Message-ID: <37aa2b6e-02ab-414d-8443-42bbd214ed6a@lucifer.local>
Date: Thu, 5 Dec 2024 07:48:10 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: "Lai, Yi" <yi1.lai@...ux.intel.com>
Cc: Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Namhyung Kim <namhyung@...nel.org>,
        Mark Rutland <mark.rutland@....com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Jiri Olsa <jolsa@...nel.org>, Ian Rogers <irogers@...gle.com>,
        Adrian Hunter <adrian.hunter@...el.com>,
        Kan Liang <kan.liang@...ux.intel.com>,
        linux-perf-users@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, Matthew Wilcox <willy@...radead.org>,
        David Hildenbrand <david@...hat.com>, yi1.lai@...el.com
Subject: Re: [PATCH v2] perf: map pages in advance

On Thu, Dec 05, 2024 at 07:09:18AM +0000, Lorenzo Stoakes wrote:
> On Thu, Dec 05, 2024 at 10:16:51AM +0800, Lai, Yi wrote:
> [snip]
> > > --
> > > 2.47.1
> >
> > Hi Lorenzo Stoakes,
> >
> > Greetings!
> >
> > I used Syzkaller and found that there is general protection fault in perf_mmap_to_page in linux-next next-20241203.
> >
> > After bisection, the first bad commit is:
> > "
> > eca51ce01d49 perf: Map pages in advance
>
> Thanks, I can repro locally.
>
> Will investigate and address as a priority.

So this is because the 'rb' local variable is being used for something
other than just being a handy alias for event->rb, for some reason...

There is a specific code path where ret == 0 _and_ rb == NULL, which
obviously means we null ptr deref.

Specifically in this case it's because vma->vm_pgoff == 0, so we don't
assign rb, then after the again label it's:

again:
	mutex_lock(&event->mmap_mutex);
	if (event->rb) {
		if (...) {
			...
		}

		if (...) {
			...
		}

		goto unlock; <- ret == 0, rb == NULL
	}

I had assumed, clearly mistakenly, that we would not reach the end of the
function with ret == 0 _and_ rb == NULL, since we need rb, or rather
event->rb to do anything.

I think the correct thing to do here, since we assign rb with rb_alloc()
but do an rcu assignment to event->rb for some reason (possibly now not
necessary actually), is to just add an rb = event->rb here.

Will send a v3.

Thanks!

>
> > "
> >
> > All detailed info can be found at:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/241204_084442_perf_mmap_to_page
> > Syzkaller repro code:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/241204_084442_perf_mmap_to_page/repro.c
> > Syzkaller repro syscall steps:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/241204_084442_perf_mmap_to_page/repro.prog
> > Syzkaller report:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/241204_084442_perf_mmap_to_page/repro.report
> > Kconfig(make olddefconfig):
> > https://github.com/laifryiee/syzkaller_logs/tree/main/241204_084442_perf_mmap_to_page/kconfig_origin
> > Bisect info:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/241204_084442_perf_mmap_to_page/bisect_info.log
> > bzImage:
> > https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/241204_084442_perf_mmap_to_page/bzImage_c245a7a79602ccbee780c004c1e4abcda66aec32
> > Issue dmesg:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/241204_084442_perf_mmap_to_page/c245a7a79602ccbee780c004c1e4abcda66aec32_dmesg.log
> >
> > "
> > [   22.133358] KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
> > [   22.133907] CPU: 0 UID: 0 PID: 727 Comm: repro Not tainted 6.13.0-rc1-next-20241203-c245a7a79602 #1
> > [   22.134557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> > [   22.135371] RIP: 0010:perf_mmap_to_page+0x39/0x500
> > [   22.135763] Code: 41 56 41 55 41 54 49 89 f4 53 48 89 fb e8 3f 5f c2 ff 48 8d bb 78 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e9 03 00 00 4c 63 ab 78 01 00
> > [   22.137075] RSP: 0018:ffff888020f0f798 EFLAGS: 00010202
> > [   22.137465] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
> > [   22.137980] RDX: 000000000000002f RSI: ffffffff81a5ccf1 RDI: 0000000000000178
> > [   22.138495] RBP: ffff888020f0f7c0 R08: 0000000000000001 R09: ffffed10025fbdb0
> > [   22.139012] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
> > [   22.139530] R13: 0000000000000000 R14: 0000000020002000 R15: ffff888011cce3c0
> > [   22.140047] FS:  00007f7f57f30600(0000) GS:ffff88806c400000(0000) knlGS:0000000000000000
> > [   22.140630] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   22.141052] CR2: 00000000200000c0 CR3: 0000000014e10004 CR4: 0000000000770ef0
> > [   22.141570] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [   22.142088] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
> > [   22.142606] PKRU: 55555554
> > [   22.142815] Call Trace:
> > [   22.143005]  <TASK>
> > [   22.143173]  ? show_regs+0x6d/0x80
> > [   22.143455]  ? die_addr+0x45/0xb0
> > [   22.143720]  ? exc_general_protection+0x1ae/0x340
> > [   22.144102]  ? asm_exc_general_protection+0x2b/0x30
> > [   22.144486]  ? perf_mmap_to_page+0x21/0x500
> > [   22.144810]  ? perf_mmap_to_page+0x39/0x500
> > [   22.145130]  ? perf_mmap_to_page+0x21/0x500
> > [   22.145448]  perf_mmap+0xbd9/0x1ce0
> > [   22.145729]  __mmap_region+0x10e7/0x25a0
> > [   22.146038]  ? __pfx___mmap_region+0x10/0x10
> > [   22.146376]  ? mark_lock.part.0+0xf3/0x17b0
> > [   22.146712]  ? __pfx_mark_lock.part.0+0x10/0x10
> > [   22.147071]  ? __kasan_check_read+0x15/0x20
> > [   22.147403]  ? mark_lock.part.0+0xf3/0x17b0
> > [   22.147744]  ? __sanitizer_cov_trace_const_cmp1+0x1e/0x30
> > [   22.148162]  ? trace_cap_capable+0x78/0x1e0
> > [   22.148500]  ? cap_capable+0xa4/0x250
> > [   22.148792]  mmap_region+0x248/0x2f0
> > [   22.149086]  do_mmap+0xb29/0x12a0
> > [   22.149355]  ? __pfx_do_mmap+0x10/0x10
> > [   22.149651]  ? __pfx_down_write_killable+0x10/0x10
> > [   22.150027]  ? __this_cpu_preempt_check+0x21/0x30
> > [   22.150393]  vm_mmap_pgoff+0x235/0x3e0
> > [   22.150699]  ? __pfx_vm_mmap_pgoff+0x10/0x10
> > [   22.151037]  ? __fget_files+0x1fb/0x3a0
> > [   22.151352]  ksys_mmap_pgoff+0x3dc/0x520
> > [   22.151664]  __x64_sys_mmap+0x139/0x1d0
> > [   22.151975]  x64_sys_call+0x2001/0x2140
> > [   22.152283]  do_syscall_64+0x6d/0x140
> > [   22.152572]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > [   22.152960] RIP: 0033:0x7f7f57c3ee5d
> > [   22.153251] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
> > [   22.154593] RSP: 002b:00007ffd805489f8 EFLAGS: 00000212 ORIG_RAX: 0000000000000009
> > [   22.155156] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7f57c3ee5d
> > [   22.155683] RDX: 0000000000000000 RSI: 0000000000001000 RDI: 0000000020002000
> > [   22.156210] RBP: 00007ffd80548a20 R08: 0000000000000003 R09: 0000000000000000
> > [   22.156739] R10: 0000000000006053 R11: 0000000000000212 R12: 00007ffd80548b38
> > [   22.157263] R13: 0000000000401126 R14: 0000000000403e08 R15: 00007f7f57f77000
> > [   22.157799]  </TASK>
> > [   22.157975] Modules linked in:
> > [   22.158322] ---[ end trace 0000000000000000 ]---
> > [   22.158694] RIP: 0010:perf_mmap_to_page+0x39/0x500
> > [   22.159061] Code: 41 56 41 55 41 54 49 89 f4 53 48 89 fb e8 3f 5f c2 ff 48 8d bb 78 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e e9 03 00 00 4c 63 ab 78 01 00
> > [   22.160388] RSP: 0018:ffff888020f0f798 EFLAGS: 00010202
> > [   22.160782] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: dffffc0000000000
> > [   22.161304] RDX: 000000000000002f RSI: ffffffff81a5ccf1 RDI: 0000000000000178
> > [   22.161824] RBP: ffff888020f0f7c0 R08: 0000000000000001 R09: ffffed10025fbdb0
> > [   22.162344] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
> > [   22.162877] R13: 0000000000000000 R14: 0000000020002000 R15: ffff888011cce3c0
> > [   22.163403] FS:  00007f7f57f30600(0000) GS:ffff88806c400000(0000) knlGS:0000000000000000
> > [   22.163988] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   22.164417] CR2: 00000000200000c0 CR3: 0000000014e10004 CR4: 0000000000770ef0
> > [   22.165409] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [   22.165956] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
> > [   22.166918] PKRU: 55555554
> > "
> >
> > I hope you find it useful.
> >
> > Regards,
> > Yi Lai
> >
> > ---
> >
> > If you don't need the following environment to reproduce the problem, or if you
> > already have a reproduction environment, please ignore the following information.
> >
> > How to reproduce:
> > git clone https://gitlab.com/xupengfe/repro_vm_env.git
> > cd repro_vm_env
> > tar -xvf repro_vm_env.tar.gz
> > cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
> >   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
> >   // You could change the bzImage_xxx as you want
> >   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
> > You can use the command below to log in; there is no password for root.
> > ssh -p 10023 root@...alhost
> >
> > After logging in to the VM (virtual machine) successfully, you can transfer the reproducer
> > binary to the VM as shown below, and reproduce the problem in the VM:
> > gcc -pthread -o repro repro.c
> > scp -P 10023 repro root@...alhost:/root/
> >
> > Get the bzImage for target kernel:
> > Please use target kconfig and copy it to kernel_src/.config
> > make olddefconfig
> > make -jx bzImage           //x should be equal to or less than the number of CPUs your PC has
> >
> > Put the bzImage file into the start3.sh above to load the target kernel in the VM.
> >
> >
> > Tips:
> > If you already have qemu-system-x86_64, please ignore the info below.
> > If you want to install qemu v7.1.0 version:
> > git clone https://github.com/qemu/qemu.git
> > cd qemu
> > git checkout -f v7.1.0
> > mkdir build
> > cd build
> > yum install -y ninja-build.x86_64
> > yum -y install libslirp-devel.x86_64
> > ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
> > make
> > make install
> >
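The control-flow shape Lorenzo describes (a local `rb` that is only assigned on the allocation branch, an early `goto unlock` with `ret == 0`, and new tail code that now depends on `rb`) as an added, self-contained C model. This is illustration code, not kernel code and not the patch under discussion: every name (`model_event`, `model_rb`, `model_mmap`, `second_mmap_outcome`) is a hypothetical stand-in for `struct perf_event`, `struct perf_buffer` and `perf_mmap()`, locking and RCU are omitted, and the `event->rb` already being populated is modelled by an earlier `mmap()` of the same event, which is one way to reach that path; the mail does not say which route the syzkaller reproducer takes. The `fixed` flag models the one-line change Lorenzo says v3 will carry (`rb = event->rb` on the early-out path). The KASAN line in the report (`null-ptr-deref in range [0x178-0x17f]`, `RDI: 0x178`) is consistent with reading a field at offset 0x178 through a NULL buffer pointer, which is the tail-of-function dereference the model checks for instead of performing.

```c
/*
 * Added illustration, not kernel code: a cut-down model of the control flow
 * described in the mail above. All identifiers are hypothetical stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct model_rb {
    long nr_pages;          /* pages the tail would map in advance */
};

struct model_event {
    struct model_rb *rb;    /* stands in for event->rb */
};

enum mmap_outcome {
    MAPPED = 0,             /* ret == 0 and rb valid: tail mapped the pages */
    NULL_RB_AT_TAIL,        /* ret == 0 but rb == NULL: the reported crash */
    ALLOC_FAILED,           /* ret != 0: tail is skipped, no rb needed */
};

/* The "map pages in advance" tail needs a valid rb; with rb == NULL this
 * would be the null-ptr-deref KASAN reported. */
static long map_pages_in_advance(struct model_rb *rb)
{
    return rb->nr_pages;    /* one perf_mmap_to_page() per page in the kernel */
}

/* fixed == 0 models the patch as posted; fixed == 1 models adding
 * "rb = event->rb" on the early-out path. */
static enum mmap_outcome model_mmap(struct model_event *event,
                                    unsigned long vm_pgoff, int fixed)
{
    struct model_rb *rb = NULL;     /* meant as an alias for event->rb ... */
    int ret = 0;

    if (vm_pgoff != 0)
        rb = event->rb;             /* AUX path assigns it; pgoff == 0 does not */

    /* 'again:' in the kernel. A first mmap() takes the allocation branch; a
     * later one finds event->rb already set and leaves with ret == 0. */
    if (event->rb) {
        if (fixed)
            rb = event->rb;         /* make the local alias the event's buffer */
        goto unlock;                /* ret == 0, and without the fix rb == NULL */
    }

    rb = malloc(sizeof(*rb));       /* rb_alloc() in the kernel */
    if (!rb) {
        ret = -ENOMEM;
        goto unlock;
    }
    rb->nr_pages = 1;
    event->rb = rb;                 /* rcu_assign_pointer(event->rb, rb) */

unlock:
    if (ret)
        return ALLOC_FAILED;

    /* Invariant the tail relies on: ret == 0 implies rb != NULL. Report the
     * violation rather than dereferencing, so the model can be checked. */
    if (!rb)
        return NULL_RB_AT_TAIL;

    (void)map_pages_in_advance(rb);
    return MAPPED;
}

/* Two mmap() calls with vm_pgoff == 0 on the same event; returns the outcome
 * of the second, which is the one that reaches the early-out path. */
static enum mmap_outcome second_mmap_outcome(int fixed)
{
    struct model_event event = { .rb = NULL };
    enum mmap_outcome first = model_mmap(&event, 0, fixed);
    enum mmap_outcome second = (first == MAPPED) ? model_mmap(&event, 0, fixed)
                                                 : first;
    free(event.rb);
    return second;
}

int main(void)
{
    printf("unfixed: second mmap -> %s\n",
           second_mmap_outcome(0) == NULL_RB_AT_TAIL ? "rb == NULL at tail"
                                                     : "ok");
    printf("fixed:   second mmap -> %s\n",
           second_mmap_outcome(1) == MAPPED ? "ok" : "still broken");
    return 0;
}
```

The lesson for review is the one Lorenzo draws himself: a local that is "just an alias" for a field stops being one as soon as any path leaves it unassigned, and code appended at the end of a long function inherits every such path. Checking the invariant (`ret == 0` implies `rb != NULL`) at the `unlock` label, or assigning the alias from the field on every exit, removes the dependency on which branch was taken.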
