From: Daniel Axtens
To: linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk
Cc: ajd@linux.ibm.com, mpe@ellerman.id.au, Daniel Axtens, syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com, syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com, syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com, syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
Subject: [PATCH v2] relay: handle alloc_percpu returning NULL in relay_open
Date: Thu, 19 Dec 2019 23:12:56 +1100
Message-Id: <20191219121256.26480-1-dja@axtens.net>
X-Mailing-List: linux-kernel@vger.kernel.org

alloc_percpu() may return NULL, which means chan->buf may be set to NULL.
In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an
invalid pointer:

BUG: Unable to handle kernel data access at 0x7dae0000
Faulting instruction address: 0xc0000000003f3fec
...
NIP [c0000000003f3fec] relay_open+0x29c/0x600
LR [c0000000003f3fc0] relay_open+0x270/0x600
Call Trace:
[c000000054353a70] [c0000000003f3fb4] relay_open+0x264/0x600 (unreliable)
[c000000054353b00] [c000000000451764] __blk_trace_setup+0x254/0x600
[c000000054353bb0] [c000000000451b78] blk_trace_setup+0x68/0xa0
[c000000054353c10] [c0000000010da77c] sg_ioctl+0x7bc/0x2e80
[c000000054353cd0] [c000000000758cbc] do_vfs_ioctl+0x13c/0x1300
[c000000054353d90] [c000000000759f14] ksys_ioctl+0x94/0x130
[c000000054353de0] [c000000000759ff8] sys_ioctl+0x48/0xb0
[c000000054353e20] [c00000000000bcd0] system_call+0x5c/0x68

Check if alloc_percpu returns NULL.

This was found by syzkaller both on x86 and powerpc, and the reproducer
it found on powerpc is capable of hitting the issue as an unprivileged
user.
Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com
Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com
Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com
Cc: Akash Goel
Cc: Andrew Donnellan # syzkaller-ppc64
Reviewed-by: Michael Ellerman
Reviewed-by: Andrew Donnellan
Cc: stable@vger.kernel.org # v4.10+
Signed-off-by: Daniel Axtens

--

v2: drop the NOWARN.

There's a syz reproducer on the powerpc syzbot that eventually hits the
bug, but it can take up to an hour or so before it keels over on a kernel
with all the syzkaller debugging on, and even longer on a production
kernel. I have been able to reproduce it once on a stock Ubuntu 5.0
ppc64le kernel.

CVE-2019-19462 has been assigned.

While only the process doing the syscall gets killed, it gets killed
while holding the relay_channels_mutex, so it blocks all future relay
activity.

---
 kernel/relay.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/relay.c b/kernel/relay.c
index ade14fb7ce2e..4b760ec16342 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -581,6 +581,11 @@ struct rchan *relay_open(const char *base_filename,
 		return NULL;
 
 	chan->buf = alloc_percpu(struct rchan_buf *);
+	if (!chan->buf) {
+		kfree(chan);
+		return NULL;
+	}
+
 	chan->version = RELAYFS_CHANNEL_VERSION;
 	chan->n_subbufs = n_subbufs;
 	chan->subbuf_size = subbuf_size;
-- 
2.20.1
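Review bot: the kfree(chan) on the new alloc_percpu() failure path is the right cleanup given the visible context: the `return NULL;` just above it is the failure path of chan's own allocation, and nothing else has been allocated between that point and `chan->buf = alloc_percpu(struct rchan_buf *);`, so freeing chan alone leaks nothing. One thing worth confirming outside this hunk is that the later error paths in relay_open(), once chan->buf is populated, release the per-cpu allocation with free_percpu() before freeing chan; the hunk itself does not show them. The check also has to be on the alloc_percpu() result rather than on a per_cpu_ptr() result, since per_cpu_ptr() on a NULL base yields a non-NULL but unmapped address, which matches the 0x7dae0000 fault address in the report.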
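The failure mode in the commit message, modelled in userspace as an added example that is not part of the patch or of kernel/relay.c. The `toy_alloc_percpu()`, `toy_per_cpu_ptr()`, `relay_open_unfixed()` and `relay_open_fixed()` functions and the `fail_percpu_alloc` knob are constructed stand-ins for the kernel's alloc_percpu()/per_cpu_ptr() and for relay_open() before and after the patch; the per-cpu stride is an arbitrary constant. It shows why the NULL check has to sit on the alloc_percpu() result: per_cpu_ptr() is pointer arithmetic, so a NULL base turns into a small non-NULL address (the 0x7dae0000-style fault in the report) that no downstream NULL check would catch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed userspace model, not kernel code: the names below only mimic
 * the shape of alloc_percpu()/per_cpu_ptr() so the bug can be run on a PC. */
#define NR_CPUS     4
#define PERCPU_SLOT 64   /* toy per-cpu stride in bytes (arbitrary) */

struct rchan_buf { int cpu; };
struct rchan {
    struct rchan_buf **buf;   /* per-cpu base pointer, as in kernel/relay.c */
    size_t n_subbufs;
};

static unsigned char percpu_area[NR_CPUS * PERCPU_SLOT];
int fail_percpu_alloc;        /* test knob: 1 = simulate alloc_percpu() failing */

/* Stand-in for alloc_percpu(): hands out a base pointer, or NULL on failure. */
static void *toy_alloc_percpu(void)
{
    if (fail_percpu_alloc)
        return NULL;
    memset(percpu_area, 0, sizeof percpu_area);
    return percpu_area;
}

/* Stand-in for per_cpu_ptr(): base + per-cpu offset, no NULL check.
 * Integer arithmetic is used so that a NULL base is well defined here. */
static void *toy_per_cpu_ptr(void *base, int cpu)
{
    return (void *)((uintptr_t)base + (uintptr_t)cpu * PERCPU_SLOT);
}

/* Address per_cpu_ptr() would compute from a NULL base: non-NULL for any
 * cpu > 0, yet unmapped, so a later "if (!ptr)" check would not help. */
uintptr_t slot_addr_for_null_base(int cpu)
{
    return (uintptr_t)toy_per_cpu_ptr(NULL, cpu);
}

/* Pre-patch shape: the per-cpu allocation result is stored unchecked. */
struct rchan *relay_open_unfixed(size_t n_subbufs)
{
    struct rchan *chan = calloc(1, sizeof *chan);
    if (!chan)
        return NULL;
    chan->buf = toy_alloc_percpu();   /* may be NULL; the caller later derefs it */
    chan->n_subbufs = n_subbufs;
    return chan;
}

/* Post-patch shape: fail early and free the only allocation made so far. */
struct rchan *relay_open_fixed(size_t n_subbufs)
{
    struct rchan *chan = calloc(1, sizeof *chan);
    if (!chan)
        return NULL;
    chan->buf = toy_alloc_percpu();
    if (!chan->buf) {
        free(chan);
        return NULL;
    }
    chan->n_subbufs = n_subbufs;
    return chan;
}

/* 1 when a channel object would lead to a bad per-cpu dereference. */
int chan_would_fault(const struct rchan *chan)
{
    return chan != NULL && chan->buf == NULL;
}

int main(void)
{
    fail_percpu_alloc = 1;
    struct rchan *bad = relay_open_unfixed(8);
    struct rchan *good = relay_open_fixed(8);

    printf("unfixed: chan=%p buf=%p slot(cpu 2)=%#lx would fault: %d\n",
           (void *)bad, bad ? (void *)bad->buf : NULL,
           (unsigned long)slot_addr_for_null_base(2), chan_would_fault(bad));
    printf("fixed:   relay_open returned %p\n", (void *)good);

    free(bad);
    free(good);
    return 0;
}
```

With the failure knob set, the unfixed path hands back a channel whose buf is NULL while the per-cpu slot address for cpu 2 is 0x80, non-NULL and unmapped; the fixed path returns NULL to the caller instead, which is the outcome the patch produces for __blk_trace_setup() in the reported trace.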