2014-12-22 14:25:32

by Sasha Levin

Subject: module,sysfs: gpf in module_attr_store

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel, I've stumbled on the following spew:

[ 2775.284941] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 2775.285681] Dumping ftrace buffer:
[ 2775.286124] (ftrace buffer empty)
[ 2775.286612] Modules linked in:
[ 2775.286999] CPU: 15 PID: 29531 Comm: trinity-c307 Tainted: G B 3.18.0-next-20141219-sasha-00047-gaab33f6-dirty #1627
[ 2775.288272] task: ffff8805c49aa000 ti: ffff8808f7734000 task.ti: ffff8808f7734000
[ 2775.289081] RIP: module_attr_store (kernel/params.c:894)
[ 2775.290021] RSP: 0018:ffff8808f7737c98 EFLAGS: 00010246
[ 2775.290021] RAX: dfffe90000000000 RBX: ffff88090b3b82f0 RCX: 0000000000001000
[ 2775.290021] RDX: ffff88061852c290 RSI: ffff88090b3bbd98 RDI: ffff88090b3b82f0
[ 2775.290021] RBP: ffff8808f7737cb8 R08: 0000000000000000 R09: 0000000000000000
[ 2775.290021] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88090b3bbd98
[ 2775.290021] R13: ffffffffb04544a0 R14: ffff88061852c290 R15: ffff88090b3bbd98
[ 2775.290021] FS: 00007f727b070700(0000) GS:ffff88064c400000(0000) knlGS:0000000000000000
[ 2775.290021] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2775.290021] CR2: 0000000077d9d000 CR3: 00000008f52e6000 CR4: 00000000000006a0
[ 2775.290021] DR0: ffffffff81000000 DR1: a200000080000000 DR2: 0000000000000000
[ 2775.290021] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 2775.290021] Stack:
[ 2775.290021] ffff8808f7737d08 ffffffffa09e85f7 ffff8802757c7480 ffffffffa04723b0
[ 2775.290021] ffff8808f7737d08 ffffffffa0c6d0b9 000000000000000f ffffffffa0c6952e
[ 2775.290021] ffff8808f7737cf8 ffff88061852c290 0000000000001000 ffff8805b1ae1948
[ 2775.290021] Call Trace:
[ 2775.290021] ? __kmalloc (mm/slub.c:3298)
[ 2775.290021] ? module_attr_show (kernel/params.c:883)
[ 2775.290021] sysfs_kf_write (fs/sysfs/file.c:132)
[ 2775.290021] ? kernfs_fop_write (include/linux/slab.h:436 fs/kernfs/file.c:287)
[ 2775.290021] ? sysfs_kf_bin_read (fs/sysfs/file.c:124)
[ 2775.290021] kernfs_fop_write (fs/kernfs/file.c:311)
[ 2775.290021] do_loop_readv_writev (fs/read_write.c:722)
[ 2775.290021] ? kernfs_vma_page_mkwrite (fs/kernfs/file.c:271)
[ 2775.290021] ? kernfs_vma_page_mkwrite (fs/kernfs/file.c:271)
[ 2775.290021] do_readv_writev (fs/read_write.c:854)
[ 2775.290021] ? preempt_count_sub (kernel/sched/core.c:2620)
[ 2775.290021] ? _raw_spin_unlock (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:183)
[ 2775.290021] ? vtime_account_user (kernel/sched/cputime.c:701)
[ 2775.290021] vfs_writev (fs/read_write.c:893)
[ 2775.290021] SyS_writev (fs/read_write.c:926 fs/read_write.c:917)
[ 2775.290021] tracesys_phase2 (arch/x86/kernel/entry_64.S:529)
[ 2775.290021] Code: 00 00 00 00 e9 ff df 48 89 fe 48 c1 ee 03 80 3c 06 00 75 35 48 83 7b 18 00 74 25 48 85 db 74 64 f6 c3 07 75 5f 4c 89 e6 48 89 df <ff> 53 18 48 98 48 83 c4 10 5b 41 5c 5d c3 0f 1f 80 00 00 00 00
All code
========
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: e9 ff df 48 89 jmpq 0xffffffff8948e008
9: fe 48 c1 decb -0x3f(%rax)
c: ee out %al,(%dx)
d: 03 80 3c 06 00 75 add 0x7500063c(%rax),%eax
13: 35 48 83 7b 18 xor $0x187b8348,%eax
18: 00 74 25 48 add %dh,0x48(%rbp,%riz,1)
1c: 85 db test %ebx,%ebx
1e: 74 64 je 0x84
20: f6 c3 07 test $0x7,%bl
23: 75 5f jne 0x84
25: 4c 89 e6 mov %r12,%rsi
28: 48 89 df mov %rbx,%rdi
2b:* ff 53 18 callq *0x18(%rbx) <-- trapping instruction
2e: 48 98 cltq
30: 48 83 c4 10 add $0x10,%rsp
34: 5b pop %rbx
35: 41 5c pop %r12
37: 5d pop %rbp
38: c3 retq
39: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
...

Code starting with the faulting instruction
===========================================
0: ff 53 18 callq *0x18(%rbx)
3: 48 98 cltq
5: 48 83 c4 10 add $0x10,%rsp
9: 5b pop %rbx
a: 41 5c pop %r12
c: 5d pop %rbp
d: c3 retq
e: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
...
[ 2775.290021] RIP module_attr_store (kernel/params.c:894)
[ 2775.290021] RSP <ffff8808f7737c98>


Thanks,
Sasha


2014-12-23 22:26:42

by Rusty Russell

Subject: Re: module,sysfs: gpf in module_attr_store

Sasha Levin <[email protected]> writes:
> Hi all,
>
> While fuzzing with trinity inside a KVM tools guest running the latest -next
> kernel, I've stumbled on the following spew:

Nice catch!

Thanks for the report,
Rusty.

Subject: param: initialize store function to NULL if not available.

I rebased Kees' 'param: do not set store func without write perm'
on top of my 'params: cleanup sysfs allocation'. However, my patch
uses krealloc which doesn't zero memory, leaving .store unset.

Reported-by: Sasha Levin <[email protected]>
Cc: Kees Cook <[email protected]>
Signed-off-by: Rusty Russell <[email protected]>

diff --git a/kernel/params.c b/kernel/params.c
index 0af9b2c4e56c..bd65d136a470 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -648,6 +648,8 @@ static __modinit int add_sysfs_param(struct module_kobject *mk,
/* Do not allow runtime DAC changes to make param writable. */
if ((kp->perm & (S_IWUSR | S_IWGRP | S_IWOTH)) != 0)
mk->mp->attrs[mk->mp->num].mattr.store = param_attr_store;
+ else
+ mk->mp->attrs[mk->mp->num].mattr.store = NULL;
mk->mp->attrs[mk->mp->num].mattr.attr.name = (char *)name;
mk->mp->attrs[mk->mp->num].mattr.attr.mode = kp->perm;
mk->mp->num++;
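Review bot: the new `else` branch fixes the one field the oops hit, but it keeps the pattern of filling the krealloc'd slot field by field, so any member this hunk does not assign still holds whatever bytes krealloc returned (the commit message itself notes krealloc does not zero). Zeroing the slot once before the `if`, e.g. `memset(&mk->mp->attrs[mk->mp->num], 0, sizeof(mk->mp->attrs[0]));`, would make every field defined and turn the explicit `.store = NULL` into documentation rather than the only guard. The comment above the `if` ("Do not allow runtime DAC changes to make param writable") would also benefit from stating why `.store` must be NULL for read-only params: the caller's only check before the indirect call is for NULL (the trapping `callq *0x18(%rbx)` in the report), so a stale non-NULL pointer is a wild call reachable from a sysfs write.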
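The bug class the patch fixes, as an added userspace model that is not code from the report, the patch or the kernel tree. add_param_buggy() mirrors the pre-patch shape of add_sysfs_param(): the attrs array is grown with realloc() (standing in for krealloc(), which likewise leaves the new tail unzeroed) and .store is assigned only when the param is writable. add_param_fixed() mirrors the patched shape, and module_attr_store_model() mirrors the caller's only guard, the NULL check before the indirect call. The struct layout, the function names and the 0xA5 poisoning in grow() are assumptions chosen to make the stale-heap case deterministic.

```c
/*
 * Added demo (not kernel code): why an unassigned .store in a krealloc'd
 * slot turns a "read-only" sysfs param into a wild indirect call.
 * Names, struct layout and the 0xA5 poison are assumptions for the demo.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

struct mattr {
	const char *name;
	unsigned short mode;
	ssize_t (*store)(const struct mattr *, const char *, size_t);
};

struct module_param_attrs {
	unsigned int num;
	struct mattr *attrs;
};

static ssize_t param_attr_store(const struct mattr *a, const char *buf, size_t n)
{
	(void)a; (void)buf;
	return (ssize_t)n;	/* pretend the whole write was consumed */
}

/*
 * Stand-in for stale heap contents: krealloc() hands back whatever the
 * previous owner left in the new bytes. Filling the fresh slot with 0xA5
 * makes that deterministic here (assumption, not allocator behaviour).
 */
static struct mattr *grow(struct module_param_attrs *mp)
{
	struct mattr *a = realloc(mp->attrs, (mp->num + 1) * sizeof(*a));

	if (!a)
		abort();
	mp->attrs = a;
	memset(&a[mp->num], 0xA5, sizeof(*a));
	return &a[mp->num];
}

/* Pre-patch shape: .store is left as found for read-only params. */
static void add_param_buggy(struct module_param_attrs *mp, const char *name,
			    unsigned short perm)
{
	struct mattr *a = grow(mp);

	if ((perm & (S_IWUSR | S_IWGRP | S_IWOTH)) != 0)
		a->store = param_attr_store;
	a->name = name;
	a->mode = perm;
	mp->num++;
}

/* Patched shape: every field of the new slot gets a defined value. */
static void add_param_fixed(struct module_param_attrs *mp, const char *name,
			    unsigned short perm)
{
	struct mattr *a = grow(mp);

	if ((perm & (S_IWUSR | S_IWGRP | S_IWOTH)) != 0)
		a->store = param_attr_store;
	else
		a->store = NULL;
	a->name = name;
	a->mode = perm;
	mp->num++;
}

/* Model of module_attr_store(): a NULL check, then an indirect call. */
static ssize_t module_attr_store_model(const struct mattr *a, const char *buf,
				       size_t n)
{
	if (!a->store)
		return -EIO;
	return a->store(a, buf, n);
}

/* 1 if the buggy path leaves a read-only param with a garbage .store that
 * the NULL check would not catch (inspected only; calling it would crash). */
int buggy_ro_param_has_garbage_store(void)
{
	struct module_param_attrs mp = { 0, NULL };
	int garbage;

	add_param_buggy(&mp, "rw_param", 0644);
	add_param_buggy(&mp, "ro_param", 0444);
	garbage = mp.attrs[1].store != NULL && mp.attrs[1].store != param_attr_store;
	free(mp.attrs);
	return garbage;
}

/* Write result for a param added the fixed way: -EIO when read-only,
 * the byte count when writable. */
ssize_t fixed_param_store(unsigned short perm)
{
	struct module_param_attrs mp = { 0, NULL };
	ssize_t r;

	add_param_fixed(&mp, "first_param", 0644);
	add_param_fixed(&mp, "probe_param", perm);
	r = module_attr_store_model(&mp.attrs[1], "1\n", 2);
	free(mp.attrs);
	return r;
}

int main(void)
{
	printf("buggy: ro .store is non-NULL garbage: %d\n",
	       buggy_ro_param_has_garbage_store());
	printf("fixed: write to 0444 param -> %zd (EIO=%d)\n",
	       fixed_param_store(0444), EIO);
	printf("fixed: write to 0644 param -> %zd\n", fixed_param_store(0644));
	return 0;
}
```

The point the model makes: the -EIO guard in the caller only protects against NULL, so the fix has to guarantee the field is NULL, not merely hope the allocator returned zeroed memory.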