From: Ard Biesheuvel
Date: Mon, 10 Sep 2018 22:02:38 +0200
Subject: Re: rng_dev_read: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64'
To: "Theodore Y. Ts'o", Meelis Roos, Linux Kernel list, "open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
In-Reply-To: <20180910195342.GD16557@thunk.org>
References: <20180910195342.GD16557@thunk.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10 September 2018 at 21:53, Theodore Y. Ts'o wrote:
> On Mon, Sep 10, 2018 at 08:08:51PM +0300, Meelis Roos wrote:
>> This is weekend's 4.19.0-rc2-00246-gd7b686ebf704 on a Thinkpad T460s.
>> There seems to be a usercopy warning from rng_dev read (full dmesg
>> below).
>
> Looking at rng_dev_head(), which is in drivers/char/hw_random.c, it
> looks like this was probably caused by a problem in the specific
> hardware random number generator being used.  Can you tell us which
> one was in use?
>

The line right before the splat suggests that this is tpm_get_random()
in drivers/char/tpm/tpm-interface.c

[...]

>> [146535.257274] tpm tpm0: A TPM error (379) occurred attempting get random
>> [146535.257304] usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-64' (offset 0, size 379)!

The TPM return code '379' is returned from rng_get_data(), and
interpreted as a byte count rather than an error code.

>> [146535.257331] ------------[ cut here ]------------
>> [146535.257338] kernel BUG at mm/usercopy.c:102!
>> [146535.257361] invalid opcode: 0000 [#1] SMP PTI
>> [146535.257375] CPU: 0 PID: 1729 Comm: rngd Not tainted 4.19.0-rc2-00246-gd7b686ebf704 #36
>> [146535.257382] Hardware name: LENOVO 20F9003SMS/20F9003SMS, BIOS N1CET65W (1.33 ) 02/16/2018
>> [146535.257402] RIP: 0010:usercopy_abort+0x6f/0x71
>> [146535.257412] Code: 0f 45 c6 48 c7 c2 b4 26 80 a4 48 c7 c6 b5 53 7f a4 51 48 0f 45 f2 48 89 f9 41 52 48 89 c2 48 c7 c7 80 27 80 a4 e8 7e 3a ed ff <0f> 0b 49 89 e8 31 c9 44 89 e2 31 f6 48 c7 c7 e8 26 80 a4 e8 79 ff
>> [146535.257421] RSP: 0018:ffffbc4ec076bdb0 EFLAGS: 00010246
>> [146535.257433] RAX: 0000000000000065 RBX: ffff9c2d1464ad80 RCX: 0000000000000006
>> [146535.257441] RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff9c2d16a15500
>> [146535.257449] RBP: 000000000000017b R08: ffffffffa3f11900 R09: 0000000000000065
>> [146535.257457] R10: ffffffffa50908d8 R11: ffffffffa507efae R12: 0000000000000001
>> [146535.257463] R13: ffff9c2d1464aefb R14: 000000000000017b R15: 000000000000017b
>> [146535.257474] FS:  00007f023c524700(0000) GS:ffff9c2d16a00000(0000) knlGS:0000000000000000
>> [146535.257484] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [146535.257492] CR2: 00001834aa0fc000 CR3: 0000000309104005 CR4: 00000000003606f0
>> [146535.257499] Call Trace:
>> [146535.257524]  __check_heap_object+0xd5/0x100
>> [146535.257539]  __check_object_size+0xf5/0x17c
>> [146535.257554]  rng_dev_read+0x6e/0x270
>> [146535.257576]  __vfs_read+0x31/0x170
>> [146535.257604]  vfs_read+0x85/0x130
>> [146535.257631]  ksys_read+0x4a/0xb0
>> [146535.257658]  do_syscall_64+0x4a/0xf0
>> [146535.257695]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> [146535.257716] RIP: 0033:0x7f023c6f6394
>> [146535.257735] Code: 84 00 00 00 00 00 41 54 55 49 89 d4 53 48 89 f5 89 fb 48 83 ec 10 e8 8b fc ff ff 4c 89 e2 41 89 c0 48 89 ee 89 df 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 38 44 89 c7 48 89 44 24 08 e8 c7 fc ff ff 48
>> [146535.257748] RSP: 002b:00007f023c523e10 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
>> [146535.257767] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f023c6f6394
>> [146535.257776] RDX: 00000000000009c4 RSI: 0000563938a24f00 RDI: 0000000000000003
>> [146535.257790] RBP: 0000563938a24f00 R08: 0000000000000000 R09: 00007fff1df64080
>> [146535.257803] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000000009c4
>> [146535.257816] R13: 00007fff1dedba3f R14: 00007fff1dedba40 R15: 0000000000000000
>> [146535.257836] Modules linked in: ipheth tun ipt_MASQUERADE nf_conntrack_netlink iptable_nat nf_nat_ipv4 xt_addrtype iptable_filter bpfilter xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c br_netfilter bridge stp llc overlay fuse bnep cpufreq_userspace snd_hda_codec_hdmi iwlmvm mac80211 uvcvideo snd_hda_codec_realtek videobuf2_vmalloc cdc_mbim iwlwifi x86_pkg_temp_thermal videobuf2_memops snd_hda_codec_generic intel_powerclamp cdc_wdm videobuf2_v4l2 coretemp videobuf2_common joydev pcspkr cdc_ncm btusb snd_hda_intel iTCO_wdt btrtl iTCO_vendor_support btbcm snd_hda_codec videodev snd_hwdep media usbnet btintel snd_hda_core mii cdc_acm cfg80211 bluetooth ecdh_generic mei_me mei intel_pch_thermal tpm_crb tpm_tis tpm_tis_core thinkpad_acpi tpm pcc_cpufreq ip_tables dm_crypt dm_mod
>> [146535.258082]  dax hid_generic rtsx_pci_sdmmc mmc_core crct10dif_pclmul e1000e i2c_i801 rtsx_pci mfd_core
>> [146535.258139] ---[ end trace 40fa61fde8e22944 ]---
>> [146535.258260] RIP: 0010:usercopy_abort+0x6f/0x71
>> [146535.258290] Code: 0f 45 c6 48 c7 c2 b4 26 80 a4 48 c7 c6 b5 53 7f a4 51 48 0f 45 f2 48 89 f9 41 52 48 89 c2 48 c7 c7 80 27 80 a4 e8 7e 3a ed ff <0f> 0b 49 89 e8 31 c9 44 89 e2 31 f6 48 c7 c7 e8 26 80 a4 e8 79 ff
>> [146535.258315] RSP: 0018:ffffbc4ec076bdb0 EFLAGS: 00010246
>> [146535.258367] RAX: 0000000000000065 RBX: ffff9c2d1464ad80 RCX: 0000000000000006
>> [146535.258391] RDX: 0000000000000000 RSI: 0000000000000086 RDI: ffff9c2d16a15500
>> [146535.258421] RBP: 000000000000017b R08: ffffffffa3f11900 R09: 0000000000000065
>> [146535.258450] R10: ffffffffa50908d8 R11: ffffffffa507efae R12: 0000000000000001
>> [146535.258485] R13: ffff9c2d1464aefb R14: 000000000000017b R15: 000000000000017b
>> [146535.258520] FS:  00007f023c524700(0000) GS:ffff9c2d16a00000(0000) knlGS:0000000000000000
>> [146535.258555] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [146535.258593] CR2: 00001834aa0fc000 CR3: 0000000309104005 CR4: 00000000003606f0
>>
>> --
>> Meelis Roos (mroos@linux.ee)
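The failure mode Ard describes (a positive TPM return code flowing into the caller as if it were a byte count, so a 64-byte slab object is handed to the user copy with a length of 379) can be reproduced in userspace as a model. The following is an added example written for this page; it is not kernel code and not code from anyone in the thread. The functions fake_tpm_get_random(), get_data_unchecked(), get_data_checked(), usercopy_would_abort() and the demo_*() helpers are hypothetical names invented here; the only values taken from the thread are the 64-byte object size and the return code 379 quoted in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not kernel code).  A backend returns either "number of
 * bytes produced" or an error, and the caller copies `ret` bytes out.  If an
 * error surfaces as a POSITIVE value (the log shows TPM return code 379),
 * the caller sees a length of 379 while its slab buffer is only 64 bytes,
 * and the copy would read past the object.  Hardened usercopy caught that at
 * the copy boundary; the durable fix is a caller that never trusts a length
 * it did not bound itself.
 */

#define OBJ_SIZE     64    /* size of the 'kmalloc-64' object named in the splat */
#define TPM_RC_DEMO  379   /* the TPM return code quoted in the log line */

/* Hypothetical stand-in for the backend: on success fills `max` bytes and
 * returns `max`; on failure returns the positive TPM code. */
static int fake_tpm_get_random(uint8_t *buf, size_t max, int inject_error)
{
	if (inject_error)
		return TPM_RC_DEMO;          /* an error code, not a byte count */
	memset(buf, 0xA5, max);          /* constructed stand-in for random bytes */
	return (int)max;
}

/* Caller as the thread describes it: any non-negative return is taken as a
 * byte count.  Returns 0 and sets *len to what would be copied to userspace. */
static int get_data_unchecked(uint8_t *obj, size_t obj_size, int inject_error,
			      size_t *len)
{
	int ret = fake_tpm_get_random(obj, obj_size, inject_error);

	if (ret < 0)
		return ret;
	*len = (size_t)ret;              /* 379 here, although obj is 64 bytes */
	return 0;
}

/* Hardened caller: a "length" larger than the buffer that was handed to the
 * backend cannot be a real byte count, so it is rejected before any copy. */
static int get_data_checked(uint8_t *obj, size_t obj_size, int inject_error,
			    size_t *len)
{
	int ret = fake_tpm_get_random(obj, obj_size, inject_error);

	if (ret < 0)
		return ret;
	if ((size_t)ret > obj_size) {
		*len = 0;
		return -1;               /* treat an out-of-range value as failure */
	}
	*len = (size_t)ret;
	return 0;
}

/* The check hardened usercopy applies at the copy boundary: would
 * [offset, offset + len) leave the slab object?  Returns 1 if the copy
 * would be refused, 0 if it stays inside the object. */
static int usercopy_would_abort(size_t offset, size_t len, size_t obj_size)
{
	return (len > obj_size) || (offset > obj_size - len);
}

/* Scenario helpers returning the values worth checking. */
static size_t demo_unchecked_len(void)
{
	uint8_t obj[OBJ_SIZE];
	size_t len = 0;

	get_data_unchecked(obj, sizeof(obj), 1, &len);
	return len;                      /* 379: the bogus length reaches the copy */
}

static int demo_checked_rc(void)
{
	uint8_t obj[OBJ_SIZE];
	size_t len = 0;

	return get_data_checked(obj, sizeof(obj), 1, &len);   /* -1: rejected */
}

static size_t demo_checked_ok_len(void)
{
	uint8_t obj[OBJ_SIZE];
	size_t len = 0;

	if (get_data_checked(obj, sizeof(obj), 0, &len) != 0)
		return 0;
	return len;                      /* 64: a genuine byte count passes */
}

int main(void)
{
	size_t bad = demo_unchecked_len();

	printf("unchecked caller would copy %zu bytes from a %d-byte object: %s\n",
	       bad, OBJ_SIZE,
	       usercopy_would_abort(0, bad, OBJ_SIZE) ? "usercopy aborts" : "ok");
	printf("checked caller on TPM error: rc=%d\n", demo_checked_rc());
	printf("checked caller on success: %zu bytes\n", demo_checked_ok_len());
	return 0;
}
```

The splat in the report comes from mm/usercopy.c, i.e. the hardened usercopy boundary check modelled by usercopy_would_abort(): it turns a silent over-read of the slab object into a BUG. That is detection, not the fix; the fix belongs in the caller, which must treat any return value outside the range it requested as an error rather than a length, as get_data_checked() does.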