From: "Russell King (Oracle)" <linux@armlinux.org.uk>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
	syzbot <syzbot+186522670e6722692d86@syzkaller.appspotmail.com>,
	LKML <linux-kernel@vger.kernel.org>,
	linux-mm <linux-mm@kvack.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	bpf <bpf@vger.kernel.org>
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in copy_from_kernel_nofault (2)
Date: Fri, 5 Apr 2024 12:35:53 +0100	[thread overview]
Message-ID: <Zg/iGQCDKa9bllyI@shell.armlinux.org.uk> (raw)
In-Reply-To: <Zg_aTFoC2Pwakyl1@FVFF77S0Q05N>

On Fri, Apr 05, 2024 at 12:02:36PM +0100, Mark Rutland wrote:
> On Thu, Apr 04, 2024 at 03:57:04PM -0700, Alexei Starovoitov wrote:
> > On Wed, Apr 3, 2024 at 6:56 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> > >
> > > On Mon, 01 Apr 2024 22:19:25 -0700 syzbot <syzbot+186522670e6722692d86@syzkaller.appspotmail.com> wrote:
> > >
> > > > Hello,
> > >
> > > Thanks.  Cc: bpf@vger.kernel.org
> > 
> > I suspect the issue is not on bpf side.
> > Looks like the bug is somewhere in arm32 bits.
> > copy_from_kernel_nofault() is called from lots of places.
> > bpf is just one user that is easy for syzbot to fuzz.
> > Interestingly arm defines copy_from_kernel_nofault_allowed()
> > that should have filtered out user addresses.
> > In this case ffffffe9 is probably a kernel address?
> 
> It's at the end of the kernel range, and it's ERR_PTR(-EINVAL).
> 
> 0xffffffe9 is -0x16, which is -22, which is -EINVAL.
> 
> > But the kernel is doing a write?
> > Which makes no sense, since copy_from_kernel_nofault is probe reading.
> 
> It makes perfect sense; the read from 'src' happened, then the kernel tries to
> write the result to 'dst', and that aligns with the disassembly in the report
> below, which I believe is:
> 
>      8: e4942000        ldr     r2, [r4], #0	<-- Read of 'src', fault fixup is elsewhere
>      c: e3530000        cmp     r3, #0
>   * 10: e5852000        str     r2, [r5]	<-- Write to 'dst'
> 
> As above, it looks like 'dst' is ERR_PTR(-EINVAL).
> 
> Are you certain that BPF is passing a sane value for 'dst'? Where does that
> come from in the first place?

It looks to me like it gets passed in from the BPF program, and the
"type" for the argument is set to ARG_PTR_TO_UNINIT_MEM. What that
means for validation purposes, I've no idea, I'm not a BPF hacker.

Obviously, if BPF is allowing copy_from_kernel_nofault() to be passed
an arbitrary destination address, that would be a huge security hole.
So I think BPF folk need to urgently state what checks are done on
the destination value for _any_ function that BPF can call which
writes to memory.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
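Mark's ERR_PTR arithmetic and Russell's concern about an unvalidated 'dst', as an added C example that is not part of the thread: it mirrors the kernel's IS_ERR_VALUE() test on a 32-bit value and models arm's copy_from_kernel_nofault_allowed() as a bare PAGE_OFFSET comparison (PAGE_OFFSET 0xC0000000 is an assumed 3G/1G split, not taken from the report), showing that the reported fault address passes the user-address filter yet lies in the ERR_PTR range, and what a caller-side check on the destination would return before any write.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* PAGE_OFFSET is an assumed arm32 3G/1G split, not taken from the report.
 * MAX_ERRNO follows the kernel's ERR_PTR convention: the top 4095 addresses
 * of the space encode -errno values rather than real pointers. */
#define PAGE_OFFSET32 0xC0000000u
#define MAX_ERRNO     4095u

/* Same test the kernel's IS_ERR_VALUE() performs, on a 32-bit value. */
static int is_err_value32(uint32_t p)
{
    return p >= (uint32_t)(0u - MAX_ERRNO);
}

/* Positive errno encoded in an ERR_PTR-range value, or 0 if p is a pointer. */
static int err_ptr_errno32(uint32_t p)
{
    return is_err_value32(p) ? (int)(0u - p) : 0;
}

/* Model of arm's copy_from_kernel_nofault_allowed(): it rejects only user
 * addresses, so an ERR_PTR value passes because it sits above PAGE_OFFSET. */
static int nofault_allowed32(uint32_t p)
{
    return p >= PAGE_OFFSET32;
}

/* Caller-side guard on a destination before any write through it:
 * -EFAULT for user space, the encoded -errno for an ERR_PTR, 0 otherwise. */
static int check_dst32(uint32_t dst)
{
    if (!nofault_allowed32(dst))
        return -EFAULT;
    if (is_err_value32(dst))
        return -err_ptr_errno32(dst);
    return 0;
}

int main(void)
{
    uint32_t fault = 0xffffffe9u;          /* fault address from the report */
    uint32_t einval = (uint32_t)(-EINVAL); /* ERR_PTR(-EINVAL) on 32-bit */
    printf("0x%08x: allowed=%d is_err=%d check=%d\n", fault,
           nofault_allowed32(fault), is_err_value32(fault), check_dst32(fault));
    printf("ERR_PTR(-EINVAL)=0x%08x decodes to errno %d\n",
           einval, err_ptr_errno32(einval));
    return 0;
}
```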
