Re: [Bug 203559] New: usercopy_abort triggered by build_test_sglist

Re: [Bug 203559] New: usercopy_abort triggered by build_test_sglist

[Andrew Morton]

(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Thu, 09 May 2019 09:37:08 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=203559
> 
>             Bug ID: 203559
>            Summary: usercopy_abort triggered by build_test_sglist
>            Product: Memory Management
>            Version: 2.5
>     Kernel Version: 5.1
>           Hardware: x86-64
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: low
>           Priority: P1
>          Component: Other
>           Assignee: akpm@linux-foundation.org
>           Reporter: mihai.dontu@gmail.com
>         Regression: No
> 
> Created attachment 282687
>   --> https://bugzilla.kernel.org/attachment.cgi?id=282687&action=edit
> kernel config
> 
> I have CONFIG_CRYPTO_FIPS and CONFIG_HARDENED_USERCOPY_PAGESPAN enabled from an
> experiment I forgot about, that started triggering a crash very early at boot
> with kernel 5.1:
> 
> usercopy: Kernel memory overwrite attempt detected to spans multiple pages
> (offset 0, size 372)!
> ------------[ cut here]------------
> kernel BUG at mm/usercopy.c:102!
> invalid opcode: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 PID: 42 Comm: cryptomgr_test Trainted: G        T 5.1.0-gentoo #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-1.fc28
> 04/01/2014
> RIP: 0010:usercopy_abort+0x87/0x89
> Code: c3 ae 48 c7 c6 c9 9c ba ae 41 55 48 c7 c7 38 9e bb ae 48 0f 45 d1 48 c7
> c1 51
>       9d bb ae 50 48 0f 45 f1 4c 89 e1 e8 fb 50 e8 ff <0f> 0b 49 89 d8 31 c9 44
> 89
>       ea 31 f6 48 c7 c7 9a 9d bb ae e8 61 ff
> ...
> Call Trace:
>  __check_object_size.cold+0x16/0xa6
>  build_test_sglist+0x283/0x370
>  ? skcipher_walk_done+0x105/0x220
>  ? ecb_crypt+0xa5/0x110
>  build_cipher_test_sglist+0xa0/0x120
>  test_skcipher_vec_cfg+0x1c4/0x6e0
> ...
> 
> The information above is from a screenshot, thus some opcodes or offsets might
> be wrong.
> 
> The 5.0.13 kernel does not have this issue.
> 
> -- 
> You are receiving this mail because:
> You are the assignee for the bug.

Re: [Bug 203559] New: usercopy_abort triggered by build_test_sglist

[Eric Biggers]

[+Kees Cook <keescook@chromium.org>]

On Thu, May 09, 2019 at 03:46:08PM -0700, Andrew Morton wrote:
> 
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
> 
> On Thu, 09 May 2019 09:37:08 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:
> 
> > https://bugzilla.kernel.org/show_bug.cgi?id=203559
> > 
> >             Bug ID: 203559
> >            Summary: usercopy_abort triggered by build_test_sglist
> >            Product: Memory Management
> >            Version: 2.5
> >     Kernel Version: 5.1
> >           Hardware: x86-64
> >                 OS: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: low
> >           Priority: P1
> >          Component: Other
> >           Assignee: akpm@linux-foundation.org
> >           Reporter: mihai.dontu@gmail.com
> >         Regression: No
> > 
> > Created attachment 282687
> >   --> https://bugzilla.kernel.org/attachment.cgi?id=282687&action=edit
> > kernel config
> > 
> > I have CONFIG_CRYPTO_FIPS and CONFIG_HARDENED_USERCOPY_PAGESPAN enabled from an
> > experiment I forgot about, that started triggering a crash very early at boot
> > with kernel 5.1:
> > 
> > usercopy: Kernel memory overwrite attempt detected to spans multiple pages
> > (offset 0, size 372)!
> > ------------[ cut here]------------
> > kernel BUG at mm/usercopy.c:102!
> > invalid opcode: 0000 [#1] PREEMPT SMP PTI
> > CPU: 0 PID: 42 Comm: cryptomgr_test Trainted: G        T 5.1.0-gentoo #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-1.fc28
> > 04/01/2014
> > RIP: 0010:usercopy_abort+0x87/0x89
> > Code: c3 ae 48 c7 c6 c9 9c ba ae 41 55 48 c7 c7 38 9e bb ae 48 0f 45 d1 48 c7
> > c1 51
> >       9d bb ae 50 48 0f 45 f1 4c 89 e1 e8 fb 50 e8 ff <0f> 0b 49 89 d8 31 c9 44
> > 89
> >       ea 31 f6 48 c7 c7 9a 9d bb ae e8 61 ff
> > ...
> > Call Trace:
> >  __check_object_size.cold+0x16/0xa6
> >  build_test_sglist+0x283/0x370
> >  ? skcipher_walk_done+0x105/0x220
> >  ? ecb_crypt+0xa5/0x110
> >  build_cipher_test_sglist+0xa0/0x120
> >  test_skcipher_vec_cfg+0x1c4/0x6e0
> > ...
> > 
> > The information above is from a screenshot, thus some opcodes or offsets might
> > be wrong.
> > 
> > The 5.0.13 kernel does not have this issue.
> > 
> > -- 
> > You are receiving this mail because:
> > You are the assignee for the bug.

There was already a long discussion on this where it was concluded that the
pagespan check is broken.  See https://lkml.org/lkml/2019/3/19/279 and
https://lkml.org/lkml/2019/4/14/313

I think CONFIG_HARDENED_USERCOPY_PAGESPAN should be removed or marked 'depends
on BROKEN', until someone can find a way to make it work properly.

- Eric