From: Dmitry Vyukov
Date: Fri, 30 Oct 2020 19:42:18 +0100
Subject: Re: general protection fault in security_inode_getattr
To: Miklos Szeredi
Cc: Ondrej Mosnacek, syzbot, Andrii Nakryiko, Alexei Starovoitov, bpf, Daniel Borkmann, James Morris, John Fastabend, Martin KaFai Lau, KP Singh, Linux kernel mailing list, Linux Security Module list, network dev, "Serge E. Hallyn", Song Liu, syzkaller-bugs, Yonghong Song, linux-fsdevel, overlayfs
References: <0000000000008caae305ab9a5318@google.com> <000000000000a726a405ada4b6cf@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Oct 30, 2020 at 2:02 PM Miklos Szeredi wrote:
>
> On Mon, Aug 24, 2020 at 11:00 PM Ondrej Mosnacek wrote:
> >
> > On Mon, Aug 24, 2020 at 9:37 PM syzbot wrote:
> > > syzbot has found a reproducer for the following issue on:
> >
> > Looping in fsdevel and OverlayFS maintainers, as this seems to be
> > FS/OverlayFS related...
>
> Hmm, the oopsing code is always something like:
>
> All code
> ========
>    0:   1b fe                   sbb    %esi,%edi
>    2:   49 8d 5e 08             lea    0x8(%r14),%rbx
>    6:   48 89 d8                mov    %rbx,%rax
>    9:   48 c1 e8 03             shr    $0x3,%rax
>    d:   42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)
>   12:   74 08                   je     0x1c
>   14:   48 89 df                mov    %rbx,%rdi
>   17:   e8 bc b4 5b fe          callq  0xfffffffffe5bb4d8
>   1c:   48 8b 1b                mov    (%rbx),%rbx
>   1f:   48 83 c3 68             add    $0x68,%rbx
>   23:   48 89 d8                mov    %rbx,%rax
>   26:   48 c1 e8 03             shr    $0x3,%rax
>   2a:*  42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)    <-- trapping instruction
>   2f:   74 08                   je     0x39
>   31:   48 89 df                mov    %rbx,%rdi
>   34:   e8 9f b4 5b fe          callq  0xfffffffffe5bb4d8
>   39:   48 8b 1b                mov    (%rbx),%rbx
>   3c:   48 83 c3 0c             add    $0xc,%rbx
>
> And that looks (to me) like the unrolled loop in call_int_hook(). I
> don't see how that could be related to overlayfs, though it's
> definitely interesting why it only triggers from
> overlay->vfs_getattr()->security_inode_getattr()...

>   26:   48 c1 e8 03             shr    $0x3,%rax
>   2a:*  42 80 3c 38 00          cmpb   $0x0,(%rax,%r15,1)    <-- trapping instruction

This access is part of the KASAN check. But the original address the kernel tries to access is NULL, so it's not an issue with KASAN.
The line is this:

int security_inode_getattr(const struct path *path)
{
        if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
                return 0;

So either path is NULL, or something in d_backing_inode dereferences a NULL path->dentry.
The reproducer does involve overlayfs:

mkdir(&(0x7f0000000240)='./file1\x00', 0x0)
mkdir(&(0x7f0000000300)='./bus\x00', 0x0)
r0 = creat(&(0x7f00000000c0)='./bus/file1\x00', 0x0)
mkdir(&(0x7f0000000080)='./file0\x00', 0x0)
mount$overlay(0x400002, &(0x7f0000000000)='./bus\x00', &(0x7f0000000100)='overlay\x00', 0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB='upperdir=./file1,lowerdir=./bus,workdir=./file0,metacopy=on'])
link(&(0x7f0000000200)='./bus/file1\x00', &(0x7f00000002c0)='./bus/file0\x00')
write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r0, 0x0, 0x0)
acct(&(0x7f0000000040)='./bus/file0\x00')

Though it may be overlayfs-related, or it may be a generic bug that requires a tricky reproducer, and the only reproducer syzbot came up with happened to involve overlayfs. But there are 4 reproducers on the syzbot dashboard and all of them involve overlayfs, and they are somewhat different. So my bet would be on overlayfs.
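The `shr $0x3` / `cmpb $0x0,(%rax,%r15,1)` pair that Dmitry singles out is the inline KASAN shadow check, so the trapping instruction validates an address rather than loading through it; recovering what that address was is the useful triage step. The script below is an added example, not code from the thread or from syzkaller: it walks the quoted listing with a tiny symbolic register model and reports which address each shadow check covered. It assumes that %r15 holds KASAN_SHADOW_OFFSET in this build (as the listing suggests) and reads `r14+0x8` as `&path->dentry` (struct path keeps dentry at +8 on 64-bit); the meaning of `+0x68` inside the dentry is left as an offset.

```python
import re

# Constructed sample input: the window of the "All code" listing quoted above, re-typed as-is.
OOPS_LISTING = """\
2: 49 8d 5e 08 lea 0x8(%r14),%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 bc b4 5b fe callq 0xfffffffffe5bb4d8
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 68 add $0x68,%rbx
23: 48 89 d8 mov %rbx,%rax
26: 48 c1 e8 03 shr $0x3,%rax
2a:* 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
"""

LINE_RE = re.compile(r'^([0-9a-f]+):(\*?)\s+(?:[0-9a-f]{2}\s+)+(\w+)\s*(\S*)')
# Inline KASAN check on x86-64: shadow byte at (addr >> 3) + KASAN_SHADOW_OFFSET; %r15 = offset (assumed).
SHADOW_OPERAND = '(%rax,%r15,1)'

def find_kasan_checks(listing):
    """One record per shadow check, with the checked address in terms of registers live at entry."""
    regs, pre_shift, checks = {}, None, []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, star, op, args = m.groups()
        if op == 'lea':                        # lea 0x8(%r14),%rbx  ->  r14+0x8 (&path->dentry)
            disp, base, dst = re.match(r'(0x[0-9a-f]+)\(%(\w+)\),%(\w+)', args).groups()
            regs[dst] = f'{regs.get(base, base)}+{disp}'
        elif op == 'mov':
            src, dst = args.split(',')
            if src.startswith('('):            # mov (%rbx),%rbx  ->  load through the pointer
                regs[dst[1:]] = f'*({regs.get(src[2:-1], src[2:-1])})'
            else:                              # mov %rbx,%rax  ->  plain register copy
                regs[dst[1:]] = regs.get(src[1:], src[1:])
        elif op == 'add':                      # add $0x68,%rbx  ->  field offset into the object
            imm, dst = args.split(',')
            regs[dst[1:]] = f'{regs.get(dst[1:], dst[1:])}+{imm[1:]}'
        elif op == 'shr' and args == '$0x3,%rax':
            pre_shift = regs.get('rax', 'rax')  # the address being validated, before >> 3
            regs['rax'] = f'({pre_shift})>>3'
        elif op == 'cmpb' and args.endswith(SHADOW_OPERAND):
            checks.append({'offset': int(offset, 16), 'trapping': star == '*',
                           'checked_address': pre_shift})
    return checks
```

On this listing the check that passed covered `r14+0x8` and the trapping one covered `*(r14+0x8)+0x68`, i.e. a field of the object that `path->dentry` points to, which is the dereference the reply is talking about.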