From: Tommi Rantala
To: Dave Jones, Kees Cook, Linux-MM, LKML, Laura Abbott, Ingo Molnar, Josh Poimboeuf, Mark Rutland, Eric Biggers
Subject: Re: sudo x86info -a => kernel BUG at mm/usercopy.c:78!
Date: Fri, 31 Mar 2017 08:40:00 +0300
Message-ID: <81379c63-674c-a37f-a6f6-5af385138a25@nokia.com>
In-Reply-To: <20170330200100.zcyndf3kimepg77o@codemonkey.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On 30.03.2017 23:01, Dave Jones wrote:
> On Thu, Mar 30, 2017 at 12:52:31PM -0700, Kees Cook wrote:
> > On Thu, Mar 30, 2017 at 12:41 PM, Dave Jones wrote:
> > > On Thu, Mar 30, 2017 at 09:45:26AM -0700, Kees Cook wrote:
> > > > On Wed, Mar 29, 2017 at 11:44 PM, Tommi Rantala
> > > > wrote:
> > > > > Hi,
> > > > >
> > > > > Running:
> > > > >
> > > > > $ sudo x86info -a
> > > > >
> > > > > On this HP ZBook 15 G3 laptop kills the x86info process with segfault and
> > > > > produces the following kernel BUG.
> > > > >
> > > > > $ git describe
> > > > > v4.11-rc4-40-gfe82203
> > > > >
> > > > > It is also reproducible with the fedora kernel: 4.9.14-200.fc25.x86_64
> > > > >
> > > > > Full dmesg output here: https://pastebin.com/raw/Kur2mpZq
> > > > >
> > > > > [ 51.418954] usercopy: kernel memory exposure attempt detected from
> > > > > ffff880000090000 (dma-kmalloc-256) (4096 bytes)
> > > >
> > > > This seems like a real exposure: the copy is attempting to read 4096
> > > > bytes from a 256 byte object.
> > >
> > > The code[1] is doing a 4k read from /dev/mem in the range 0x90000 -> 0xa0000
> > > According to arch/x86/mm/init.c:devmem_is_allowed, that's still valid..
> > >
> > > Note that the printk is using the direct mapping address. Is that what's
> > > being passed down to devmem_is_allowed now ? If so, that's probably what broke.
> >
> > So this is attempting to read physical memory 0x90000 -> 0xa0000, but
> > that's somehow resolving to a virtual address that is claimed by
> > dma-kmalloc?? I'm confused how that's happening...
>
> The only thing that I can think of would be a rogue ptr in the bios
> table, but that seems unlikely. Tommi, can you put strace of x86info -mp somewhere?
> That will confirm/deny whether we're at least asking the kernel to do sane things.

Indeed the bug happens when reading from /dev/mem:

https://pastebin.com/raw/ZEJGQP1X

# strace -f -y x86info -mp
[...]
open("/dev/mem", O_RDONLY) = 3
lseek(3, 1038, SEEK_SET) = 1038
read(3, "\300\235", 2) = 2
lseek(3, 646144, SEEK_SET) = 646144
read(3, "\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
lseek(3, 1043, SEEK_SET) = 1043
read(3, "w\2", 2) = 2
lseek(3, 645120, SEEK_SET) = 645120
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
lseek(3, 654336, SEEK_SET) = 654336
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
lseek(3, 983040, SEEK_SET) = 983040
read(3, "IFE$\245S\0\0\1\0\0\0\0\360y\0\0\360\220\260\30\237{=\23\10\17\0000\276\17\0"..., 65536) = 65536
lseek(3, 917504, SEEK_SET) = 917504
read(3, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"..., 65536) = 65536
lseek(3, 524288, SEEK_SET) = 524288
read(3, ) = ?
+++ killed by SIGSEGV +++
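
Added example, not part of the original message or of x86info: a small triage script that converts the address in the usercopy report to a physical address and pairs each lseek/read in the strace to find which /dev/mem request was in flight. The direct-map base 0xffff880000000000 is an assumption (x86_64 kernels of this era without memory randomization), and the sample lines are constructed from the thread with read buffers shortened.

```python
import re

# Assumption: x86_64 direct-map base for kernels of this era without memory
# randomization; the thread says the printk shows a direct mapping address.
DIRECT_MAP_BASE = 0xffff880000000000

# Constructed sample: the usercopy report and the tail of the strace from the
# thread (read buffers shortened; the last read has no length on the page).
DMESG = ("usercopy: kernel memory exposure attempt detected from "
         "ffff880000090000 (dma-kmalloc-256) (4096 bytes)")
STRACE = '''\
lseek(3, 983040, SEEK_SET) = 983040
read(3, "IFE$"..., 65536) = 65536
lseek(3, 917504, SEEK_SET) = 917504
read(3, "\\377\\377"..., 65536) = 65536
lseek(3, 524288, SEEK_SET) = 524288
read(3, ) = ?
'''

def parse_usercopy(line):
    """Return (physical address, slab cache, copy length) from a usercopy report."""
    m = re.search(r"detected (?:from|to) ([0-9a-f]{16}) \(([^)]+)\) \((\d+) bytes\)", line)
    return int(m.group(1), 16) - DIRECT_MAP_BASE, m.group(2), int(m.group(3))

def devmem_requests(trace):
    """Pair each lseek with the read that follows; return (start, end_or_None)."""
    pos, out = None, []
    for line in trace.splitlines():
        if m := re.match(r"lseek\(\d+, (\d+), SEEK_SET\)", line):
            pos = int(m.group(1))
        elif line.startswith("read(") and pos is not None:
            done = re.search(r"\)\s*=\s*(\d+)$", line)
            # A read that never returned (process killed mid-call) has no byte count.
            out.append((pos, pos + int(done.group(1)) if done else None))
            pos = out[-1][1]
    return out

def suspect_request(trace, phys):
    """Return the start of the unfinished read at or below phys, else None."""
    starts = [s for s, e in devmem_requests(trace) if e is None and s <= phys]
    return max(starts) if starts else None

if __name__ == "__main__":
    phys, cache, length = parse_usercopy(DMESG)
    start = suspect_request(STRACE, phys)
    print(f"usercopy hit phys {phys:#x} in {cache} ({length} bytes)")
    print(f"unfinished /dev/mem read began at {start:#x}, {phys - start:#x} below the hit")
```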