From: Yu Zhao <yuzhao@google.com>
To: Matthew Wilcox <willy@infradead.org>,
Uladzislau Rezki <urezki@gmail.com>
Cc: Zorro Lang <zlang@redhat.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
bugzilla-daemon@kernel.org, linux-s390@vger.kernel.org,
linux-xfs@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>, Kees Cook <keescook@chromium.org>
Subject: Re: [Bug 216073] New: [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)!
Date: Sun, 12 Jun 2022 11:59:58 -0600 [thread overview]
Message-ID: <CAOUHufbBkcjChkMfF8exh3=6=JM09-GCU71KXhUGmz4UdOhUmg@mail.gmail.com> (raw)
In-Reply-To: <YqYh0xyJvoNsSOpy@casper.infradead.org>
On Sun, Jun 12, 2022 at 11:27 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Sun, Jun 12, 2022 at 03:03:20PM +0200, Uladzislau Rezki wrote:
> > > @@ -181,8 +181,9 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
> > > return;
> > > }
> > >
> > > - offset = ptr - area->addr;
> > > - if (offset + n > get_vm_area_size(area))
> > > + /* XXX: We should also abort for free vmap_areas */
> > > + offset = (unsigned long)ptr - area->va_start;
> > >
> > I was a bit confused about "offset" and why it is needed here. It is always zero.
> > So we can get rid of it to make it less confused. From the other hand a zero offset
> > contributes to nothing.
>
> I don't think offset is necessarily zero. 'ptr' is a pointer somewhere
> in the object, not necessarily the start of the object.
>
> > >
> > > + if (offset + n >= area->va_end)
> > >
> > I think it is a bit wrong. As i see it, "n" is a size and what we would like to do
> > here is boundary check:
> >
> > <snip>
> > if (n > va_size(area))
> > usercopy_abort("vmalloc", NULL, to_user, 0, n);
> > <snip>
>
> Hmm ... we should probably be more careful about wrapping.
>
> if (n > area->va_end - addr)
> usercopy_abort("vmalloc", NULL, to_user, offset, n);
>
> ... and that goes for the whole function actually. I'll split that into
> a separate change.
Please let me know if there is something we want to test -- I can
reproduce the problem reliably:
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:101!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
CPU: 4 PID: 3259 Comm: iptables Not tainted 5.19.0-rc1-lockdep+ #1
pc : usercopy_abort+0x9c/0xa0
lr : usercopy_abort+0x9c/0xa0
sp : ffffffc010bd78d0
x29: ffffffc010bd78e0 x28: 42ffff80ac08d8ec x27: 42ffff80ac08d8ec
x26: 42ffff80ac08d8c0 x25: 000000000000000a x24: ffffffdf4c7e5120
x23: 000000000bec44c2 x22: efffffc000000000 x21: ffffffdf2896b0c0
x20: 0000000000000001 x19: 000000000000000b x18: 0000000000000000
x17: 2820636f6c6c616d x16: 0000000000000042 x15: 6574636574656420
x14: 74706d6574746120 x13: 0000000000000018 x12: 000000000000000d
x11: ff80007fffffffff x10: 0000000000000001 x9 : db174b7f89103400
x8 : db174b7f89103400 x7 : 0000000000000000 x6 : 79706f6372657375
x5 : ffffffdf4d9c617e x4 : 0000000000000000 x3 : ffffffdf4b7d017c
x2 : ffffff80eb188b18 x1 : 42ffff80ac08d8c8 x0 : 0000000000000066
Call trace:
usercopy_abort+0x9c/0xa0
__check_object_size+0x38c/0x400
xt_obj_to_user+0xe4/0x200
xt_compat_target_to_user+0xd8/0x18c
compat_copy_entries_to_user+0x278/0x424
do_ipt_get_ctl+0x7bc/0xb2c
nf_getsockopt+0x7c/0xb4
ip_getsockopt+0xee8/0xfa4
raw_getsockopt+0xf4/0x23c
sock_common_getsockopt+0x48/0x54
__sys_getsockopt+0x11c/0x2f8
__arm64_sys_getsockopt+0x60/0x70
el0_svc_common+0xfc/0x1cc
do_el0_svc_compat+0x38/0x5c
el0_svc_compat+0x68/0xf4
el0t_32_sync_handler+0xc0/0xf0
el0t_32_sync+0x190/0x194
Code: aa0903e4 a9017bfd 910043fd 9438be18 (d4210000)
---[ end trace 0000000000000000 ]---
next prev parent reply other threads:[~2022-06-12 18:01 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-216073-27@https.bugzilla.kernel.org/>
2022-06-06 22:13 ` [Bug 216073] New: [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'n o area' (offset 0, size 1)! Andrew Morton
2022-06-07 15:05 ` Alexander Gordeev
2022-06-08 2:19 ` Zorro Lang
2022-06-08 19:13 ` Alexander Gordeev
2022-06-09 2:49 ` Zorro Lang
2022-06-12 4:42 ` Zorro Lang
2022-06-12 11:58 ` Matthew Wilcox
2022-06-12 13:03 ` Uladzislau Rezki
2022-06-12 17:26 ` Matthew Wilcox
2022-06-12 17:59 ` Yu Zhao [this message]
2022-06-12 18:05 ` Matthew Wilcox
2022-06-12 18:43 ` Yu Zhao
2022-06-12 19:52 ` Matthew Wilcox
2022-06-12 20:53 ` Yu Zhao
2022-06-12 19:07 ` Uladzislau Rezki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOUHufbBkcjChkMfF8exh3=6=JM09-GCU71KXhUGmz4UdOhUmg@mail.gmail.com' \
--to=yuzhao@google.com \
--cc=agordeev@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=bugzilla-daemon@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=urezki@gmail.com \
--cc=willy@infradead.org \
--cc=zlang@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.