Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp1561300pxx; Fri, 30 Oct 2020 13:00:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwOojmy7jDy1GnGnxrrjZUmSYNtpcZHKawMKtRGlX60ZvDuaQY/yoxa1Olv3E2I9uW4jT3q X-Received: by 2002:a05:6402:143a:: with SMTP id c26mr4407684edx.150.1604088032845; Fri, 30 Oct 2020 13:00:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604088032; cv=none; d=google.com; s=arc-20160816; b=igLHkJy/wKz37l1Iq2l87hoghV8GmTU+K+dEzilYDoEKMKjlbohn3Xhm/dKWAvT7Q8 ispRTtsZ7DcFXlA39zC8yxnvxQTNT9NOgUlgndMWKA/XWFP4Hzd3wVnE7uSOsuc3PBVp 9CEV5NpCPcDRvdN66oy9knC8m3btoh+tWL49U5fX7uRC69GBaU/6HjeP3gNx5bC9ltr3 +j3+T/IqrgPTFZH+5mZfFFJZXy+w/Zi4BXqJbKExQYEQ+UghriOo8vODhpLu0R0Jy/tS xzJVT2j5ZuXRDcmgWzWgnkgw5xlaOf3k1NymtOdZnYxr8IudM18iyAat+kY1ryvDUFeh W6Eg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=xCXdIDDEOQ4sp35BxxEEwDK4u7wEsOXSjw7fR5lQ1JM=; b=ZU7k92+UJK7ynbIn0yyExgnMJydr8vvPwu8vT/0oP0FwaujR0LW3+TbziU8u+TzGiT yPy5m6GDgKBLakcEggq00An7MdcijiHYbJTeiolfW0g1N+IPHk+kQBNXk+2roAUUL7ap /iWz9vact4Eg2jOi9U2syaSzwBz/ZjB7oZMTu8Do20Y2IqPz8CUOImaf3MXbmd2AFSpr BJTY7rAue0esMjZwmoOvqp44+ds306Nm6F0yLOCaPe6bV+q4s9M/lgULzvJC2v7Pukr4 w8ShQt+QepXxaXROW7aVt6fieIoul1IqIVYrk+dwu1u82GjWn0kiSbVAsHQWNYoxgUqc J2yw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vSrIWJfP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o6si4879241eju.647.2020.10.30.13.00.09; Fri, 30 Oct 2020 13:00:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vSrIWJfP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727206AbgJ3T42 (ORCPT + 99 others); Fri, 30 Oct 2020 15:56:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57830 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726163AbgJ3T41 (ORCPT ); Fri, 30 Oct 2020 15:56:27 -0400 Received: from mail-qv1-xf42.google.com (mail-qv1-xf42.google.com [IPv6:2607:f8b0:4864:20::f42]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7CB46C0613D2 for ; Fri, 30 Oct 2020 12:56:27 -0700 (PDT) Received: by mail-qv1-xf42.google.com with SMTP id w5so3304624qvn.12 for ; Fri, 30 Oct 2020 12:56:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xCXdIDDEOQ4sp35BxxEEwDK4u7wEsOXSjw7fR5lQ1JM=; b=vSrIWJfPbZcyzboU1vKIyWhst9w6jkZcPg2Fd/Tyr/+5CsiSbu6ptsTz5Soh4jBnSD 3d1HnaDhJZn9EjJglKvv49w7CobE+jurkMtZr4ontDfkag7fi8SMbKRE9K9iDEHM8d/r b8PaN2BYUxO4vhprE3ysd+Nz+bafxOlSE52B/xKdBxRMgEE82BqyuUTkV/sN9j1nm33W 5pwRVCFeS/MgH+7kB9uvyyhPHbpiukb9ZrmJCP4YffU4dVFLpi0rS8nLvgsZQvkPSGxm A0+7Vg38JWaO54eyWDMDNHz8l0xAi5gk8+WQSphC/9CaBpqNYnuF2s2KwntRGphDdthR J1Ig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xCXdIDDEOQ4sp35BxxEEwDK4u7wEsOXSjw7fR5lQ1JM=; b=j8bi8Htp6A/xX5HOWEijIlsvgGYARad7EdsZqNWM/mLCxCAnecv5tl7soi8MSxAncE EDDMRN/1Xg9098s0niI1YZshch5qC1NfdpgBkgys8fbtpQKAPM7U2sbGmnEduD/SnFJO hTDKC+rp8zCPAL0a4TFos77QHCR9YGJL+UrAB5B2VrEDHa1MlL49BT6rpt4vWWrx37nw CCnL791YL8zY63LUi/AsP7q/5Slx5xsEtmxSWQ/52fPGCiO87vsQ37Ij9qriucLiirXc dtgBu53WxpQwJnZevHwvOpShLfwrbsGbwQC9x27I5Hsi6Qhm3XXvVU0y8F3KCY9IB3ld pRxQ== X-Gm-Message-State: AOAM533nQf7SO3A/MPeKSOrjIc6yvdiJUhdYYCZLWiGed2juTjwYOVGq kZi/UU5YUPUoyXVl3Z0sOMqXVqq3tAL64JnPrMnJwA== X-Received: by 2002:a0c:8d8b:: with SMTP id t11mr11297208qvb.13.1604087786355; Fri, 30 Oct 2020 12:56:26 -0700 (PDT) MIME-Version: 1.0 References: <0000000000008caae305ab9a5318@google.com> <000000000000a726a405ada4b6cf@google.com> In-Reply-To: From: Dmitry Vyukov Date: Fri, 30 Oct 2020 20:56:14 +0100 Message-ID: Subject: Re: general protection fault in security_inode_getattr To: Miklos Szeredi Cc: Ondrej Mosnacek , syzbot , Andrii Nakryiko , Alexei Starovoitov , bpf , Daniel Borkmann , James Morris , John Fastabend , Martin KaFai Lau , KP Singh , Linux kernel mailing list , Linux Security Module list , network dev , "Serge E. Hallyn" , Song Liu , syzkaller-bugs , Yonghong Song , linux-fsdevel , overlayfs Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 30, 2020 at 8:21 PM Miklos Szeredi wrote: > > > On Mon, Aug 24, 2020 at 11:00 PM Ondrej Mosnacek wrote: > > > > > > > > On Mon, Aug 24, 2020 at 9:37 PM syzbot > > > > wrote: > > > > > syzbot has found a reproducer for the following issue on: > > > > > > > > Looping in fsdevel and OverlayFS maintainers, as this seems to be > > > > FS/OverlayFS related... > > > > > > Hmm, the oopsing code is always something like: > > > > > > All code > > > ======== > > > 0: 1b fe sbb %esi,%edi > > > 2: 49 8d 5e 08 lea 0x8(%r14),%rbx > > > 6: 48 89 d8 mov %rbx,%rax > > > 9: 48 c1 e8 03 shr $0x3,%rax > > > d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) > > > 12: 74 08 je 0x1c > > > 14: 48 89 df mov %rbx,%rdi > > > 17: e8 bc b4 5b fe callq 0xfffffffffe5bb4d8 > > > 1c: 48 8b 1b mov (%rbx),%rbx > > > 1f: 48 83 c3 68 add $0x68,%rbx > > > 23: 48 89 d8 mov %rbx,%rax > > > 26: 48 c1 e8 03 shr $0x3,%rax > > > 2a:* 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction > > > 2f: 74 08 je 0x39 > > > 31: 48 89 df mov %rbx,%rdi > > > 34: e8 9f b4 5b fe callq 0xfffffffffe5bb4d8 > > > 39: 48 8b 1b mov (%rbx),%rbx > > > 3c: 48 83 c3 0c add $0xc,%rbx > > > > > > > > > And that looks (to me) like the unrolled loop in call_int_hook(). I > > > don't see how that could be related to overlayfs, though it's > > > definitely interesting why it only triggers from > > > overlay->vfs_getattr()->security_inode_getattr()... > > > > > > > 26: 48 c1 e8 03 shr $0x3,%rax > > > 2a:* 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction > > > > > > This access is part of KASAN check. But the original address kernel > > tries to access is NULL, so it's not an issue with KASAN. > > > > The line is this: > > > > int security_inode_getattr(const struct path *path) > > { > > if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) > > return 0; > > > > So it's either path is NULL, or something in d_backing_inode > > dereferences NULL path->dentry. > > > > The reproducer does involve overlayfs: > > > > mkdir(&(0x7f0000000240)='./file1\x00', 0x0) > > mkdir(&(0x7f0000000300)='./bus\x00', 0x0) > > r0 = creat(&(0x7f00000000c0)='./bus/file1\x00', 0x0) > > mkdir(&(0x7f0000000080)='./file0\x00', 0x0) > > mount$overlay(0x400002, &(0x7f0000000000)='./bus\x00', > > &(0x7f0000000100)='overlay\x00', 0x0, > > &(0x7f00000003c0)=ANY=[@ANYBLOB='upperdir=./file1,lowerdir=./bus,workdir=./file0,metacopy=on']) > > link(&(0x7f0000000200)='./bus/file1\x00', &(0x7f00000002c0)='./bus/file0\x00') > > write$RDMA_USER_CM_CMD_RESOLVE_ADDR(r0, 0x0, 0x0) > > acct(&(0x7f0000000040)='./bus/file0\x00') > > > > Though, it may be overlayfs-related, or it may be a generic bug that > > requires a tricky reproducer and the only reproducer syzbot come up > > with happened to involve overlayfs. > > But there are 4 reproducers on syzbot dashboard and all of them > > involve overlayfs and they are somewhat different. So my bet would be > > on overlayfs. > > Seems there's no C reproducer, though. Can this be reproduced > without KASAN obfuscating the oops? I guess so. If you are interest in what exact field is NULL, I think there is enough info in the asm already: > > > 2: 49 8d 5e 08 lea 0x8(%r14),%rbx > > > 6: 48 89 d8 mov %rbx,%rax > > > 9: 48 c1 e8 03 shr $0x3,%rax > > > d: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) > > > 12: 74 08 je 0x1c > > > 14: 48 89 df mov %rbx,%rdi > > > 17: e8 bc b4 5b fe callq 0xfffffffffe5bb4d8 > > > 1c: 48 8b 1b mov (%rbx),%rbx > > > 1f: 48 83 c3 68 add $0x68,%rbx > > > 23: 48 89 d8 mov %rbx,%rax > > > 26: 48 c1 e8 03 shr $0x3,%rax > > > 2a:* 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) <-- trapping instruction The access via the NULL pointer happens with offset 0x68: > > > 1f: 48 83 c3 68 add $0x68,%rbx So we just need to find what's here accesses with offset 0x68: > > if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) And that pointer itself was loaded from something at offset 0x8 previously: > > > 2: 49 8d 5e 08 lea 0x8(%r14),%rbx