* Re: Fw: WARNING: bad usercopy in fanotify_read
[not found] <20190311163004.68f936ab4119a7e8dd272f59@linux-foundation.org>
@ 2019-03-12 11:45 ` Jan Kara
2019-03-12 12:59 ` Amir Goldstein
0 siblings, 1 reply; 3+ messages in thread
From: Jan Kara @ 2019-03-12 11:45 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, Andrew Morton, linux-fsdevel
[-- Attachment #1: Type: text/plain, Size: 5310 bytes --]
Thanks for forwarding Andrew!
On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> fyi
>
> Begin forwarded message:
>
> Date: Mon, 11 Mar 2019 13:42:06 -0700
> From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> Subject: WARNING: bad usercopy in fanotify_read
>
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> userspace arch: amd64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> from SLAB object 'fanotify_event' (offset 40, size 8)!
> WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
> mm/usercopy.c:78
Yeah, right. We need to create fanotify_event cache so that copying of
fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
with a possible slab pointer so that won't be protected from leaking but
life is not perfect. Amir, something like attached patch?
Honza
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 7649 Comm: syz-executor381 Not tainted 5.0.0+ #17
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> panic+0x2cb/0x65c kernel/panic.c:214
> __warn.cold+0x20/0x45 kernel/panic.c:571
> report_bug+0x263/0x2b0 lib/bug.c:186
> fixup_bug arch/x86/kernel/traps.c:179 [inline]
> fixup_bug arch/x86/kernel/traps.c:174 [inline]
> do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
> do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
> invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> RIP: 0010:usercopy_warn+0xeb/0x110 mm/usercopy.c:78
> Code: c8 e8 d9 88 c0 ff 4c 8b 45 c0 4d 89 e9 4c 89 e1 48 8b 55 c8 41 57 48
> 89 de 48 c7 c7 e0 dc 74 87 ff 75 d0 41 56 e8 03 4b 93 ff <0f> 0b 48 83 c4
> 18 e9 46 ff ff ff 49 c7 c5 e0 da 74 87 4d 89 ee 4d
> RSP: 0018:ffff8880a417fb18 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: ffffffff8774dca0 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff815ad7b6 RDI: ffffed101482ff55
> RBP: ffff8880a417fb70 R08: ffff888088d78580 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8859408d
> R13: ffffffff8775d500 R14: ffffffff8774db20 R15: 0000000000000008
> __check_heap_object+0x88/0xb3 mm/slab.c:4453
> check_heap_object mm/usercopy.c:238 [inline]
> __check_object_size mm/usercopy.c:284 [inline]
> __check_object_size+0x342/0x42f mm/usercopy.c:254
> check_object_size include/linux/thread_info.h:119 [inline]
> check_copy_size include/linux/thread_info.h:150 [inline]
> copy_to_user include/linux/uaccess.h:151 [inline]
> copy_fid_to_user fs/notify/fanotify/fanotify_user.c:236 [inline]
> copy_event_to_user fs/notify/fanotify/fanotify_user.c:294 [inline]
> fanotify_read+0xde0/0x1430 fs/notify/fanotify/fanotify_user.c:362
> __vfs_read+0x8d/0x110 fs/read_write.c:416
> vfs_read+0x194/0x3e0 fs/read_write.c:452
> ksys_read+0xea/0x1f0 fs/read_write.c:578
> __do_sys_read fs/read_write.c:588 [inline]
> __se_sys_read fs/read_write.c:586 [inline]
> __x64_sys_read+0x73/0xb0 fs/read_write.c:586
> do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
> entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4456b9
> Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fb296f31db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004456b9
> RDX: 000000000000006b RSI: 0000000020000000 RDI: 0000000000000004
> RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
> R13: 00007ffd8eb3d16f R14: 00007fb296f329c0 R15: 20c49ba5e353f7cf
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
[-- Attachment #2: 0001-fanotify-Allow-copying-of-file-handle-to-userspace.patch --]
[-- Type: text/x-patch, Size: 1419 bytes --]
From beb8c3a76f2740757fb1765f793bb394ad71c183 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Tue, 12 Mar 2019 12:42:37 +0100
Subject: [PATCH] fanotify: Allow copying of file handle to userspace
When file handle is embedded inside fanotify_event and usercopy checks
are enabled, we get a warning like:
Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
from SLAB object 'fanotify_event' (offset 40, size 8)!
WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
mm/usercopy.c:78
Annotate handling in fanotify_event properly to mark copying it to
userspace is fine.
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/notify/fanotify/fanotify_user.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 56992b32c6bb..84dbe1f1832c 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1092,7 +1092,8 @@ static int __init fanotify_user_setup(void)
fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
SLAB_PANIC|SLAB_ACCOUNT);
- fanotify_event_cachep = KMEM_CACHE(fanotify_event, SLAB_PANIC);
+ fanotify_event_cachep = KMEM_CACHE_USERCOPY(fanotify_event, SLAB_PANIC,
+ fid.fh);
if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS)) {
fanotify_perm_event_cachep =
KMEM_CACHE(fanotify_perm_event, SLAB_PANIC);
--
2.16.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: Fw: WARNING: bad usercopy in fanotify_read
2019-03-12 11:45 ` Fw: WARNING: bad usercopy in fanotify_read Jan Kara
@ 2019-03-12 12:59 ` Amir Goldstein
2019-03-12 16:35 ` Jan Kara
0 siblings, 1 reply; 3+ messages in thread
From: Amir Goldstein @ 2019-03-12 12:59 UTC (permalink / raw)
To: Jan Kara; +Cc: Andrew Morton, linux-fsdevel
On Tue, Mar 12, 2019 at 1:45 PM Jan Kara <jack@suse.cz> wrote:
>
> Thanks for forwarding Andrew!
>
> On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> > fyi
> >
> > Begin forwarded message:
> >
> > Date: Mon, 11 Mar 2019 13:42:06 -0700
> > From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> > To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> > Subject: WARNING: bad usercopy in fanotify_read
> >
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > userspace arch: amd64
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> > from SLAB object 'fanotify_event' (offset 40, size 8)!
> > WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
> > mm/usercopy.c:78
>
> Yeah, right. We need to create fanotify_event cache so that copying of
> fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
> with a possible slab pointer so that won't be protected from leaking but
> life is not perfect. Amir, something like attached patch?
I agree. We could do something like this, to first copy the inline fh
from slab to short stack buf:
static inline void *fanotify_fid_fh_user(struct fanotify_fid *fid,
unsigned int fh_len, char *fh_buf)
{
if (fh_len > FANOTIFY_INLINE_FH_LEN)
return fid->ext_fh;
memcpy(fh_buf, fid->fh, fh_len);
return fh_buf;
}
But I don't think we should bother.
Thanks,
Amir.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Fw: WARNING: bad usercopy in fanotify_read
2019-03-12 12:59 ` Amir Goldstein
@ 2019-03-12 16:35 ` Jan Kara
0 siblings, 0 replies; 3+ messages in thread
From: Jan Kara @ 2019-03-12 16:35 UTC (permalink / raw)
To: Amir Goldstein; +Cc: Jan Kara, Andrew Morton, linux-fsdevel
On Tue 12-03-19 14:59:27, Amir Goldstein wrote:
> On Tue, Mar 12, 2019 at 1:45 PM Jan Kara <jack@suse.cz> wrote:
> >
> > Thanks for forwarding Andrew!
> >
> > On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> > > fyi
> > >
> > > Begin forwarded message:
> > >
> > > Date: Mon, 11 Mar 2019 13:42:06 -0700
> > > From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> > > To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> > > Subject: WARNING: bad usercopy in fanotify_read
> > >
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit: 12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> > > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > > userspace arch: amd64
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
> > >
> > > ------------[ cut here ]------------
> > > Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> > > from SLAB object 'fanotify_event' (offset 40, size 8)!
> > > WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
> > > mm/usercopy.c:78
> >
> > Yeah, right. We need to create fanotify_event cache so that copying of
> > fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
> > with a possible slab pointer so that won't be protected from leaking but
> > life is not perfect. Amir, something like attached patch?
>
> I agree. We could do something like this, to first copy the inline fh
> from slab to short stack buf:
>
> static inline void *fanotify_fid_fh_user(struct fanotify_fid *fid,
> unsigned int fh_len, char *fh_buf)
> {
> if (fh_len > FANOTIFY_INLINE_FH_LEN)
> return fid->ext_fh;
> memcpy(fh_buf, fid->fh, fh_len);
> return fh_buf;
> }
>
> But I don't think we should bother.
OK, pushed my fix to my tree.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-03-12 16:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20190311163004.68f936ab4119a7e8dd272f59@linux-foundation.org>
2019-03-12 11:45 ` Fw: WARNING: bad usercopy in fanotify_read Jan Kara
2019-03-12 12:59 ` Amir Goldstein
2019-03-12 16:35 ` Jan Kara
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.