Re: Fw: WARNING: bad usercopy in fanotify_read

[Jan Kara <jack@suse.cz>]

[-- Attachment #1: Type: text/plain, Size: 5310 bytes --]

Thanks for forwarding Andrew!

On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> fyi
> 
> Begin forwarded message:
> 
> Date: Mon, 11 Mar 2019 13:42:06 -0700
> From: syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>
> To: akpm@linux-foundation.org, cai@lca.pw, crecklin@redhat.com, keescook@chromium.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
> Subject: WARNING: bad usercopy in fanotify_read
> 
> 
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> userspace arch: amd64
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> Bad or missing usercopy whitelist? Kernel memory exposure attempt detected  
> from SLAB object 'fanotify_event' (offset 40, size 8)!
> WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110  
> mm/usercopy.c:78

Yeah, right. We need to create fanotify_event cache so that copying of
fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
with a possible slab pointer so that won't be protected from leaking but
life is not perfect. Amir, something like attached patch?

								Honza


> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 7649 Comm: syz-executor381 Not tainted 5.0.0+ #17
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x172/0x1f0 lib/dump_stack.c:113
>   panic+0x2cb/0x65c kernel/panic.c:214
>   __warn.cold+0x20/0x45 kernel/panic.c:571
>   report_bug+0x263/0x2b0 lib/bug.c:186
>   fixup_bug arch/x86/kernel/traps.c:179 [inline]
>   fixup_bug arch/x86/kernel/traps.c:174 [inline]
>   do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
>   do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
>   invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
> RIP: 0010:usercopy_warn+0xeb/0x110 mm/usercopy.c:78
> Code: c8 e8 d9 88 c0 ff 4c 8b 45 c0 4d 89 e9 4c 89 e1 48 8b 55 c8 41 57 48  
> 89 de 48 c7 c7 e0 dc 74 87 ff 75 d0 41 56 e8 03 4b 93 ff <0f> 0b 48 83 c4  
> 18 e9 46 ff ff ff 49 c7 c5 e0 da 74 87 4d 89 ee 4d
> RSP: 0018:ffff8880a417fb18 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: ffffffff8774dca0 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffffffff815ad7b6 RDI: ffffed101482ff55
> RBP: ffff8880a417fb70 R08: ffff888088d78580 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8859408d
> R13: ffffffff8775d500 R14: ffffffff8774db20 R15: 0000000000000008
>   __check_heap_object+0x88/0xb3 mm/slab.c:4453
>   check_heap_object mm/usercopy.c:238 [inline]
>   __check_object_size mm/usercopy.c:284 [inline]
>   __check_object_size+0x342/0x42f mm/usercopy.c:254
>   check_object_size include/linux/thread_info.h:119 [inline]
>   check_copy_size include/linux/thread_info.h:150 [inline]
>   copy_to_user include/linux/uaccess.h:151 [inline]
>   copy_fid_to_user fs/notify/fanotify/fanotify_user.c:236 [inline]
>   copy_event_to_user fs/notify/fanotify/fanotify_user.c:294 [inline]
>   fanotify_read+0xde0/0x1430 fs/notify/fanotify/fanotify_user.c:362
>   __vfs_read+0x8d/0x110 fs/read_write.c:416
>   vfs_read+0x194/0x3e0 fs/read_write.c:452
>   ksys_read+0xea/0x1f0 fs/read_write.c:578
>   __do_sys_read fs/read_write.c:588 [inline]
>   __se_sys_read fs/read_write.c:586 [inline]
>   __x64_sys_read+0x73/0xb0 fs/read_write.c:586
>   do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x4456b9
> Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7  
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff  
> ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007fb296f31db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 00000000004456b9
> RDX: 000000000000006b RSI: 0000000020000000 RDI: 0000000000000004
> RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
> R13: 00007ffd8eb3d16f R14: 00007fb296f329c0 R15: 20c49ba5e353f7cf
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

[-- Attachment #2: 0001-fanotify-Allow-copying-of-file-handle-to-userspace.patch --]
[-- Type: text/x-patch, Size: 1419 bytes --]

From beb8c3a76f2740757fb1765f793bb394ad71c183 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Tue, 12 Mar 2019 12:42:37 +0100
Subject: [PATCH] fanotify: Allow copying of file handle to userspace

When file handle is embedded inside fanotify_event and usercopy checks
are enabled, we get a warning like:

Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
from SLAB object 'fanotify_event' (offset 40, size 8)!
WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
mm/usercopy.c:78

Annotate handling in fanotify_event properly to mark copying it to
userspace is fine.

Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/notify/fanotify/fanotify_user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 56992b32c6bb..84dbe1f1832c 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1092,7 +1092,8 @@ static int __init fanotify_user_setup(void)
 
 	fanotify_mark_cache = KMEM_CACHE(fsnotify_mark,
 					 SLAB_PANIC|SLAB_ACCOUNT);
-	fanotify_event_cachep = KMEM_CACHE(fanotify_event, SLAB_PANIC);
+	fanotify_event_cachep = KMEM_CACHE_USERCOPY(fanotify_event, SLAB_PANIC,
+			fid.fh);
 	if (IS_ENABLED(CONFIG_FANOTIFY_ACCESS_PERMISSIONS)) {
 		fanotify_perm_event_cachep =
 			KMEM_CACHE(fanotify_perm_event, SLAB_PANIC);
-- 
2.16.4