Re: Fw: WARNING: bad usercopy in fanotify_read

Re: Fw: WARNING: bad usercopy in fanotify_read

[Jan Kara]

[-- Attachment #1: Type: text/plain, Size: 5310 bytes --]

Thanks for forwarding Andrew!

On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> fyi
> 
> Begin forwarded message:
> 
> Date: Mon, 11 Mar 2019 13:42:06 -0700
> From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> Subject: WARNING: bad usercopy in fanotify_read
> 
> 
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> userspace arch: amd64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> Bad or missing usercopy whitelist? Kernel memory exposure attempt detected  
> from SLAB object 'fanotify_event' (offset 40, size 8)!
> WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110  
> mm/usercopy.c:78

Yeah, right. We need to create fanotify_event cache so that copying of
fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
with a possible slab pointer so that won't be protected from leaking but
life is not perfect. Amir, something like attached patch?

								Honza


> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 7649 Comm: syz-executor381 Not tainted 5.0.0+ #17
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x172/0x1f0 lib/dump_stack.c:113
>   panic+0x2cb/0x65c kernel/panic.c:214
>   __warn.cold+0x20/0x45 kernel/panic.c:571
>   report_bug+0x263/0x2b0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
>   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> RIP: 0010:usercopy_warn+0xeb/0x110 mm/usercopy.c:78
> Code: c8 e8 d9 88 c0 ff 4c 8b 45 c0 4d 89 e9 4c 89 e1 48 8b 55 c8 41 57 48  
> 89 de 48 c7 c7 e0 dc 74 87 ff 75 d0 41 56 e8 03 4b 93 ff <0f> 0b 48 83 c4  
> 18 e9 46 ff ff ff 49 c7 c5 e0 da 74 87 4d 89 ee 4d
> RSP: 0018:ffff8880a417fb18 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: ffffffff8774dca0 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff815ad7b6 RDI: ffffed101482ff55
> RBP: ffff8880a417fb70 R08: ffff888088d78580 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8859408d
> R13: ffffffff8775d500 R14: ffffffff8774db20 R15: 0000000000000008
>   __check_heap_object+0x88/0xb3 mm/slab.c:4453
>   check_heap_object mm/usercopy.c:238 [inline]
>   __check_object_size mm/usercopy.c:284 [inline]
>   __check_object_size+0x342/0x42f mm/usercopy.c:254
>   check_object_size include/linux/thread_info.h:119 [inline]
>   check_copy_size include/linux/thread_info.h:150 [inline]
>   copy_to_user include/linux/uaccess.h:151 [inline]
>   copy_fid_to_user fs/notify/fanotify/fanotify_user.c:236 [inline]
>   copy_event_to_user fs/notify/fanotify/fanotify_user.c:294 [inline]
>   fanotify_read+0xde0/0x1430 fs/notify/fanotify/fanotify_user.c:362
>   __vfs_read+0x8d/0x110 fs/read_write.c:416
>   vfs_read+0x194/0x3e0 fs/read_write.c:452
>   ksys_read+0xea/0x1f0 fs/read_write.c:578
>   __do_sys_read fs/read_write.c:588 [inline]
>   __se_sys_read fs/read_write.c:586 [inline]
>   __x64_sys_read+0x73/0xb0 fs/read_write.c:586
>   do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4456b9
> Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
> ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fb296f31db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004456b9
> RDX: 000000000000006b RSI: 0000000020000000 RDI: 0000000000000004
> RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
> R13: 00007ffd8eb3d16f R14: 00007fb296f329c0 R15: 20c49ba5e353f7cf
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

[-- Attachment #2: 0001-fanotify-Allow-copying-of-file-handle-to-userspace.patch --]
[-- Type: text/x-patch, Size: 1419 bytes --]

From beb8c3a76f2740757fb1765f793bb394ad71c183 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Tue, 12 Mar 2019 12:42:37 +0100
Subject: [PATCH] fanotify: Allow copying of file handle to userspace

When file handle is embedded inside fanotify_event and usercopy checks
are enabled, we get a warning like:

Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
from SLAB object 'fanotify_event' (offset 40, size 8)!
WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
mm/usercopy.c:78

Annotate handling in fanotify_event properly to mark copying it to
userspace is fine.

Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/notify/fanotify/fanotify_user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 56992b32c6bb..84dbe1f1832c 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1092,7 +1092,8 @@ static int __init fanotify_user_setup(void)
 
 	fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
 					 SLAB_PANIC|SLAB_ACCOUNT);
-	fanotify_event_cachep = KMEM_CACHE(fanotify_event, SLAB_PANIC);
+	fanotify_event_cachep = KMEM_CACHE_USERCOPY(fanotify_event, SLAB_PANIC,
+			fid.fh);
 	if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS)) {
 		fanotify_perm_event_cachep =
 			KMEM_CACHE(fanotify_perm_event, SLAB_PANIC);
-- 
2.16.4

Re: Fw: WARNING: bad usercopy in fanotify_read

[Amir Goldstein]

On Tue, Mar 12, 2019 at 1:45 PM Jan Kara <jack@suse.cz> wrote:
>
> Thanks for forwarding Andrew!
>
> On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> > fyi
> >
> > Begin forwarded message:
> >
> > Date: Mon, 11 Mar 2019 13:42:06 -0700
> > From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> > To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> > Subject: WARNING: bad usercopy in fanotify_read
> >
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > userspace arch: amd64
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> > from SLAB object 'fanotify_event' (offset 40, size 8)!
> > WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
> > mm/usercopy.c:78
>
> Yeah, right. We need to create fanotify_event cache so that copying of
> fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
> with a possible slab pointer so that won't be protected from leaking but
> life is not perfect. Amir, something like attached patch?

I agree. We could do something like this, to first copy the inline fh
from slab to short stack buf:

static inline void *fanotify_fid_fh_user(struct fanotify_fid *fid,
                                    unsigned int fh_len, char *fh_buf)
{
        if (fh_len > FANOTIFY_INLINE_FH_LEN)
                return fid->ext_fh;
        memcpy(fh_buf, fid->fh, fh_len);
        return fh_buf;
}

But I don't think we should bother.

Thanks,
Amir.

Re: Fw: WARNING: bad usercopy in fanotify_read

[Jan Kara]

On Tue 12-03-19 14:59:27, Amir Goldstein wrote:
> On Tue, Mar 12, 2019 at 1:45 PM Jan Kara <jack@suse.cz> wrote:
> >
> > Thanks for forwarding Andrew!
> >
> > On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> > > fyi
> > >
> > > Begin forwarded message:
> > >
> > > Date: Mon, 11 Mar 2019 13:42:06 -0700
> > > From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> > > To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> > > Subject: WARNING: bad usercopy in fanotify_read
> > >
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> > > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > > userspace arch: amd64
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
> > >
> > > ------------[ cut here ]------------
> > > Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> > > from SLAB object 'fanotify_event' (offset 40, size 8)!
> > > WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
> > > mm/usercopy.c:78
> >
> > Yeah, right. We need to create fanotify_event cache so that copying of
> > fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
> > with a possible slab pointer so that won't be protected from leaking but
> > life is not perfect. Amir, something like attached patch?
> 
> I agree. We could do something like this, to first copy the inline fh
> from slab to short stack buf:
> 
> static inline void *fanotify_fid_fh_user(struct fanotify_fid *fid,
>                                     unsigned int fh_len, char *fh_buf)
> {
>         if (fh_len > FANOTIFY_INLINE_FH_LEN)
>                 return fid->ext_fh;
>         memcpy(fh_buf, fid->fh, fh_len);
>         return fh_buf;
> }
> 
> But I don't think we should bother.

OK, pushed my fix to my tree.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR