| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKHoSAsMYWOYfqw6h74cEzucg1vGZaY4ShT3e35NnX2v_Ro04w@mail.gmail.com> Date: Fri, 3 Jan 2025 15:25:01 +0800 From: cheung wall <zzqq0103.hey@...il.com> To: "Matthew Wilcox (Oracle)" <willy@...radead.org>, Andrew Morton <akpm@...ux-foundation.org> Cc: linux-fsdevel@...r.kernel.org, linux-mm@...ck.org, linux-kernel@...r.kernel.org Subject: "divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2 Hello, I am writing to report a potential vulnerability identified in the Linux Kernel version 6.13.0-rc2. This issue was discovered using our custom vulnerability discovery tool. HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2) Affected File: mm/page-writeback.c File: mm/page-writeback.c Function: bdi_set_min_bytes Detailed Call Stack: ------------[ cut here begin]------------ RIP: 0010:div64_u64 include/linux/math64.h:69 [inline] RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline] RIP: 0010:bdi_set_min_bytes+0x9f/0x1d0 mm/page-writeback.c:799 Code: ff 48 39 d8 0f 82 3b 01 00 00 e8 ac fd e7 ff 48 69 db 40 42 0f 00 48 8d 74 24 40 48 8d 7c 24 20 e8 c6 f1 ff ff 31 d2 48 89 d8 <48> f7 74 24 40 48 89 c3 3d 40 42 0f 00 0f 87 08 01 00 00 e8 79 fd RSP: 0018:ffff88810a5f7b60 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9c9ef057 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810a5f7ab8 RBP: 1ffff110214bef6c R08: 0000000000000000 R09: fffffbfff4081c7b R10: ffffffffa040e3df R11: 0000000000032001 R12: ffff888105c65000 R13: dffffc0000000000 R14: ffff888105c65000 R15: ffff888105c65800 FS: 00007fdfc7c37580(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055adcdc786c8 CR3: 0000000104128000 CR4: 0000000000350ef0 Call Trace: <TASK> min_bytes_store+0xba/0x120 mm/backing-dev.c:385 dev_attr_store+0x58/0x80 drivers/base/core.c:2439 sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139 kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334 new_sync_write fs/read_write.c:586 [inline] vfs_write+0x51e/0xc80 fs/read_write.c:679 ksys_write+0x110/0x200 fs/read_write.c:731 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdfc7b4d513 Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 RSP: 002b:00007ffe7796ae28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000055adcdc766c0 RCX: 00007fdfc7b4d513 RDX: 0000000000000002 RSI: 000055adcdc766c0 RDI: 0000000000000001 RBP: 0000000000000002 R08: 000055adcdc766c0 R09: 00007fdfc7c30be0 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000 ------------[ cut here end]------------ Root Cause: The crash is caused by a division by zero error within the Linux kernel's page-writeback subsystem. Specifically, the bdi_set_min_bytes function attempts to calculate a ratio using bdi_ratio_from_pages, which internally calls div64_u64. During this calculation, a denominator value unexpectedly becomes zero, likely due to improper handling or validation of input data provided through the sysfs interface during the min_bytes_store operation. This erroneous zero value leads to a divide error exception when the kernel tries to perform the division. The issue occurs while processing a sysfs write operation (min_bytes_store), suggesting that invalid or uninitialized data supplied through sysfs triggers the faulty calculation, ultimately causing the kernel to crash. Thank you for your time and attention. Best regards Wall
Powered by blists - more mailing lists