Message-ID: <20391481-88bf-2ef4-cac5-7bd2d33c18d6@kernel.dk>
Date: Wed, 19 Apr 2023 15:07:29 -0600
Subject: Re: [PATCH] relayfs: fix out-of-bounds access in relay_file_read
To: Andrew Morton, zhangzhengming
Cc: surenb@google.com, wuchi.zero@gmail.com, Ilia.Gavrilov@infotecs.ru, xu.panda@zte.com.cn, colin.i.king@gmail.com, linux-kernel@vger.kernel.org, zhou.kete@h3c.com, Pengcheng Yang
References: <20230419040203.37676-1-zhang.zhengming@h3c.com> <20230419140325.b85d54794baaa828a19c138f@linux-foundation.org>
From: Jens Axboe
In-Reply-To:
<20230419140325.b85d54794baaa828a19c138f@linux-foundation.org>

On 4/19/23 3:03 PM, Andrew Morton wrote:
> On Wed, 19 Apr 2023 12:02:03 +0800 zhangzhengming wrote:
>
>> From: Zhang Zhengming
>>
>> There is a crash in relay_file_read, as the var from
>> points to the end of the last subbuf.
>> The oops looks something like:
>> pc : __arch_copy_to_user+0x180/0x310
>> lr : relay_file_read+0x20c/0x2c8
>> Call trace:
>>  __arch_copy_to_user+0x180/0x310
>>  full_proxy_read+0x68/0x98
>>  vfs_read+0xb0/0x1d0
>>  ksys_read+0x6c/0xf0
>>  __arm64_sys_read+0x20/0x28
>>  el0_svc_common.constprop.3+0x84/0x108
>>  do_el0_svc+0x74/0x90
>>  el0_svc+0x1c/0x28
>>  el0_sync_handler+0x88/0xb0
>>  el0_sync+0x148/0x180
>>
>> We get the condition by analyzing the vmcore:
>> 1). The last produced byte and last consumed byte
>>     are both at the end of the last subbuf
>> 2). A softirq that will call a function (e.g. __blk_add_trace)
>>     to write the relay buffer occurs when a program is calling
>>     the function relay_file_read_avail.
>>
>> relay_file_read
>>   relay_file_read_avail
>>     relay_file_read_consume(buf, 0, 0);
>>     //interrupted by softirq that will write subbuf
>>     ....
>>     return 1;
>>   //read_start points to the end of the last subbuf
>>   read_start = relay_file_read_start_pos
>>   //avail is equal to subsize
>>   avail = relay_file_read_subbuf_avail
>>   //from points to an invalid memory address
>>   from = buf->start + read_start
>>   //the system crashes
>>   copy_to_user(buffer, from, avail)
>
> Thanks. Hopefully Pengcheng Yang and Jens Axboe can comment.
Patch looks good to me, but that doesn't necessarily say much. I never
did much relayfs hacking, and the bits I did were probably almost 20
years ago at this point when I wrote blktrace...

-- 
Jens Axboe
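The arithmetic the commit message walks through, as an added user-space model that is not code from the patch, the kernel or anyone in this thread. The ring sizes, the struct and the function bodies are a simplified reconstruction that keeps the names used in the message (subbuf_size, n_subbufs, subbufs_consumed, bytes_consumed, read_start, avail); the modulo wrap in start_pos_wrapped is one way to keep the offset inside the ring and is an assumption of this model, not a statement of what the patch does. With the consumer parked at the end of the last sub-buffer, the unchecked position lands exactly one byte past the ring while avail is a full sub-buffer, which is the out-of-bounds copy_to_user the oops shows:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Small ring so the numbers are easy to follow; the shape matches the
 * relayfs layout described in the thread: n_subbufs sub-buffers of
 * subbuf_size bytes, laid out back to back from buf->start. */
#define SUBBUF_SIZE 64
#define N_SUBBUFS   4
#define BUF_BYTES   (SUBBUF_SIZE * N_SUBBUFS)

/* Reconstructed model of the consumer-side state, not the kernel struct. */
struct model_buf {
    unsigned char start[BUF_BYTES]; /* the ring itself, i.e. buf->start */
    size_t subbufs_consumed;        /* which sub-buffer is being read (mod N_SUBBUFS) */
    size_t bytes_consumed;          /* bytes already consumed inside it, 0..SUBBUF_SIZE */
};

/* Read position as the commit message describes it: consumed sub-buffers
 * times their size, plus the bytes consumed within the current one. When
 * the current sub-buffer is the last one and has been consumed entirely,
 * this equals BUF_BYTES, i.e. one byte past the end of the ring. */
static size_t start_pos_unchecked(const struct model_buf *b)
{
    return (b->subbufs_consumed % N_SUBBUFS) * SUBBUF_SIZE + b->bytes_consumed;
}

/* Same position folded back into the ring. A modulo over the whole ring is
 * one way to keep the offset valid; it is an assumption of this model, not
 * necessarily what the patch under discussion does. */
static size_t start_pos_wrapped(const struct model_buf *b)
{
    return start_pos_unchecked(b) % BUF_BYTES;
}

/* Bytes left in the sub-buffer that contains read_pos. At read_pos ==
 * BUF_BYTES this is a full SUBBUF_SIZE, matching "avail is equal to
 * subsize" in the commit message. */
static size_t subbuf_avail(size_t read_pos)
{
    return SUBBUF_SIZE - (read_pos % SUBBUF_SIZE);
}

/* 1 if [start, start + avail) lies entirely inside the ring, else 0.
 * Written without computing start + avail so it cannot overflow. */
static int range_in_bounds(size_t start, size_t avail)
{
    return start < BUF_BYTES && avail <= BUF_BYTES - start;
}

/* The vmcore precondition: consumer parked at the end of the last
 * sub-buffer. The producer having written since (the softirq) is what
 * makes the read path proceed; it does not change these two fields. */
static void set_end_of_last_subbuf(struct model_buf *b)
{
    memset(b, 0, sizeof(*b));
    b->subbufs_consumed = N_SUBBUFS - 1;
    b->bytes_consumed = SUBBUF_SIZE;
}

/* The read step from the commit message: compute read_start and avail,
 * then decide whether from = start + read_start may be copied. Returns 1
 * if the copy stays inside the ring, 0 if it would read past it (where
 * the kernel called copy_to_user and faulted). */
static int model_read(const struct model_buf *b, int wrap,
                      size_t *read_start_out, size_t *avail_out)
{
    size_t read_start = wrap ? start_pos_wrapped(b) : start_pos_unchecked(b);
    size_t avail = subbuf_avail(read_start);

    if (read_start_out)
        *read_start_out = read_start;
    if (avail_out)
        *avail_out = avail;
    return range_in_bounds(read_start, avail);
}

/* 1 if the described scenario reads out of bounds with the given policy. */
static int scenario_is_oob(int wrap)
{
    struct model_buf b;

    set_end_of_last_subbuf(&b);
    return !model_read(&b, wrap, NULL, NULL);
}

int main(void)
{
    struct model_buf b;
    size_t start, avail;
    int ok;

    set_end_of_last_subbuf(&b);
    ok = model_read(&b, 0, &start, &avail);
    printf("unchecked: read_start=%zu avail=%zu ring=%zu -> %s\n",
           start, avail, (size_t)BUF_BYTES, ok ? "in bounds" : "OUT OF BOUNDS");
    ok = model_read(&b, 1, &start, &avail);
    printf("wrapped:   read_start=%zu avail=%zu ring=%zu -> %s\n",
           start, avail, (size_t)BUF_BYTES, ok ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

The point the model makes is that the two halves of the check are independent: avail is computed from read_start mod subbuf_size and so looks perfectly sane (a full sub-buffer) even when read_start itself is already off the end of the ring, which is why a bounds test on the combined range, or a position that is folded back into the ring before use, is needed rather than a check on avail alone.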