Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp1539896pxx; Fri, 30 Oct 2020 12:24:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxk1dQl+8WWq+Grhwf6j0AbsJJtaSaO4pcgnCZuUXtJ+XD/cD1ulp5LDVv0HR0ZdpErZ0VE X-Received: by 2002:a17:906:a20b:: with SMTP id r11mr4267147ejy.41.1604085867126; Fri, 30 Oct 2020 12:24:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604085867; cv=none; d=google.com; s=arc-20160816; b=0rTFh8MH1Q7vrdW1bJsD3RxWG3MD0oEs8R2jlJe3YqydPlnafEhmb7iu4Wr4s5pyGE uZ69p63S/zZdtONATeUblvQ05ZiHImcioIW7bKvdZJ2SCBjYilZlbebeZHUvsIiDu2wH rnkzPZ5c0I9pD5/BNch5L4OBMjtQlMMw8Ksew4OJtbX0c2tAHLnbZChRUMnexFhZIXAh YS70zjfSU6ZwpJQ6521TwXEilV3E7Nf5pfH3HW4kIhGYSMYSvOq7dAAy9f8l11wrMSNt Gj6KCNU9PjyVSejlmnyVLacQGj2NRXp6tlulra+dwTlbtKJw6Q4bVoh8V9GF4X9z2X9i PUrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8I5vCt7sQpLxqO9fFZglUpeymmnJZb+1HjzCHkxiFnI=; b=xPZP9cT+lBUKmStQ6Jep092p8+Is/TUawJwh4Hp/Lz1Ei1GXYbqCXiOlDWTovgGjKR NLQk0rOyQN31ofsSunXHBI2mbD+9OD0Av65Nkb+LbYTaw8H49s6skdw4C/aO2oHZh1VN VVdtyopZ0yIGlEuqTgu47uI0RJfXh8U9truz2yoJvEnLYn7zqciQx3YoF+onfNiXZQ6/ F9WdEKIvuA5lwBq4oeIsmNtkWd6MGGnuiTPfC6hJ0qxjZ+capS6P2msvqpfZWA7WISYz qJt8ceeqenaZJGkOfsyMHXALa3a4EUrk4DlSZMmVFXjcHONL2Hcz0USIyex2lljrgVIk qCGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=SuJtxiwk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d26si5115060ejy.425.2020.10.30.12.24.02; Fri, 30 Oct 2020 12:24:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=SuJtxiwk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727628AbgJ3TW2 (ORCPT + 99 others); Fri, 30 Oct 2020 15:22:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52490 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727645AbgJ3TVy (ORCPT ); Fri, 30 Oct 2020 15:21:54 -0400 Received: from mail-vk1-xa42.google.com (mail-vk1-xa42.google.com [IPv6:2607:f8b0:4864:20::a42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28CF9C0613D6 for ; Fri, 30 Oct 2020 12:21:54 -0700 (PDT) Received: by mail-vk1-xa42.google.com with SMTP id n189so1695359vkb.3 for ; Fri, 30 Oct 2020 12:21:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8I5vCt7sQpLxqO9fFZglUpeymmnJZb+1HjzCHkxiFnI=; b=SuJtxiwkoB6tT6rUkiqexK55I2Znto0HzbzoxVsqOK/P6c9gFQuP6oaZkgRXt529ZU a+bJWmyqi0+flho90rhtlkwHEs/7it0kmTdVLD/LJTnan7DMQe7EUfH5HwKopELvdr6c zUX1a7CTPjVwz/VH/TBiLoorR+ZXggEpvShSQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8I5vCt7sQpLxqO9fFZglUpeymmnJZb+1HjzCHkxiFnI=; b=HG/EzsZhJPRqZQzfmotnl0yCMvO/73P1cNy+rGB+DAyXBKj9ZJdccddaxPcKxavF0Y zDx5art9fLhxWp+7di6XLIkHfoV+gZCk8T3SH/s61bG+oJIuA2vzf2m3709wldc4XFaw egbMcgmJy/jZia2uDWIYHfB1DK/3c4ZKPcaKzJtLXaYQLzGe1lnFvWMSCWZh7ieWsWBF w75tgNeitdJH8/VWtNC3Ml/r0NgIy4zZfaCYKwTkjGbtj0h9TykTRt3SFx6Ur/BRBcvi KcSPPI1TYthrVRwzBxO7PRM5T8NmNfWSF6VJRjFvzEjVLt2/NOd7TmFOKQaO+rTbKCga tNVg== X-Gm-Message-State: AOAM530vupiFQpUWN+rgp87qO/wQrr8LpDLr4Yb/7RYUDAoP27fyZX9T gugFDpRJvPuonhBPzLwEBUtlw6S647//GjkavHFrkg== X-Received: by 2002:a1f:23d0:: with SMTP id j199mr8477163vkj.11.1604085713313; Fri, 30 Oct 2020 12:21:53 -0700 (PDT) MIME-Version: 1.0 References: <0000000000008caae305ab9a5318@google.com> <000000000000a726a405ada4b6cf@google.com> In-Reply-To: From: Miklos Szeredi Date: Fri, 30 Oct 2020 20:21:42 +0100 Message-ID: Subject: Re: general protection fault in security_inode_getattr To: Dmitry Vyukov Cc: Ondrej Mosnacek , syzbot , Andrii Nakryiko , Alexei Starovoitov , bpf , Daniel Borkmann , James Morris , John Fastabend , Martin KaFai Lau , KP Singh , Linux kernel mailing list , Linux Security Module list , network dev , "Serge E. Hallyn" , Song Liu , syzkaller-bugs , Yonghong Song , linux-fsdevel , overlayfs Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 30, 2020 at 7:42 PM Dmitry Vyukov wrote: > > On Fri, Oct 30, 2020 at 2:02 PM Miklos Szeredi wrote: > > > > On Mon, Aug 24, 2020 at 11:00 PM Ondrej Mosnacek wrote: > > > > > > On Mon, Aug 24, 2020 at 9:37 PM syzbot > > > wrote: > > > > syzbot has found a reproducer for the following issue on: > > > > > > Looping in fsdevel and OverlayFS maintainers, as this seems to be > > > FS/OverlayFS related... > > > > Hmm, the oopsing code is always something like: > > > > All code > > ======== > > 0: 1b fe sbb %esi,%edi > > 2: 49 8d 5e 08 lea 0x8(%r14),%rbx > > 6: 48 89 d8 mov %rbx,%rax > > 9: 48 c1 e8 03 shr $0x3,%rax > > d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) > > 12: 74 08 je 0x1c > > 14: 48 89 df mov %rbx,%rdi > > 17: e8 bc b4 5b fe callq 0xfffffffffe5bb4d8 > > 1c: 48 8b 1b mov (%rbx),%rbx > > 1f: 48 83 c3 68 add $0x68,%rbx > > 23: 48 89 d8 mov %rbx,%rax > > 26: 48 c1 e8 03 shr $0x3,%rax > > 2a:* 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction > > 2f: 74 08 je 0x39 > > 31: 48 89 df mov %rbx,%rdi > > 34: e8 9f b4 5b fe callq 0xfffffffffe5bb4d8 > > 39: 48 8b 1b mov (%rbx),%rbx > > 3c: 48 83 c3 0c add $0xc,%rbx > > > > > > And that looks (to me) like the unrolled loop in call_int_hook(). I > > don't see how that could be related to overlayfs, though it's > > definitely interesting why it only triggers from > > overlay->vfs_getattr()->security_inode_getattr()... > > > > 26: 48 c1 e8 03 shr $0x3,%rax > > 2a:* 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction > > > This access is part of KASAN check. But the original address kernel > tries to access is NULL, so it's not an issue with KASAN. > > The line is this: > > int security_inode_getattr(const struct path *path) > { > if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) > return 0; > > So it's either path is NULL, or something in d_backing_inode > dereferences NULL path->dentry. > > The reproducer does involve overlayfs: > > mkdir(&(0x7f0000000240)='./file1\x00', 0x0) > mkdir(&(0x7f0000000300)='./bus\x00', 0x0) > r0 = creat(&(0x7f00000000c0)='./bus/file1\x00', 0x0) > mkdir(&(0x7f0000000080)='./file0\x00', 0x0) > mount$overlay(0x400002, &(0x7f0000000000)='./bus\x00', > &(0x7f0000000100)='overlay\x00', 0x0, > &(0x7f00000003c0)=ANY=[@ANYBLOB='upperdir=./file1,lowerdir=./bus,workdir=./file0,metacopy=on']) > link(&(0x7f0000000200)='./bus/file1\x00', &(0x7f00000002c0)='./bus/file0\x00') > write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r0, 0x0, 0x0) > acct(&(0x7f0000000040)='./bus/file0\x00') > > Though, it may be overlayfs-related, or it may be a generic bug that > requires a tricky reproducer and the only reproducer syzbot come up > with happened to involve overlayfs. > But there are 4 reproducers on syzbot dashboard and all of them > involve overlayfs and they are somewhat different. So my bet would be > on overlayfs. Seems there's no C reproducer, though. Can this be reproduced without KASAN obfuscating the oops? Thanks, Miklos