| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190306094736.GN25100@shao2-debian>
Date: Wed, 6 Mar 2019 17:47:36 +0800
From: kernel test robot <rong.a.chen@...el.com>
To: David Windsor <dave@...lcore.net>
Cc: Kees Cook <keescook@...omium.org>, linux-sctp@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
LKP <lkp@...org>
Subject: [LKP] ab9ee8e38b [ 1.978635] WARNING: CPU: 1 PID: 1 at
arch/x86/mm/dump_pagetables.c:237 note_page
Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
commit ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012
Author: David Windsor <dave@...lcore.net>
AuthorDate: Thu Aug 24 16:57:57 2017 -0700
Commit: Kees Cook <keescook@...omium.org>
CommitDate: Mon Jan 15 12:08:00 2018 -0800
sctp: Define usercopy region in SCTP proto slab cache
The SCTP socket event notification subscription information need to be
copied to/from userspace. In support of usercopy hardening, this patch
defines a region in the struct proto slab cache in which userspace copy
operations are allowed. Additionally moves the usercopy fields to be
adjacent for the region to cover both.
example usage trace:
net/sctp/socket.c:
sctp_getsockopt_events(...):
...
copy_to_user(..., &sctp_sk(sk)->subscribe, len)
sctp_setsockopt_events(...):
...
copy_from_user(&sctp_sk(sk)->subscribe, ..., optlen)
sctp_getsockopt_initmsg(...):
...
copy_to_user(..., &sctp_sk(sk)->initmsg, len)
This region is known as the slab cache's usercopy region. Slab caches
can now check that each dynamically sized copy operation involving
cache-managed memory falls entirely within the slab's usercopy region.
This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor <dave@...lcore.net>
[kees: split from network patch, move struct members adjacent]
[kees: add SCTPv6 struct whitelist, provide usage trace]
Cc: Vlad Yasevich <vyasevich@...il.com>
Cc: Neil Horman <nhorman@...driver.com>
Cc: "David S. Miller" <davem@...emloft.net>
Cc: linux-sctp@...r.kernel.org
Cc: netdev@...r.kernel.org
Signed-off-by: Kees Cook <keescook@...omium.org>
93070d339d caif: Define usercopy region in caif proto slab cache
ab9ee8e38b sctp: Define usercopy region in SCTP proto slab cache
3717f613f4 Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
baf5a9d1f9 Add linux-next specific files for 20190305
+------------------------------------------------------------------+------------+------------+------------+---------------+
| | 93070d339d | ab9ee8e38b | 3717f613f4 | next-20190305 |
+------------------------------------------------------------------+------------+------------+------------+---------------+
| boot_successes | 0 | 0 | 15 | 12 |
| boot_failures | 113 | 28 | 13 | 17 |
| WARNING:at_arch/x86/mm/dump_pagetables.c:#note_page/0x | 113 | 28 | | |
| EIP:note_page | 113 | 28 | | |
| Mem-Info | 8 | 1 | | |
| EIP:__put_user_4 | 2 | | | |
| invoked_oom-killer:gfp_mask=0x | 3 | | | |
| Out_of_memory:Kill_process | 1 | | | |
| Kernel_panic-not_syncing:Out_of_memory_and_no_killable_processes | 1 | | | |
| WARNING:at_drivers/pci/pci-sysfs.c:#pci_mmap_resource/0x | 1 | | | |
| EIP:pci_mmap_resource | 1 | | | |
| kernel_BUG_at_mm/usercopy.c | 0 | 12 | 8 | 8 |
| invalid_opcode:#[##] | 0 | 11 | 7 | 8 |
| EIP:usercopy_abort | 0 | 11 | 9 | 11 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 9 | 7 | 10 |
| INFO:task_blocked_for_more_than#seconds | 0 | 0 | 3 | 6 |
| EIP:kvm_guest_apic_eoi_write | 0 | 0 | 1 | |
| EIP:default_idle | 0 | 0 | 1 | |
| Kernel_panic-not_syncing:hung_task:blocked_tasks | 0 | 0 | 3 | 6 |
| EIP:entry_INT80_32 | 0 | 0 | 1 | |
| Kernel_panic-not_syncing:F00atal_exception | 0 | 0 | 0 | 1 |
| EIP:ftrace_likely_update | 0 | 0 | 0 | 1 |
+------------------------------------------------------------------+------------+------------+------------+---------------+
[ 1.973317] Write protecting the kernel text: 13604k
[ 1.974554] Write protecting the kernel read-only data: 6456k
[ 1.975309] NX-protecting the kernel data: 13020k
[ 1.977070] ------------[ cut here ]------------
[ 1.977686] x86/mm: Found insecure W+X mapping at address e6a471ee/0xc00a0000
[ 1.978635] WARNING: CPU: 1 PID: 1 at arch/x86/mm/dump_pagetables.c:237 note_page+0xc72/0xf30
[ 1.979966] Modules linked in:
[ 1.980379] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00026-gab9ee8e #1
[ 1.981347] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 1.982415] task: 86b07168 task.stack: 2d7a3635
[ 1.983008] EIP: note_page+0xc72/0xf30
[ 1.983498] EFLAGS: 00210286 CPU: 1
[ 1.983959] EAX: 00000041 EBX: 00000000 ECX: 00000000 EDX: 00000000
[ 1.984872] ESI: c012df38 EDI: 80000000 EBP: c012defc ESP: c012debc
[ 1.985683] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 1.986386] CR0: 80050033 CR2: ffffffff CR3: 02a05000 CR4: 003406b0
[ 1.987195] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 1.988003] DR6: fffe0ff0 DR7: 00000400
[ 1.988505] Call Trace:
[ 1.988837] ptdump_walk_pgd_level_core+0x3be/0x470
[ 1.989474] ptdump_walk_pgd_level_checkwx+0x16/0x20
[ 1.990125] mark_rodata_ro+0x109/0x140
[ 1.990630] ? rest_init+0x230/0x230
[ 1.991103] kernel_init+0x40/0x1a0
[ 1.991562] ? schedule_tail_wrapper+0x9/0xc
[ 1.992213] ? rest_init+0x230/0x230
[ 1.992696] ret_from_fork+0x19/0x24
[ 1.993185] Code: c2 01 c7 04 24 01 00 00 00 e8 bb d0 16 00 8b 46 0c ff 05 8c 7d 50 c2 89 44 24 08 89 44 24 04 c7 04 24 88 fd 25 c2 e8 6e 11 01 00 <0f> ff 31 c9 ba 01 00 00 00 b8 38 df 48 c2 c7 04 24 01 00 00 00
[ 1.995747] ---[ end trace 303490e4e1917754 ]---
[ 1.998068] x86/mm: Checked W+X mappings: FAILED, 96 W+X pages found.
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start v4.16 v4.15 --
git bisect bad 1388c80438e69fc01d83fbe98da3cac24c3c8731 # 10:59 B 1 1 1 1 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 4bf772b14675411a69b3c807f73006de0fe4b649 # 11:23 G 28 0 28 28 Merge tag 'drm-for-v4.16' of git://people.freedesktop.org/~airlied/linux
git bisect bad 7e6127c1240ed569cdda2a67c8f03836f9f28c05 # 11:44 B 3 11 3 3 Merge tag 'linux-watchdog-4.16-rc1' of git://www.linux-watchdog.org/linux-watchdog
git bisect bad 567af7fc9d87df3228ef59864f77fe100ec0cee3 # 12:01 B 0 2 17 0 pinctrl: files should directly include apis they use
git bisect good 1726aa70e7e2f8967d60b4f836723b61f97db73e # 12:17 G 27 0 27 27 Merge branch 'fixes-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
git bisect bad 4141cf676b9e345d3ddeb1710dd3156a09c50244 # 12:39 B 2 6 2 2 Merge branch 'i2c/for-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
git bisect good 0771ad44a20bc512d1123bac728d3a89ea6febe6 # 12:53 G 28 0 28 28 Merge tag 'pstore-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect bad 617aebe6a97efa539cc4b8a52adccd89596e6be0 # 13:10 B 4 7 4 4 Merge tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
git bisect good df5f3cfc52fec828af92444bf02ad8fd4e4c59e3 # 13:36 G 28 0 28 28 ufs: Define usercopy region in ufs_inode_cache slab cache
git bisect bad 07dcd7fe89938934ddad65f738bc5aac89b8e54d # 13:59 B 0 5 20 0 fork: Define usercopy region in mm_struct slab caches
git bisect good 8c2bc895a9347846b33c47124a75db624aa83677 # 14:10 G 28 0 28 28 ip: Define usercopy region in IP proto slab cache
git bisect bad ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012 # 14:22 B 1 3 1 1 sctp: Define usercopy region in SCTP proto slab cache
git bisect good 93070d339d7bc6f6b07b64faf5134fd144e8ec48 # 14:38 G 28 0 28 28 caif: Define usercopy region in caif proto slab cache
# first bad commit: [ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012] sctp: Define usercopy region in SCTP proto slab cache
git bisect good 93070d339d7bc6f6b07b64faf5134fd144e8ec48 # 14:42 G 81 0 81 109 caif: Define usercopy region in caif proto slab cache
# extra tests with debug options
git bisect bad ab9ee8e38b292f9a6698a4fedbb6ff8d08ce2012 # 14:50 B 0 1 16 0 sctp: Define usercopy region in SCTP proto slab cache
# extra tests on HEAD of linux-devel/devel-hourly-2019030523
git bisect bad ceb3e480165118da2ede5eb7dfaf922ce034dec0 # 14:50 B 9 3 0 3 0day head guard for 'devel-hourly-2019030523'
# extra tests on tree/branch linus/master
git bisect bad 3717f613f48df0222311f974cf8a06c8a6c97bae # 15:05 B 0 1 16 0 Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
# extra tests on tree/branch linux-next/master
git bisect bad baf5a9d1f9b95eb97e9eb54932e20dbbf814771c # 15:50 B 17 11 7 7 Add linux-next specific files for 20190305
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation
Download attachment "dmesg-yocto-vm-yocto-107:20190306142158:i386-randconfig-b0-03060220:4.15.0-rc2-00026-gab9ee8e:1.gz" of type "application/gzip" (13124 bytes)
Download attachment "dmesg-yocto-vm-yocto-101:20190306143947:i386-randconfig-b0-03060220:4.15.0-rc2-00025-g93070d3:2.gz" of type "application/gzip" (17928 bytes)
View attachment "reproduce-yocto-vm-yocto-107:20190306142158:i386-randconfig-b0-03060220:4.15.0-rc2-00026-gab9ee8e:1" of type "text/plain" (920 bytes)
View attachment "config-4.15.0-rc2-00026-gab9ee8e" of type "text/plain" (125078 bytes)
Powered by blists - more mailing lists