From: Kees Cook
Date: Tue, 17 Apr 2018 13:25:49 -0700
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To: Oleksandr Natalenko, Jens Axboe, Bart Van Assche, Paolo Valente
Cc: David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, LKML, Christoph Hellwig, Hannes Reinecke, Johannes Thumshirn, linux-block@vger.kernel.org
References: <10360653.ov98egbaqx@natalenko.name> <2864697.7uzmEJovl2@natalenko.name>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 17, 2018 at 1:20 PM, Kees Cook wrote:
> On Tue, Apr 17, 2018 at 1:03 PM, Kees Cook wrote:
>> The above bfq_dispatch_request+0x99/0xad0 is still
>> __bfq_dispatch_request at block/bfq-iosched.c:3902, just with KASAN
>> removed. 0x99 is 153 decimal:
>>
>> (gdb) disass bfq_dispatch_request
>> Dump of assembler code for function bfq_dispatch_request:
>> ...
>>    0xffffffff8134b2ad <+141>:   test   %rax,%rax
>>    0xffffffff8134b2b0 <+144>:   je     0xffffffff8134b2bd
>>    0xffffffff8134b2b2 <+146>:   addl   $0x1,0x100(%rax)
>>    0xffffffff8134b2b9 <+153>:   addl   $0x1,0x3c(%rbx)
>>    0xffffffff8134b2bd <+157>:   orl    $0x2,0x18(%r12)
>>    0xffffffff8134b2c3 <+163>:   test   %ebp,%ebp
>>    0xffffffff8134b2c5 <+165>:   je     0xffffffff8134b2ce
>>    0xffffffff8134b2c7 <+167>:   mov    0x108(%r14),%rax
>>    0xffffffff8134b2ce <+174>:   mov    %r15,%rdi
>>    0xffffffff8134b2d1 <+177>:   callq  0xffffffff81706f90 <_raw_spin_unlock_irq>
>>
>> Just as a sanity-check, at +157 %r12 should be rq, rq_flags is 0x18
>> offset from, $0x2 is RQF_STARTED, so that maps to "rq->rq_flags |=
>> RQF_STARTED", the next C statement. I don't know what +146 is, though?
>> An increment of something 256 bytes offset? There's a lot of inline
>> fun and reordering happening here, so I'm ignoring that for the
>> moment.
>
> No -- I'm reading this wrong. The RIP is the IP _after_ the trap, so
> +146 is the offender.
>
> [   29.284746] watchpoint @ ffff95d41a0fe580 triggered
> [   29.285349] sense before:ffff95d41f45f700 after:ffff95d41f45f701 (@ffff95d41a0fe580)
> [   29.286176] elevator before:ffff95d419419c00 after:ffff95d419419c00
> [   29.286847] elevator_data before:ffff95d419418c00 after:ffff95d419418c00
> ...
> [   29.295069] RIP: 0010:bfq_dispatch_request+0x99/0xbb0
> [   29.295622] RSP: 0018:ffffb26e01707a40 EFLAGS: 00000002
> [   29.296181] RAX: ffff95d41a0fe480 RBX: ffff95d419418c00 RCX: ffff95d419418c08
>
> RAX is ffff95d41a0fe480 and sense is stored at ffff95d41a0fe580,
> exactly 0x100 away.
>
> WTF is this addl? What are the chances? :P

Two ++ statements in a row separated by a collapsed goto. FML. :)

...
                bfqq->dispatched++;
                goto inc_in_driver_start_rq;
...
inc_in_driver_start_rq:
                bfqd->rq_in_driver++;
...

And there's the 0x100 (256):

struct bfq_queue {
...
        int                        dispatched;           /*   256     4 */

So bfqq is corrupted somewhere... I'll keep digging. I hope you're all
enjoying my live debugging transcript. ;)

-Kees

-- 
Kees Cook
Pixel Security
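The reasoning step in the mail above (the reported RIP sits after the trapping instruction, so the previous instruction is the one to resolve, and its base register plus displacement should land on the watched address) can be turned into a repeatable check. The helper below is an added example, not code from the thread; its disassembly and oops excerpts are constructed samples trimmed from the lines quoted above, and the gdb/oops line formats it parses are assumptions about that output.

```python
import re

# Constructed samples, trimmed from the gdb and watchpoint output quoted in the mail.
DISASM = """\
   0xffffffff8134b2ad <+141>:   test   %rax,%rax
   0xffffffff8134b2b0 <+144>:   je     0xffffffff8134b2bd
   0xffffffff8134b2b2 <+146>:   addl   $0x1,0x100(%rax)
   0xffffffff8134b2b9 <+153>:   addl   $0x1,0x3c(%rbx)
   0xffffffff8134b2bd <+157>:   orl    $0x2,0x18(%r12)
"""
OOPS = """\
[   29.284746] watchpoint @ ffff95d41a0fe580 triggered
[   29.295069] RIP: 0010:bfq_dispatch_request+0x99/0xbb0
[   29.296181] RAX: ffff95d41a0fe480 RBX: ffff95d419418c00 RCX: ffff95d419418c08
"""

INSN_RE = re.compile(r"^\s*0x[0-9a-f]+ <\+(\d+)>:\s+(\S+)\s+(.*)$")
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%\w+)\)")  # AT&T disp(base) operand

def parse_disasm(text):
    """Map function offset -> (mnemonic, operands) for each gdb disassembly line."""
    insns = {}
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return insns

def parse_oops(text):
    """Pull the watchpoint address, the RIP offset and the 64-bit GPR values from the log."""
    wp = int(re.search(r"watchpoint @ ([0-9a-f]+)", text).group(1), 16)
    rip_off = int(re.search(r"RIP: \S+?\+0x([0-9a-f]+)/", text).group(1), 16)
    regs = {"%" + r.lower(): int(v, 16)
            for r, v in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text)}
    return wp, rip_off, regs

def faulting_access(disasm, oops):
    """Pick the instruction just before RIP (the trap fires after it retires),
    resolve its memory operand against the register dump and compare with the
    watched address. Returns (offset, operands, effective_address, hit)."""
    insns = parse_disasm(disasm)
    wp, rip_off, regs = parse_oops(oops)
    prev = max(o for o in insns if o < rip_off)
    _, ops = insns[prev]
    m = MEM_RE.search(ops)
    if not m or m.group(2) not in regs:
        return prev, ops, None, False
    disp = int(m.group(1), 16) if m.group(1) else 0
    ea = regs[m.group(2)] + disp
    return prev, ops, ea, ea == wp

if __name__ == "__main__":
    off, ops, ea, hit = faulting_access(DISASM, OOPS)
    print(f"<+{off}> {ops} -> {ea:#x} {'hits' if hit else 'misses'} the watchpoint")
```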