From: Yu Zhao
Date: Sun, 12 Jun 2022 14:53:13 -0600
Subject: Re: [Bug 216073] New: [s390x] kernel BUG at mm/usercopy.c:101! usercopy: Kernel memory exposure attempt detected from vmalloc 'no area' (offset 0, size 1)!
To: Matthew Wilcox
Cc: Uladzislau Rezki, Zorro Lang, Alexander Gordeev, bugzilla-daemon@kernel.org, linux-s390@vger.kernel.org, linux-xfs@vger.kernel.org, Andrew Morton, Linux-MM, Kees Cook
References: <20220608021922.n2izu7n4yoadknkx@zlang-mailbox> <20220612044230.murerhsa765akogj@zlang-mailbox>
List: linux-mm@kvack.org

On Sun, Jun 12, 2022 at 1:52 PM Matthew Wilcox wrote:
>
> On Sun, Jun 12, 2022 at 12:43:45PM -0600, Yu Zhao wrote:
> > On Sun, Jun 12, 2022 at 12:05 PM Matthew Wilcox wrote:
> > >
> > > On Sun, Jun 12, 2022 at 11:59:58AM -0600, Yu Zhao wrote:
> > > > Please let me know if there is something we want to test -- I can
> > > > reproduce the problem reliably:
> > > >
> > > > ------------[ cut here ]------------
> > > > kernel BUG at mm/usercopy.c:101!
> > >
> > > The line right before cut here would have been nice ;-)
> >
> > Right.
> >
> > $ grep usercopy:
> > usercopy: Kernel memory exposure attempt detected from vmalloc (offset
> > 2882303761517129920, size 11)!
> > usercopy: Kernel memory exposure attempt detected from vmalloc (offset
> > 8574853690513436864, size 11)!
> > usercopy: Kernel memory exposure attempt detected from vmalloc (offset
> > 7998392938210013376, size 11)!
>
> That's a different problem. And, er, what? How on earth do we have
> an offset that big?!
>
> struct vm_struct *area = find_vm_area(ptr);
> offset = ptr - area->addr;
> if (offset + n > get_vm_area_size(area))
> usercopy_abort("vmalloc", NULL, to_user, offset, n);
>
> That first offset is 0x2800'0000'0000'30C0
>
> You said it was easy to replicate; can you add:
>
> printk("addr:%px ptr:%px\n", area->addr, ptr);
>
> so that we can start to understand how we end up with such a bogus
> offset?

Here you go:

addr:96ffffdfebcd4000 ptr:ffffffdfebcd70c0
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 7566047373982445760, size 11)!

And, not sure if it'd be helpful, with the vmap:

va_start:ffffffd83db0d000 va_end:ffffffd83db13000
addr:44ffffd83db0d000 ptr:ffffffd83db100c0
usercopy: Kernel memory exposure attempt detected from vmalloc (offset 13474770085092536512, size 11)!

which seems to explain why the fix worked.
+ if (offset + n > get_vm_area_size(area)) { + struct vmap_area *vmap = find_vmap_area((unsigned long)ptr); + + if (vmap) + printk("va_start:%px va_end:%px\n", vmap->va_start, vmap->va_end); + printk("addr:%px ptr:%px\n", area->addr, ptr); usercopy_abort("vmalloc", NULL, to_user, offset, n); + }
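Review bot: `vmap->va_start` and `vmap->va_end` are `unsigned long`, but `%px` takes a pointer argument, so the first added printk will trip printk's format checking; print them as `printk("va_start:%lx va_end:%lx\n", vmap->va_start, vmap->va_end);` or cast both to `(void *)`. Both added printks also carry no log level; even for a debug-only hunk like this one, `pr_info()` or `pr_err()` is the usual form and keeps the lines out of the default-level noise.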
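To read the numbers in this thread without a kernel, here is an added example (not code from the thread or from the kernel tree) that redoes the arithmetic of the usercopy check Matthew quoted, `offset = ptr - area->addr; if (offset + n > get_vm_area_size(area))`, in userspace, fed with the addr/ptr pairs Yu Zhao printed. `get_vm_area_size()` is replaced by an `area_size` parameter; the 0x6000 used below is an assumption taken from the printed `va_start`/`va_end` pair, and the function names are this example's own.

```c
/*
 * Added example, not code from this thread or from the kernel tree. It
 * redoes in userspace the arithmetic of the usercopy check quoted in the
 * thread:
 *
 *     area   = find_vm_area(ptr);
 *     offset = ptr - area->addr;
 *     if (offset + n > get_vm_area_size(area))
 *             usercopy_abort("vmalloc", NULL, to_user, offset, n);
 *
 * get_vm_area_size() is replaced by an area_size parameter; the 0x6000
 * used below is an assumption taken from the printed va_start/va_end pair.
 * All function names are this example's own.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TOP_BYTE_SHIFT 56
#define LOW56_MASK     ((UINT64_C(1) << TOP_BYTE_SHIFT) - 1)

/* The offset exactly as the kernel computes it: plain pointer subtraction. */
static uint64_t vmalloc_offset(uint64_t area_addr, uint64_t ptr)
{
	return ptr - area_addr;
}

/* The quoted bounds check; true means usercopy_abort() would fire. */
static bool usercopy_rejects(uint64_t area_addr, uint64_t ptr, uint64_t n,
			     uint64_t area_size)
{
	return vmalloc_offset(area_addr, ptr) + n > area_size;
}

/* Split a 64-bit value into its top byte and its low 56 bits. */
static unsigned top_byte(uint64_t v)
{
	return (unsigned)(v >> TOP_BYTE_SHIFT);
}

static uint64_t low56(uint64_t v)
{
	return v & LOW56_MASK;
}

/*
 * True when ptr lies inside the area once the top byte is ignored, i.e. the
 * huge offset is produced entirely by a mangled top byte in the base address
 * and not by ptr pointing outside the area.
 */
static bool base_top_byte_mangled(uint64_t area_addr, uint64_t ptr,
				  uint64_t area_size)
{
	uint64_t in_area = low56(ptr) - low56(area_addr);

	return top_byte(area_addr) != top_byte(ptr) && in_area < area_size;
}

int main(void)
{
	/* addr/ptr pairs copied from the printk output in the thread. */
	static const struct {
		uint64_t area_addr, ptr, va_start;
	} samples[] = {
		{ UINT64_C(0x96ffffdfebcd4000), UINT64_C(0xffffffdfebcd70c0), 0 },
		{ UINT64_C(0x44ffffd83db0d000), UINT64_C(0xffffffd83db100c0),
		  UINT64_C(0xffffffd83db0d000) },
	};
	const uint64_t n = 11;             /* "size 11" in the messages */
	const uint64_t area_size = 0x6000; /* assumption: va_end - va_start */

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t addr = samples[i].area_addr, ptr = samples[i].ptr;
		uint64_t off = vmalloc_offset(addr, ptr);

		printf("addr:%016" PRIx64 " ptr:%016" PRIx64 "\n", addr, ptr);
		printf("  offset %" PRIu64 " = top byte 0x%02x, low 56 bits 0x%" PRIx64 "\n",
		       off, top_byte(off), low56(off));
		printf("  check with area->addr as base: %s\n",
		       usercopy_rejects(addr, ptr, n, area_size) ? "abort" : "pass");
		printf("  only the top byte of the base is off: %s\n",
		       base_top_byte_mangled(addr, ptr, area_size) ? "yes" : "no");
		if (samples[i].va_start)
			printf("  check with va_start as base: %s\n",
			       usercopy_rejects(samples[i].va_start, ptr, n, area_size)
			       ? "abort" : "pass");
	}
	return 0;
}
```

Run on the thread's values, the offsets split into a top byte (0x69 and 0xbb for the two printed pairs; 0x28, 0x77 and 0x6f for the three offsets in the grep output) over identical low 56 bits of 0x30c0, and the check passes as soon as `va_start` rather than `area->addr` is used as the base, which is what the thread's last line observes.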