Re: fs: NULL deref in atime_needs_update

From: Dmitry Vyukov <dvyukov@google.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>,
	"Kostya Serebryany" <kcc@google.com>,
	"Alexander Potapenko" <glider@google.com>,
	"Sasha Levin" <sasha.levin@oracle.com>
Subject: Re: fs: NULL deref in atime_needs_update
Date: Sat, 20 Feb 2016 11:36:35 +0100	[thread overview]
Message-ID: <CACT4Y+aFS5UO6Xt=OmWaaa-jYO-vQS+tNoPeXpM_10FJ9J_t3w@mail.gmail.com> (raw)
In-Reply-To: <20160220032127.GA19926@ZenIV.linux.org.uk>

On Sat, Feb 20, 2016 at 4:21 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Fri, Feb 19, 2016 at 08:32:10PM +0100, Dmitry Vyukov wrote:
>> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
>
> NULL inode->i_sb, by the look of the offset, but I really don't understand
> where the hell is that code doing (or how is that instruction going to
> generate dereferencing of 0x50, for that matter).
>
>> I've hit another GPF in atime_needs_update, but this time from SyS_openat:
>>
>> kasan: GPF could be caused by NULL-ptr deref or user memory
>> accessgeneral protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
>> Modules linked in:
>> CPU: 0 PID: 20147 Comm: syz-executor Not tainted 4.5.0-rc4+ #329
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>> task: ffff88005f154740 ti: ffff88005f048000 task.ti: ffff88005f048000
>> RIP: 0010:[<ffffffff81818b5d>]  [<ffffffff81818b5d>]
>> atime_needs_update+0x2d/0x460
>> RSP: 0018:ffff88005f04fa48  EFLAGS: 00010203
>> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88005f04fd88
>> RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000000000000c
>> RBP: ffff88005f04fa70 R08: 0000000000000001 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000001 R12: ffff88005f04fd98
>> R13: 0000000000000000 R14: ffff88005f04fd98 R15: ffff88005f04fd78
>> FS:  00007f612639b700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>> CR2: 000000002003ef84 CR3: 000000006073e000 CR4: 00000000000006f0
>> Stack:
>>  ffff88005f04fd40 ffff88005f04fe08 0000000000000000 ffff88005f04fd98
>>  ffff88005f04fd78 ffff88005f04fab8 ffffffff817e5572 ffff88005f04fd78
>>  ffff88002bcf02f8 0000000000000001 0000000000000000 ffff88002bcf02f8
>> Call Trace:
>>  [<     inline     >] get_link fs/namei.c:1006
>>  [<ffffffff817e5572>] trailing_symlink+0x142/0x760 fs/namei.c:2094
>>  [<ffffffff817ec531>] path_openat+0xbc1/0x5e30 fs/namei.c:3389
>>  [<ffffffff817f4fde>] do_filp_open+0x18e/0x250 fs/namei.c:3421
>>  [<ffffffff817b970c>] do_sys_open+0x1fc/0x420 fs/open.c:1022
>>  [<     inline     >] SYSC_openat fs/open.c:1049
>>  [<ffffffff817b99a0>] SyS_openat+0x30/0x40 fs/open.c:1043
>>  [<ffffffff86662636>] entry_SYSCALL_64_fastpath+0x16/0x7a
>> arch/x86/entry/entry_64.S:185
>> Code: 89 e5 41 57 41 56 41 55 41 54 49 89 fc 53 48 89 f3 e8 c8 32 d5
>> ff 48 8d 7b 0c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
>> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
>> RIP  [<ffffffff81818b5d>] atime_needs_update+0x2d/0x460 fs/inode.c:1611
>>  RSP <ffff88005f04fa48>
>
> What was the fault address here and what config are you using for those
> builds?

This is with CONFIG_KASAN. GPF happens on shadow check for NULL
address. In both cases:
RAX: dffffc0000000000
RDX: 0000000000000001
where dffffc0000000000 is shadow base and 0000000000000001 is offset.
So the original memory access was to range [8-16) (i.e. NULL with
small offset).