data-race in random_recv_done /
virtio_read (3)
On Fri, 21 Apr 2023 at 16:36, syzbot
<syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 2faac9a98f01 Merge tag 'keys-fixes-20230321' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1113f21cc80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3eb0bb0ae89a5345
> dashboard link: https://syzkaller.appspot.com/bug?extid=726dc8c62c3536431ceb
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/571c9c5a3db2/disk-2faac9a9.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/a051e3d7c495/vmlinux-2faac9a9.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/ff5ec0d6e37d/bzImage-2faac9a9.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com
Here this:
size = min_t(unsigned int, size, vi->data_avail);
memcpy(buf, vi->data + vi->data_idx, size);
vi->data_idx += size;
vi->data_avail -= size;
runs concurrently with:
if (!virtqueue_get_buf(vi->vq, &vi->data_avail))
return;
vi->data_idx = 0;
I did not fully grasp how/where vi->data is populated, but it looks
like it can lead to use of uninit/stale random data, or even to out of
bounds access, say if vi->data_avail is already updated, but
vi->data_idx is not yet reset to 0. Then concurrent reading will read
not where it's supposed to read.
> ==================================================================
> BUG: KCSAN: data-race in random_recv_done / virtio_read
>
> read to 0xffff8881019054ec of 4 bytes by task 14079 on cpu 0:
> copy_data drivers/char/hw_random/virtio-rng.c:70 [inline]
> virtio_read+0xc3/0x3f0 drivers/char/hw_random/virtio-rng.c:92
> rng_get_data drivers/char/hw_random/core.c:197 [inline]
> rng_dev_read+0x1a7/0x5e0 drivers/char/hw_random/core.c:234
> vfs_read+0x192/0x560 fs/read_write.c:468
> ksys_read+0xeb/0x1a0 fs/read_write.c:613
> __do_sys_read fs/read_write.c:623 [inline]
> __se_sys_read fs/read_write.c:621 [inline]
> __x64_sys_read+0x42/0x50 fs/read_write.c:621
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> write to 0xffff8881019054ec of 4 bytes by interrupt on cpu 1:
> random_recv_done+0x62/0x90 drivers/char/hw_random/virtio-rng.c:45
> vring_interrupt+0x150/0x170 drivers/virtio/virtio_ring.c:2491
> __handle_irq_event_percpu+0x91/0x490 kernel/irq/handle.c:158
> handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
> handle_irq_event+0x64/0xf0 kernel/irq/handle.c:210
> handle_edge_irq+0x17f/0x5a0 kernel/irq/chip.c:819
> generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
> handle_irq arch/x86/kernel/irq.c:231 [inline]
> __common_interrupt+0x64/0x100 arch/x86/kernel/irq.c:250
> common_interrupt+0x49/0xc0 arch/x86/kernel/irq.c:240
> asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:636
>
> value changed: 0x00000000 -> 0x00000040
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 14077 Comm: syz-executor.2 Not tainted 6.3.0-rc3-syzkaller-00016-g2faac9a98f01 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
> ==================================================================
> ==================================================================
> BUG: KCSAN: data-race in detach_buf_split / virtqueue_add
>
> read to 0xffff888101a76950 of 4 bytes by task 14131 on cpu 0:
> virtqueue_add_split drivers/virtio/virtio_ring.c:553 [inline]
> virtqueue_add+0x4b9/0x2130 drivers/virtio/virtio_ring.c:2117
> virtqueue_add_inbuf+0x53/0x80 drivers/virtio/virtio_ring.c:2196
> request_entropy drivers/char/hw_random/virtio-rng.c:61 [inline]
> copy_data drivers/char/hw_random/virtio-rng.c:74 [inline]
> virtio_read+0x1c5/0x3f0 drivers/char/hw_random/virtio-rng.c:92
> rng_get_data drivers/char/hw_random/core.c:197 [inline]
> rng_dev_read+0x1a7/0x5e0 drivers/char/hw_random/core.c:234
> vfs_read+0x192/0x560 fs/read_write.c:468
> ksys_read+0xeb/0x1a0 fs/read_write.c:613
> __do_sys_read fs/read_write.c:623 [inline]
> __se_sys_read fs/read_write.c:621 [inline]
> __x64_sys_read+0x42/0x50 fs/read_write.c:621
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> read-write to 0xffff888101a76950 of 4 bytes by interrupt on cpu 1:
> detach_buf_split+0x2fc/0x570 drivers/virtio/virtio_ring.c:757
> virtqueue_get_buf_ctx_split drivers/virtio/virtio_ring.c:835 [inline]
> virtqueue_get_buf_ctx+0x3c8/0x5c0 drivers/virtio/virtio_ring.c:2311
> virtqueue_get_buf+0x1f/0x30 drivers/virtio/virtio_ring.c:2317
> random_recv_done+0x4c/0x90 drivers/char/hw_random/virtio-rng.c:42
> vring_interrupt+0x150/0x170 drivers/virtio/virtio_ring.c:2491
> __handle_irq_event_percpu+0x91/0x490 kernel/irq/handle.c:158
> handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
> handle_irq_event+0x64/0xf0 kernel/irq/handle.c:210
> handle_edge_irq+0x17f/0x5a0 kernel/irq/chip.c:819
> generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
> handle_irq arch/x86/kernel/irq.c:231 [inline]
> __common_interrupt+0x64/0x100 arch/x86/kernel/irq.c:250
> common_interrupt+0x9e/0xc0 arch/x86/kernel/irq.c:240
> asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:636
> xas_find+0x10a/0x3f0
> find_get_entry mm/filemap.c:2008 [inline]
> filemap_get_folios+0xa4/0x3f0 mm/filemap.c:2174
> mpage_map_and_submit_buffers fs/ext4/inode.c:2358 [inline]
> mpage_map_and_submit_extent fs/ext4/inode.c:2513 [inline]
> ext4_do_writepages+0x1017/0x2140 fs/ext4/inode.c:2876
> ext4_writepages+0x127/0x250 fs/ext4/inode.c:2964
> do_writepages+0x1c5/0x340 mm/page-writeback.c:2551
> filemap_fdatawrite_wbc+0xdb/0xf0 mm/filemap.c:390
> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
> __filemap_fdatawrite mm/filemap.c:429 [inline]
> filemap_flush+0x95/0xc0 mm/filemap.c:456
> ext4_alloc_da_blocks+0x50/0x130 fs/ext4/inode.c:3218
> ext4_release_file+0x5f/0x1c0 fs/ext4/file.c:158
> __fput+0x245/0x570 fs/file_table.c:321
> ____fput+0x15/0x20 fs/file_table.c:349
> task_work_run+0x123/0x160 kernel/task_work.c:179
> exit_task_work include/linux/task_work.h:38 [inline]
> do_exit+0x600/0x1710 kernel/exit.c:869
> do_group_exit+0x101/0x150 kernel/exit.c:1019
> get_signal+0xea9/0xfe0 kernel/signal.c:2859
> arch_do_signal_or_restart+0x89/0x2b0 arch/x86/kernel/signal.c:306
> exit_to_user_mode_loop+0x6d/0xe0 kernel/entry/common.c:168
> exit_to_user_mode_prepare+0x6a/0xa0 kernel/entry/common.c:203
> irqentry_exit_to_user_mode+0x9/0x20 kernel/entry/common.c:309
> irqentry_exit+0x12/0x40 kernel/entry/common.c:412
> exc_general_protection+0x339/0x4c0 arch/x86/kernel/traps.c:728
> asm_exc_general_protection+0x26/0x30 arch/x86/include/asm/idtentry.h:564
>
> value changed: 0x00000001 -> 0x00000000
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 14098 Comm: syz-executor.1 Not tainted 6.3.0-rc3-syzkaller-00016-g2faac9a98f01 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
Powered by blists - more mailing lists