From: Thomas Gleixner <tglx@linutronix.de>
To: Jann Horn, Alexei Starovoitov, Daniel Borkmann, John Fastabend, bpf
Cc: syzbot, akpm@linux-foundation.org, bp@alien8.de, bp@suse.de, dave.hansen@linux.intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, luto@kernel.org, mingo@redhat.com, netdev@vger.kernel.org, peterz@infradead.org, syzkaller-bugs@googlegroups.com, x86@kernel.org
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault
References: <000000000000c84343060a850bd0@google.com> <87jzqb1133.ffs@tglx>
Date: Fri, 08 Dec 2023 22:01:16 +0100
Message-ID: <87r0jwquhv.ffs@tglx>

On Fri, Dec 08 2023 at 15:11, Jann Horn wrote:
> On Tue, Nov 21, 2023 at 6:13 PM Thomas Gleixner wrote:
>> > BUG: unable to handle page fault for address: ffffffffff600000
>>
>> This is VSYSCALL_ADDR.
>>
>> So the real question is why the BPF program tries to copy from the
>> VSYSCALL page, which is not mapped.
>
> The linked syz repro is:
>
> r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb,
> &(0x7f0000000180)=@framed={{}, [@printk={@integer, {}, {}, {}, {},
> {0x7, 0x0, 0xb, 0x3, 0x0, 0x0, 0xff600000}, {0x85, 0x0, 0x0, 0x71}}]},
> &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0,
> 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
> 0x90)
> bpf$BPF_RAW_TRACEPOINT_OPEN(0x11,
> &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
>
> So syzkaller generated a BPF tracing program. 0x85 is BPF_JMP |
> BPF_CALL, which is used to invoke BPF helpers; 0x71 is 113, which is
> the number of the probe_read_kernel helper, which basically takes
> arbitrary values as input and casts them to kernel pointers, and then
> probe-reads them. And before that is some kinda ALU op with 0xff600000
> as immediate.
>
> So it looks like the answer to that question is "the BPF program tries
> to copy from the VSYSCALL page because syzkaller decided to write BPF
> code that does specifically that, and the BPF helper let it do that".

Indeed.

> copy_from_kernel_nofault() does check
> copy_from_kernel_nofault_allowed() to make sure the pointer really is
> a kernel pointer, and the X86 version of that rejects anything in the
> userspace part of the address space. But it does not know about the
> vsyscall area.

That's curable. Untested fix below.

Thanks for the explanation!

        tglx
---
diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c
index 6993f026adec..8e846833aa37 100644
--- a/arch/x86/mm/maccess.c
+++ b/arch/x86/mm/maccess.c
@@ -3,6 +3,8 @@
 #include
 #include
 
+#include
+
 #ifdef CONFIG_X86_64
 bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
 {
@@ -15,6 +17,9 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
 	if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
 		return false;
 
+	if ((vaddr & PAGE_MASK) == VSYSCALL_ADDR)
+		return false;
+
 	/*
 	 * Allow everything during early boot before 'x86_virt_bits'
 	 * is initialized. Needed for instruction decoding in early
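Review bot: in the first hunk the header name of the added `#include` is missing from the text as extracted (the line reads as a bare `#include`), so a reviewer cannot confirm from this mail that it is the header which defines VSYSCALL_ADDR; the include is also placed outside the `#ifdef CONFIG_X86_64` block while VSYSCALL_ADDR is only referenced inside it, which is harmless but worth a one-line justification in the changelog.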
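Review bot: in the second hunk the new `(vaddr & PAGE_MASK) == VSYSCALL_ADDR` test only inspects the page containing the start address and ignores the `size` argument of copy_from_kernel_nofault_allowed(), so a copy that begins on the page below VSYSCALL_ADDR and extends into it would still be allowed; the existing `vaddr < TASK_SIZE_MAX + PAGE_SIZE` check has the same start-only semantics, so either state that this is deliberate or make the vsyscall test range-aware (compare `vaddr + size` against VSYSCALL_ADDR as well). Since the patch is described as untested, rerunning the linked syz repro against it would settle whether the single-page check is sufficient for the reported case.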
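The discussion above is about a source-address filter: copy_from_kernel_nofault_allowed() rejects user-space addresses but, before the fix, did not know that the vsyscall page (VSYSCALL_ADDR, the faulting address ffffffffff600000 in the report) is unmapped. The following is an added illustration written for this page, not code from the thread or from the kernel; it models the x86-64 layout with constructed constants (MODEL_TASK_SIZE_MAX for 4-level paging, a 4 KiB page, the VSYSCALL_ADDR from the report) and contrasts a start-page-only check of the kind the patch adds with a range-aware variant that also rejects a copy which starts below the vsyscall page and runs into it. All function and macro names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the x86-64 address layout (assumption: 4-level
 * paging, 4 KiB pages). The real values come from the kernel headers. */
#define MODEL_PAGE_SIZE     ((uint64_t)4096)
#define MODEL_PAGE_MASK     (~(MODEL_PAGE_SIZE - 1))
#define MODEL_TASK_SIZE_MAX (((uint64_t)1 << 47) - MODEL_PAGE_SIZE)
#define MODEL_VSYSCALL_ADDR ((uint64_t)0xffffffffff600000)  /* from the report */

/* Start-page-only policy, in the spirit of the posted patch: reject any
 * user-space address, then reject a source whose first byte lies in the
 * vsyscall page. The length of the copy is not considered. */
bool nofault_allowed_page_check(uint64_t vaddr, size_t size)
{
	(void)size;
	if (vaddr < MODEL_TASK_SIZE_MAX + MODEL_PAGE_SIZE)
		return false;
	if ((vaddr & MODEL_PAGE_MASK) == MODEL_VSYSCALL_ADDR)
		return false;
	return true;
}

/* Range-aware policy: additionally rejects a copy [vaddr, vaddr + size)
 * that overlaps the vsyscall page from below, and any range whose end
 * address wraps around. */
bool nofault_allowed_range_check(uint64_t vaddr, size_t size)
{
	uint64_t end;

	if (vaddr < MODEL_TASK_SIZE_MAX + MODEL_PAGE_SIZE)
		return false;
	if ((vaddr & MODEL_PAGE_MASK) == MODEL_VSYSCALL_ADDR)
		return false;
	if (__builtin_add_overflow(vaddr, (uint64_t)size, &end))
		return false;
	/* Overlap test against the single vsyscall page. */
	if (vaddr < MODEL_VSYSCALL_ADDR + MODEL_PAGE_SIZE && end > MODEL_VSYSCALL_ADDR)
		return false;
	return true;
}

int main(void)
{
	/* Constructed sample requests: {start address, length}. */
	static const struct { uint64_t vaddr; size_t size; const char *what; } cases[] = {
		{ 0x00007fff00000000, 8,  "user-space address" },
		{ 0xffffffff81000000, 8,  "ordinary kernel address" },
		{ 0xffffffffff600000, 8,  "vsyscall page itself" },
		{ 0xffffffffff5ffff8, 16, "starts below, runs into vsyscall page" },
		{ 0xffffffffff601000, 8,  "page after vsyscall" },
		{ 0xfffffffffffffff8, 16, "range wraps past the top" },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		printf("%-40s page-check=%d range-check=%d\n", cases[i].what,
		       nofault_allowed_page_check(cases[i].vaddr, cases[i].size),
		       nofault_allowed_range_check(cases[i].vaddr, cases[i].size));
	}
	return 0;
}
```

The fourth and sixth sample cases are where the two policies disagree: the start page is a legitimate kernel page, so the page-granular check admits the copy, while the range-aware check sees that the copy would touch the unmapped page. Whether that matters in the kernel depends on how callers bound `size`, which is exactly the question a reviewer would ask about the patch.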