lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZgvDe6fdJzgb8aZZ@gondor.apana.org.au>
Date: Tue, 2 Apr 2024 16:36:11 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: xingwei lee <xrivendell7@...il.com>
Cc: davem@...emloft.net, linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
	samsun1006219@...il.com, Mike Rapoport <rppt@...ux.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org
Subject: Re: BUG: unable to handle kernel paging request in crypto_sha3_update

On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
>
>   syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
>   res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
>   if (res != -1)
>     r[1] = res;
>   res = syscall(__NR_memfd_secret, /*flags=*/0ul);
>   if (res != -1)
>     r[2] = res;

So this is the key to the issue.  The whole point of memfd_secret is
to make the pages inaccessible to the kernel.  The issue is those
pages are then gifted to the kernel through sendmsg.  Somewhere
along the line someone is supposed to throw up an error about this,
or map the pages properly.  I guess neither happened which is why
we end up with a page fault.

I'll cc the memfd_secret authors to see what should catch this.

>   syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
>           /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
>           /*offset=*/0ul);
>   syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
>   *(uint64_t*)0x20000180 = 0;
>   *(uint32_t*)0x20000188 = 0;
>   *(uint64_t*)0x20000190 = 0x20000140;
>   *(uint64_t*)0x20000140 = 0x20000080;
>   *(uint64_t*)0x20000148 = 0xb0;
>   *(uint64_t*)0x20000198 = 1;
>   *(uint64_t*)0x200001a0 = 0;
>   *(uint64_t*)0x200001a8 = 0;
>   *(uint32_t*)0x200001b0 = 0;
>   syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
>           /*f=*/0x47933e2b0522cf63ul);

This is the spot where the memfd_secret pages are given to the kernel
for processing through sendmsg.

Thanks,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ