Re: general protection fault in sockfs_setattr
++Al Viro >Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7. Oops. Apologies Tetsuo. I confirmed the bug still happens with linux.git. Here are the Syzkaller logs around the crash along with my kernel configs. Syzkaller Logs: https://pastebin.com/qqQyX0Ms Config: https://pastebin.com/aEDARPDJ Regards, Shankara On Wed, Jun 6, 2018 at 3:17 AM, Tetsuo Handa wrote: > Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7. > I suggest reporting to Al Viro and linux-fsdevel ML after > confirming that this bug still happens with linux.git , in > case this is a dentry related bug (e.g. someone is by error > calling dput() without getting a refcount). > > Also, please don't eliminate kernel messages prior to the > crash. Sometimes previous kernel messages (e.g. memory > allocation fault injection) as-is indicate the cause. > > On 2018/06/06 11:19, shankarapailoor wrote: >> Hi Cong, >> >> I added that check and it seems to stop the crash. Like you said, I >> don't see where the reference count for the file is increased. The >> inode lock also seems to be held during this call. >> >> Regards, >> Shankara >> >> >> >> On Tue, Jun 5, 2018 at 12:14 PM, Cong Wang wrote: >>> On Mon, Jun 4, 2018 at 9:53 PM, shankarapailoor >>> wrote: >>>> Hi, >>>> >>>> I have been fuzzing Linux 4.17-rc7 with Syzkaller and found the >>>> following crash: https://pastebin.com/ixX3RB9j >>>> >>>> Syzkaller isolated the cause of the bug to the following program: >>>> >>>> socketpair$unix(0x1, 0x1, 0x0, >>>> &(0x7f00)={0x, 0x}) >>>> getresuid(&(0x7f80)=0x0, &(0x7fc0), >>>> &(0x7f000700))r3 = getegid() >>>> fchownat(r0, &(0x7f40)='\x00', r2, r3, 0x1000) >>>> dup3(r1, r0, 0x8) >>>> >>>> >>>> The problematic area appears to be here: >>>> >>>> static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr) >>>> { >>>> int err = simple_setattr(dentry, iattr); >>>> >>>> if (!err && (iattr->ia_valid & ATTR_UID)) { >>>> struct socket *sock = SOCKET_I(d_inode(dentry)); >>>> >>>> sock->sk->sk_uid = iattr->ia_uid; //KASAN GPF >>>> } >>>> return err; >>>> } >>>> >>>> If dup3 is called concurrently with fchownat then can sock->sk be NULL? >>> >>> Although dup3() implies a close(), fd is refcnt'ted, if dup3() runs >>> concurrently with fchownat() it should not be closed until whoever >>> the last closes it. >>> >>> Or maybe fchownat() doesn't even hold refcnt of fd, since it aims >>> to change the file backed. >>> >>> >>> Not sure if the following is sufficient, inode might need to be protected >>> with some lock... >>> >>> diff --git a/net/socket.c b/net/socket.c >>> index f10f1d947c78..6294b4b3132e 100644 >>> --- a/net/socket.c >>> +++ b/net/socket.c >>> @@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry *dentry, >>> struct iattr *iattr) >>> if (!err && (iattr->ia_valid & ATTR_UID)) { >>> struct socket *sock = SOCKET_I(d_inode(dentry)); >>> >>> - sock->sk->sk_uid = iattr->ia_uid; >>> + if (sock->sk) >>> + sock->sk->sk_uid = iattr->ia_uid; >>> + else >>> + err = -ENOENT; >>> } >>> >>> return err; >> >> >> > -- Regards, Shankara Pailoor
Re: general protection fault in sockfs_setattr
++Al Viro >Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7. Oops. Apologies Tetsuo. I confirmed the bug still happens with linux.git. Here are the Syzkaller logs around the crash along with my kernel configs. Syzkaller Logs: https://pastebin.com/qqQyX0Ms Config: https://pastebin.com/aEDARPDJ Regards, Shankara On Wed, Jun 6, 2018 at 3:17 AM, Tetsuo Handa wrote: > Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7. > I suggest reporting to Al Viro and linux-fsdevel ML after > confirming that this bug still happens with linux.git , in > case this is a dentry related bug (e.g. someone is by error > calling dput() without getting a refcount). > > Also, please don't eliminate kernel messages prior to the > crash. Sometimes previous kernel messages (e.g. memory > allocation fault injection) as-is indicate the cause. > > On 2018/06/06 11:19, shankarapailoor wrote: >> Hi Cong, >> >> I added that check and it seems to stop the crash. Like you said, I >> don't see where the reference count for the file is increased. The >> inode lock also seems to be held during this call. >> >> Regards, >> Shankara >> >> >> >> On Tue, Jun 5, 2018 at 12:14 PM, Cong Wang wrote: >>> On Mon, Jun 4, 2018 at 9:53 PM, shankarapailoor >>> wrote: >>>> Hi, >>>> >>>> I have been fuzzing Linux 4.17-rc7 with Syzkaller and found the >>>> following crash: https://pastebin.com/ixX3RB9j >>>> >>>> Syzkaller isolated the cause of the bug to the following program: >>>> >>>> socketpair$unix(0x1, 0x1, 0x0, >>>> &(0x7f00)={0x, 0x}) >>>> getresuid(&(0x7f80)=0x0, &(0x7fc0), >>>> &(0x7f000700))r3 = getegid() >>>> fchownat(r0, &(0x7f40)='\x00', r2, r3, 0x1000) >>>> dup3(r1, r0, 0x8) >>>> >>>> >>>> The problematic area appears to be here: >>>> >>>> static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr) >>>> { >>>> int err = simple_setattr(dentry, iattr); >>>> >>>> if (!err && (iattr->ia_valid & ATTR_UID)) { >>>> struct socket *sock = SOCKET_I(d_inode(dentry)); >>>> >>>> sock->sk->sk_uid = iattr->ia_uid; //KASAN GPF >>>> } >>>> return err; >>>> } >>>> >>>> If dup3 is called concurrently with fchownat then can sock->sk be NULL? >>> >>> Although dup3() implies a close(), fd is refcnt'ted, if dup3() runs >>> concurrently with fchownat() it should not be closed until whoever >>> the last closes it. >>> >>> Or maybe fchownat() doesn't even hold refcnt of fd, since it aims >>> to change the file backed. >>> >>> >>> Not sure if the following is sufficient, inode might need to be protected >>> with some lock... >>> >>> diff --git a/net/socket.c b/net/socket.c >>> index f10f1d947c78..6294b4b3132e 100644 >>> --- a/net/socket.c >>> +++ b/net/socket.c >>> @@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry *dentry, >>> struct iattr *iattr) >>> if (!err && (iattr->ia_valid & ATTR_UID)) { >>> struct socket *sock = SOCKET_I(d_inode(dentry)); >>> >>> - sock->sk->sk_uid = iattr->ia_uid; >>> + if (sock->sk) >>> + sock->sk->sk_uid = iattr->ia_uid; >>> + else >>> + err = -ENOENT; >>> } >>> >>> return err; >> >> >> > -- Regards, Shankara Pailoor
Re: Slab out of bounds in setxattr
Sorry, Sent the same thing twice. Here is the updated one. On Mon, Jun 4, 2018 at 1:22 PM, shankarapailoor wrote: > Hi Dave, > > I've updated the patch accordingly. > > Regards, > Shankara > > On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp > wrote: >> On 06/04/2018 01:30 PM, shankarapailoor wrote: >>> Hi Dave, >>> >>> Attached is my proposed patch. It solves the problem as you suggest >>> and I don't see the KASAN complaint. >> >> That looks good to me. Add a description and a Signed-off-by: and I'll >> get it pushed upstream. >> >> Thanks for finding this. >> >> Shaggy >> >>> >>> Regards, >>> Shankara >>> >>> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >>> wrote: >>>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>>> Hi, >>>>> >>>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>>> no new space is allocated for the attiribute list [2] and this >>>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>>> repro I provided. >>>> >>>> I see the problem. It looks like we should be calculating max_size >>>> earlier and using that to call kmalloc(). (xattr.c#496) >>>> >>>> Shaggy >>>>> >>>>> >>>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>>> >>>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>>> wrote: >>>>>> Hi Dave et al, >>>>>> >>>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>>> slab-out-of-bounds in jfs_xattr. >>>>>> >>>>>> Attached are my kernel configs and a C reproducer. In the first >>>>>> setxattr call it appears that length is much larger than the name. In >>>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>>> actual value length. >>>>>> >>>>>> Regards, >>>>>> Shankara Pailoor > > > > -- > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Sorry, Sent the same thing twice. Here is the updated one. On Mon, Jun 4, 2018 at 1:22 PM, shankarapailoor wrote: > Hi Dave, > > I've updated the patch accordingly. > > Regards, > Shankara > > On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp > wrote: >> On 06/04/2018 01:30 PM, shankarapailoor wrote: >>> Hi Dave, >>> >>> Attached is my proposed patch. It solves the problem as you suggest >>> and I don't see the KASAN complaint. >> >> That looks good to me. Add a description and a Signed-off-by: and I'll >> get it pushed upstream. >> >> Thanks for finding this. >> >> Shaggy >> >>> >>> Regards, >>> Shankara >>> >>> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >>> wrote: >>>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>>> Hi, >>>>> >>>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>>> no new space is allocated for the attiribute list [2] and this >>>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>>> repro I provided. >>>> >>>> I see the problem. It looks like we should be calculating max_size >>>> earlier and using that to call kmalloc(). (xattr.c#496) >>>> >>>> Shaggy >>>>> >>>>> >>>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>>> >>>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>>> wrote: >>>>>> Hi Dave et al, >>>>>> >>>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>>> slab-out-of-bounds in jfs_xattr. >>>>>> >>>>>> Attached are my kernel configs and a C reproducer. In the first >>>>>> setxattr call it appears that length is much larger than the name. In >>>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>>> actual value length. >>>>>> >>>>>> Regards, >>>>>> Shankara Pailoor > > > > -- > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, I've updated the patch accordingly. Regards, Shankara On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp wrote: > On 06/04/2018 01:30 PM, shankarapailoor wrote: >> Hi Dave, >> >> Attached is my proposed patch. It solves the problem as you suggest >> and I don't see the KASAN complaint. > > That looks good to me. Add a description and a Signed-off-by: and I'll > get it pushed upstream. > > Thanks for finding this. > > Shaggy > >> >> Regards, >> Shankara >> >> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >> wrote: >>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>> Hi, >>>> >>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>> no new space is allocated for the attiribute list [2] and this >>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>> repro I provided. >>> >>> I see the problem. It looks like we should be calculating max_size >>> earlier and using that to call kmalloc(). (xattr.c#496) >>> >>> Shaggy >>>> >>>> >>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>> >>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>> wrote: >>>>> Hi Dave et al, >>>>> >>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>> slab-out-of-bounds in jfs_xattr. >>>>> >>>>> Attached are my kernel configs and a C reproducer. In the first >>>>> setxattr call it appears that length is much larger than the name. In >>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>> actual value length. >>>>> >>>>> Regards, >>>>> Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, I've updated the patch accordingly. Regards, Shankara On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp wrote: > On 06/04/2018 01:30 PM, shankarapailoor wrote: >> Hi Dave, >> >> Attached is my proposed patch. It solves the problem as you suggest >> and I don't see the KASAN complaint. > > That looks good to me. Add a description and a Signed-off-by: and I'll > get it pushed upstream. > > Thanks for finding this. > > Shaggy > >> >> Regards, >> Shankara >> >> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >> wrote: >>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>> Hi, >>>> >>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>> no new space is allocated for the attiribute list [2] and this >>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>> repro I provided. >>> >>> I see the problem. It looks like we should be calculating max_size >>> earlier and using that to call kmalloc(). (xattr.c#496) >>> >>> Shaggy >>>> >>>> >>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>> >>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>> wrote: >>>>> Hi Dave et al, >>>>> >>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>> slab-out-of-bounds in jfs_xattr. >>>>> >>>>> Attached are my kernel configs and a C reproducer. In the first >>>>> setxattr call it appears that length is much larger than the name. In >>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>> actual value length. >>>>> >>>>> Regards, >>>>> Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, Attached is my proposed patch. It solves the problem as you suggest and I don't see the KASAN complaint. Regards, Shankara On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp wrote: > On 06/01/2018 11:06 PM, shankarapailoor wrote: >> Hi, >> >> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >> then e_buf->max_size is rounded up nearest page size [1]. If a new >> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >> no new space is allocated for the attiribute list [2] and this >> triggers the KASAN slab out of bounds error. This is the case in the C >> repro I provided. > > I see the problem. It looks like we should be calculating max_size > earlier and using that to call kmalloc(). (xattr.c#496) > > Shaggy >> >> >> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >> >> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >> wrote: >>> Hi Dave et al, >>> >>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>> slab-out-of-bounds in jfs_xattr. >>> >>> Attached are my kernel configs and a C reproducer. In the first >>> setxattr call it appears that length is much larger than the name. In >>> __jfs_setxattr, I don't see where the length is checked against the >>> actual value length. >>> >>> Regards, >>> Shankara Pailoor >> >> >> -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, Attached is my proposed patch. It solves the problem as you suggest and I don't see the KASAN complaint. Regards, Shankara On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp wrote: > On 06/01/2018 11:06 PM, shankarapailoor wrote: >> Hi, >> >> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >> then e_buf->max_size is rounded up nearest page size [1]. If a new >> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >> no new space is allocated for the attiribute list [2] and this >> triggers the KASAN slab out of bounds error. This is the case in the C >> repro I provided. > > I see the problem. It looks like we should be calculating max_size > earlier and using that to call kmalloc(). (xattr.c#496) > > Shaggy >> >> >> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >> >> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >> wrote: >>> Hi Dave et al, >>> >>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>> slab-out-of-bounds in jfs_xattr. >>> >>> Attached are my kernel configs and a C reproducer. In the first >>> setxattr call it appears that length is much larger than the name. In >>> __jfs_setxattr, I don't see where the length is checked against the >>> actual value length. >>> >>> Regards, >>> Shankara Pailoor >> >> >> -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi, Looking at the crash some more, it seems that if value_len > PAGE_SIZE then e_buf->max_size is rounded up nearest page size [1]. If a new attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then no new space is allocated for the attiribute list [2] and this triggers the KASAN slab out of bounds error. This is the case in the C repro I provided. 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote: > Hi Dave et al, > > I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: > slab-out-of-bounds in jfs_xattr. > > Attached are my kernel configs and a C reproducer. In the first > setxattr call it appears that length is much larger than the name. In > __jfs_setxattr, I don't see where the length is checked against the > actual value length. > > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor
Re: Slab out of bounds in setxattr
Hi, Looking at the crash some more, it seems that if value_len > PAGE_SIZE then e_buf->max_size is rounded up nearest page size [1]. If a new attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then no new space is allocated for the attiribute list [2] and this triggers the KASAN slab out of bounds error. This is the case in the C repro I provided. 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote: > Hi Dave et al, > > I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: > slab-out-of-bounds in jfs_xattr. > > Attached are my kernel configs and a C reproducer. In the first > setxattr call it appears that length is much larger than the name. In > __jfs_setxattr, I don't see where the length is checked against the > actual value length. > > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor