linux-serial.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Dmitry Vyukov <dvyukov@google.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	syzbot <syzbot+f4f1e871965064ae689e@syzkaller.appspotmail.com>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	asierra@xes-inc.com, ext-kimmo.rautkoski@vaisala.com,
	Jiri Slaby <jslaby@suse.com>,
	kai heng feng <kai.heng.feng@canonical.com>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-serial <linux-serial@vger.kernel.org>,
	mika.westerberg@linux.intel.com, o.barta89@gmail.com,
	paulburton@kernel.org, sr@denx.de,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	yegorslists@googlemail.com
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in mem_serial_out
Date: Sat, 14 Dec 2019 19:28:02 +0900	[thread overview]
Message-ID: <1634f244-543c-28c6-c322-c3d981c3a973@i-love.sakura.ne.jp> (raw)
In-Reply-To: <20191214090905.GA3322570@kroah.com>

On 2019/12/14 18:09, Greg KH wrote:
> On Sat, Dec 14, 2019 at 05:39:02PM +0900, Tetsuo Handa wrote:
>> On 2019/12/14 16:55, Greg KH wrote:
>>>>>> That suggestion got no response for two months.
>>>>>>
>>>>>>   https://lkml.kernel.org/r/3e4e2b6b-7828-54ab-cf28-db1a396d7e20@i-love.sakura.ne.jp
>>>>>>
>>>>>> Unless we add such kernel config option to upstream kernels, it will become
>>>>>> a whack-a-mole game.
>>>>>
>>>>> It will be a whack-a-mole game no matter what.
>>>>>
>>>>> Yes, /dev/mem/ makes no sense to fuzz.  Neither does other things (like
>>>>> serial port memory addresses.)
>>>>
>>>> /dev/mem makes sense to fuzz. Ditto for other things.
>>>
>>> What?  What are you going to find if you randomly start to write to
>>> /dev/mem?  How are we supposed to "fix" that?
>>>
>>
>> When did I say "writing to random addresses" ? If you saw my suggestion, you
>> will find that "fuzzer will be able to test reading from random addresses,
>> writing to safe addresses (in order to find new lock dependency which would
>> otherwise be unnoticed)".
> 
> I don't remember the suggestion specifically, sorry.  But how would you
> figure out what those "safe addresses" really are?  They will change on
> every single platform.

----------
+#ifdef CONFIG_KERNEL_BUILT_FOR_FUZZ_TESTING
+static char dummybuf[PAGE_SIZE];
+#endif
----------

----------
                        ptr = xlate_dev_mem_ptr(p);
                        if (!ptr) {
                                if (written)
                                        break;
                                return -EFAULT;
                        }
+#ifndef CONFIG_KERNEL_BUILT_FOR_FUZZ_TESTING
                        copied = copy_from_user(ptr, buf, sz);
+#else
+                       copied = copy_from_user(dummybuf, buf, min(sizeof(dummybuf), sz));
+#endif
                        unxlate_dev_mem_ptr(p, ptr);
----------

How dummybuf cannot be "safe address" ?

> 
> And why would this even help anything?  What lock dependency?
> 

copy_from_user() can trigger page fault which involves memory allocation.
And direct reclaim which is performed within memory allocation operation
is full of subtle dependency bugs. :-(

  reply	other threads:[~2019-12-14 10:28 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-07  6:25 BUG: unable to handle kernel NULL pointer dereference in mem_serial_out syzbot
2019-12-12 10:57 ` Greg KH
2019-12-13  9:02   ` Dmitry Vyukov
2019-12-13  9:33     ` Greg KH
2019-12-13 10:00       ` Dmitry Vyukov
2019-12-13 10:10         ` Greg KH
2019-12-13 10:39           ` Dmitry Vyukov
2019-12-13 11:26             ` Greg KH
2019-12-17 10:48               ` Dmitry Vyukov
2020-01-07 17:02                 ` Dmitry Vyukov
2019-12-13 14:31         ` Tetsuo Handa
2019-12-13 16:07           ` Greg KH
2019-12-14  0:48             ` Tetsuo Handa
2019-12-14  7:55               ` Greg KH
2019-12-14  8:39                 ` Tetsuo Handa
2019-12-14  9:09                   ` Greg KH
2019-12-14 10:28                     ` Tetsuo Handa [this message]
2019-12-14 11:25                       ` Greg KH
2019-12-18  0:55         ` Tetsuo Handa
2019-12-18  6:53           ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1634f244-543c-28c6-c322-c3d981c3a973@i-love.sakura.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=asierra@xes-inc.com \
    --cc=dvyukov@google.com \
    --cc=ext-kimmo.rautkoski@vaisala.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jslaby@suse.com \
    --cc=kai.heng.feng@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-serial@vger.kernel.org \
    --cc=mika.westerberg@linux.intel.com \
    --cc=o.barta89@gmail.com \
    --cc=paulburton@kernel.org \
    --cc=sr@denx.de \
    --cc=syzbot+f4f1e871965064ae689e@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=torvalds@linux-foundation.org \
    --cc=yegorslists@googlemail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).