lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 2 Apr 2024 18:09:21 +0300
From: Mike Rapoport <rppt@...ux.ibm.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: xingwei lee <xrivendell7@...il.com>, davem@...emloft.net,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, samsun1006219@...il.com,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
        netdev@...r.kernel.org
Subject: Re: BUG: unable to handle kernel paging request in crypto_sha3_update

On Tue, Apr 02, 2024 at 04:36:11PM +0800, Herbert Xu wrote:
> On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
> >
> >   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
> >   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
> >   if (res != -1)
> >     r[1] = res;
> >   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
> >   if (res != -1)
> >     r[2] = res;
> 
> So this is the key to the issue.  The whole point of memfd_secret is
> to make the pages inaccessible to the kernel.  The issue is those
> pages are then gifted to the kernel through sendmsg.  Somewhere
> along the line someone is supposed to throw up an error about this,
> or map the pages properly.  I guess neither happened which is why
> we end up with a page fault.

Yeah, there was a bug in folio_is_secretmem() that should have throw an
error about this.

David Hildenbrand sent a fix, it's in Andrew's tree

https://lore.kernel.org/all/20240326143210.291116-1-david@redhat.com
 
> I'll cc the memfd_secret authors to see what should catch this.
> 
> >   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
> >           /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
> >           /*offset=*/0ul);
> >   syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
> >   *(uint64_t*)0x20000180 = 0;
> >   *(uint32_t*)0x20000188 = 0;
> >   *(uint64_t*)0x20000190 = 0x20000140;
> >   *(uint64_t*)0x20000140 = 0x20000080;
> >   *(uint64_t*)0x20000148 = 0xb0;
> >   *(uint64_t*)0x20000198 = 1;
> >   *(uint64_t*)0x200001a0 = 0;
> >   *(uint64_t*)0x200001a8 = 0;
> >   *(uint32_t*)0x200001b0 = 0;
> >   syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
> >           /*f=*/0x47933e2b0522cf63ul);
> 
> This is the spot where the memfd_secret pages are given to the kernel
> for processing through sendmsg.
> 
> Thanks,
> -- 
> Email: Herbert Xu <herbert@...dor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

-- 
Sincerely yours,
Mike.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ