2018-01-10 12:58:59

by syzbot

[permalink] [raw]
Subject: general protection fault in cgroup_fd_array_put_ptr

Hello,

syzkaller hit the following crash on
b4464bcab38d3f7fe995a7cb960eeac6889bec08
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.

audit: type=1400 audit(1515570486.989:11): avc: denied { map_read
map_write } for pid=3529 comm="syzkaller307587"
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf
permissive=1
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.15.0-rc7-next-20180110+ #93
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events bpf_map_free_deferred
RIP: 0010:css_put include/linux/cgroup.h:386 [inline]
RIP: 0010:cgroup_put include/linux/cgroup.h:415 [inline]
RIP: 0010:cgroup_fd_array_put_ptr+0x71/0x2a0 kernel/bpf/arraymap.c:573
RSP: 0018:ffff8801d98c7490 EFLAGS: 00010a07
RAX: 16c80037600001c6 RBX: 1ffff1003b318e92 RCX: ffffffff81821495
RDX: 0000000000000000 RSI: ffff8801cb5fd6a4 RDI: b64001bb00000e35
RBP: ffff8801d98c7518 R08: 1ffff1003b318e70 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: b64001bb00000dc9
R13: ffff8801d98c74f0 R14: dffffc0000000000 R15: b64001bb00000dc9
FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020680fe4 CR3: 0000000006822003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
fd_array_map_delete_elem kernel/bpf/arraymap.c:420 [inline]
bpf_fd_array_map_clear kernel/bpf/arraymap.c:461 [inline]
cgroup_fd_array_free+0xd2/0x150 kernel/bpf/arraymap.c:578
bpf_map_free_deferred+0xb0/0xe0 kernel/bpf/syscall.c:217
process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2112
worker_thread+0x223/0x1990 kernel/workqueue.c:2246
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x4b/0x60 arch/x86/entry/entry_64.S:547
Code: 45 88 30 14 82 81 c7 00 f1 f1 f1 f1 c7 40 04 00 f2 f2 f2 c7 40 08 f3
f3 f3 f3 e8 5b 4e ee ff 49 8d 7c 24 6c 48 89 f8 48 c1 e8 03 <42> 0f b6 14
30 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f
RIP: css_put include/linux/cgroup.h:386 [inline] RSP: ffff8801d98c7490
RIP: cgroup_put include/linux/cgroup.h:415 [inline] RSP: ffff8801d98c7490
RIP: cgroup_fd_array_put_ptr+0x71/0x2a0 kernel/bpf/arraymap.c:573 RSP:
ffff8801d98c7490
---[ end trace f8866c4ec1ba1916 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.


Attachments:
config.txt (131.01 kB)
raw.log (7.32 kB)
repro.txt (490.00 B)
repro.c (9.86 kB)
Download all attachments

2018-01-10 15:30:30

by Daniel Borkmann

[permalink] [raw]
Subject: Re: general protection fault in cgroup_fd_array_put_ptr

On 01/10/2018 01:58 PM, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on b4464bcab38d3f7fe995a7cb960eeac6889bec08
> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers

Currently looking into all of the reports. Looks they're all related to fd array
map. Will get back once I have some more data & managed to reproduce.

Thanks,
Daniel

2018-01-10 16:23:44

by Daniel Borkmann

[permalink] [raw]
Subject: Re: general protection fault in cgroup_fd_array_put_ptr

On 01/10/2018 04:30 PM, Daniel Borkmann wrote:
> On 01/10/2018 01:58 PM, syzbot wrote:
>> Hello,
>>
>> syzkaller hit the following crash on b4464bcab38d3f7fe995a7cb960eeac6889bec08
>> git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>> C reproducer is attached
>> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
>> for information about syzkaller reproducers
>
> Currently looking into all of the reports. Looks they're all related to fd array
> map. Will get back once I have some more data & managed to reproduce.

Ok, I know what's going on. Very roughly, we need something like the below
to check for overflows, this definitely fixes it for me. Cooking a proper
patch and doing some more analysis around it.

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index aaa3198..454f52c 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -76,11 +76,17 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
max_entries = attr->max_entries;
index_mask = roundup_pow_of_two(max_entries) - 1;

- if (unpriv)
+ if (unpriv) {
/* round up array size to nearest power of 2,
* since cpu will speculate within index_mask limits
*/
max_entries = index_mask + 1;
+ if (max_entries < attr->max_entries)
+ return ERR_PTR(-E2BIG);
+ }

array_size = sizeof(*array);
if (percpu)