Linux-Security-Module Archive on lore.kernel.org
 help / Atom feed
* general protection fault in keyctl_pkey_params_get
@ 2018-11-03 15:48 syzbot
  2018-11-03 17:30 ` [PATCH] KEYS: fix parsing invalid pkey info string Eric Biggers
  0 siblings, 1 reply; 4+ messages in thread
From: syzbot @ 2018-11-03 15:48 UTC (permalink / raw)
  To: dhowells, jmorris, keyrings, linux-kernel, linux-security-module,
	serge, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    5f21585384a4 Merge tag 'for-linus-20181102' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ba246d400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9384ecb1c973baed
dashboard link: https://syzkaller.appspot.com/bug?extid=a22e0dc07567662c50bc
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1026dcd5400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=167e882b400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7247 Comm: syz-executor236 Not tainted 4.19.0+ #317
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:keyctl_pkey_params_parse security/keys/keyctl_pkey.c:56 [inline]
RIP: 0010:keyctl_pkey_params_get+0x2e7/0x550 security/keys/keyctl_pkey.c:96
Code: fe 48 8b 44 24 38 48 c1 e8 03 42 80 3c 28 00 0f 85 f7 01 00 00 4c 8b  
a4 24 e0 00 00 00 4c 89 e0 4c 89 e2 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28  
38 d0 7f 08 84 c0 0f 85 e0 01 00 00 41 0f b6 04 24
RSP: 0018:ffff8801ce84faa0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801ce84fd60 RCX: ffffffff83429990
RDX: 0000000000000000 RSI: ffffffff8342999e RDI: 0000000000000001
RBP: ffff8801ce84fc08 R08: ffff8801ce928480 R09: ffffed0039e73310
R10: ffffed0039e73310 R11: 0000000000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffffffffffffff R15: ffffffffffffffff
FS:  0000000001e1c880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000414cd0 CR3: 00000001ce5e6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  keyctl_pkey_params_get_2+0x12f/0x580 security/keys/keyctl_pkey.c:130
kasan: CONFIG_KASAN_INLINE enabled
  keyctl_pkey_verify+0xaa/0x400 security/keys/keyctl_pkey.c:293
kasan: GPF could be caused by NULL-ptr deref or user memory access
  __do_sys_keyctl security/keys/keyctl.c:1768 [inline]
  __se_sys_keyctl security/keys/keyctl.c:1637 [inline]
  __x64_sys_keyctl+0x101/0x430 security/keys/keyctl.c:1637
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x444c39
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffefdd59f88 EFLAGS: 00000286 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444c39
RDX: 00000000200002c0 RSI: 00000000200000c0 RDI: 000000000000001c
RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002e0
R10: 00000000fffffd2a R11: 0000000000000286 R12: 0000000000011956
R13: 0000000000401f80 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace e5c46bb5200c69dc ]---
general protection fault: 0000 [#2] PREEMPT SMP KASAN
RIP: 0010:keyctl_pkey_params_parse security/keys/keyctl_pkey.c:56 [inline]
RIP: 0010:keyctl_pkey_params_get+0x2e7/0x550 security/keys/keyctl_pkey.c:96
CPU: 0 PID: 7401 Comm: syz-executor236 Tainted: G      D           4.19.0+  
#317
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:keyctl_pkey_params_parse security/keys/keyctl_pkey.c:56 [inline]
RIP: 0010:keyctl_pkey_params_get+0x2e7/0x550 security/keys/keyctl_pkey.c:96
Code: fe 48 8b 44 24 38 48 c1 e8 03 42 80 3c 28 00 0f 85 f7 01 00 00 4c 8b  
a4 24 e0 00 00 00 4c 89 e0 4c 89 e2 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28  
38 d0 7f 08 84 c0 0f 85 e0 01 00 00 41 0f b6 04 24
Code: fe 48 8b 44 24 38 48 c1 e8 03 42 80 3c 28 00 0f 85 f7 01 00 00 4c 8b  
a4 24 e0 00 00 00 4c 89 e0 4c 89 e2 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28  
38 d0 7f 08 84 c0 0f 85 e0 01 00 00 41 0f b6 04 24
RSP: 0018:ffff8801c52cfaa0 EFLAGS: 00010246
RAX: 0000000000000002 RBX: ffff8801c52cfd60 RCX: ffffffff83429990
RDX: 0000000000000000 RSI: ffffffff8342999e RDI: 0000000000000001
RBP: ffff8801c52cfc08 R08: ffff8801b8a86000 R09: ffffed0039bb1378
R10: ffffed0039bb1378 R11: 0000000000000001 R12: 0000000000000010
R13: dffffc0000000000 R14: ffffffffffffffff R15: ffffffffffffffff
FS:  0000000001e1c880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
RSP: 0018:ffff8801ce84faa0 EFLAGS: 00010246
CR2: 0000000000414cd0 CR3: 00000001ce654000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
RAX: 0000000000000000 RBX: ffff8801ce84fd60 RCX: ffffffff83429990
  keyctl_pkey_params_get_2+0x12f/0x580 security/keys/keyctl_pkey.c:130
RDX: 0000000000000000 RSI: ffffffff8342999e RDI: 0000000000000001
  keyctl_pkey_verify+0xaa/0x400 security/keys/keyctl_pkey.c:293
RBP: ffff8801ce84fc08 R08: ffff8801ce928480 R09: ffffed0039e73310
R10: ffffed0039e73310 R11: 0000000000000001 R12: 0000000000000000
  __do_sys_keyctl security/keys/keyctl.c:1768 [inline]
  __se_sys_keyctl security/keys/keyctl.c:1637 [inline]
  __x64_sys_keyctl+0x101/0x430 security/keys/keyctl.c:1637
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
R13: dffffc0000000000 R14: ffffffffffffffff R15: ffffffffffffffff
FS:  0000000001e1c880(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
RIP: 0033:0x444c39
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
ff 0f 83 2b ce fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffefdd59f88 EFLAGS: 00000286 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000444c39
RDX: 00000000200002c0 RSI: 00000000200000c0 RDI: 000000000000001c
RBP: 0000000000000000 R08: 0000000020000380 R09: 00000000004002e0
R10: 00000000fffffd2a R11: 0000000000000286 R12: 0000000000011a27
CR2: 0000000000414cd0 CR3: 00000001ce5e6000 CR4: 00000000001406e0
R13: 0000000000401f80 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace e5c46bb5200c69dd ]---
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
RIP: 0010:keyctl_pkey_params_parse security/keys/keyctl_pkey.c:56 [inline]
RIP: 0010:keyctl_pkey_params_get+0x2e7/0x550 security/keys/keyctl_pkey.c:96
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Code: fe 48 8b 44 24 38 48 c1 e8 03 42 80 3c 28 00 0f 85 f7 01 00 00 4c 8b  
a4 24 e0 00 00 00 4c 89 e0 4c 89 e2 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28  
38 d0 7f 08 84 c0 0f 85 e0 01 00 00 41 0f b6 04 24


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] KEYS: fix parsing invalid pkey info string
  2018-11-03 15:48 general protection fault in keyctl_pkey_params_get syzbot
@ 2018-11-03 17:30 ` Eric Biggers
  2018-11-28 23:20   ` Eric Biggers
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Biggers @ 2018-11-03 17:30 UTC (permalink / raw)
  To: keyrings, dhowells; +Cc: linux-security-module, linux-kernel, syzkaller-bugs

From: Eric Biggers <ebiggers@google.com>

We need to check the return value of match_token() for Opt_err (-1)
before doing anything with it.

Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 security/keys/keyctl_pkey.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 783978842f13a..987fac8051d70 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -50,6 +50,8 @@ static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
 		if (*p == '\0' || *p == ' ' || *p == '\t')
 			continue;
 		token = match_token(p, param_keys, args);
+		if (token == Opt_err)
+			return -EINVAL;
 		if (__test_and_set_bit(token, &token_mask))
 			return -EINVAL;
 		q = args[0].from;
-- 
2.19.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] KEYS: fix parsing invalid pkey info string
  2018-11-03 17:30 ` [PATCH] KEYS: fix parsing invalid pkey info string Eric Biggers
@ 2018-11-28 23:20   ` Eric Biggers
  2018-12-06 18:26     ` Eric Biggers
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Biggers @ 2018-11-28 23:20 UTC (permalink / raw)
  To: keyrings, dhowells; +Cc: linux-security-module, linux-kernel, syzkaller-bugs

On Sat, Nov 03, 2018 at 10:30:35AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> We need to check the return value of match_token() for Opt_err (-1)
> before doing anything with it.
> 
> Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com
> Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  security/keys/keyctl_pkey.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
> index 783978842f13a..987fac8051d70 100644
> --- a/security/keys/keyctl_pkey.c
> +++ b/security/keys/keyctl_pkey.c
> @@ -50,6 +50,8 @@ static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
>  		if (*p == '\0' || *p == ' ' || *p == '\t')
>  			continue;
>  		token = match_token(p, param_keys, args);
> +		if (token == Opt_err)
> +			return -EINVAL;
>  		if (__test_and_set_bit(token, &token_mask))
>  			return -EINVAL;
>  		q = args[0].from;
> -- 
> 2.19.1

Ping.  David, are you planning to apply this?

- Eric

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] KEYS: fix parsing invalid pkey info string
  2018-11-28 23:20   ` Eric Biggers
@ 2018-12-06 18:26     ` Eric Biggers
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Biggers @ 2018-12-06 18:26 UTC (permalink / raw)
  To: keyrings, dhowells; +Cc: linux-security-module, linux-kernel, syzkaller-bugs

On Wed, Nov 28, 2018 at 03:20:20PM -0800, Eric Biggers wrote:
> On Sat, Nov 03, 2018 at 10:30:35AM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > We need to check the return value of match_token() for Opt_err (-1)
> > before doing anything with it.
> > 
> > Reported-by: syzbot+a22e0dc07567662c50bc@syzkaller.appspotmail.com
> > Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
> >  security/keys/keyctl_pkey.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
> > index 783978842f13a..987fac8051d70 100644
> > --- a/security/keys/keyctl_pkey.c
> > +++ b/security/keys/keyctl_pkey.c
> > @@ -50,6 +50,8 @@ static int keyctl_pkey_params_parse(struct kernel_pkey_params *params)
> >  		if (*p == '\0' || *p == ' ' || *p == '\t')
> >  			continue;
> >  		token = match_token(p, param_keys, args);
> > +		if (token == Opt_err)
> > +			return -EINVAL;
> >  		if (__test_and_set_bit(token, &token_mask))
> >  			return -EINVAL;
> >  		q = args[0].from;
> > -- 
> > 2.19.1
> 
> Ping.  David, are you planning to apply this?
> 
> - Eric
> 

Ping.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-03 15:48 general protection fault in keyctl_pkey_params_get syzbot
2018-11-03 17:30 ` [PATCH] KEYS: fix parsing invalid pkey info string Eric Biggers
2018-11-28 23:20   ` Eric Biggers
2018-12-06 18:26     ` Eric Biggers

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable: git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org linux-security-module@archiver.kernel.org
	public-inbox-index linux-security-module


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/ public-inbox