"divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2

"divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2

[cheung wall]

Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 6.13.0-rc2. This issue was discovered using our
custom vulnerability discovery tool.

HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)

Affected File: mm/page-writeback.c

File: mm/page-writeback.c

Function: bdi_set_min_bytes

Detailed Call Stack:

------------[ cut here begin]------------

RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
RIP: 0010:bdi_set_min_bytes+0x9f/0x1d0 mm/page-writeback.c:799
Code: ff 48 39 d8 0f 82 3b 01 00 00 e8 ac fd e7 ff 48 69 db 40 42 0f
00 48 8d 74 24 40 48 8d 7c 24 20 e8 c6 f1 ff ff 31 d2 48 89 d8 <48> f7
74 24 40 48 89 c3 3d 40 42 0f 00 0f 87 08 01 00 00 e8 79 fd
RSP: 0018:ffff88810a5f7b60 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9c9ef057
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810a5f7ab8
RBP: 1ffff110214bef6c R08: 0000000000000000 R09: fffffbfff4081c7b
R10: ffffffffa040e3df R11: 0000000000032001 R12: ffff888105c65000
R13: dffffc0000000000 R14: ffff888105c65000 R15: ffff888105c65800
FS: 00007fdfc7c37580(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055adcdc786c8 CR3: 0000000104128000 CR4: 0000000000350ef0
Call Trace:
<TASK>
min_bytes_store+0xba/0x120 mm/backing-dev.c:385
dev_attr_store+0x58/0x80 drivers/base/core.c:2439
sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x51e/0xc80 fs/read_write.c:679
ksys_write+0x110/0x200 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdfc7b4d513
Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f
1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
RSP: 002b:00007ffe7796ae28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000055adcdc766c0 RCX: 00007fdfc7b4d513
RDX: 0000000000000002 RSI: 000055adcdc766c0 RDI: 0000000000000001
RBP: 0000000000000002 R08: 000055adcdc766c0 R09: 00007fdfc7c30be0
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000

------------[ cut here end]------------

Root Cause:

The crash is caused by a division by zero error within the Linux
kernel's page-writeback subsystem. Specifically, the bdi_set_min_bytes
function attempts to calculate a ratio using bdi_ratio_from_pages,
which internally calls div64_u64. During this calculation, a
denominator value unexpectedly becomes zero, likely due to improper
handling or validation of input data provided through the sysfs
interface during the min_bytes_store operation. This erroneous zero
value leads to a divide error exception when the kernel tries to
perform the division. The issue occurs while processing a sysfs write
operation (min_bytes_store), suggesting that invalid or uninitialized
data supplied through sysfs triggers the faulty calculation,
ultimately causing the kernel to crash.

Thank you for your time and attention.

Best regards

Wall

Re: "divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2

[Matthew Wilcox]

On Fri, Jan 03, 2025 at 03:25:01PM +0800, cheung wall wrote:
> I am writing to report a potential vulnerability identified in the
> Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> custom vulnerability discovery tool.

Your tool would be more useful if you told us what it was doing.
I suspect it's writing a very small value into the min_bytes pseudo-file.
Since that's something only root can do, this isn't a vulnerability.
This is a very annoying conversation to keep having with people who
write their own custom "vulnerability discovery tools".

That said, we could do better here.  Stefan, you wrote this code.

> RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
> RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
> RIP: 0010:bdi_set_min_bytes+0x9f/0x1d0 mm/page-writeback.c:799
> Code: ff 48 39 d8 0f 82 3b 01 00 00 e8 ac fd e7 ff 48 69 db 40 42 0f
> 00 48 8d 74 24 40 48 8d 7c 24 20 e8 c6 f1 ff ff 31 d2 48 89 d8 <48> f7
> 74 24 40 48 89 c3 3d 40 42 0f 00 0f 87 08 01 00 00 e8 79 fd
> RSP: 0018:ffff88810a5f7b60 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9c9ef057
> RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810a5f7ab8
> RBP: 1ffff110214bef6c R08: 0000000000000000 R09: fffffbfff4081c7b
> R10: ffffffffa040e3df R11: 0000000000032001 R12: ffff888105c65000
> R13: dffffc0000000000 R14: ffff888105c65000 R15: ffff888105c65800
> FS: 00007fdfc7c37580(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055adcdc786c8 CR3: 0000000104128000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> min_bytes_store+0xba/0x120 mm/backing-dev.c:385
> dev_attr_store+0x58/0x80 drivers/base/core.c:2439
> sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
> kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
> new_sync_write fs/read_write.c:586 [inline]
> vfs_write+0x51e/0xc80 fs/read_write.c:679
> ksys_write+0x110/0x200 fs/read_write.c:731
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fdfc7b4d513
> Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f
> 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d
> 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
> RSP: 002b:00007ffe7796ae28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 000055adcdc766c0 RCX: 00007fdfc7b4d513
> RDX: 0000000000000002 RSI: 000055adcdc766c0 RDI: 0000000000000001
> RBP: 0000000000000002 R08: 000055adcdc766c0 R09: 00007fdfc7c30be0
> R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
> R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000
> 
> ------------[ cut here end]------------
> 
> Root Cause:
> 
> The crash is caused by a division by zero error within the Linux
> kernel's page-writeback subsystem. Specifically, the bdi_set_min_bytes
> function attempts to calculate a ratio using bdi_ratio_from_pages,
> which internally calls div64_u64. During this calculation, a
> denominator value unexpectedly becomes zero, likely due to improper
> handling or validation of input data provided through the sysfs
> interface during the min_bytes_store operation. This erroneous zero
> value leads to a divide error exception when the kernel tries to
> perform the division. The issue occurs while processing a sysfs write
> operation (min_bytes_store), suggesting that invalid or uninitialized
> data supplied through sysfs triggers the faulty calculation,
> ultimately causing the kernel to crash.
> 
> Thank you for your time and attention.
> 
> Best regards
> 
> Wall

Re: "divide error in bdi_set_min_bytes" in Linux kernel version 6.13.0-rc2

[Stefan Roesch]

Matthew Wilcox <willy@infradead.org> writes:

> On Fri, Jan 03, 2025 at 03:25:01PM +0800, cheung wall wrote:
>> I am writing to report a potential vulnerability identified in the
>> Linux Kernel version 6.13.0-rc2. This issue was discovered using our
>> custom vulnerability discovery tool.
>
> Your tool would be more useful if you told us what it was doing.
> I suspect it's writing a very small value into the min_bytes pseudo-file.
> Since that's something only root can do, this isn't a vulnerability.
> This is a very annoying conversation to keep having with people who
> write their own custom "vulnerability discovery tools".
>
> That said, we could do better here.  Stefan, you wrote this code.
>

Thanks for the analysis Matthew. I'll have a look.
Is there a testcase?

>> RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
>> RIP: 0010:bdi_ratio_from_pages mm/page-writeback.c:695 [inline]
>> RIP: 0010:bdi_set_min_bytes+0x9f/0x1d0 mm/page-writeback.c:799
>> Code: ff 48 39 d8 0f 82 3b 01 00 00 e8 ac fd e7 ff 48 69 db 40 42 0f
>> 00 48 8d 74 24 40 48 8d 7c 24 20 e8 c6 f1 ff ff 31 d2 48 89 d8 <48> f7
>> 74 24 40 48 89 c3 3d 40 42 0f 00 0f 87 08 01 00 00 e8 79 fd
>> RSP: 0018:ffff88810a5f7b60 EFLAGS: 00010246
>> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff9c9ef057
>> RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88810a5f7ab8
>> RBP: 1ffff110214bef6c R08: 0000000000000000 R09: fffffbfff4081c7b
>> R10: ffffffffa040e3df R11: 0000000000032001 R12: ffff888105c65000
>> R13: dffffc0000000000 R14: ffff888105c65000 R15: ffff888105c65800
>> FS: 00007fdfc7c37580(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 000055adcdc786c8 CR3: 0000000104128000 CR4: 0000000000350ef0
>> Call Trace:
>> <TASK>
>> min_bytes_store+0xba/0x120 mm/backing-dev.c:385
>> dev_attr_store+0x58/0x80 drivers/base/core.c:2439
>> sysfs_kf_write+0x136/0x1a0 fs/sysfs/file.c:139
>> kernfs_fop_write_iter+0x323/0x530 fs/kernfs/file.c:334
>> new_sync_write fs/read_write.c:586 [inline]
>> vfs_write+0x51e/0xc80 fs/read_write.c:679
>> ksys_write+0x110/0x200 fs/read_write.c:731
>> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>> do_syscall_64+0xa6/0x1a0 arch/x86/entry/common.c:83
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7fdfc7b4d513
>> Code: 8b 15 81 29 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f
>> 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d
>> 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
>> RSP: 002b:00007ffe7796ae28 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 000055adcdc766c0 RCX: 00007fdfc7b4d513
>> RDX: 0000000000000002 RSI: 000055adcdc766c0 RDI: 0000000000000001
>> RBP: 0000000000000002 R08: 000055adcdc766c0 R09: 00007fdfc7c30be0
>> R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000001
>> R13: 0000000000000002 R14: 7fffffffffffffff R15: 0000000000000000
>>
>> ------------[ cut here end]------------
>>
>> Root Cause:
>>
>> The crash is caused by a division by zero error within the Linux
>> kernel's page-writeback subsystem. Specifically, the bdi_set_min_bytes
>> function attempts to calculate a ratio using bdi_ratio_from_pages,
>> which internally calls div64_u64. During this calculation, a
>> denominator value unexpectedly becomes zero, likely due to improper
>> handling or validation of input data provided through the sysfs
>> interface during the min_bytes_store operation. This erroneous zero
>> value leads to a divide error exception when the kernel tries to
>> perform the division. The issue occurs while processing a sysfs write
>> operation (min_bytes_store), suggesting that invalid or uninitialized
>> data supplied through sysfs triggers the faulty calculation,
>> ultimately causing the kernel to crash.
>>
>> Thank you for your time and attention.
>>
>> Best regards
>>
>> Wall