From: Dmitry Vyukov
Date: Wed, 14 Nov 2018 08:52:46 -0800
Subject: Re: BUG: GPF in non-whitelisted uaccess (non-canonical address?)
To: David Herrmann, Dmitry Torokhov
Cc: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com, Benjamin Tissoires, Jiri Kosina, "open list:HID CORE LAYER", linux-kernel, syzkaller-bugs@googlegroups.com
References: <00000000000080f8fa057a67b75c@google.com> <0000000000002d2a5b057a94f7ff@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 14, 2018 at 4:20 AM, David Herrmann wrote:
> Hey
>
> On Wed, Nov 14, 2018 at 1:25 AM syzbot wrote:
>> syzbot has found a reproducer for the following crash on:
>>
>> HEAD commit:    ccda4af0f4b9 Linux 4.20-rc2
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13b4e77b400000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
>> dashboard link: https://syzkaller.appspot.com/bug?extid=72473edc9bf4eb1c6556
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1646a225400000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=108a6533400000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
>>
> [...]
>> BUG: GPF in non-whitelisted uaccess (non-canonical address?)
>
> This uses sendpage(2) to feed data from a file into a uhid chardev.
> The default behavior of the kernel is to create a temporary pipe, then
> splice from the file into the pipe, and then splice again from the
> pipe into uhid.
>
> The kernel provides default implementations for splicing between files
> and any other file. The default implementation of `.splice_write()`
> uses kmap() to map the page from the pipe and then uses
> __kernel_write() (which uses .f_op->write()) to push the data into the
> target file. The problem is, __kernel_write() sets the address-space
> to KERNEL_DS (`set_fs(get_ds())`), thus granting the UHID request access
> to kernel memory.
>
> I see several ways to fix that. The most simple solution is to simply
> prevent splice/sendpage on uhid (by setting f_op.splice_write to a
> dummy). Alternatively, we can implement a proper splice helper that
> takes the page directly, rather than through the __kernel_write()
> default implementation.

Also +dtor for uhid.
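The path David describes (sendpage into a temporary pipe, the default `.splice_write()` calling `__kernel_write()` under KERNEL_DS, and the driver's `.write()` then trusting `access_ok()`), together with the two fixes he sketches, as an added user-space model. This is not kernel code and not code from the thread or from the uhid driver: the address-limit constants, the `is_canonical` helper, the `outcome` enum and the stand-in `uhid_char_write` are simplified assumptions that only mirror the real checks closely enough to show why flipping the address limit around a driver write is dangerous, and why the "non-canonical address" in the Subject is the symptom one would expect. The page mapping (`kmap()`) is not modelled.

```c
/*
 * Model of: sendpage(2) -> pipe -> default .splice_write()
 *           -> __kernel_write() [set_fs(KERNEL_DS)] -> f_op->write()
 * Everything below is a user-space stand-in; values are illustrative.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 user/kernel split for the model (TASK_SIZE_MAX-like). */
#define USER_ADDR_LIMIT   0x00007ffffffff000ULL
/* KERNEL_DS: get_ds() sets the limit to the whole address space. */
#define KERNEL_ADDR_LIMIT 0xffffffffffffffffULL

/* Per-task address limit, as manipulated by set_fs(). */
static uint64_t addr_limit = USER_ADDR_LIMIT;
static void set_fs(uint64_t limit) { addr_limit = limit; }
static uint64_t get_fs(void) { return addr_limit; }

/* Model of access_ok(): the only range check copy_from_user() applies. */
static int access_ok(uint64_t addr, size_t len)
{
    return len <= addr_limit && addr <= addr_limit - len;
}

/* x86-64 canonical rule: bits 63..47 must all be equal (0 or 1). */
static int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Assumed outcomes of the driver dereferencing a request-supplied pointer. */
enum outcome { COPY_OK, COPY_EFAULT, COPY_READS_KERNEL_MEMORY, COPY_GPF };

/* Stand-in for the driver's .write(): it relies on access_ok() to keep
 * kernel memory out of reach, which is exactly what KERNEL_DS switches off. */
static enum outcome uhid_char_write(uint64_t user_ptr, size_t len)
{
    if (!access_ok(user_ptr, len))
        return COPY_EFAULT;              /* clean failure under USER_DS */
    if (!is_canonical(user_ptr))
        return COPY_GPF;                 /* hardware #GP on dereference */
    if (user_ptr > USER_ADDR_LIMIT)
        return COPY_READS_KERNEL_MEMORY; /* check passed for a kernel address */
    return COPY_OK;
}

/* Model of default_file_splice_write() -> __kernel_write(): the address
 * limit is raised to KERNEL_DS around the call into f_op->write(). */
static enum outcome default_splice_write(uint64_t ptr_in_request, size_t len)
{
    uint64_t old = get_fs();
    set_fs(KERNEL_ADDR_LIMIT);           /* set_fs(get_ds()) */
    enum outcome r = uhid_char_write(ptr_in_request, len);
    set_fs(old);
    return r;
}

/* Fix 1 from the thread: refuse splice/sendpage on the device outright. */
static int rejected_splice_write(void) { return -EINVAL; }

/* Fix 2 from the thread: a splice helper that passes the page to the driver
 * directly, so the address limit stays at USER_DS and the checks keep meaning. */
static enum outcome direct_splice_write(uint64_t ptr_in_request, size_t len)
{
    return uhid_char_write(ptr_in_request, len);
}

int main(void)
{
    /* Constructed sample pointers: one kernel address, one non-canonical. */
    uint64_t kernel_ptr = 0xffff888000000000ULL;
    uint64_t bogus_ptr  = 0x0000800000000000ULL;
    printf("default splice, kernel ptr:   %d\n", default_splice_write(kernel_ptr, 64));
    printf("default splice, bogus ptr:    %d\n", default_splice_write(bogus_ptr, 64));
    printf("direct splice,  kernel ptr:   %d\n", direct_splice_write(kernel_ptr, 64));
    printf("rejected splice:              %d\n", rejected_splice_write());
    return 0;
}
```

In the model, the same driver code returns a clean EFAULT for a kernel or non-canonical pointer when called with the user address limit, but reads kernel memory or faults with a #GP once the default splice path has widened the limit; both fixes keep the limit where the driver's own checks assume it is.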