Received: by 10.192.165.156 with SMTP id m28csp453425imm; Tue, 17 Apr 2018 13:05:08 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/Se836udSFqafDl2gE/1pL8XikPI1NZ1qC+lx6MI/70Nj1CpoTgExjerjXuvfyDF+F8UDx X-Received: by 2002:a17:902:bc44:: with SMTP id t4-v6mr3318696plz.2.1523995508417; Tue, 17 Apr 2018 13:05:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523995508; cv=none; d=google.com; s=arc-20160816; b=BYcqpMmvK/l4nq5gWsrqpOt84R4vSd+UG/xRU5TRH2WlIR9UHEf4hIYsGwAjIyhxDZ tcily5SYZr8q2z/hCQIVGVYmpnQzFIXnB5Nqw4VqvlLf2yRi96Usl+sUKhuNWQ6/pj7w Fs4PlDwqNffdpHt2/m4d5PmQ1AoAG5DGkYtFg1TIA2yzR+p7DD9W1a5PzVen/1205PYZ 3KCsDOdP4ir0yS5lGxnLTcEGe3zb2GJLdZ0FUz0wbn4PKqKizj+zo4FiWQ3XzNlMGngd UD+rJJpSwONmplwwQcWP3ksSVwTsLaCnpXS7VdQJugKjqchnRex01udFoJetiqIW8Hwv m3HA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=; b=apZC3FYFmL0z0GzxLiAct/jUraZnGg2nHPHRNIhXJPFP1aeEwGzv185VLrl1F9L8sc eDOpOCOKdKP79oLAl1BxCZGOo0ljC3WkrTCJC6VSkEd+yNh0rM4s+pa5hZxTci2+jhNM wLdCwCdeDaLaDhalaRA+rUtMBdTTug+zm85LwSoI8dvhoaDgXNu2P8qB2APxrqGkN4i8 VMuLTamHZ7nSDacN0jSLsuscraO231x2txqrtjzjRWGbEHGjAs48uRp00PTj+seIEm0y fNeF2SE1ZQ7eI8t03vvCMsWE7lWqt9XvDiQbM1kXBT0RgmltPT83JuEEVN9U5lqkZChA fYJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=RLVriIlz; dkim=fail header.i=@chromium.org header.s=google header.b=RC3P8SON; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id be3-v6si14166995plb.75.2018.04.17.13.04.54; Tue, 17 Apr 2018 13:05:08 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=RLVriIlz; dkim=fail header.i=@chromium.org header.s=google header.b=RC3P8SON; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752848AbeDQUD0 (ORCPT + 99 others); Tue, 17 Apr 2018 16:03:26 -0400 Received: from mail-ua0-f194.google.com ([209.85.217.194]:39136 "EHLO mail-ua0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752651AbeDQUDY (ORCPT ); Tue, 17 Apr 2018 16:03:24 -0400 Received: by mail-ua0-f194.google.com with SMTP id g10so13445670ual.6 for ; Tue, 17 Apr 2018 13:03:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=; b=RLVriIlzyfSULQd6FDYWds6lphw+Q/64Cq68IHh1DuYumxeqH4daGlSEZz+51gst47 oaWVzCmOlfPoInjaCuhBb2tvmRtKAsHxNfVBYpx4AgFgY03tOhj4qy7c864Y8p+rqMqm kf8/pzr58bpi0gdRq8EQ4KYan7B64rpvQHoh5yx8977+v1zkXpdQ6jpHJa4lUXMfHu87 Fb80g3UsJklxxAZdBytXtbIAhlHFuypGa8a/T/ItCudNa2mlp5Hze0jQSAgSm8Pf6Omx zHMulnR6MGEWenzY/W3N4m7l0tRUHElB4pNoKbJIsFfbUSGOH2MPHRaS4bkraJlkv54Z UdwQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=; b=RC3P8SONn22L96GXBSFn+m1/KZYuJqMDFbWDr+fDc3fS4Us4tBdxbFq+1jZ0xFSJ23 8nKsn6GfPtTdiMOOiq9dKMiJKAQiQ02qS0PANFtwGNSungts+l4yGuRpL8Dv4NQDHHV8 rT9oNNNm2MnyWLf+5S2Si7YXwxluaWT1gFILI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=QSkBca6OEDYZnxRpR/FDASZa8cteQxcg+6/PpmX7AxI=; b=LLvzCWl2ofjzn70VviNkUT3hlmlFiuD7o3A8x5n+Un5/V7vV0GaHKrmNaLVF+aTpP8 z8+Lkf1UfH+il7u5K3w1M8maZ3NgyhSombVGXwiTQbNEDgK+9jkOa+yaj+mU5esMb/w0 cO/39XB/eccc0pobRuosOJHQlkWaPJeKGNh5OykVePMpF0dRiznokiUOMA9bB6SIfeW/ 3jV3FaVxzJOnGpSqQDGkHpoWVQzofd1zTesBxtcLurjZ37Ub0POQCPBxMnj+cRBWOny6 vDGSUNrffCKTS4IgL2YSnaHgSkIHc6rmHpEiKJZnMJ6y6nKzylS9fZDN2Bvl/gcHsFIu MTow== X-Gm-Message-State: ALQs6tDfDfqMY+SnSr/ZHka+vtKMi33JoHPHJnUTZybSemAPqgxauuN/ ly7P40OJvGB50bPeKQ4I0ho0xSNHzMzV7P7xzloAGg== X-Received: by 10.159.49.238 with SMTP id w43mr2653553uad.176.1523995403333; Tue, 17 Apr 2018 13:03:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Tue, 17 Apr 2018 13:03:22 -0700 (PDT) In-Reply-To: References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name> From: Kees Cook Date: Tue, 17 Apr 2018 13:03:22 -0700 X-Google-Sender-Auth: zzNgFiYzXTijY8lVcVWlOeEWq6w Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Oleksandr Natalenko , Jens Axboe , Bart Van Assche , Paolo Valente Cc: David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML , Christoph Hellwig , Hannes Reinecke , Johannes Thumshirn , linux-block@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 16, 2018 at 8:12 PM, Kees Cook wrote: > With a hardware watchpoint, I've isolated the corruption to here: > > bfq_dispatch_request+0x2be/0x1610: > __bfq_dispatch_request at block/bfq-iosched.c:3902 > 3900 if (rq) { > 3901 inc_in_driver_start_rq: > 3902 bfqd->rq_in_driver++; > 3903 start_rq: > 3904 rq->rq_flags |= RQF_STARTED; > 3905 } This state continues to appear to be "impossible". [ 68.845979] watchpoint triggered [ 68.846462] sense before:ffff8b8f9f6aae00 after:ffff8b8f9f6aae01 [ 68.847196] elevator before:ffff8b8f9a2c2000 after:ffff8b8f9a2c2000 [ 68.847905] elevator_data before:ffff8b8f9a2c0400 after:ffff8b8f9a2c0400 ... [ 68.856925] RIP: 0010:bfq_dispatch_request+0x99/0xad0 [ 68.857553] RSP: 0018:ffff900280c63a58 EFLAGS: 00000082 [ 68.858253] RAX: ffff8b8f9aefbe80 RBX: ffff8b8f9a2c0400 RCX: ffff8b8f9a2c0408 [ 68.859201] RDX: ffff8b8f9a2c0408 RSI: ffff900280c63b34 RDI: 0000000000000001 [ 68.860147] RBP: 0000000000000000 R08: 0000000f00000204 R09: 0000000000000000 [ 68.861122] R10: ffff900280c63af0 R11: 0000000000000040 R12: ffff8b8f9aefbe00 [ 68.862089] R13: ffff8b8f9a221950 R14: 0000000000000000 R15: ffff8b8f9a2c0770 Here we can see that sense buffer has, as we've seen, been incremented. However, the "before" values for elevator and elevator_data still match their expected values. As such, this should be "impossible", since: static struct request *__bfq_dispatch_request(struct blk_mq_hw_ctx *hctx) { struct bfq_data *bfqd = hctx->queue->elevator->elevator_data; ... if (rq) { inc_in_driver_start_rq: bfqd->rq_in_driver++; start_rq: rq->rq_flags |= RQF_STARTED; } exit: return rq; } For rq_in_driver++ to touch sense, bfqd must be equal to scsi_request - 12 bytes (rq_in_driver is 60 byte offset from struct bfq_data, and sense is 48 bytes offset from struct scsi_request). The above bfq_dispatch_request+0x99/0xad0 is still __bfq_dispatch_request at block/bfq-iosched.c:3902, just with KASAN removed. 0x99 is 153 decimal: (gdb) disass bfq_dispatch_request Dump of assembler code for function bfq_dispatch_request: ... 0xffffffff8134b2ad <+141>: test %rax,%rax 0xffffffff8134b2b0 <+144>: je 0xffffffff8134b2bd 0xffffffff8134b2b2 <+146>: addl $0x1,0x100(%rax) 0xffffffff8134b2b9 <+153>: addl $0x1,0x3c(%rbx) 0xffffffff8134b2bd <+157>: orl $0x2,0x18(%r12) 0xffffffff8134b2c3 <+163>: test %ebp,%ebp 0xffffffff8134b2c5 <+165>: je 0xffffffff8134b2ce 0xffffffff8134b2c7 <+167>: mov 0x108(%r14),%rax 0xffffffff8134b2ce <+174>: mov %r15,%rdi 0xffffffff8134b2d1 <+177>: callq 0xffffffff81706f90 <_raw_spin_unlock_irq> Just as a sanity-check, at +157 %r12 should be rq, rq_flags is 0x18 offset from, $0x2 is RQF_STARTED, so that maps to "rq->rq_flags |= RQF_STARTED", the next C statement. I don't know what +146 is, though? An increment of something 256 bytes offset? There's a lot of inline fun and reordering happening here, so I'm ignoring that for the moment. So at +153 %rbx should be bfqd (i.e. elevator_data), but this is the tripped instruction. The watchpoint dump shows RBX as ffff8b8f9a2c0400 ... which matches elevator_data. So, what can this be? Some sort of cache issue? By the time the watchpoint handler captures the register information, it's already masked the problem? I'm stumped again. :( -Kees -- Kees Cook Pixel Security