Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp6918663imu;
        Wed, 14 Nov 2018 08:55:14 -0800 (PST)
X-Google-Smtp-Source: AJdET5dAudPUl3AgCje8JMSrfGXnQjkPBS+BlzBxZrgXDwgoctMrRZOmJzmehFWcrNOY5rmwMTsa
X-Received: by 2002:a63:ec4b:: with SMTP id r11mr2390063pgj.44.1542214514550;
        Wed, 14 Nov 2018 08:55:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542214514; cv=none;
        d=google.com; s=arc-20160816;
        b=0xlsKhZMc7kVJ3m2+giKqtSxGZG6lApeJ8Vz6GL15Y65/1cY0Iq1T1quFZDRfx6uqg
         K2lZHF2vD04U7KWJZOZYYpaGFY6vXapD51MtdTgKwPp2pDQ19mZM7GsvuYJI9rcDFzst
         o+YL4PVvYpIXQ/W516of4HDuuqKuRH9q0zNUb/cOaWR1XsaAeRIkjAeUJ0+MSmA5Hs07
         C4s7SY4b3e1ekEmt43oAwPB6aYX7a2OUR7DEIIE3EvmJo7m2wUceIdo4vnSzdzhK/abg
         Wrcm8IJAPoZSXQ0YpbDUaaHm7lPSdjBNFa+85oB0ZyebRcgGNSQh9eoVrQGnmcPbGfJJ
         qugQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature;
        bh=8oUlVQXUFUM9bB+4ICaT17c+/ifiDl+U97gagHW1d6s=;
        b=eqY5VUocgmsD96HQxUGec1rNk64C+kdFUl4vuTz0fYbkCbNg7gw/S/JeJ5fca1dcXb
         tSeONB1StzSWtNPkkceODopCs55n2MuB2yp/R43SsnhFjg3fCLZZ9rTabDf4UWDULzSa
         xkZNDFmk3uOrgCTco/LIHSbNtRgDQJ2aCVegK6lWbs3z9Hcfp5P/sQJ3sdtD/RyeFYLj
         Geb1K9QiL1vvud7FrotPgA/zE3v0FrombAC7o48qOPtwMbJUaWzvG/HKaqztdDWftda8
         ZZ6qNa7lDXQyVl1nHaFNPsBAaoIjm2z0cD4lxin0bltsEkBZXX3hXpIgsx1khKWtHLUF
         +Ivw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=oWpaLsON;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b25-v6si8086439pfo.240.2018.11.14.08.54.49;
        Wed, 14 Nov 2018 08:55:14 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=oWpaLsON;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732622AbeKOC5G (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Wed, 14 Nov 2018 21:57:06 -0500
Received: from mail-it1-f196.google.com ([209.85.166.196]:52534 "EHLO
        mail-it1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728085AbeKOC5G (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Nov 2018 21:57:06 -0500
Received: by mail-it1-f196.google.com with SMTP id t190-v6so24907018itb.2
        for <linux-kernel@vger.kernel.org>; Wed, 14 Nov 2018 08:53:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=8oUlVQXUFUM9bB+4ICaT17c+/ifiDl+U97gagHW1d6s=;
        b=oWpaLsONb2zIfyw0KX5aI2bED/FCJnkyoG2sSEBUYElFuTyP2KyfgbcdXRcU6aQVo4
         nuQZq9sTNWGlk5AY3GyWBtayOBqwxs7aSLx6skw9ChkifmCeKJpClfshrAVsRExhgjfk
         bxKN2rAuj8ZYQByFu2gFFP5S5FjjlTa8Nb2uzA6Jpvxq7sy9OqxJWWPIjwW/z4TZAGUi
         WpIfNU3Z62k+wPPXHnalAp2htgB86hD6TvoR7tzyUjOW9tHXcAVeO/GqWpe4ru0Sc0i6
         078yw/OsHliMW0Lm8DOqX8SgIGWVUOunnr5cFTNtmkm0QWrew90sfF8lVRIgp1lAf29/
         sljQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=8oUlVQXUFUM9bB+4ICaT17c+/ifiDl+U97gagHW1d6s=;
        b=hyySDBqFjX0xeWws7YOpPPCXR+jDX24I9V5omElNUzfK51IL0K/Bv6CHzc9cZzOjLA
         Hx/s1K6Zysv0BN2QoM+MuGon59TXsXpcofEDIX1UXgbYt3dOyNWzieU23cs7IV80L5/k
         2H6uRcN0hc2kyqnc82pZDgC58PJEzMnAcWfzgBzVSVVLCgQgmu+uoWU8Rblz3l9iMy1s
         0IWY7usCsxoamh36YkMmIWIiQXQrKRo0l9L8MPtH6ou/YTgy4xS001nzDjqMUOXWjmNm
         kyEEieL1P8O7c4tCoEFQ1eg1Sr4gx6lO9PO8wY1r/35/wcPNf0aeg9/ZyteeApY+aERM
         W9ag==
X-Gm-Message-State: AA+aEWZaU+C6iFxVLEX6l/HBOLFdnfczs0Yu3kUXUKoLJdNwLfj/l0Uw
        K9nvotJCBI9CAML6wfMxyiIrIdpX6AqZRExYK1zM8Q==
X-Received: by 2002:a24:b009:: with SMTP id d9-v6mr2481410itf.166.1542214386654;
 Wed, 14 Nov 2018 08:53:06 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a02:b003:0:0:0:0:0 with HTTP; Wed, 14 Nov 2018 08:52:46
 -0800 (PST)
In-Reply-To: <CANq1E4T6+bacZ9iGREtWiyM8eUkAQoxhgFM6rPrzNRkzAcnfJg@mail.gmail.com>
References: <00000000000080f8fa057a67b75c@google.com> <0000000000002d2a5b057a94f7ff@google.com>
 <CANq1E4T6+bacZ9iGREtWiyM8eUkAQoxhgFM6rPrzNRkzAcnfJg@mail.gmail.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Wed, 14 Nov 2018 08:52:46 -0800
Message-ID: <CACT4Y+b8801QqLe4axBct-cZ2a-jr2S2=MSRhg7rV20bPvUHxQ@mail.gmail.com>
Subject: Re: BUG: GPF in non-whitelisted uaccess (non-canonical address?)
To:     David Herrmann <dh.herrmann@gmail.com>,
        Dmitry Torokhov <dtor@google.com>
Cc:     syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com,
        Benjamin Tissoires <benjamin.tissoires@redhat.com>,
        Jiri Kosina <jikos@kernel.org>,
        "open list:HID CORE LAYER" <linux-input@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 14, 2018 at 4:20 AM, David Herrmann <dh.herrmann@gmail.com> wrote:
> Hey
>
> On Wed, Nov 14, 2018 at 1:25 AM syzbot
> <syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com> wrote:
>> syzbot has found a reproducer for the following crash on:
>>
>> HEAD commit:    ccda4af0f4b9 Linux 4.20-rc2
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13b4e77b400000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
>> dashboard link: https://syzkaller.appspot.com/bug?extid=72473edc9bf4eb1c6556
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1646a225400000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=108a6533400000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+72473edc9bf4eb1c6556@syzkaller.appspotmail.com
>>
> [...]
>> BUG: GPF in non-whitelisted uaccess (non-canonical address?)
>
> This uses sendpage(2) to feed data from a file into a uhid chardev.
> The default behavior of the kernel is to create a temporary pipe, then
> splice from the file into the pipe, and then splice again from the
> pipe into uhid.
>
> The kernel provides default implementations for splicing between files
> and any other file. The default implementation of `.splice_write()`
> uses kmap() to map the page from the pipe and then uses the
> __kernel_write() (which uses .f_op->write()) to push the data into the
> target file. The problem is, __kernel_write() sets the address-space
> to KERNEL_DS `set_fs(get_ds())`, thus granting the UHID request access
> to kernel memory.
>
> I see several ways to fix that, the most simple solution is to simply
> prevent splice/sendpage on uhid (by setting f_op.splice_write to a
> dummy). Alternatively, we can implement a proper splice helper that
> takes the page directly, rather than through the __kernel_write()
> default implementation.

also +dtor for uhid