Date: Fri, 4 Feb 2022 12:36:22 +0000
From: Catalin Marinas
To: h00486469
Cc: will@kernel.org, Punit Agrawal, peterz@infradead.org, linux-kernel@vger.kernel.org, hejingxian@huawei.com, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] arm64: fix slab-out-of-bounds in emulation_proc_handler when accessing concurrently
References: <20220128090324.2727688-1-hewenliang4@huawei.com>
In-Reply-To: <20220128090324.2727688-1-hewenliang4@huawei.com>

I corrected Punit's email address. Also please cc linux-arm-kernel@lists.infradead.org in the future (you can use scripts/get_maintainer.pl to give you a hint on who to cc).

On Fri, Jan 28, 2022 at 05:03:24PM +0800, h00486469 wrote:
> From: hewenliang
>
> SAN reports an issue of slab-out-of-bounds in emulation_proc_handler
> when we try to read/write the interfaces in /proc/sys/abi concurrently.
> So we need to add emulation_proc_lock to protect table->data and insn
> from data corruption in emulation_proc_handler.
>
> The stack is as follows:
> Call trace:
>  dump_backtrace+0x0/0x310
>  show_stack+0x28/0x38
>  dump_stack+0xec/0x15c
>  print_address_description+0x68/0x2d0
>  kasan_report+0x130/0x2f0
>  __asan_load4+0x88/0xb0
>  emulation_proc_handler+0x58/0x158
>  proc_sys_call_handler+0x1dc/0x228
>  proc_sys_read+0x44/0x58
>  __vfs_read+0xe0/0x320
>  vfs_read+0xbc/0x1c0
>  __arm64_sys_read+0x50/0x60
>  el0_svc_common+0xc8/0x2b8
>  el0_svc_handler+0xf8/0x160
>  el0_svc+0x10/0x218
>
> Allocated by task 1:
>  kasan_kmalloc+0xe0/0x190
>  kmem_cache_alloc_trace+0x18c/0x418
>  register_insn_emulation+0x4c/0x2b0
>  armv8_deprecated_init+0x40/0x108
>  do_one_initcall+0xb4/0x508
>  kernel_init_freeable+0x7d0/0x8e0
>  kernel_init+0x20/0x1a8
>  ret_from_fork+0x10/0x18
>
> Memory state around the buggy address:
> >ffff8026dacf0b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>
> Fixes: 587064b610c7 ("arm64: Add framework for legacy instruction emulation")
> Signed-off-by: hewenliang
> Signed-off-by: hejingxian
> Signed-off-by: fulin
> ---
>  arch/arm64/kernel/armv8_deprecated.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c
> index 6875a16b09d2..d2ac483b0dd8 100644
> --- a/arch/arm64/kernel/armv8_deprecated.c
> +++ b/arch/arm64/kernel/armv8_deprecated.c
> @@ -59,6 +59,7 @@ struct insn_emulation {
>  static LIST_HEAD(insn_emulation);
>  static int nr_insn_emulated __initdata;
>  static DEFINE_RAW_SPINLOCK(insn_emulation_lock);
> +static DEFINE_MUTEX(emulation_proc_lock);
>  
>  static void register_emulation_hooks(struct insn_emulation_ops *ops)
>  {
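Review bot: the new `emulation_proc_lock` is added right below `insn_emulation_lock`, a raw spinlock, with no comment saying what each one protects or how they nest; a one-line comment stating that the mutex serialises the proc handler, and that it must never be acquired with the raw spinlock held (`mutex_lock()` can sleep), would save the next reader from guessing.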
> @@ -207,9 +208,12 @@ static int emulation_proc_handler(struct ctl_table *table, int write,
>  				  loff_t *ppos)
>  {
>  	int ret = 0;
> -	struct insn_emulation *insn = (struct insn_emulation *) table->data;
> -	enum insn_emulation_mode prev_mode = insn->current_mode;
> +	struct insn_emulation *insn;
> +	enum insn_emulation_mode prev_mode;
>  
> +	mutex_lock(&emulation_proc_lock);
> +	insn = (struct insn_emulation *) table->data;
> +	prev_mode = insn->current_mode;
>  	table->data = &insn->current_mode;
>  	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);

It looks like we update table->data to something that's not the original insn pointer just to be able to call proc_dointvec_minmax(). On a concurrent call, we'd get the wrong pointer hence the ASAN warning.

I'd rather keep the table->data as &insn->current_mode and use container_of() to retrieve the insn pointer. We probably still need a mutex to protect against the current_mode update and the registration of the emulation hooks but not for retrieving insn as table->data is no longer changing.
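Review bot: the mutex is taken before `proc_dointvec_minmax()`, which copies the user buffer and may sleep, so a sleeping lock is the right primitive here; but the critical section now spans the whole handler, including every read of `/proc/sys/abi/*` where nothing is modified. If the `table->data = &insn->current_mode;` swap goes away and `insn` comes from `container_of()` as Catalin suggests, the lock can shrink to just the mode update and hook registration, and reads no longer serialise on it.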
>
> @@ -224,6 +228,7 @@ static int emulation_proc_handler(struct ctl_table *table, int write,
>  	}
>  ret:
>  	table->data = insn;
> +	mutex_unlock(&emulation_proc_lock);
>  	return ret;
>  }
>
> --
> 2.27.0

-- 
Catalin

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
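Review bot: the unlock is placed at the `ret:` label after `table->data = insn;`, so every exit between `mutex_lock()` and this point must reach `ret:`; the lines between the two hunks are not part of the patch, so please confirm no path there does a bare `return`, which would leave the mutex held and block all later accesses to `/proc/sys/abi`. Renaming the label to something like `out_unlock:` would make that requirement visible at the jump sites.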
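As an added example (not code from the patch, the thread or the kernel), a userspace sketch of the container_of() approach Catalin describes: the sysctl entry is registered once with table->data pointing at insn->current_mode, and the handler recovers the owning struct from that pointer instead of swapping table->data in and out. The struct layouts, fake_proc_dointvec_minmax() and register_insn_emulation() are stand-ins assumed for the sketch; the real kernel types and helpers differ.

```c
#include <stddef.h>
/* Stand-ins for the kernel structures (assumed layouts, not the kernel's). */
struct insn_emulation {
	int refcount;      /* placed first so current_mode has a non-zero offset */
	int current_mode;  /* the value /proc/sys/abi/<name> exposes */
	int min, max;
};
struct ctl_table {
	void *data;        /* what the generic proc_dointvec helpers read/write */
	int *extra1, *extra2;
};

/* Same definition as the kernel's container_of(). */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Stand-in for proc_dointvec_minmax(): read, or range-checked write, of the
 * int behind table->data. Returns -22 (EINVAL) for an out-of-range write. */
static int fake_proc_dointvec_minmax(struct ctl_table *table, int write, int *val)
{
	int *p = table->data;
	if (!write) {
		*val = *p;
		return 0;
	}
	if (*val < *table->extra1 || *val > *table->extra2)
		return -22;
	*p = *val;
	return 0;
}

/* Registration: point the table at the member once, as the fix proposes. */
static void register_insn_emulation(struct ctl_table *t, struct insn_emulation *insn)
{
	t->data = &insn->current_mode;
	t->extra1 = &insn->min;
	t->extra2 = &insn->max;
}

/* Handler as Catalin suggests: table->data stays &insn->current_mode for the
 * table's lifetime, so concurrent entries see one stable pointer and the owner
 * comes from container_of(). Returns 1 when the mode changed, else ret. */
static int emulation_proc_handler(struct ctl_table *table, int write, int *val)
{
	struct insn_emulation *insn =
		container_of(table->data, struct insn_emulation, current_mode);
	int prev_mode = insn->current_mode;
	int ret = fake_proc_dointvec_minmax(table, write, val);
	if (ret || !write || prev_mode == insn->current_mode)
		return ret;
	return 1;  /* mode changed: hooks would be re-registered here, under a mutex */
}
```

Because table->data is never rewritten, a second entry into the handler can only ever observe the same int pointer, which is what removes the stale-pointer read the KASAN report shows.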