Date: Tue, 5 Nov 2024 15:35:07 +0200
From: "Kirill A. Shutemov"
To: Dmitry Antipov
Cc: Tycho Andersen, Alexander Viro, Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, lvc-project@linuxtesting.org, syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
Subject: Re: [PATCH] exec: do not pass invalid pointer to kfree() from free_bprm()
References: <20241105111344.2532040-1-dmantipov@yandex.ru>
In-Reply-To: <20241105111344.2532040-1-dmantipov@yandex.ru>

On Tue, Nov 05, 2024 at 02:13:44PM +0300, Dmitry Antipov wrote:
> Syzbot has reported the following BUG:
>
> kernel BUG at arch/x86/mm/physaddr.c:23!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 2 UID: 0 PID: 5869 Comm: repro Not tainted 6.12.0-rc5-next-20241101-syzkaller #0
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
> RIP: 0010:__phys_addr+0x16a/0x170
> Code: 40 a8 7a 8e 4c 89 f6 4c 89 fa e8 b1 4d aa 03 e9 45 ff ff ff e8 a7 1a 52 00 90 0f 0b e8 9f 1a 52 00 90 0f 0b e8 97 1a 52 00 90 <0f> 0b 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
> RSP: 0018:ffffc90002f7fda0 EFLAGS: 00010293
> RAX: ffffffff8143a369 RBX: 000000007ffffff2 RCX: ffff888106df5640
> RDX: 0000000000000000 RSI: 000000007ffffff2 RDI: 000000001fffffff
> RBP: 1ffff11020df6d09 R08: ffffffff8143a305 R09: 1ffffffff203a1f6
> R10: dffffc0000000000 R11: fffffbfff203a1f7 R12: dffffc0000000000
> R13: fffffffffffffff2 R14: 000000007ffffff2 R15: ffff88802bc12d58
> FS:  00007f01bd1a7600(0000) GS:ffff888062900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: fffffffffffffff8 CR3: 0000000011f80000 CR4: 00000000000006f0
> Call Trace:
>
>  ? __die_body+0x5f/0xb0
>  ? die+0x9e/0xc0
>  ? do_trap+0x15a/0x3a0
>  ? __phys_addr+0x16a/0x170
>  ? do_error_trap+0x1dc/0x2c0
>  ? __phys_addr+0x16a/0x170
>  ? __pfx_do_error_trap+0x10/0x10
>  ? handle_invalid_op+0x34/0x40
>  ? __phys_addr+0x16a/0x170
>  ? exc_invalid_op+0x38/0x50
>  ? asm_exc_invalid_op+0x1a/0x20
>  ? __phys_addr+0x105/0x170
>  ? __phys_addr+0x169/0x170
>  ? __phys_addr+0x16a/0x170
>  ? free_bprm+0x2b5/0x300
>  kfree+0x71/0x420
>  ? free_bprm+0x295/0x300
>  free_bprm+0x2b5/0x300
>  do_execveat_common+0x3ae/0x750
>  __x64_sys_execveat+0xc4/0xe0
>  do_syscall_64+0xf3/0x230
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f01bd0c36a9
> Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
> RSP: 002b:00007fff034da398 EFLAGS: 00000246 ORIG_RAX: 0000000000000142
> RAX: ffffffffffffffda RBX: 0000000000403e00 RCX: 00007f01bd0c36a9
> RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000004
> RBP: 0000000000000001 R08: 0000000000001000 R09: 0000000000403e00
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff034da4b8
> R13: 00007fff034da4c8 R14: 0000000000401050 R15: 00007f01bd1dca80
>
>
> Since 'bprm_add_fixup_comm()' may set 'bprm->argv0' to 'ERR_PTR()',
> an errno-lookalike invalid pointer should not be passed to 'kfree()'.
>
> Reported-by: syzbot+03e1af5c332f7e0eb84b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=03e1af5c332f7e0eb84b
> Fixes: 7afad450c998 ("exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case")
> Signed-off-by: Dmitry Antipov
> ---
>  fs/exec.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index ef18eb0ea5b4..df70ed8e36fe 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1496,7 +1496,8 @@ static void free_bprm(struct linux_binprm *bprm) > if (bprm->interp != bprm->filename) > kfree(bprm->interp); > kfree(bprm->fdpath); > - kfree(bprm->argv0); > + if (!IS_ERR(bprm->argv0)) > + kfree(bprm->argv0); > kfree(bprm); > }

It's better to avoid setting bprm->argv0 if strndup_user() fails.

diff --git a/fs/exec.c b/fs/exec.c
index ef18eb0ea5b4..9380e166eff5 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1504,6 +1504,7 @@ static int bprm_add_fixup_comm(struct linux_binprm *bprm, struct user_arg_ptr argv) { const char __user *p = get_user_arg_ptr(argv, 0); + char *argv0; /* * If p == NULL, let's just fall back to fdpath.
@@ -1511,10 +1512,11 @@ static int bprm_add_fixup_comm(struct linux_binprm *bprm, if (!p) return 0; - bprm->argv0 = strndup_user(p, MAX_ARG_STRLEN); - if (IS_ERR(bprm->argv0)) - return PTR_ERR(bprm->argv0); + argv0 = strndup_user(p, MAX_ARG_STRLEN); + if (IS_ERR(argv0)) + return PTR_ERR(argv0); + bprm->argv0 = argv0; return 0; }

-- 
  Kiryl Shutsemau / Kirill A. Shutemov
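Review bot: in the quoted free_bprm() hunk, wrapping the call in `if (!IS_ERR(bprm->argv0))` treats the symptom at the free site rather than the cause: the only way an error pointer gets into bprm->argv0 is bprm_add_fixup_comm() assigning strndup_user()'s return value to the field before testing it with IS_ERR(), so the invariant to restore is that the field holds NULL or a real allocation and never an errno. The check belongs at the assignment (copy into a local, test it, store only on success), leaving the hunk's original `kfree(bprm->argv0);` as it was; otherwise anything else that reads bprm->argv0 after a failed fixup inherits the same hazard.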
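Review bot: in the reply's second hunk (`@@ -1511,10 +1512,11 @@`), leaving bprm->argv0 untouched on the `IS_ERR(argv0)` path makes the unconditional `kfree(bprm->argv0)` in free_bprm() correct only if the field was NULL before bprm_add_fixup_comm() ran, which is not visible in this hunk and depends on struct linux_binprm being zero-initialised at allocation; the commit message should state that, since the trace shows free_bprm() being reached on exactly this error path from do_execveat_common(). The first hunk's new `char *argv0;` local is what carries the unchecked value in the meantime, so this version never stores an error pointer and the `if (!IS_ERR(bprm->argv0))` guard from the original patch becomes dead code; the two should not be combined. When resubmitted as a proper patch it needs the same Reported-by:, Closes: and Fixes: 7afad450c998 tags as the original.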
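An added example, not code from either patch or from fs/exec.c: a user-space model of the ERR_PTR()/IS_ERR()/PTR_ERR() convention that both fixes above hinge on. The error-pointer helpers are reimplemented here as stand-ins for linux/err.h, and strndup_user(), kfree(), bprm_add_fixup_comm() and free_bprm() are replaced by hypothetical `*_model` and `fixup_comm_*` functions that keep only the shape that matters. It runs the "store, then check" form of the original code and the "check, then store" form of the reply through the same unconditional free and counts how many error-encoded pointers reach it. The register dump above has R13 = fffffffffffffff2, i.e. -14, which on Linux is -EFAULT, consistent with strndup_user() failing to read the argv[0] pointer; the model triggers the same error with an address in the unmapped first page. MAX_ARG_STRLEN being 32 pages and struct linux_binprm being zero-initialised by its allocator are assumptions of the model, not facts shown on this page.

```c
/*
 * Added example: user-space model of the ERR_PTR()/IS_ERR() convention behind
 * the two fixes in this thread. Nothing here is kernel code; the helpers are
 * stand-ins for linux/err.h and the *_model / fixup_comm_* functions are
 * hypothetical replacements for strndup_user(), kfree(), bprm_add_fixup_comm()
 * and free_bprm().
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* linux/err.h convention: the top MAX_ERRNO addresses encode -errno. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *p) { return (long)p; }
static bool IS_ERR(const void *p)
{
	return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

#define MAX_ARG_STRLEN_MODEL (4096 * 32)          /* assumption: 32 pages */
#define UNMAPPED_USER_PTR ((const char *)0x10)    /* first page is unmapped */

struct binprm_model {
	char *argv0;  /* NULL or a buffer this struct owns; never an ERR_PTR */
};

/*
 * strndup_user() stand-in: returns a heap copy or an error pointer, never
 * NULL, which is exactly why "store, then check" is unsafe.
 */
static char *strndup_user_model(const char *p, size_t max)
{
	const char *end;
	size_t len;
	char *s;

	if ((unsigned long)p < 4096)
		return ERR_PTR(-EFAULT);      /* unreadable user address */
	end = memchr(p, '\0', max);
	if (!end)
		return ERR_PTR(-EINVAL);      /* over-long string */
	len = (size_t)(end - p);
	s = malloc(len + 1);
	if (!s)
		return ERR_PTR(-ENOMEM);
	memcpy(s, p, len + 1);
	return s;
}

/*
 * kfree() stand-in: NULL is a no-op, a heap pointer is freed, and an error
 * pointer is counted instead of crashing (the kernel path in the report
 * ends in the BUG at arch/x86/mm/physaddr.c:23 inside __phys_addr()).
 */
static int kfree_model(void *p)
{
	if (IS_ERR(p))
		return 1;
	free(p);
	return 0;
}

/* Shape of the original bprm_add_fixup_comm(): store, then check. */
static int fixup_comm_store_then_check(struct binprm_model *bprm, const char *p)
{
	if (!p)
		return 0;
	bprm->argv0 = strndup_user_model(p, MAX_ARG_STRLEN_MODEL);
	if (IS_ERR(bprm->argv0))
		return (int)PTR_ERR(bprm->argv0);   /* field now holds -errno */
	return 0;
}

/* Shape of the reply's version: check, then store. */
static int fixup_comm_check_then_store(struct binprm_model *bprm, const char *p)
{
	char *argv0;

	if (!p)
		return 0;
	argv0 = strndup_user_model(p, MAX_ARG_STRLEN_MODEL);
	if (IS_ERR(argv0))
		return (int)PTR_ERR(argv0);         /* field is still NULL */
	bprm->argv0 = argv0;
	return 0;
}

struct outcome {
	int ret;        /* what the fixup step returned: 0 or -errno */
	int bad_frees;  /* error pointers that reached kfree_model() */
};

/* One exec attempt: setup, then the unconditional free from free_bprm().
 * Assumes the struct starts zeroed, as a kzalloc()'d bprm would. */
static struct outcome exec_attempt(int (*fixup)(struct binprm_model *, const char *),
				   const char *user_argv0)
{
	struct binprm_model bprm = { .argv0 = NULL };
	struct outcome o;

	o.ret = fixup(&bprm, user_argv0);
	o.bad_frees = kfree_model(bprm.argv0);
	return o;
}

int main(void)
{
	struct outcome before = exec_attempt(fixup_comm_store_then_check, UNMAPPED_USER_PTR);
	struct outcome after = exec_attempt(fixup_comm_check_then_store, UNMAPPED_USER_PTR);

	printf("store-then-check: ret=%d bad_frees=%d\n", before.ret, before.bad_frees);
	printf("check-then-store: ret=%d bad_frees=%d\n", after.ret, after.bad_frees);
	return 0;
}
```

Both variants report -EFAULT to the caller; the difference is only what the struct holds afterwards, and the unconditional free is the point at which that difference turns into the reported BUG.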