Re: general protection fault in sockfs_setattr
++Al Viro
>Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7.
Oops. Apologies Tetsuo. I confirmed the bug still happens with
linux.git. Here are the Syzkaller logs around the crash along with my
kernel configs.
Syzkaller Logs: https://pastebin.com/qqQyX0Ms
Config: https://pastebin.com/aEDARPDJ
Regards,
Shankara
On Wed, Jun 6, 2018 at 3:17 AM, Tetsuo Handa
wrote:
> Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7.
> I suggest reporting to Al Viro and linux-fsdevel ML after
> confirming that this bug still happens with linux.git , in
> case this is a dentry related bug (e.g. someone is by error
> calling dput() without getting a refcount).
>
> Also, please don't eliminate kernel messages prior to the
> crash. Sometimes previous kernel messages (e.g. memory
> allocation fault injection) as-is indicate the cause.
>
> On 2018/06/06 11:19, shankarapailoor wrote:
>> Hi Cong,
>>
>> I added that check and it seems to stop the crash. Like you said, I
>> don't see where the reference count for the file is increased. The
>> inode lock also seems to be held during this call.
>>
>> Regards,
>> Shankara
>>
>>
>>
>> On Tue, Jun 5, 2018 at 12:14 PM, Cong Wang wrote:
>>> On Mon, Jun 4, 2018 at 9:53 PM, shankarapailoor
>>> wrote:
>>>> Hi,
>>>>
>>>> I have been fuzzing Linux 4.17-rc7 with Syzkaller and found the
>>>> following crash: https://pastebin.com/ixX3RB9j
>>>>
>>>> Syzkaller isolated the cause of the bug to the following program:
>>>>
>>>> socketpair$unix(0x1, 0x1, 0x0,
>>>> &(0x7f00)={0x, 0x})
>>>> getresuid(&(0x7f80)=0x0, &(0x7fc0),
>>>> &(0x7f000700))r3 = getegid()
>>>> fchownat(r0, &(0x7f40)='\x00', r2, r3, 0x1000)
>>>> dup3(r1, r0, 0x8)
>>>>
>>>>
>>>> The problematic area appears to be here:
>>>>
>>>> static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
>>>> {
>>>> int err = simple_setattr(dentry, iattr);
>>>>
>>>> if (!err && (iattr->ia_valid & ATTR_UID)) {
>>>> struct socket *sock = SOCKET_I(d_inode(dentry));
>>>>
>>>> sock->sk->sk_uid = iattr->ia_uid; //KASAN GPF
>>>> }
>>>> return err;
>>>> }
>>>>
>>>> If dup3 is called concurrently with fchownat then can sock->sk be NULL?
>>>
>>> Although dup3() implies a close(), fd is refcnt'ted, if dup3() runs
>>> concurrently with fchownat() it should not be closed until whoever
>>> the last closes it.
>>>
>>> Or maybe fchownat() doesn't even hold refcnt of fd, since it aims
>>> to change the file backed.
>>>
>>>
>>> Not sure if the following is sufficient, inode might need to be protected
>>> with some lock...
>>>
>>> diff --git a/net/socket.c b/net/socket.c
>>> index f10f1d947c78..6294b4b3132e 100644
>>> --- a/net/socket.c
>>> +++ b/net/socket.c
>>> @@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry *dentry,
>>> struct iattr *iattr)
>>> if (!err && (iattr->ia_valid & ATTR_UID)) {
>>> struct socket *sock = SOCKET_I(d_inode(dentry));
>>>
>>> - sock->sk->sk_uid = iattr->ia_uid;
>>> + if (sock->sk)
>>> + sock->sk->sk_uid = iattr->ia_uid;
>>> + else
>>> + err = -ENOENT;
>>> }
>>>
>>> return err;
>>
>>
>>
>
--
Regards,
Shankara Pailoor
Re: general protection fault in sockfs_setattr
++Al Viro
>Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7.
Oops. Apologies Tetsuo. I confirmed the bug still happens with
linux.git. Here are the Syzkaller logs around the crash along with my
kernel configs.
Syzkaller Logs: https://pastebin.com/qqQyX0Ms
Config: https://pastebin.com/aEDARPDJ
Regards,
Shankara
On Wed, Jun 6, 2018 at 3:17 AM, Tetsuo Handa
wrote:
> Pastebin says that it was 4.17.0-rc4+ rather than 4.17-rc7.
> I suggest reporting to Al Viro and linux-fsdevel ML after
> confirming that this bug still happens with linux.git , in
> case this is a dentry related bug (e.g. someone is by error
> calling dput() without getting a refcount).
>
> Also, please don't eliminate kernel messages prior to the
> crash. Sometimes previous kernel messages (e.g. memory
> allocation fault injection) as-is indicate the cause.
>
> On 2018/06/06 11:19, shankarapailoor wrote:
>> Hi Cong,
>>
>> I added that check and it seems to stop the crash. Like you said, I
>> don't see where the reference count for the file is increased. The
>> inode lock also seems to be held during this call.
>>
>> Regards,
>> Shankara
>>
>>
>>
>> On Tue, Jun 5, 2018 at 12:14 PM, Cong Wang wrote:
>>> On Mon, Jun 4, 2018 at 9:53 PM, shankarapailoor
>>> wrote:
>>>> Hi,
>>>>
>>>> I have been fuzzing Linux 4.17-rc7 with Syzkaller and found the
>>>> following crash: https://pastebin.com/ixX3RB9j
>>>>
>>>> Syzkaller isolated the cause of the bug to the following program:
>>>>
>>>> socketpair$unix(0x1, 0x1, 0x0,
>>>> &(0x7f00)={0x, 0x})
>>>> getresuid(&(0x7f80)=0x0, &(0x7fc0),
>>>> &(0x7f000700))r3 = getegid()
>>>> fchownat(r0, &(0x7f40)='\x00', r2, r3, 0x1000)
>>>> dup3(r1, r0, 0x8)
>>>>
>>>>
>>>> The problematic area appears to be here:
>>>>
>>>> static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
>>>> {
>>>> int err = simple_setattr(dentry, iattr);
>>>>
>>>> if (!err && (iattr->ia_valid & ATTR_UID)) {
>>>> struct socket *sock = SOCKET_I(d_inode(dentry));
>>>>
>>>> sock->sk->sk_uid = iattr->ia_uid; //KASAN GPF
>>>> }
>>>> return err;
>>>> }
>>>>
>>>> If dup3 is called concurrently with fchownat then can sock->sk be NULL?
>>>
>>> Although dup3() implies a close(), fd is refcnt'ted, if dup3() runs
>>> concurrently with fchownat() it should not be closed until whoever
>>> the last closes it.
>>>
>>> Or maybe fchownat() doesn't even hold refcnt of fd, since it aims
>>> to change the file backed.
>>>
>>>
>>> Not sure if the following is sufficient, inode might need to be protected
>>> with some lock...
>>>
>>> diff --git a/net/socket.c b/net/socket.c
>>> index f10f1d947c78..6294b4b3132e 100644
>>> --- a/net/socket.c
>>> +++ b/net/socket.c
>>> @@ -537,7 +537,10 @@ static int sockfs_setattr(struct dentry *dentry,
>>> struct iattr *iattr)
>>> if (!err && (iattr->ia_valid & ATTR_UID)) {
>>> struct socket *sock = SOCKET_I(d_inode(dentry));
>>>
>>> - sock->sk->sk_uid = iattr->ia_uid;
>>> + if (sock->sk)
>>> + sock->sk->sk_uid = iattr->ia_uid;
>>> + else
>>> + err = -ENOENT;
>>> }
>>>
>>> return err;
>>
>>
>>
>
--
Regards,
Shankara Pailoor
Re: Slab out of bounds in setxattr
Sorry, Sent the same thing twice. Here is the updated one. On Mon, Jun 4, 2018 at 1:22 PM, shankarapailoor wrote: > Hi Dave, > > I've updated the patch accordingly. > > Regards, > Shankara > > On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp > wrote: >> On 06/04/2018 01:30 PM, shankarapailoor wrote: >>> Hi Dave, >>> >>> Attached is my proposed patch. It solves the problem as you suggest >>> and I don't see the KASAN complaint. >> >> That looks good to me. Add a description and a Signed-off-by: and I'll >> get it pushed upstream. >> >> Thanks for finding this. >> >> Shaggy >> >>> >>> Regards, >>> Shankara >>> >>> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >>> wrote: >>>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>>> Hi, >>>>> >>>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>>> no new space is allocated for the attiribute list [2] and this >>>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>>> repro I provided. >>>> >>>> I see the problem. It looks like we should be calculating max_size >>>> earlier and using that to call kmalloc(). (xattr.c#496) >>>> >>>> Shaggy >>>>> >>>>> >>>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>>> >>>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>>> wrote: >>>>>> Hi Dave et al, >>>>>> >>>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>>> slab-out-of-bounds in jfs_xattr. >>>>>> >>>>>> Attached are my kernel configs and a C reproducer. In the first >>>>>> setxattr call it appears that length is much larger than the name. In >>>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>>> actual value length. >>>>>> >>>>>> Regards, >>>>>> Shankara Pailoor > > > > -- > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Sorry, Sent the same thing twice. Here is the updated one. On Mon, Jun 4, 2018 at 1:22 PM, shankarapailoor wrote: > Hi Dave, > > I've updated the patch accordingly. > > Regards, > Shankara > > On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp > wrote: >> On 06/04/2018 01:30 PM, shankarapailoor wrote: >>> Hi Dave, >>> >>> Attached is my proposed patch. It solves the problem as you suggest >>> and I don't see the KASAN complaint. >> >> That looks good to me. Add a description and a Signed-off-by: and I'll >> get it pushed upstream. >> >> Thanks for finding this. >> >> Shaggy >> >>> >>> Regards, >>> Shankara >>> >>> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >>> wrote: >>>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>>> Hi, >>>>> >>>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>>> no new space is allocated for the attiribute list [2] and this >>>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>>> repro I provided. >>>> >>>> I see the problem. It looks like we should be calculating max_size >>>> earlier and using that to call kmalloc(). (xattr.c#496) >>>> >>>> Shaggy >>>>> >>>>> >>>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>>> >>>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>>> wrote: >>>>>> Hi Dave et al, >>>>>> >>>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>>> slab-out-of-bounds in jfs_xattr. >>>>>> >>>>>> Attached are my kernel configs and a C reproducer. In the first >>>>>> setxattr call it appears that length is much larger than the name. In >>>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>>> actual value length. >>>>>> >>>>>> Regards, >>>>>> Shankara Pailoor > > > > -- > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, I've updated the patch accordingly. Regards, Shankara On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp wrote: > On 06/04/2018 01:30 PM, shankarapailoor wrote: >> Hi Dave, >> >> Attached is my proposed patch. It solves the problem as you suggest >> and I don't see the KASAN complaint. > > That looks good to me. Add a description and a Signed-off-by: and I'll > get it pushed upstream. > > Thanks for finding this. > > Shaggy > >> >> Regards, >> Shankara >> >> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >> wrote: >>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>> Hi, >>>> >>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>> no new space is allocated for the attiribute list [2] and this >>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>> repro I provided. >>> >>> I see the problem. It looks like we should be calculating max_size >>> earlier and using that to call kmalloc(). (xattr.c#496) >>> >>> Shaggy >>>> >>>> >>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>> >>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>> wrote: >>>>> Hi Dave et al, >>>>> >>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>> slab-out-of-bounds in jfs_xattr. >>>>> >>>>> Attached are my kernel configs and a C reproducer. In the first >>>>> setxattr call it appears that length is much larger than the name. In >>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>> actual value length. >>>>> >>>>> Regards, >>>>> Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, I've updated the patch accordingly. Regards, Shankara On Mon, Jun 4, 2018 at 11:39 AM, Dave Kleikamp wrote: > On 06/04/2018 01:30 PM, shankarapailoor wrote: >> Hi Dave, >> >> Attached is my proposed patch. It solves the problem as you suggest >> and I don't see the KASAN complaint. > > That looks good to me. Add a description and a Signed-off-by: and I'll > get it pushed upstream. > > Thanks for finding this. > > Shaggy > >> >> Regards, >> Shankara >> >> On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp >> wrote: >>> On 06/01/2018 11:06 PM, shankarapailoor wrote: >>>> Hi, >>>> >>>> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >>>> then e_buf->max_size is rounded up nearest page size [1]. If a new >>>> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >>>> no new space is allocated for the attiribute list [2] and this >>>> triggers the KASAN slab out of bounds error. This is the case in the C >>>> repro I provided. >>> >>> I see the problem. It looks like we should be calculating max_size >>> earlier and using that to call kmalloc(). (xattr.c#496) >>> >>> Shaggy >>>> >>>> >>>> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >>>> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >>>> >>>> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >>>> wrote: >>>>> Hi Dave et al, >>>>> >>>>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>>>> slab-out-of-bounds in jfs_xattr. >>>>> >>>>> Attached are my kernel configs and a C reproducer. In the first >>>>> setxattr call it appears that length is much larger than the name. In >>>>> __jfs_setxattr, I don't see where the length is checked against the >>>>> actual value length. >>>>> >>>>> Regards, >>>>> Shankara Pailoor -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, Attached is my proposed patch. It solves the problem as you suggest and I don't see the KASAN complaint. Regards, Shankara On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp wrote: > On 06/01/2018 11:06 PM, shankarapailoor wrote: >> Hi, >> >> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >> then e_buf->max_size is rounded up nearest page size [1]. If a new >> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >> no new space is allocated for the attiribute list [2] and this >> triggers the KASAN slab out of bounds error. This is the case in the C >> repro I provided. > > I see the problem. It looks like we should be calculating max_size > earlier and using that to call kmalloc(). (xattr.c#496) > > Shaggy >> >> >> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >> >> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >> wrote: >>> Hi Dave et al, >>> >>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>> slab-out-of-bounds in jfs_xattr. >>> >>> Attached are my kernel configs and a C reproducer. In the first >>> setxattr call it appears that length is much larger than the name. In >>> __jfs_setxattr, I don't see where the length is checked against the >>> actual value length. >>> >>> Regards, >>> Shankara Pailoor >> >> >> -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi Dave, Attached is my proposed patch. It solves the problem as you suggest and I don't see the KASAN complaint. Regards, Shankara On Mon, Jun 4, 2018 at 11:24 AM, Dave Kleikamp wrote: > On 06/01/2018 11:06 PM, shankarapailoor wrote: >> Hi, >> >> Looking at the crash some more, it seems that if value_len > PAGE_SIZE >> then e_buf->max_size is rounded up nearest page size [1]. If a new >> attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then >> no new space is allocated for the attiribute list [2] and this >> triggers the KASAN slab out of bounds error. This is the case in the C >> repro I provided. > > I see the problem. It looks like we should be calculating max_size > earlier and using that to call kmalloc(). (xattr.c#496) > > Shaggy >> >> >> 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 >> 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 >> >> On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor >> wrote: >>> Hi Dave et al, >>> >>> I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: >>> slab-out-of-bounds in jfs_xattr. >>> >>> Attached are my kernel configs and a C reproducer. In the first >>> setxattr call it appears that length is much larger than the name. In >>> __jfs_setxattr, I don't see where the length is checked against the >>> actual value length. >>> >>> Regards, >>> Shankara Pailoor >> >> >> -- Regards, Shankara Pailoor jfspatch Description: Binary data
Re: Slab out of bounds in setxattr
Hi, Looking at the crash some more, it seems that if value_len > PAGE_SIZE then e_buf->max_size is rounded up nearest page size [1]. If a new attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then no new space is allocated for the attiribute list [2] and this triggers the KASAN slab out of bounds error. This is the case in the C repro I provided. 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote: > Hi Dave et al, > > I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: > slab-out-of-bounds in jfs_xattr. > > Attached are my kernel configs and a C reproducer. In the first > setxattr call it appears that length is much larger than the name. In > __jfs_setxattr, I don't see where the length is checked against the > actual value length. > > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor
Re: Slab out of bounds in setxattr
Hi, Looking at the crash some more, it seems that if value_len > PAGE_SIZE then e_buf->max_size is rounded up nearest page size [1]. If a new attribute is added with value_len < e_buf->max_size - EA_SIZE(ea) then no new space is allocated for the attiribute list [2] and this triggers the KASAN slab out of bounds error. This is the case in the C repro I provided. 1. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L501 2. https://elixir.bootlin.com/linux/v4.17-rc7/source/fs/jfs/xattr.c#L723 On Fri, Jun 1, 2018 at 1:52 PM, shankarapailoor wrote: > Hi Dave et al, > > I have been fuzzing linux 4.17-rc4 with JFS using Syzkaller KASAN: > slab-out-of-bounds in jfs_xattr. > > Attached are my kernel configs and a C reproducer. In the first > setxattr call it appears that length is much larger than the name. In > __jfs_setxattr, I don't see where the length is checked against the > actual value length. > > Regards, > Shankara Pailoor -- Regards, Shankara Pailoor
