lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAKHoSAvOWKRXZaPd=rGc8crEiiFS+TC6GJoHT-gtRfaeusfv1Q@mail.gmail.com>
Date: Fri, 3 Jan 2025 15:21:43 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: "Matthew Wilcox (Oracle)" <willy@...radead.org>, Andrew Morton <akpm@...ux-foundation.org>
Cc: linux-fsdevel@...r.kernel.org, linux-mm@...ck.org, 
	linux-kernel@...r.kernel.org
Subject: "divide error in bdi_set_max_bytes" in Linux kernel version 6.13.0-rc2

Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 6.13.0-rc2. This issue was discovered using our
custom vulnerability discovery tool.

HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)

Affected File: mm/page-writeback.c

File: mm/page-writeback.c

Function: bdi_set_max_bytes

Detailed Call Stack:

------------[ cut here begin]------------

RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
RIP: 0010:bdi_set_max_bytes+0xa8/0x210 mm/page-writeback.c:818
Code: ff 48 39 d8 0f 82 50 01 00 00 e8 a3 fa e7 ff 48 69 db 40 42 0f
00 48 8d 74 24 48 48 8d 7c 24 28 e8 bd ee ff ff 31 d2 48 89 d8 <48> f7
74 24 48 48 89 c3 3d 40 42 0f 00 0f 87 1d 01 00 00 e8 70 fa
loop6: detected capacity change from 0 to 1024
RSP: 0018:ffff888002287b58 EFLAGS: 00010246
RAX: 0000000000e4e1c0 RBX: 0000000000e4e1c0 RCX: ffffffff91bef057
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888002287ab0
RBP: 1ffff11000450f6c R08: 0000000000000000 R09: fffffbfff2ac1c7b
R10: ffffffff9560e3df R11: 0000000000032001 R12: ffff888105e59800
R13: dffffc0000000000 R14: ffff888105e59800 R15: ffff888105e5a000
FS: 00002ae5bb0df580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000562ba473e6b8 CR3: 0000000104c2e000 CR4: 0000000000350ef0
loop0: p1 p2 p3
Oops: divide error: 0000 [#2] PREEMPT SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 72912 Comm: sh Tainted: G UD
6.13.0-rc2-00159-gf932fb9b4074 #1
Tainted: [U]=USER, [D]=DIE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
RIP: 0010:bdi_set_max_bytes+0xa8/0x210 mm/page-writeback.c:818
Code: ff 48 39 d8 0f 82 50 01 00 00 e8 a3 fa e7 ff 48 69 db 40 42 0f
00 48 8d 74 24 48 48 8d 7c 24 28 e8 bd ee ff ff 31 d2 48 89 d8 <48> f7
74 24 48 48 89 c3 3d 40 42 0f 00 0f 87 1d 01 00 00 e8 70 fa
RSP: 0018:ffff88810ff5fb58 EFLAGS: 00010246
RAX: 00000010e1d04700 RBX: 00000010e1d04700 RCX: ffffffff91bef057
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810ff5fab0
RBP: 1ffff11021febf6c R08: 0000000000000000 R09: fffffbfff2ac1c7b
R10: ffffffff9560e3df R11: 0000000000032001 R12: ffff888105e59800
R13: dffffc0000000000 R14: ffff888105e59800 R15: ffff888105e5a000
FS: 00002ac2e58dc580(0000) GS:ffff88811b380000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056026cd446b8 CR3: 00000001111da000 CR4: 0000000000350ef0
Call Trace:
<TASK>
max_bytes_store+0xba/0x120 mm/backing-dev.c:413
dev_attr_store+0x58/0x80 drivers/base/core.c:2439
sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x51e/0xc80 fs/read_write.c:679
ksys_write+0x110/0x200 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x2ac2e59c8513
Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f
1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffdacd3fb18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000056026cd426b0 RCX: 00002ac2e59c8513
RDX: 000000000000000a RSI: 000056026cd426b0 RDI: 0000000000000001
RBP: 000000000000000a R08: 000056026cd426b0 R09: 00002ac2e5aabbe0
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
R13: 000000000000000a R14: 7fffffffffffffff R15: 0000000000000000
</TASK>

------------[ cut here end]------------

Root Cause:

The crash is caused by a division by zero error within the Linux
kernel's page-writeback subsystem. Specifically, the bdi_set_max_bytes
function attempts to calculate a ratio using bdi_ratio_from_pages,
which internally calls div64_u64. During this calculation, a
denominator value unexpectedly becomes zero, likely due to an improper
handling of a capacity change from 0 to 1024 bytes as indicated by the
log message "loop6: detected capacity change from 0 to 1024". This
erroneous zero value leads to the divide error exception when the
kernel tries to perform the division operation. The issue occurs while
processing a sysfs write operation (max_bytes_store), suggesting that
invalid or uninitialized data provided through the sysfs interface
triggers the faulty calculation, ultimately causing the kernel to
crash.

Thank you for your time and attention.

Best regards

Wall

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ