kvm ptrace 32bit DoS bug - bisected

kvm ptrace 32bit DoS bug - bisected

[Antoine Martin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I reported this bug a while ago but no-one picked up on it.
Just launch any UML 32-bit kernel on a 64-bit KVM guest:

test $ ./kernel32-2.6.16.62
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Trace/breakpoint trap
test@localhost ~ $ Kernel panic - not syncing: Attempted to kill init!
Kernel panic - not syncing: Attempted to kill init!


You can find some pre-built binaries here:
http://uml.devloop.org.uk/kernels.html

Since then, I've bisected it down to:
d4d67150165df8bf1cc05e532f6efca96f907cab is first bad commit
Author: Roland McGrath <roland@redhat.com>
Date:   Wed Jul 9 02:38:07 2008 -0700
Subject: x86 ptrace: unify syscall tracing

It looks exploitable at first sight (ptrace generally is), but this is
beyond me (I am not a kernel hacker)

QEMU without KVM is not affected.

I've added some printf in a test UML kernel to see more precisely where
it dies in arch/um/os-Linux/startup.c: in check_sysemu():
		non_fatal("Before singlestep\n");
                if (ptrace(PTRACE_SYSEMU_SINGLESTEP, pid, 0, 0) < 0)
                        goto fail;
                non_fatal("Before waitpid\n");
(also added a non_fatal() in fail)

It prints these two statements 30 times from the while(1) loop and stops on:
Before singlestep

Whatever the fix is, this should be queued for stable too.

Antoine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqiaoUACgkQGK2zHPGK1rt1cwCfWgGeuTrD+rpfa9SsUc7/h3eL
+DEAn1LgzrhOjbyEss2zRez+0dk0smZv
=MUXh
-----END PGP SIGNATURE-----

Re: kvm ptrace 32bit DoS bug - bisected

[Marcelo Tosatti]

On Sat, Sep 05, 2009 at 08:41:26PM +0700, Antoine Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi,
> 
> I reported this bug a while ago but no-one picked up on it.
> Just launch any UML 32-bit kernel on a 64-bit KVM guest:
> 
> test $ ./kernel32-2.6.16.62
> Checking that ptrace can change system call numbers...OK
> Checking syscall emulation patch for ptrace...OK
> Trace/breakpoint trap
> test@localhost ~ $ Kernel panic - not syncing: Attempted to kill init!
> Kernel panic - not syncing: Attempted to kill init!
> 
> 
> You can find some pre-built binaries here:
> http://uml.devloop.org.uk/kernels.html
> 
> Since then, I've bisected it down to:
> d4d67150165df8bf1cc05e532f6efca96f907cab is first bad commit
> Author: Roland McGrath <roland@redhat.com>
> Date:   Wed Jul 9 02:38:07 2008 -0700
> Subject: x86 ptrace: unify syscall tracing
> 
> It looks exploitable at first sight (ptrace generally is), but this is
> beyond me (I am not a kernel hacker)
> 
> QEMU without KVM is not affected.
> 
> I've added some printf in a test UML kernel to see more precisely where
> it dies in arch/um/os-Linux/startup.c: in check_sysemu():
> 		non_fatal("Before singlestep\n");
>                 if (ptrace(PTRACE_SYSEMU_SINGLESTEP, pid, 0, 0) < 0)
>                         goto fail;
>                 non_fatal("Before waitpid\n");
> (also added a non_fatal() in fail)
> 
> It prints these two statements 30 times from the while(1) loop and stops on:
> Before singlestep
> 
> Whatever the fix is, this should be queued for stable too.

Is this an AMD host? 

Works for me on Intel:

[root@guest ~]# ./kernel32-2.6.29.6 
Locating the bottom of the address space ... 0x0
Locating the top of the address space ... 0xffffd000
Core dump limits :
	soft - 0
	hard - NONE
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Checking for tmpfs mount on /dev/shm...OK
Checking PROT_EXEC mmap in /dev/shm/...OK
Checking for the skas3 patch in the host:
  - /proc/mm...not found: No such file or directory
  - PTRACE_FAULTINFO...not found
  - PTRACE_LDT...not found
UML running in SKAS0 mode
[    0.000000] Linux version 2.6.29.6 (root@virtual.nagafix.co.uk) (gcc
version 4.3.2 (Gentoo 4.3.2-r3 p1.6, pie-10.1.5) ) #1 Wed Jul 29
08:29:46 BST 2009
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.
Total pages: 8128
[    0.000000] Kernel command line: root=98:0

Re: kvm ptrace 32bit DoS bug - bisected

[Antoine Martin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Marcelo,

Marcelo Tosatti wrote:
> On Sat, Sep 05, 2009 at 08:41:26PM +0700, Antoine Martin wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Hi,
>>
>> I reported this bug a while ago but no-one picked up on it.
>> Just launch any UML 32-bit kernel on a 64-bit KVM guest:
>>
>> test $ ./kernel32-2.6.16.62
>> Checking that ptrace can change system call numbers...OK
>> Checking syscall emulation patch for ptrace...OK
>> Trace/breakpoint trap
>> test@localhost ~ $ Kernel panic - not syncing: Attempted to kill init!
>> Kernel panic - not syncing: Attempted to kill init!
>>
>>
>> You can find some pre-built binaries here:
>> http://uml.devloop.org.uk/kernels.html
>>
>> Since then, I've bisected it down to:
>> d4d67150165df8bf1cc05e532f6efca96f907cab is first bad commit
>> Author: Roland McGrath <roland@redhat.com>
>> Date:   Wed Jul 9 02:38:07 2008 -0700
>> Subject: x86 ptrace: unify syscall tracing
>>
>> It looks exploitable at first sight (ptrace generally is), but this is
>> beyond me (I am not a kernel hacker)
>>
>> QEMU without KVM is not affected.
>>
>> I've added some printf in a test UML kernel to see more precisely where
>> it dies in arch/um/os-Linux/startup.c: in check_sysemu():
>> 		non_fatal("Before singlestep\n");
>>                 if (ptrace(PTRACE_SYSEMU_SINGLESTEP, pid, 0, 0) < 0)
>>                         goto fail;
>>                 non_fatal("Before waitpid\n");
>> (also added a non_fatal() in fail)
>>
>> It prints these two statements 30 times from the while(1) loop and stops on:
>> Before singlestep
>>
>> Whatever the fix is, this should be queued for stable too.
> 
> Is this an AMD host? 
Nope, Intel Core2, more host info :

# cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz
stepping	: 6
cpu MHz		: 900.000
cache size	: 4096 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm
constant_tsc arch_perfmon pebs bts rep_good pni dtes64 monitor ds_cpl
vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm tpr_shadow
bogomips	: 4787.60
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 15
model name	: Intel(R) Core(TM)2 CPU          6600  @ 2.40GHz
stepping	: 6
cpu MHz		: 900.000
cache size	: 4096 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 10
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm
constant_tsc arch_perfmon pebs bts rep_good pni dtes64 monitor ds_cpl
vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm tpr_shadow
bogomips	: 4788.10
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

# uname -r
2.6.29.4

# qemu-system-x86_64 --version
QEMU PC emulator version 0.10.50 (qemu-kvm-devel-88), Copyright (c)
2003-2008 Fabrice Bellard


Antoine

> 
> Works for me on Intel:
> 
> [root@guest ~]# ./kernel32-2.6.29.6 
> Locating the bottom of the address space ... 0x0
> Locating the top of the address space ... 0xffffd000
> Core dump limits :
> 	soft - 0
> 	hard - NONE
> Checking that ptrace can change system call numbers...OK
> Checking syscall emulation patch for ptrace...OK
> Checking advanced syscall emulation patch for ptrace...OK
> Checking for tmpfs mount on /dev/shm...OK
> Checking PROT_EXEC mmap in /dev/shm/...OK
> Checking for the skas3 patch in the host:
>   - /proc/mm...not found: No such file or directory
>   - PTRACE_FAULTINFO...not found
>   - PTRACE_LDT...not found
> UML running in SKAS0 mode
> [    0.000000] Linux version 2.6.29.6 (root@virtual.nagafix.co.uk) (gcc
> version 4.3.2 (Gentoo 4.3.2-r3 p1.6, pie-10.1.5) ) #1 Wed Jul 29
> 08:29:46 BST 2009
> [    0.000000] Built 1 zonelists in Zone order, mobility grouping on.
> Total pages: 8128
> [    0.000000] Kernel command line: root=98:0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqjZqkACgkQGK2zHPGK1ruR+QCfTHPHM63cukJlX2PW7q6r0gFR
V4gAn1Al+9hhxTkH5e7PVJcN5gRvRdaJ
=AqI6
-----END PGP SIGNATURE-----

Re: kvm ptrace 32bit DoS bug - bisected

[Antoine Martin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[snip]
>> Is this an AMD host? 
> Nope, Intel Core2, more host info :
I have put all the relevant binaries and their config files here:
http://uml.devloop.org.uk/kvmbug/
Host kernel, qemu binary, kvm guest kernel and the UML binary I have
used for bisecting.

Hope this helps.
Antoine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREKAAYFAkqjaagACgkQGK2zHPGK1rsxfwCfeo6XJT6eKvacJ+VBoMVpUHe8
11QAnjdIhx7nJ9t94mrb4UdqQYEaKjRg
=7Aoo
-----END PGP SIGNATURE-----

Re: kvm ptrace 32bit DoS bug - bisected

[Marcelo Tosatti]

On Sun, Sep 06, 2009 at 02:50:00PM +0700, Antoine Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> [snip]
> >> Is this an AMD host? 
> > Nope, Intel Core2, more host info :
> I have put all the relevant binaries and their config files here:
> http://uml.devloop.org.uk/kvmbug/
> Host kernel, qemu binary, kvm guest kernel and the UML binary I have
> used for bisecting.

Antoine,

Works for me with master branch. Its likely this commit fixed it:

commit 76d4622776d007de3f90f311591babc5f6ba6f39
Author: Avi Kivity <avi@redhat.com>
Date:   Tue Sep 1 12:03:25 2009 +0300

    KVM: VMX: Check cpl before emulating debug register access
    
    Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
    code to emulate the instruction even though it was issued from guest
    userspace, possibly leading to an unexpected trap later.

It will be included in 2.6.30 / 2.6.27 stable (.29 is not maintained
anymore).

Re: kvm ptrace 32bit DoS bug - bisected

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 1181 bytes --]

Marcelo Tosatti wrote:
> On Sun, Sep 06, 2009 at 02:50:00PM +0700, Antoine Martin wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> [snip]
>>>> Is this an AMD host? 
>>> Nope, Intel Core2, more host info :
>> I have put all the relevant binaries and their config files here:
>> http://uml.devloop.org.uk/kvmbug/
>> Host kernel, qemu binary, kvm guest kernel and the UML binary I have
>> used for bisecting.
> 
> Antoine,
> 
> Works for me with master branch. Its likely this commit fixed it:
> 
> commit 76d4622776d007de3f90f311591babc5f6ba6f39
> Author: Avi Kivity <avi@redhat.com>
> Date:   Tue Sep 1 12:03:25 2009 +0300
> 
>     KVM: VMX: Check cpl before emulating debug register access
>     
>     Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
>     code to emulate the instruction even though it was issued from guest
>     userspace, possibly leading to an unexpected trap later.
> 
> It will be included in 2.6.30 / 2.6.27 stable (.29 is not maintained
> anymore).

Easy to check: Does the UML image still contain mov-to-db instructions?
If not, this commit cannot make the difference.

Jan


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 257 bytes --]

Re: kvm ptrace 32bit DoS bug - bisected

[Antoine Martin]

Jan Kiszka wrote:
> Marcelo Tosatti wrote:
>> On Sun, Sep 06, 2009 at 02:50:00PM +0700, Antoine Martin wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> [snip]
>>>>> Is this an AMD host? 
>>>> Nope, Intel Core2, more host info :
>>> I have put all the relevant binaries and their config files here:
>>> http://uml.devloop.org.uk/kvmbug/
>>> Host kernel, qemu binary, kvm guest kernel and the UML binary I have
>>> used for bisecting.
>> Antoine,
>>
>> Works for me with master branch. Its likely this commit fixed it:
>>
>> commit 76d4622776d007de3f90f311591babc5f6ba6f39
>> Author: Avi Kivity <avi@redhat.com>
>> Date:   Tue Sep 1 12:03:25 2009 +0300
>>
>>     KVM: VMX: Check cpl before emulating debug register access
>>     
>>     Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
>>     code to emulate the instruction even though it was issued from guest
>>     userspace, possibly leading to an unexpected trap later.
>>
>> It will be included in 2.6.30 / 2.6.27 stable (.29 is not maintained
>> anymore).
> 
> Easy to check: Does the UML image still contain mov-to-db instructions?
> If not, this commit cannot make the difference.
I'd be happy to grep it if you give me the mov-to-db opcode.

Anyway, I am happy to report that upgrading the host to 2.6.31 prevents
the guests from crashing.

Antoine

Re: kvm ptrace 32bit DoS bug - bisected

[Avi Kivity]

On 10/17/2009 10:24 PM, Antoine Martin wrote:
>
>> Easy to check: Does the UML image still contain mov-to-db instructions?
>> If not, this commit cannot make the difference.
>>      
> I'd be happy to grep it if you give me the mov-to-db opcode.
>
>    

0f 21 and 0f 23.

-- 
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.