lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240809145320.77100-1-spasswolf@web.de>
Date: Fri,  9 Aug 2024 16:53:19 +0200
From: Bert Karwatzki <spasswolf@....de>
To: mingo@...nel.org
Cc: Bert Karwatzki <spasswolf@....de>,
	akpm@...ux-foundation.org,
	Oleg Nesterov <oleg@...hat.com>,
	Andy Lutomirski <luto@...nel.org>,
	Borislav Petkov <bp@...en8.de>,
	Fenghua Yu <fenghua.yu@...el.com>,
	"H . Peter Anvin" <hpa@...or.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Dave Hansen <dave.hansen@...ux.intel.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Uros Bizjak <ubizjak@...il.com>,
	linux-kernel@...r.kernel.org,
	peterz@...radead.org
Subject: Re: commit 81106b7e0b13 can break asm_int80_emulation on x86_64

I did some experimentation on the bug with the help of the following patch:

diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index bcbbb433cece..70064da40f9d 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1212,6 +1212,7 @@ static int copy_from_buffer(void *dst, unsigned int offset, unsigned int size,
 	if (kbuf) {
 		memcpy(dst, kbuf + offset, size);
 	} else {
+		printk(KERN_INFO "%s: calling copy_from_user with to = %px from = %px, n = 0x%x\n", __func__, dst, ubuf + offset, size);
 		if (copy_from_user(dst, ubuf + offset, size))
 			return -EFAULT;
 	}
@@ -1257,6 +1258,8 @@ static int copy_uabi_to_xstate(struct fpstate *fpstate, const void *kbuf,
 	int i;

 	offset = offsetof(struct xregs_state, header);
+	printk(KERN_INFO "%s %d: calling copy_from buffer with offset = 0x%x, size = 0x%lx\n",
+			__func__, __LINE__, offset, sizeof(hdr));
 	if (copy_from_buffer(&hdr, offset, sizeof(hdr), kbuf, ubuf))
 		return -EFAULT;

@@ -1269,6 +1272,8 @@ static int copy_uabi_to_xstate(struct fpstate *fpstate, const void *kbuf,
 		u32 mxcsr[2];

 		offset = offsetof(struct fxregs_state, mxcsr);
+		printk(KERN_INFO "%s %d: calling copy_from buffer with offset = 0x%x, size = 0x%lx\n",
+				__func__, __LINE__, offset, sizeof(mxcsr));
 		if (copy_from_buffer(mxcsr, offset, sizeof(mxcsr), kbuf, ubuf))
 			return -EFAULT;

@@ -1292,6 +1297,8 @@ static int copy_uabi_to_xstate(struct fpstate *fpstate, const void *kbuf,
 			offset = xstate_offsets[i];
 			size = xstate_sizes[i];

+			printk(KERN_INFO "%s %d: calling copy_from buffer %d with offset = 0x%x, size = 0x%x, dst = %px, kbuf = %px, ubuf = %px\n",
+					__func__, __LINE__, i, offset, size, dst, kbuf, ubuf);
 			if (copy_from_buffer(dst, offset, size, kbuf, ubuf))
 				return -EFAULT;
 		}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
index 1bab93d049df..23b228804289 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -1183,7 +1183,7 @@ static void mt7921_ipv6_addr_change(struct ieee80211_hw *hw,
 				    struct inet6_dev *idev)
 {
 	struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
-	struct mt792x_dev *dev = mvif->phy->dev;
+	struct mt792x_dev *dev = mt792x_hw_dev(hw);
 	struct inet6_ifaddr *ifa;
 	struct in6_addr ns_addrs[IEEE80211_BSS_ARP_ADDR_LIST_LEN];
 	struct sk_buff *skb;
diff --git a/mm/slub.c b/mm/slub.c
index 513f0fb80f1b..3a62bf2f355d 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -5636,6 +5636,10 @@ void __check_heap_object(const void *ptr, unsigned long n,
 	    n <= s->useroffset - offset + s->usersize)
 		return;

+	printk(KERN_INFO "%s: ptr = %px slab = %px s = %px\n", __func__, ptr, slab, s);
+	printk(KERN_INFO "%s: offset = 0x%x s->useroffset = 0x%x\n", __func__, offset, s->useroffset);
+	printk(KERN_INFO "%s: offset - s->useroffset = 0x%x s->usersize = 0x%x\n", __func__, offset - s->useroffset, s->usersize);
+	printk(KERN_INFO "%s: n = 0x%lx s->useroffset - offset + s->usersize = 0x%x\n", __func__, n, s->useroffset - offset + s->usersize);
 	usercopy_abort("SLUB object", s->name, to_user, offset, n);
 }
 #endif /* CONFIG_HARDENED_USERCOPY */

which gives the following output (before the usual backtrace) :

[  223.785491] [  T46217] copy_uabi_to_xstate 1261: calling copy_from buffer with offset = 0x200, size = 0x40
[  223.785501] [  T46217] copy_from_buffer: calling copy_from_user with to = ffffa85f5387fd58 from = 000000003ffef840, n = 0x40
[  223.785506] [  T46217] copy_uabi_to_xstate 1275: calling copy_from buffer with offset = 0x18, size = 0x8
[  223.785509] [  T46217] copy_from_buffer: calling copy_from_user with to = ffffa85f5387fd50 from = 000000003ffef658, n = 0x8
[  223.785512] [  T46217] copy_uabi_to_xstate 1300: calling copy_from buffer 0 with offset = 0x0, size = 0xa0, dst = ffff8c819c239b80, kbuf = 0000000000000000, ubuf = 000000003ffef640
[  223.785516] [  T46217] copy_from_buffer: calling copy_from_user with to = ffff8c819c239b80 from = 000000003ffef640, n = 0xa0
[  223.785520] [  T46217] __check_heap_object: ptr = ffff8c819c239b80 slab = ffffd5368c708e00 s = ffff8c7f800d1400
[  223.785523] [  T46217] __check_heap_object: offset = 0xc00 s->useroffset = 0x0
[  223.785525] [  T46217] __check_heap_object: offset - s->useroffset = 0xc00 s->usersize = 0x0 FIXME?
[  223.785528] [  T46217] __check_heap_object: n = 0xa0 s->useroffset - offset + s->usersize = 0xfffff400
[  223.785530] [  T46217] usercopy: Kernel memory overwrite attempt detected to SLUB object 'task_struct' (offset 3072, size 160)!
[  223.785545] [  T46217] ------------[ cut here ]------------
[  223.785547] [  T46217] kernel BUG at mm/usercopy.c:102!

So the problem seems to be that the kmem_cache object *s has usersize 0. This
should be impossible in theory as kmem_cache_create_usercopy() should print
a warning in case of (!usersize && useroffset).

Bert Karwatzki


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ