| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <77ace07b-3f84-46ac-8a29-e782d7f60078@redhat.com> Date: Wed, 31 Jan 2024 11:54:25 +0100 From: David Hildenbrand <david@...hat.com> To: Mike Rapoport <rppt@...nel.org> Cc: Pengfei Xu <pengfei.xu@...el.com>, rdunlap@...radead.org, akpm@...ux-foundation.org, heng.su@...el.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org, lkp@...el.com Subject: Re: [Syzkaller & bisect] There is BUG: unable to handle kernel paging request in fuse_copy_one in intel-6.8-rc2 On 31.01.24 11:48, Mike Rapoport wrote: > On Wed, Jan 31, 2024 at 10:15:11AM +0100, David Hildenbrand wrote: >> On 31.01.24 03:01, Pengfei Xu wrote: >>> Hi Mike, >>> >>> Greeting! >>> >>> There is "unable to handle kernel paging request in fuse_copy_one" BUG in >>> intel-6.8-rc2: >>> >>> All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/240130_184751_fuse_copy_one >>> Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/240130_184751_fuse_copy_one/repro.c >>> Syzkaller repro syscall steps: https://github.com/xupengfe/syzkaller_logs/blob/main/240130_184751_fuse_copy_one/repro.prog >>> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/240130_184751_fuse_copy_one/bisect_info.log >>> Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/240130_184751_fuse_copy_one/41bccc98fb7931d63d03f326a746ac4d429c1dd3_dmesg.log >>> bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/240130_184751_fuse_copy_one/bzImage_v6.8-rc2.tar.gz >>> Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/240130_184751_fuse_copy_one/kconfig_origin >>> >>> Bisected and found first bad commit is: >>> b758fe6df50da mm/secretmem: make it on by default >> >> Sounds like we manage to access a page that has its direct map removed -- >> either because it's actual secretmem memory, or because we fail to restore >> the direct map. > > Judging by the repro code and the registers, it's an access to secretmem. > > The call > syscall(__NR_write, /*fd=*/r[0], /*arg=*/0x20000040ul, /*len=*/0x50ul); > > will eventually get to > > memcpy(0xffff88800e2afa80, 0xffff8880119a5040, 0x0000000000000010) > > and I think that 0x20000040 in repro address space maps to > 0xffff8880119a5040 in the direct map. > > So it looks like secretmem actually works :) Good. How can we prevent triggering BUGs? The write system call should fail gracefully (and I thought it would). -- Cheers, David / dhildenb
Powered by blists - more mailing lists