| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20251223-efi_fix_619-v1-0-e0146b8b9d73@debian.org>
Date: Tue, 23 Dec 2025 02:55:42 -0800
From: Breno Leitao <leitao@...ian.org>
To: Ard Biesheuvel <ardb@...nel.org>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>
Cc: linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, riel@...riel.com, puranjay@...nel.org,
usamaarif642@...il.com, Breno Leitao <leitao@...ian.org>,
kernel-team@...a.com
Subject: [PATCH 0/2] arm64: efi: Fix NULL pointer crash in 6.19-rc2
I am seeing the following crash on arm64 with 6.19-rc2 (commit 9448598b22c5
("Linux 6.19-rc2"))
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c8
Call trace:
cap_capable (security/commoncap.c:82 security/commoncap.c:128) (P)
security_capable (security/security.c:?)
ns_capable_noaudit (kernel/capability.c:342 kernel/capability.c:381)
__ptrace_may_access (./include/linux/rcupdate.h:895 kernel/ptrace.c:326)
ptrace_may_access (kernel/ptrace.c:353)
do_task_stat (fs/proc/array.c:467)
proc_tgid_stat (fs/proc/array.c:673)
proc_single_show (fs/proc/base.c:803)
seq_read_iter (fs/seq_file.c:209)
seq_read (./include/linux/ioprio.h:59 ./include/linux/ioprio.h:84 ./include/linux/fs.h:2177 fs/seq_file.c:158)
vfs_read (./arch/arm64/include/asm/uaccess.h:46 fs/read_write.c:560)
ksys_read (fs/read_write.c:705)
__arm64_sys_read (fs/read_write.c:722)
invoke_syscall (arch/arm64/kernel/syscall.c:46)
el0_svc_common+0x90/0xe0
do_el0_svc (arch/arm64/kernel/syscall.c:150)
el0_svc (arch/arm64/kernel/entry-common.c:724)
el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:743)
el0t_64_sync (arch/arm64/kernel/entry.S:596)
This was bissected to commit a5baf582f4 ("arm64/efi: Call EFI runtime services without
disabling preemption").
After the commit above, it crashes arm64 with a NULL pointer dereference in
cap_capable() when running below (ocassionally). Unfortunately I still don't
have a simple reproducer, and it takes about 10 minutes to crash on my systems.
it always crash with below[1] application.
>From my investigation, the root cause is that efi_mm lacks user_ns
initialization. When kthread_use_mm(&efi_mm) temporarily adopts efi_mm
for EFI calls, LSM hooks expect mm->user_ns to be valid for credential
checks. With it being NULL, capability checks crash.
This series contains two patches:
1. efi: Initialize efi_mm.user_ns to &init_user_ns (the actual fix)
2. kthread: Add WARN_ON_ONCE() to catch similar bugs early (RFC)
The second patch is mostly an RFC that adds a warning in
kthread_use_mm() to detect any mm_struct missing user_ns initialization,
helping prevent similar NULL pointer crashes in the future.
Link: https://github.com/facebookincubator/below [1]
Signed-off-by: Breno Leitao <leitao@...ian.org>
---
Breno Leitao (2):
arm64: efi: Fix NULL pointer dereference by initializing user_ns
kthread: Warn if mm_struct lacks user_ns in kthread_use_mm()
drivers/firmware/efi/efi.c | 1 +
kernel/kthread.c | 1 +
2 files changed, 2 insertions(+)
---
base-commit: 9448598b22c50c8a5bb77a9103e2d49f134c9578
change-id: 20251223-efi_fix_619-3891ca7d2914
Best regards,
--
Breno Leitao <leitao@...ian.org>
Powered by blists - more mailing lists