Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3031261pxk; Mon, 21 Sep 2020 03:35:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJznP4JpSksRs7rRR6QoT1MknJ5Lgd0z6aDtrHLQ1izIebYuF74Rjy4q2H9Bl4x9TkbSG5qc X-Received: by 2002:a50:fd87:: with SMTP id o7mr50703170edt.180.1600684541082; Mon, 21 Sep 2020 03:35:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600684541; cv=none; d=google.com; s=arc-20160816; b=BhgDQFs1HZQcwRbDVBgxXFaeFWXv+cRRDuQt86YZ9M25g6fSk1DxzyiIQWubUAs8gp 872Ds7vvgx02F90VeFjfLzt/SxyIPbrk/rp2N3cb+hG39QQx2gfzftD8mvRuyZ8bKtNS bDKV0Jlu2ALjaddK/bsUGoOTocHgICTg9J/AGCPT2A23BwS5KV/rzvJyMmCZU5V7+yfU oOe5crO/IijLYYhCjnPPDfIcTkNGugP+EK9pbY9G5JBnPQ6oIz+E8bRr6ehgalsr6I65 aFucufc0a5FrEFhylTygpHHN2rwf8jJzm0Mk9EHODMP+EKXP9NL+vrWP29x+GknndlTj NZmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=4RW7uOWPqJuefWE3kjs+/T9ydyhvEuJ2NKU1XmVlLyY=; b=QDM64IsWU9i7JeFeAg+zkATmkJHTU01kGS+RL+nlneMJraYxRCN6W2l24LlRp/LIrd vRjjK/w5GDLdpdrx8QL1jJTUVxwAAydUX9KllY8QrniG0WhoFUFrm7y4DjRI16T6TEen hg33165GPKQrP7DCliT/oVlMLn8uMtTRb2oDJ2fyr8f/qCfR14usfxyTXER1aIQgVs6f paSixt31I1qQ5Yhj43oNmCU/3vmMUzl8I8y9HC8wKVoolQMqN62an58cClrx4jlJmuR9 UBQ1J2wNJk481ntPLDhDLsCf4dpE+yHec2+XMTzP5wzPa6GiTtkyobqzPteHxd1VTenz gKSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b23si7871390edx.34.2020.09.21.03.35.17; Mon, 21 Sep 2020 03:35:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726743AbgIUKd3 convert rfc822-to-8bit (ORCPT + 99 others); Mon, 21 Sep 2020 06:33:29 -0400 Received: from eu-smtp-delivery-151.mimecast.com ([207.82.80.151]:34997 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726699AbgIUKdZ (ORCPT ); Mon, 21 Sep 2020 06:33:25 -0400 Received: from AcuMS.aculab.com (156.67.243.126 [156.67.243.126]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-108-DbCTplcGNneZ3ytIFDanIg-1; Mon, 21 Sep 2020 11:33:20 +0100 X-MC-Unique: DbCTplcGNneZ3ytIFDanIg-1 Received: from AcuMS.Aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) by AcuMS.aculab.com (fd9f:af1c:a25b:0:43c:695e:880f:8750) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 21 Sep 2020 11:33:19 +0100 Received: from AcuMS.Aculab.com ([fe80::43c:695e:880f:8750]) by AcuMS.aculab.com ([fe80::43c:695e:880f:8750%12]) with mapi id 15.00.1347.000; Mon, 21 Sep 2020 11:33:19 +0100 From: David Laight To: 'Rasmus Villemoes' , Al Viro , Andy Lutomirski CC: syzbot , "Aleksa Sarai" , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , LKML , Ingo Molnar , "Peter Zijlstra" , "syzkaller-bugs@googlegroups.com" , Thomas Gleixner , "X86 ML" Subject: RE: WARNING in ex_handler_uaccess Thread-Topic: WARNING in ex_handler_uaccess Thread-Index: AQHWkAEVdhxJQ/Fq7U+wxL6/+NIsNaly5Eug Date: Mon, 21 Sep 2020 10:33:19 +0000 Message-ID: <8bef09fd4d644f48a7c83aa18b653f76@AcuMS.aculab.com> References: <000000000000762dee05af9ccd01@google.com> <20200918235528.GB3421308@ZenIV.linux.org.uk> <20200919001714.GC3421308@ZenIV.linux.org.uk> In-Reply-To: Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C51A453 smtp.mailfrom=david.laight@aculab.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Rasmus Villemoes > Sent: 21 September 2020 11:22 > On 19/09/2020 02.17, Al Viro wrote: > > On Fri, Sep 18, 2020 at 05:07:43PM -0700, Andy Lutomirski wrote: > >> On Fri, Sep 18, 2020 at 4:55 PM Al Viro wrote: > >>> > >>> On Fri, Sep 18, 2020 at 04:31:33PM -0700, Andy Lutomirski wrote: > >>> > >>>> check_zeroed_user() looks buggy. It does: > >>>> > >>>> if (!user_access_begin(from, size)) > >>>> return -EFAULT; > >>>> > >>>> unsafe_get_user(val, (unsigned long __user *) from, err_fault); > >>>> > >>>> This is wrong if size < sizeof(unsigned long) -- you read outside the > >>>> area you verified using user_access_begin(). > >>> > >>> Read the code immediately prior to that. from will be word-aligned, > >>> and size will be extended accordingly. If the area acceptable for > >>> user_access_begin() ends *NOT* on a word boundary, you have a problem > >>> and I would strongly recommend to seek professional help. > >>> > >>> All reads in that thing are word-aligned and word-sized. So I very > >>> much doubt that your analysis is correct. > >> > >> Maybe -ETOOTIRED, but I seriously question the math in here. Suppose > >> from == (unsigned long *)1 and size == 1. Then align is 1, and we do: > >> > >> from -= align; > >> size += align; > >> > >> So now from = 0 and size = 2. Now we do user_access_begin(0, 2) and > >> then immediately read 4 or 8 bytes. No good. > > > > Could you explain what kind of insane hardware manages to do #PF-related > > checks (including SMAP, whatever) with *sub*WORD* granularity? > > > > If it's OK with 16bit read from word-aligned address, but barfs on 64bit > > one... I want to know what the hell had its authors been smoking. > > > > So, not sure how the above got triggered, but I notice there might be an > edge case in check_zeroed_user(): > > from -= align; > size += align; > > if (!user_read_access_begin(from, size)) > return -EFAULT; > > unsafe_get_user(val, (unsigned long __user *) from, err_fault); > > > Suppose size is (size_t)-3 and align is 3. What's the convention for > access_ok(whatever, 0)? Is that equivalent to access_ok(whatever, 1), or > is it always true (or $ARCH-dependent)? Doesn't matter, it will be doing access_ok(xxx, 8) regardless of the user-supplied transfer length. > But, AFAICT, no current caller of check_zeroed_user can end up passing > in a size that can overflow to 0. E.g. for the case at hand, size cannot > be more than SIZE_MAX-24. Basically KASAN doesn't like you reading full words and masking off the unused bytes. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)