* [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission
@ 2024-09-13 7:09 Chen Ridong
2024-09-14 10:43 ` Chen Ridong
` (2 more replies)
0 siblings, 3 replies; 18+ messages in thread
From: Chen Ridong @ 2024-09-13 7:09 UTC (permalink / raw)
To: dhowells, jarkko, paul, jmorris, serge
Cc: keyrings, linux-security-module, linux-kernel, chenridong
We meet the same issue with the LINK, which reads memory out of bounds:
BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
security/keys/permission.c:54
Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
__kuid_val include/linux/uidgid.h:36 [inline]
uid_eq include/linux/uidgid.h:63 [inline]
key_task_permission+0x394/0x410 security/keys/permission.c:54
search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922
search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459
search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544
lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762
keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434
__do_sys_keyctl security/keys/keyctl.c:1978 [inline]
__se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
However, we can't reproduce this issue.
After our analysis, it can make this issue by following steps.
1.As syzkaller reported, the memory is allocated for struct
assoc_array_shortcut in the assoc_array_insert_into_terminal_node
functions.
2.In the search_nested_keyrings, when we go through the slots in a node,
(bellow tag ascend_to_node), and the slot ptr is meta and
node->back_pointer != NULL, we will proceed to descend_to_node.
However, there is an exception. If node is the root, and one of the
slots points to a shortcut, it will be treated as a keyring.
3.Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
ASSOC_ARRAY_PTR_SUBTYPE_MASK,
4.As mentioned above, If a slot of the root is a shortcut, it may be
mistakenly be transferred to a key*, leading to an read out-of-bounds
read.
To fix this issue, one should jump to descend_to_node if the pointer is a
shortcut.
Link: https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9
Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Chen Ridong <chenridong@huawei.com>
---
security/keys/keyring.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 4448758f643a..7958486ac834 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -772,7 +772,9 @@ static bool search_nested_keyrings(struct key *keyring,
for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
ptr = READ_ONCE(node->slots[slot]);
- if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
+ if ((assoc_array_ptr_is_meta(ptr) && node->back_pointer) ||
+ (assoc_array_ptr_is_meta(ptr) &&
+ assoc_array_ptr_is_shortcut(ptr)))
goto descend_to_node;
if (!keyring_ptr_is_keyring(ptr))
--
2.34.1
^ permalink raw reply related [flat|nested] 18+ messages in thread* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-13 7:09 [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission Chen Ridong @ 2024-09-14 10:43 ` Chen Ridong 2024-09-14 11:33 ` Jarkko Sakkinen 2024-10-07 23:15 ` Jarkko Sakkinen 2 siblings, 0 replies; 18+ messages in thread From: Chen Ridong @ 2024-09-14 10:43 UTC (permalink / raw) To: dhowells, jarkko, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On 2024/9/13 15:09, Chen Ridong wrote: > We meet the same issue with the LINK, which reads memory out of bounds: > BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > security/keys/permission.c:54 > Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > > CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > Call Trace: > __dump_stack lib/dump_stack.c:82 [inline] > dump_stack+0x107/0x167 lib/dump_stack.c:123 > print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > kasan_report+0x3a/0x50 mm/kasan/report.c:585 > __kuid_val include/linux/uidgid.h:36 [inline] > uid_eq include/linux/uidgid.h:63 [inline] > key_task_permission+0x394/0x410 security/keys/permission.c:54 > search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > entry_SYSCALL_64_after_hwframe+0x67/0xd1 > > However, we can't reproduce this issue. > After our analysis, it can make this issue by following steps. > 1.As syzkaller reported, the memory is allocated for struct > assoc_array_shortcut in the assoc_array_insert_into_terminal_node > functions. > 2.In the search_nested_keyrings, when we go through the slots in a node, > (bellow tag ascend_to_node), and the slot ptr is meta and > node->back_pointer != NULL, we will proceed to descend_to_node. > However, there is an exception. If node is the root, and one of the > slots points to a shortcut, it will be treated as a keyring. > 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring function. > However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as > ASSOC_ARRAY_PTR_SUBTYPE_MASK, > 4.As mentioned above, If a slot of the root is a shortcut, it may be > mistakenly be transferred to a key*, leading to an read out-of-bounds > read. > > To fix this issue, one should jump to descend_to_node if the pointer is a > shortcut. > > Link: https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9 > Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") > Signed-off-by: Chen Ridong <chenridong@huawei.com> > --- > security/keys/keyring.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/security/keys/keyring.c b/security/keys/keyring.c > index 4448758f643a..7958486ac834 100644 > --- a/security/keys/keyring.c > +++ b/security/keys/keyring.c > @@ -772,7 +772,9 @@ static bool search_nested_keyrings(struct key *keyring, > for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { > ptr = READ_ONCE(node->slots[slot]); > > - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) > + if ((assoc_array_ptr_is_meta(ptr) && node->back_pointer) || > + (assoc_array_ptr_is_meta(ptr) && > + assoc_array_ptr_is_shortcut(ptr))) > goto descend_to_node; > > if (!keyring_ptr_is_keyring(ptr)) Should assoc_array_ptr_is_shortcut add ASSOC_ARRAY_PTR_TYPE_MASK judgement? Just like: static inline bool assoc_array_ptr_is_shortcut(const struct assoc_array_ptr *x) { return (unsigned long)x & ASSOC_ARRAY_PTR_TYPE_MASK && (unsigned long)x & ASSOC_ARRAY_PTR_SUBTYPE_MASK; } ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-13 7:09 [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission Chen Ridong 2024-09-14 10:43 ` Chen Ridong @ 2024-09-14 11:33 ` Jarkko Sakkinen 2024-09-15 0:55 ` Chen Ridong 2024-10-07 23:15 ` Jarkko Sakkinen 2 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-14 11:33 UTC (permalink / raw) To: Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, chenridong On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > We meet the same issue with the LINK, which reads memory out of bounds: Nit: don't use "we" anywhere". Tbh, I really don't understand the sentence above. I don't what "the same issue with the LINK" really is. > BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > security/keys/permission.c:54 > Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > > CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > Call Trace: > __dump_stack lib/dump_stack.c:82 [inline] > dump_stack+0x107/0x167 lib/dump_stack.c:123 > print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > kasan_report+0x3a/0x50 mm/kasan/report.c:585 > __kuid_val include/linux/uidgid.h:36 [inline] > uid_eq include/linux/uidgid.h:63 [inline] > key_task_permission+0x394/0x410 security/keys/permission.c:54 > search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > entry_SYSCALL_64_after_hwframe+0x67/0xd1 > > However, we can't reproduce this issue. "The issue cannot be easily reproduced but by analyzing the code it can be broken into following steps:" > After our analysis, it can make this issue by following steps. > 1.As syzkaller reported, the memory is allocated for struct > assoc_array_shortcut in the assoc_array_insert_into_terminal_node > functions. > 2.In the search_nested_keyrings, when we go through the slots in a node, > (bellow tag ascend_to_node), and the slot ptr is meta and > node->back_pointer != NULL, we will proceed to descend_to_node. > However, there is an exception. If node is the root, and one of the > slots points to a shortcut, it will be treated as a keyring. > 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring function. > However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as > ASSOC_ARRAY_PTR_SUBTYPE_MASK, > 4.As mentioned above, If a slot of the root is a shortcut, it may be > mistakenly be transferred to a key*, leading to an read out-of-bounds > read. > > To fix this issue, one should jump to descend_to_node if the pointer is a > shortcut. > > Link: https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9 > Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") > Signed-off-by: Chen Ridong <chenridong@huawei.com> > --- > security/keys/keyring.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/security/keys/keyring.c b/security/keys/keyring.c > index 4448758f643a..7958486ac834 100644 > --- a/security/keys/keyring.c > +++ b/security/keys/keyring.c > @@ -772,7 +772,9 @@ static bool search_nested_keyrings(struct key *keyring, > for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { > ptr = READ_ONCE(node->slots[slot]); > > - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) > + if ((assoc_array_ptr_is_meta(ptr) && node->back_pointer) || > + (assoc_array_ptr_is_meta(ptr) && > + assoc_array_ptr_is_shortcut(ptr))) > goto descend_to_node; > > if (!keyring_ptr_is_keyring(ptr)) BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-14 11:33 ` Jarkko Sakkinen @ 2024-09-15 0:55 ` Chen Ridong 2024-09-15 13:59 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: Chen Ridong @ 2024-09-15 0:55 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On 2024/9/14 19:33, Jarkko Sakkinen wrote: > On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: >> We meet the same issue with the LINK, which reads memory out of bounds: > > Nit: don't use "we" anywhere". > > Tbh, I really don't understand the sentence above. I don't what > "the same issue with the LINK" really is. > Hello, Jarkko. I apologize for any confusion caused. I've encountered a bug reported by syzkaller. I also found the same bug reported at this LINK: https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. >> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 >> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] >> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >> security/keys/permission.c:54 >> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >> >> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 >> Call Trace: >> __dump_stack lib/dump_stack.c:82 [inline] >> dump_stack+0x107/0x167 lib/dump_stack.c:123 >> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 >> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >> __kuid_val include/linux/uidgid.h:36 [inline] >> uid_eq include/linux/uidgid.h:63 [inline] >> key_task_permission+0x394/0x410 security/keys/permission.c:54 >> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 >> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 >> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 >> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >> entry_SYSCALL_64_after_hwframe+0x67/0xd1 >> >> However, we can't reproduce this issue. > > "The issue cannot be easily reproduced but by analyzing the code > it can be broken into following steps:" Thank you for your correction. Does this patch address the issue correctly? Is this patch acceptable? Best regard, Ridong > >> After our analysis, it can make this issue by following steps. >> 1.As syzkaller reported, the memory is allocated for struct >> assoc_array_shortcut in the assoc_array_insert_into_terminal_node >> functions. >> 2.In the search_nested_keyrings, when we go through the slots in a node, >> (bellow tag ascend_to_node), and the slot ptr is meta and >> node->back_pointer != NULL, we will proceed to descend_to_node. >> However, there is an exception. If node is the root, and one of the >> slots points to a shortcut, it will be treated as a keyring. >> 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring function. >> However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as >> ASSOC_ARRAY_PTR_SUBTYPE_MASK, >> 4.As mentioned above, If a slot of the root is a shortcut, it may be >> mistakenly be transferred to a key*, leading to an read out-of-bounds >> read. >> >> To fix this issue, one should jump to descend_to_node if the pointer is a >> shortcut. >> >> Link: https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9 >> Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring") >> Signed-off-by: Chen Ridong <chenridong@huawei.com> >> --- >> security/keys/keyring.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/security/keys/keyring.c b/security/keys/keyring.c >> index 4448758f643a..7958486ac834 100644 >> --- a/security/keys/keyring.c >> +++ b/security/keys/keyring.c >> @@ -772,7 +772,9 @@ static bool search_nested_keyrings(struct key *keyring, >> for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) { >> ptr = READ_ONCE(node->slots[slot]); >> >> - if (assoc_array_ptr_is_meta(ptr) && node->back_pointer) >> + if ((assoc_array_ptr_is_meta(ptr) && node->back_pointer) || >> + (assoc_array_ptr_is_meta(ptr) && >> + assoc_array_ptr_is_shortcut(ptr))) >> goto descend_to_node; >> >> if (!keyring_ptr_is_keyring(ptr)) > > > BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-15 0:55 ` Chen Ridong @ 2024-09-15 13:59 ` Jarkko Sakkinen 2024-09-18 7:30 ` Chen Ridong 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-15 13:59 UTC (permalink / raw) To: Chen Ridong, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: > > > On 2024/9/14 19:33, Jarkko Sakkinen wrote: > > On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > >> We meet the same issue with the LINK, which reads memory out of bounds: > > > > Nit: don't use "we" anywhere". > > > > Tbh, I really don't understand the sentence above. I don't what > > "the same issue with the LINK" really is. > > > > Hello, Jarkko. > I apologize for any confusion caused. > > I've encountered a bug reported by syzkaller. I also found the same bug > reported at this LINK: > https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. > > >> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > >> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > >> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > >> security/keys/permission.c:54 > >> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > >> > >> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > >> Call Trace: > >> __dump_stack lib/dump_stack.c:82 [inline] > >> dump_stack+0x107/0x167 lib/dump_stack.c:123 > >> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > >> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > >> kasan_report+0x3a/0x50 mm/kasan/report.c:585 > >> __kuid_val include/linux/uidgid.h:36 [inline] > >> uid_eq include/linux/uidgid.h:63 [inline] > >> key_task_permission+0x394/0x410 security/keys/permission.c:54 > >> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > >> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > >> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > >> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > >> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > >> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > >> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > >> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > >> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > >> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > >> > >> However, we can't reproduce this issue. > > > > "The issue cannot be easily reproduced but by analyzing the code > > it can be broken into following steps:" > > Thank you for your correction. > Does this patch address the issue correctly? Is this patch acceptable? I only comment new patch versions so not giving any promises but I can say that it is I think definitely in the correct direction :-) BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-15 13:59 ` Jarkko Sakkinen @ 2024-09-18 7:30 ` Chen Ridong 2024-09-18 20:57 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: Chen Ridong @ 2024-09-18 7:30 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On 2024/9/15 21:59, Jarkko Sakkinen wrote: > On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: >> >> >> On 2024/9/14 19:33, Jarkko Sakkinen wrote: >>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: >>>> We meet the same issue with the LINK, which reads memory out of bounds: >>> >>> Nit: don't use "we" anywhere". >>> >>> Tbh, I really don't understand the sentence above. I don't what >>> "the same issue with the LINK" really is. >>> >> >> Hello, Jarkko. >> I apologize for any confusion caused. >> >> I've encountered a bug reported by syzkaller. I also found the same bug >> reported at this LINK: >> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. >> >>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 >>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] >>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >>>> security/keys/permission.c:54 >>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >>>> >>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 >>>> Call Trace: >>>> __dump_stack lib/dump_stack.c:82 [inline] >>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 >>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 >>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >>>> __kuid_val include/linux/uidgid.h:36 [inline] >>>> uid_eq include/linux/uidgid.h:63 [inline] >>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 >>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 >>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 >>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 >>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 >>>> >>>> However, we can't reproduce this issue. >>> >>> "The issue cannot be easily reproduced but by analyzing the code >>> it can be broken into following steps:" >> >> Thank you for your correction. >> Does this patch address the issue correctly? Is this patch acceptable? > > I only comment new patch versions so not giving any promises but I can > say that it is I think definitely in the correct direction :-) > > BR, Jarkko Hello, Jarkko. I have reproduced this issue. It can be reproduced by following these steps: 1. Add the helper patch. @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct keyring_index_key *index_key) else if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0) hash = (hash + (hash << level_shift)) & ~fan_mask; index_key->hash = hash; + if ((index_key->hash & 0xff) == 0xe6) { + pr_err("hash_key_type_and_desc: type %s %s 0x%x\n", index_key->type->name, index_key->description, index_key->hash); + } } 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a key's hash is xxe6, it will be printed. for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done You have complile test_key whith following code. #include <sys/types.h> #include <keyutils.h> #include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { key_serial_t key; if (argc != 4) { fprintf(stderr, "Usage: %s type description payload\n", argv[0]); exit(EXIT_FAILURE); } key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), KEY_SPEC_SESSION_KEYRING); if (key == -1) { perror("add_key"); exit(EXIT_FAILURE); } printf("Key ID is %jx\n", (uintmax_t) key); exit(EXIT_SUCCESS); } 3. Have more than 32 inputs now. their hashes are xxe6. eg. hash_key_type_and_desc: type user user438 0xe3033fe6 hash_key_type_and_desc: type user user526 0xeb7eade6 ... hash_key_type_and_desc: type user user9955 0x44bc99e6 4. Reboot and add the keys obtained from step 3. When adding keys to the ROOT that their hashes are all xxe6, and up to 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so the keys are dissimilar. The ROOT will then split NODE A without using a shortcut. When NODE A is filled with keys that have hashes of xxe6, the keys are similar. NODE A will split with a shortcut. As my analysis, if a slot of the root is a shortcut(slot 6), it may be mistakenly be transferred to a key*, leading to an read out-of-bounds read. NODE A +------>+---+ ROOT | | 0 | xxe6 +---+ | +---+ xxxx | 0 | shortcut : : xxe6 +---+ | +---+ xxe6 : : | | | xxe6 +---+ | +---+ | 6 |---+ : : xxe6 +---+ +---+ xxe6 : : | f | xxe6 +---+ +---+ xxe6 | f | +---+ 5. cat /proc/keys. and the issue is reproduced. ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-18 7:30 ` Chen Ridong @ 2024-09-18 20:57 ` Jarkko Sakkinen 2024-09-26 3:48 ` Chen Ridong 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-18 20:57 UTC (permalink / raw) To: Chen Ridong, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: > > > On 2024/9/15 21:59, Jarkko Sakkinen wrote: > > On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: > >> > >> > >> On 2024/9/14 19:33, Jarkko Sakkinen wrote: > >>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > >>>> We meet the same issue with the LINK, which reads memory out of bounds: > >>> > >>> Nit: don't use "we" anywhere". > >>> > >>> Tbh, I really don't understand the sentence above. I don't what > >>> "the same issue with the LINK" really is. > >>> > >> > >> Hello, Jarkko. > >> I apologize for any confusion caused. > >> > >> I've encountered a bug reported by syzkaller. I also found the same bug > >> reported at this LINK: > >> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. > >> > >>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > >>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > >>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > >>>> security/keys/permission.c:54 > >>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > >>>> > >>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > >>>> Call Trace: > >>>> __dump_stack lib/dump_stack.c:82 [inline] > >>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 > >>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > >>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > >>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 > >>>> __kuid_val include/linux/uidgid.h:36 [inline] > >>>> uid_eq include/linux/uidgid.h:63 [inline] > >>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 > >>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > >>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > >>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > >>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > >>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > >>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > >>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > >>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > >>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > >>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > >>>> > >>>> However, we can't reproduce this issue. > >>> > >>> "The issue cannot be easily reproduced but by analyzing the code > >>> it can be broken into following steps:" > >> > >> Thank you for your correction. > >> Does this patch address the issue correctly? Is this patch acceptable? > > > > I only comment new patch versions so not giving any promises but I can > > say that it is I think definitely in the correct direction :-) > > > > BR, Jarkko > > Hello, Jarkko. I have reproduced this issue. It can be reproduced by > following these steps: > > 1. Add the helper patch. > > @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct > keyring_index_key *index_key) > else if (index_key->type == &key_type_keyring && (hash & > fan_mask) != 0) > hash = (hash + (hash << level_shift)) & ~fan_mask; > index_key->hash = hash; > + if ((index_key->hash & 0xff) == 0xe6) { > + pr_err("hash_key_type_and_desc: type %s %s > 0x%x\n", index_key->type->name, index_key->description, index_key->hash); > + } > } > > 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a > key's hash is xxe6, it will be printed. > > for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done > > You have complile test_key whith following code. > > #include <sys/types.h> > #include <keyutils.h> > #include <stdint.h> > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > > int > main(int argc, char *argv[]) > { > key_serial_t key; > > if (argc != 4) { > fprintf(stderr, "Usage: %s type description payload\n", > argv[0]); > exit(EXIT_FAILURE); > } > > key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), > KEY_SPEC_SESSION_KEYRING); > if (key == -1) { > perror("add_key"); > exit(EXIT_FAILURE); > } > > printf("Key ID is %jx\n", (uintmax_t) key); > > exit(EXIT_SUCCESS); > } > > > 3. Have more than 32 inputs now. their hashes are xxe6. > eg. > hash_key_type_and_desc: type user user438 0xe3033fe6 > hash_key_type_and_desc: type user user526 0xeb7eade6 > ... > hash_key_type_and_desc: type user user9955 0x44bc99e6 > > 4. Reboot and add the keys obtained from step 3. > When adding keys to the ROOT that their hashes are all xxe6, and up to > 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so > the keys are dissimilar. The ROOT will then split NODE A without using a > shortcut. When NODE A is filled with keys that have hashes of xxe6, the > keys are similar. NODE A will split with a shortcut. > > As my analysis, if a slot of the root is a shortcut(slot 6), it may be > mistakenly be transferred to a key*, leading to an read out-of-bounds read. > > NODE A > +------>+---+ > ROOT | | 0 | xxe6 > +---+ | +---+ > xxxx | 0 | shortcut : : xxe6 > +---+ | +---+ > xxe6 : : | | | xxe6 > +---+ | +---+ > | 6 |---+ : : xxe6 > +---+ +---+ > xxe6 : : | f | xxe6 > +---+ +---+ > xxe6 | f | > +---+ > > 5. cat /proc/keys. and the issue is reproduced. Hi, I'll try to run through your procedure next week and give my comments. Thanks for doing this. BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-18 20:57 ` Jarkko Sakkinen @ 2024-09-26 3:48 ` Chen Ridong 2024-09-26 8:53 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: Chen Ridong @ 2024-09-26 3:48 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On 2024/9/19 4:57, Jarkko Sakkinen wrote: > On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: >> >> >> On 2024/9/15 21:59, Jarkko Sakkinen wrote: >>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: >>>> >>>> >>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: >>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: >>>>>> We meet the same issue with the LINK, which reads memory out of bounds: >>>>> >>>>> Nit: don't use "we" anywhere". >>>>> >>>>> Tbh, I really don't understand the sentence above. I don't what >>>>> "the same issue with the LINK" really is. >>>>> >>>> >>>> Hello, Jarkko. >>>> I apologize for any confusion caused. >>>> >>>> I've encountered a bug reported by syzkaller. I also found the same bug >>>> reported at this LINK: >>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. >>>> >>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 >>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] >>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >>>>>> security/keys/permission.c:54 >>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >>>>>> >>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 >>>>>> Call Trace: >>>>>> __dump_stack lib/dump_stack.c:82 [inline] >>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 >>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 >>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >>>>>> __kuid_val include/linux/uidgid.h:36 [inline] >>>>>> uid_eq include/linux/uidgid.h:63 [inline] >>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 >>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 >>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 >>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 >>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 >>>>>> >>>>>> However, we can't reproduce this issue. >>>>> >>>>> "The issue cannot be easily reproduced but by analyzing the code >>>>> it can be broken into following steps:" >>>> >>>> Thank you for your correction. >>>> Does this patch address the issue correctly? Is this patch acceptable? >>> >>> I only comment new patch versions so not giving any promises but I can >>> say that it is I think definitely in the correct direction :-) >>> >>> BR, Jarkko >> >> Hello, Jarkko. I have reproduced this issue. It can be reproduced by >> following these steps: >> >> 1. Add the helper patch. >> >> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct >> keyring_index_key *index_key) >> else if (index_key->type == &key_type_keyring && (hash & >> fan_mask) != 0) >> hash = (hash + (hash << level_shift)) & ~fan_mask; >> index_key->hash = hash; >> + if ((index_key->hash & 0xff) == 0xe6) { >> + pr_err("hash_key_type_and_desc: type %s %s >> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); >> + } >> } >> >> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a >> key's hash is xxe6, it will be printed. >> >> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done >> >> You have complile test_key whith following code. >> >> #include <sys/types.h> >> #include <keyutils.h> >> #include <stdint.h> >> #include <stdio.h> >> #include <stdlib.h> >> #include <string.h> >> >> int >> main(int argc, char *argv[]) >> { >> key_serial_t key; >> >> if (argc != 4) { >> fprintf(stderr, "Usage: %s type description payload\n", >> argv[0]); >> exit(EXIT_FAILURE); >> } >> >> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), >> KEY_SPEC_SESSION_KEYRING); >> if (key == -1) { >> perror("add_key"); >> exit(EXIT_FAILURE); >> } >> >> printf("Key ID is %jx\n", (uintmax_t) key); >> >> exit(EXIT_SUCCESS); >> } >> >> >> 3. Have more than 32 inputs now. their hashes are xxe6. >> eg. >> hash_key_type_and_desc: type user user438 0xe3033fe6 >> hash_key_type_and_desc: type user user526 0xeb7eade6 >> ... >> hash_key_type_and_desc: type user user9955 0x44bc99e6 >> >> 4. Reboot and add the keys obtained from step 3. >> When adding keys to the ROOT that their hashes are all xxe6, and up to >> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so >> the keys are dissimilar. The ROOT will then split NODE A without using a >> shortcut. When NODE A is filled with keys that have hashes of xxe6, the >> keys are similar. NODE A will split with a shortcut. >> >> As my analysis, if a slot of the root is a shortcut(slot 6), it may be >> mistakenly be transferred to a key*, leading to an read out-of-bounds read. >> >> NODE A >> +------>+---+ >> ROOT | | 0 | xxe6 >> +---+ | +---+ >> xxxx | 0 | shortcut : : xxe6 >> +---+ | +---+ >> xxe6 : : | | | xxe6 >> +---+ | +---+ >> | 6 |---+ : : xxe6 >> +---+ +---+ >> xxe6 : : | f | xxe6 >> +---+ +---+ >> xxe6 | f | >> +---+ >> >> 5. cat /proc/keys. and the issue is reproduced. > > Hi, I'll try to run through your procedure next week and give my comments. > Thanks for doing this. > > BR, Jarkko Hi, Jarkko, have you run these procedure? I have tested this patch with LTP and a pressure test(stress-ng --key), and this patch have fixed this issue. Additionally, no new bugs have been found so far. I am looking forward to your reply. Best regards, Ridong ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-26 3:48 ` Chen Ridong @ 2024-09-26 8:53 ` Jarkko Sakkinen 2024-09-26 8:55 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-26 8:53 UTC (permalink / raw) To: Chen Ridong, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, James.Bottomley, roberto.sassu On Thu Sep 26, 2024 at 6:48 AM EEST, Chen Ridong wrote: > > On 2024/9/19 4:57, Jarkko Sakkinen wrote: > > On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: > >> > >> > >> On 2024/9/15 21:59, Jarkko Sakkinen wrote: > >>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: > >>>> > >>>> > >>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: > >>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > >>>>>> We meet the same issue with the LINK, which reads memory out of bounds: > >>>>> > >>>>> Nit: don't use "we" anywhere". > >>>>> > >>>>> Tbh, I really don't understand the sentence above. I don't what > >>>>> "the same issue with the LINK" really is. > >>>>> > >>>> > >>>> Hello, Jarkko. > >>>> I apologize for any confusion caused. > >>>> > >>>> I've encountered a bug reported by syzkaller. I also found the same bug > >>>> reported at this LINK: > >>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. > >>>> > >>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > >>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > >>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > >>>>>> security/keys/permission.c:54 > >>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > >>>>>> > >>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > >>>>>> Call Trace: > >>>>>> __dump_stack lib/dump_stack.c:82 [inline] > >>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 > >>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > >>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > >>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 > >>>>>> __kuid_val include/linux/uidgid.h:36 [inline] > >>>>>> uid_eq include/linux/uidgid.h:63 [inline] > >>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 > >>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > >>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > >>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > >>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > >>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > >>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > >>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > >>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > >>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > >>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > >>>>>> > >>>>>> However, we can't reproduce this issue. > >>>>> > >>>>> "The issue cannot be easily reproduced but by analyzing the code > >>>>> it can be broken into following steps:" > >>>> > >>>> Thank you for your correction. > >>>> Does this patch address the issue correctly? Is this patch acceptable? > >>> > >>> I only comment new patch versions so not giving any promises but I can > >>> say that it is I think definitely in the correct direction :-) > >>> > >>> BR, Jarkko > >> > >> Hello, Jarkko. I have reproduced this issue. It can be reproduced by > >> following these steps: > >> > >> 1. Add the helper patch. > >> > >> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct > >> keyring_index_key *index_key) > >> else if (index_key->type == &key_type_keyring && (hash & > >> fan_mask) != 0) > >> hash = (hash + (hash << level_shift)) & ~fan_mask; > >> index_key->hash = hash; > >> + if ((index_key->hash & 0xff) == 0xe6) { > >> + pr_err("hash_key_type_and_desc: type %s %s > >> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); > >> + } > >> } > >> > >> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a > >> key's hash is xxe6, it will be printed. > >> > >> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done > >> > >> You have complile test_key whith following code. > >> > >> #include <sys/types.h> > >> #include <keyutils.h> > >> #include <stdint.h> > >> #include <stdio.h> > >> #include <stdlib.h> > >> #include <string.h> > >> > >> int > >> main(int argc, char *argv[]) > >> { > >> key_serial_t key; > >> > >> if (argc != 4) { > >> fprintf(stderr, "Usage: %s type description payload\n", > >> argv[0]); > >> exit(EXIT_FAILURE); > >> } > >> > >> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), > >> KEY_SPEC_SESSION_KEYRING); > >> if (key == -1) { > >> perror("add_key"); > >> exit(EXIT_FAILURE); > >> } > >> > >> printf("Key ID is %jx\n", (uintmax_t) key); > >> > >> exit(EXIT_SUCCESS); > >> } > >> > >> > >> 3. Have more than 32 inputs now. their hashes are xxe6. > >> eg. > >> hash_key_type_and_desc: type user user438 0xe3033fe6 > >> hash_key_type_and_desc: type user user526 0xeb7eade6 > >> ... > >> hash_key_type_and_desc: type user user9955 0x44bc99e6 > >> > >> 4. Reboot and add the keys obtained from step 3. > >> When adding keys to the ROOT that their hashes are all xxe6, and up to > >> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so > >> the keys are dissimilar. The ROOT will then split NODE A without using a > >> shortcut. When NODE A is filled with keys that have hashes of xxe6, the > >> keys are similar. NODE A will split with a shortcut. > >> > >> As my analysis, if a slot of the root is a shortcut(slot 6), it may be > >> mistakenly be transferred to a key*, leading to an read out-of-bounds read. > >> > >> NODE A > >> +------>+---+ > >> ROOT | | 0 | xxe6 > >> +---+ | +---+ > >> xxxx | 0 | shortcut : : xxe6 > >> +---+ | +---+ > >> xxe6 : : | | | xxe6 > >> +---+ | +---+ > >> | 6 |---+ : : xxe6 > >> +---+ +---+ > >> xxe6 : : | f | xxe6 > >> +---+ +---+ > >> xxe6 | f | > >> +---+ > >> > >> 5. cat /proc/keys. and the issue is reproduced. > > > > Hi, I'll try to run through your procedure next week and give my comments. > > Thanks for doing this. > > > > BR, Jarkko > > Hi, Jarkko, have you run these procedure? > I have tested this patch with LTP and a pressure test(stress-ng --key), > and this patch have fixed this issue. Additionally, no new bugs have > been found so far. > > I am looking forward to your reply. > > Best regards, > Ridong Nope because we are apparently stuck with release critical bug: https://lore.kernel.org/linux-integrity/D4EPMF7G3E05.1VHS9CVG3DZDE@kernel.org/T/#t Might take several weeks before I look into this. BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-26 8:53 ` Jarkko Sakkinen @ 2024-09-26 8:55 ` Jarkko Sakkinen 2024-09-26 9:54 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-26 8:55 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, James.Bottomley, roberto.sassu On Thu Sep 26, 2024 at 11:53 AM EEST, Jarkko Sakkinen wrote: > On Thu Sep 26, 2024 at 6:48 AM EEST, Chen Ridong wrote: > > > > On 2024/9/19 4:57, Jarkko Sakkinen wrote: > > > On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: > > >> > > >> > > >> On 2024/9/15 21:59, Jarkko Sakkinen wrote: > > >>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: > > >>>> > > >>>> > > >>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: > > >>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > > >>>>>> We meet the same issue with the LINK, which reads memory out of bounds: > > >>>>> > > >>>>> Nit: don't use "we" anywhere". > > >>>>> > > >>>>> Tbh, I really don't understand the sentence above. I don't what > > >>>>> "the same issue with the LINK" really is. > > >>>>> > > >>>> > > >>>> Hello, Jarkko. > > >>>> I apologize for any confusion caused. > > >>>> > > >>>> I've encountered a bug reported by syzkaller. I also found the same bug > > >>>> reported at this LINK: > > >>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. > > >>>> > > >>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > > >>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > > >>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > > >>>>>> security/keys/permission.c:54 > > >>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > > >>>>>> > > >>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > > >>>>>> Call Trace: > > >>>>>> __dump_stack lib/dump_stack.c:82 [inline] > > >>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 > > >>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > > >>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > > >>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 > > >>>>>> __kuid_val include/linux/uidgid.h:36 [inline] > > >>>>>> uid_eq include/linux/uidgid.h:63 [inline] > > >>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 > > >>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > > >>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > > >>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > > >>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > > >>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > > >>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > > >>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > > >>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > > >>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > > >>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > > >>>>>> > > >>>>>> However, we can't reproduce this issue. > > >>>>> > > >>>>> "The issue cannot be easily reproduced but by analyzing the code > > >>>>> it can be broken into following steps:" > > >>>> > > >>>> Thank you for your correction. > > >>>> Does this patch address the issue correctly? Is this patch acceptable? > > >>> > > >>> I only comment new patch versions so not giving any promises but I can > > >>> say that it is I think definitely in the correct direction :-) > > >>> > > >>> BR, Jarkko > > >> > > >> Hello, Jarkko. I have reproduced this issue. It can be reproduced by > > >> following these steps: > > >> > > >> 1. Add the helper patch. > > >> > > >> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct > > >> keyring_index_key *index_key) > > >> else if (index_key->type == &key_type_keyring && (hash & > > >> fan_mask) != 0) > > >> hash = (hash + (hash << level_shift)) & ~fan_mask; > > >> index_key->hash = hash; > > >> + if ((index_key->hash & 0xff) == 0xe6) { > > >> + pr_err("hash_key_type_and_desc: type %s %s > > >> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); > > >> + } > > >> } > > >> > > >> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a > > >> key's hash is xxe6, it will be printed. > > >> > > >> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done > > >> > > >> You have complile test_key whith following code. > > >> > > >> #include <sys/types.h> > > >> #include <keyutils.h> > > >> #include <stdint.h> > > >> #include <stdio.h> > > >> #include <stdlib.h> > > >> #include <string.h> > > >> > > >> int > > >> main(int argc, char *argv[]) > > >> { > > >> key_serial_t key; > > >> > > >> if (argc != 4) { > > >> fprintf(stderr, "Usage: %s type description payload\n", > > >> argv[0]); > > >> exit(EXIT_FAILURE); > > >> } > > >> > > >> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), > > >> KEY_SPEC_SESSION_KEYRING); > > >> if (key == -1) { > > >> perror("add_key"); > > >> exit(EXIT_FAILURE); > > >> } > > >> > > >> printf("Key ID is %jx\n", (uintmax_t) key); > > >> > > >> exit(EXIT_SUCCESS); > > >> } > > >> > > >> > > >> 3. Have more than 32 inputs now. their hashes are xxe6. > > >> eg. > > >> hash_key_type_and_desc: type user user438 0xe3033fe6 > > >> hash_key_type_and_desc: type user user526 0xeb7eade6 > > >> ... > > >> hash_key_type_and_desc: type user user9955 0x44bc99e6 > > >> > > >> 4. Reboot and add the keys obtained from step 3. > > >> When adding keys to the ROOT that their hashes are all xxe6, and up to > > >> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so > > >> the keys are dissimilar. The ROOT will then split NODE A without using a > > >> shortcut. When NODE A is filled with keys that have hashes of xxe6, the > > >> keys are similar. NODE A will split with a shortcut. > > >> > > >> As my analysis, if a slot of the root is a shortcut(slot 6), it may be > > >> mistakenly be transferred to a key*, leading to an read out-of-bounds read. > > >> > > >> NODE A > > >> +------>+---+ > > >> ROOT | | 0 | xxe6 > > >> +---+ | +---+ > > >> xxxx | 0 | shortcut : : xxe6 > > >> +---+ | +---+ > > >> xxe6 : : | | | xxe6 > > >> +---+ | +---+ > > >> | 6 |---+ : : xxe6 > > >> +---+ +---+ > > >> xxe6 : : | f | xxe6 > > >> +---+ +---+ > > >> xxe6 | f | > > >> +---+ > > >> > > >> 5. cat /proc/keys. and the issue is reproduced. > > > > > > Hi, I'll try to run through your procedure next week and give my comments. > > > Thanks for doing this. > > > > > > BR, Jarkko > > > > Hi, Jarkko, have you run these procedure? > > I have tested this patch with LTP and a pressure test(stress-ng --key), > > and this patch have fixed this issue. Additionally, no new bugs have > > been found so far. > > > > I am looking forward to your reply. > > > > Best regards, > > Ridong > > Nope because we are apparently stuck with release critical bug: > > https://lore.kernel.org/linux-integrity/D4EPMF7G3E05.1VHS9CVG3DZDE@kernel.org/T/#t > > Might take several weeks before I look into this. I was expecting to send a PR early this week since the patch set addresses the issue so thus wrong estimation. BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-26 8:55 ` Jarkko Sakkinen @ 2024-09-26 9:54 ` Jarkko Sakkinen 2024-09-26 11:20 ` chenridong 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-26 9:54 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, James.Bottomley, roberto.sassu On Thu Sep 26, 2024 at 11:55 AM EEST, Jarkko Sakkinen wrote: > On Thu Sep 26, 2024 at 11:53 AM EEST, Jarkko Sakkinen wrote: > > On Thu Sep 26, 2024 at 6:48 AM EEST, Chen Ridong wrote: > > > > > > On 2024/9/19 4:57, Jarkko Sakkinen wrote: > > > > On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: > > > >> > > > >> > > > >> On 2024/9/15 21:59, Jarkko Sakkinen wrote: > > > >>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: > > > >>>> > > > >>>> > > > >>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: > > > >>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > > > >>>>>> We meet the same issue with the LINK, which reads memory out of bounds: > > > >>>>> > > > >>>>> Nit: don't use "we" anywhere". > > > >>>>> > > > >>>>> Tbh, I really don't understand the sentence above. I don't what > > > >>>>> "the same issue with the LINK" really is. > > > >>>>> > > > >>>> > > > >>>> Hello, Jarkko. > > > >>>> I apologize for any confusion caused. > > > >>>> > > > >>>> I've encountered a bug reported by syzkaller. I also found the same bug > > > >>>> reported at this LINK: > > > >>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. > > > >>>> > > > >>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > > > >>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > > > >>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > > > >>>>>> security/keys/permission.c:54 > > > >>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > > > >>>>>> > > > >>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > > > >>>>>> Call Trace: > > > >>>>>> __dump_stack lib/dump_stack.c:82 [inline] > > > >>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 > > > >>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > > > >>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > > > >>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 > > > >>>>>> __kuid_val include/linux/uidgid.h:36 [inline] > > > >>>>>> uid_eq include/linux/uidgid.h:63 [inline] > > > >>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 > > > >>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > > > >>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > > > >>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > > > >>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > > > >>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > > > >>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > > > >>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > > > >>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > > > >>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > > > >>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > > > >>>>>> > > > >>>>>> However, we can't reproduce this issue. > > > >>>>> > > > >>>>> "The issue cannot be easily reproduced but by analyzing the code > > > >>>>> it can be broken into following steps:" > > > >>>> > > > >>>> Thank you for your correction. > > > >>>> Does this patch address the issue correctly? Is this patch acceptable? > > > >>> > > > >>> I only comment new patch versions so not giving any promises but I can > > > >>> say that it is I think definitely in the correct direction :-) > > > >>> > > > >>> BR, Jarkko > > > >> > > > >> Hello, Jarkko. I have reproduced this issue. It can be reproduced by > > > >> following these steps: > > > >> > > > >> 1. Add the helper patch. > > > >> > > > >> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct > > > >> keyring_index_key *index_key) > > > >> else if (index_key->type == &key_type_keyring && (hash & > > > >> fan_mask) != 0) > > > >> hash = (hash + (hash << level_shift)) & ~fan_mask; > > > >> index_key->hash = hash; > > > >> + if ((index_key->hash & 0xff) == 0xe6) { > > > >> + pr_err("hash_key_type_and_desc: type %s %s > > > >> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); > > > >> + } > > > >> } > > > >> > > > >> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a > > > >> key's hash is xxe6, it will be printed. > > > >> > > > >> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done > > > >> > > > >> You have complile test_key whith following code. > > > >> > > > >> #include <sys/types.h> > > > >> #include <keyutils.h> > > > >> #include <stdint.h> > > > >> #include <stdio.h> > > > >> #include <stdlib.h> > > > >> #include <string.h> > > > >> > > > >> int > > > >> main(int argc, char *argv[]) > > > >> { > > > >> key_serial_t key; > > > >> > > > >> if (argc != 4) { > > > >> fprintf(stderr, "Usage: %s type description payload\n", > > > >> argv[0]); > > > >> exit(EXIT_FAILURE); > > > >> } > > > >> > > > >> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), > > > >> KEY_SPEC_SESSION_KEYRING); > > > >> if (key == -1) { > > > >> perror("add_key"); > > > >> exit(EXIT_FAILURE); > > > >> } > > > >> > > > >> printf("Key ID is %jx\n", (uintmax_t) key); > > > >> > > > >> exit(EXIT_SUCCESS); > > > >> } > > > >> > > > >> > > > >> 3. Have more than 32 inputs now. their hashes are xxe6. > > > >> eg. > > > >> hash_key_type_and_desc: type user user438 0xe3033fe6 > > > >> hash_key_type_and_desc: type user user526 0xeb7eade6 > > > >> ... > > > >> hash_key_type_and_desc: type user user9955 0x44bc99e6 > > > >> > > > >> 4. Reboot and add the keys obtained from step 3. > > > >> When adding keys to the ROOT that their hashes are all xxe6, and up to > > > >> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so > > > >> the keys are dissimilar. The ROOT will then split NODE A without using a > > > >> shortcut. When NODE A is filled with keys that have hashes of xxe6, the > > > >> keys are similar. NODE A will split with a shortcut. > > > >> > > > >> As my analysis, if a slot of the root is a shortcut(slot 6), it may be > > > >> mistakenly be transferred to a key*, leading to an read out-of-bounds read. > > > >> > > > >> NODE A > > > >> +------>+---+ > > > >> ROOT | | 0 | xxe6 > > > >> +---+ | +---+ > > > >> xxxx | 0 | shortcut : : xxe6 > > > >> +---+ | +---+ > > > >> xxe6 : : | | | xxe6 > > > >> +---+ | +---+ > > > >> | 6 |---+ : : xxe6 > > > >> +---+ +---+ > > > >> xxe6 : : | f | xxe6 > > > >> +---+ +---+ > > > >> xxe6 | f | > > > >> +---+ > > > >> > > > >> 5. cat /proc/keys. and the issue is reproduced. > > > > > > > > Hi, I'll try to run through your procedure next week and give my comments. > > > > Thanks for doing this. > > > > > > > > BR, Jarkko > > > > > > Hi, Jarkko, have you run these procedure? > > > I have tested this patch with LTP and a pressure test(stress-ng --key), > > > and this patch have fixed this issue. Additionally, no new bugs have > > > been found so far. > > > > > > I am looking forward to your reply. > > > > > > Best regards, > > > Ridong > > > > Nope because we are apparently stuck with release critical bug: > > > > https://lore.kernel.org/linux-integrity/D4EPMF7G3E05.1VHS9CVG3DZDE@kernel.org/T/#t > > > > Might take several weeks before I look into this. > > I was expecting to send a PR early this week since the patch set > addresses the issue so thus wrong estimation. I asked David if he could look into this. BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-26 9:54 ` Jarkko Sakkinen @ 2024-09-26 11:20 ` chenridong 2024-09-26 17:08 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: chenridong @ 2024-09-26 11:20 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, James.Bottomley, roberto.sassu On 2024/9/26 17:54, Jarkko Sakkinen wrote: > On Thu Sep 26, 2024 at 11:55 AM EEST, Jarkko Sakkinen wrote: >> On Thu Sep 26, 2024 at 11:53 AM EEST, Jarkko Sakkinen wrote: >>> On Thu Sep 26, 2024 at 6:48 AM EEST, Chen Ridong wrote: >>>> >>>> On 2024/9/19 4:57, Jarkko Sakkinen wrote: >>>>> On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: >>>>>> >>>>>> >>>>>> On 2024/9/15 21:59, Jarkko Sakkinen wrote: >>>>>>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: >>>>>>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: >>>>>>>>>> We meet the same issue with the LINK, which reads memory out of bounds: >>>>>>>>> >>>>>>>>> Nit: don't use "we" anywhere". >>>>>>>>> >>>>>>>>> Tbh, I really don't understand the sentence above. I don't what >>>>>>>>> "the same issue with the LINK" really is. >>>>>>>>> >>>>>>>> >>>>>>>> Hello, Jarkko. >>>>>>>> I apologize for any confusion caused. >>>>>>>> >>>>>>>> I've encountered a bug reported by syzkaller. I also found the same bug >>>>>>>> reported at this LINK: >>>>>>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. >>>>>>>> >>>>>>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 >>>>>>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] >>>>>>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >>>>>>>>>> security/keys/permission.c:54 >>>>>>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >>>>>>>>>> >>>>>>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 >>>>>>>>>> Call Trace: >>>>>>>>>> __dump_stack lib/dump_stack.c:82 [inline] >>>>>>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 >>>>>>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 >>>>>>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >>>>>>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >>>>>>>>>> __kuid_val include/linux/uidgid.h:36 [inline] >>>>>>>>>> uid_eq include/linux/uidgid.h:63 [inline] >>>>>>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 >>>>>>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 >>>>>>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >>>>>>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 >>>>>>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 >>>>>>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >>>>>>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >>>>>>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >>>>>>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >>>>>>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >>>>>>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 >>>>>>>>>> >>>>>>>>>> However, we can't reproduce this issue. >>>>>>>>> >>>>>>>>> "The issue cannot be easily reproduced but by analyzing the code >>>>>>>>> it can be broken into following steps:" >>>>>>>> >>>>>>>> Thank you for your correction. >>>>>>>> Does this patch address the issue correctly? Is this patch acceptable? >>>>>>> >>>>>>> I only comment new patch versions so not giving any promises but I can >>>>>>> say that it is I think definitely in the correct direction :-) >>>>>>> >>>>>>> BR, Jarkko >>>>>> >>>>>> Hello, Jarkko. I have reproduced this issue. It can be reproduced by >>>>>> following these steps: >>>>>> >>>>>> 1. Add the helper patch. >>>>>> >>>>>> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct >>>>>> keyring_index_key *index_key) >>>>>> else if (index_key->type == &key_type_keyring && (hash & >>>>>> fan_mask) != 0) >>>>>> hash = (hash + (hash << level_shift)) & ~fan_mask; >>>>>> index_key->hash = hash; >>>>>> + if ((index_key->hash & 0xff) == 0xe6) { >>>>>> + pr_err("hash_key_type_and_desc: type %s %s >>>>>> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); >>>>>> + } >>>>>> } >>>>>> >>>>>> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a >>>>>> key's hash is xxe6, it will be printed. >>>>>> >>>>>> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done >>>>>> >>>>>> You have complile test_key whith following code. >>>>>> >>>>>> #include <sys/types.h> >>>>>> #include <keyutils.h> >>>>>> #include <stdint.h> >>>>>> #include <stdio.h> >>>>>> #include <stdlib.h> >>>>>> #include <string.h> >>>>>> >>>>>> int >>>>>> main(int argc, char *argv[]) >>>>>> { >>>>>> key_serial_t key; >>>>>> >>>>>> if (argc != 4) { >>>>>> fprintf(stderr, "Usage: %s type description payload\n", >>>>>> argv[0]); >>>>>> exit(EXIT_FAILURE); >>>>>> } >>>>>> >>>>>> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), >>>>>> KEY_SPEC_SESSION_KEYRING); >>>>>> if (key == -1) { >>>>>> perror("add_key"); >>>>>> exit(EXIT_FAILURE); >>>>>> } >>>>>> >>>>>> printf("Key ID is %jx\n", (uintmax_t) key); >>>>>> >>>>>> exit(EXIT_SUCCESS); >>>>>> } >>>>>> >>>>>> >>>>>> 3. Have more than 32 inputs now. their hashes are xxe6. >>>>>> eg. >>>>>> hash_key_type_and_desc: type user user438 0xe3033fe6 >>>>>> hash_key_type_and_desc: type user user526 0xeb7eade6 >>>>>> ... >>>>>> hash_key_type_and_desc: type user user9955 0x44bc99e6 >>>>>> >>>>>> 4. Reboot and add the keys obtained from step 3. >>>>>> When adding keys to the ROOT that their hashes are all xxe6, and up to >>>>>> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so >>>>>> the keys are dissimilar. The ROOT will then split NODE A without using a >>>>>> shortcut. When NODE A is filled with keys that have hashes of xxe6, the >>>>>> keys are similar. NODE A will split with a shortcut. >>>>>> >>>>>> As my analysis, if a slot of the root is a shortcut(slot 6), it may be >>>>>> mistakenly be transferred to a key*, leading to an read out-of-bounds read. >>>>>> >>>>>> NODE A >>>>>> +------>+---+ >>>>>> ROOT | | 0 | xxe6 >>>>>> +---+ | +---+ >>>>>> xxxx | 0 | shortcut : : xxe6 >>>>>> +---+ | +---+ >>>>>> xxe6 : : | | | xxe6 >>>>>> +---+ | +---+ >>>>>> | 6 |---+ : : xxe6 >>>>>> +---+ +---+ >>>>>> xxe6 : : | f | xxe6 >>>>>> +---+ +---+ >>>>>> xxe6 | f | >>>>>> +---+ >>>>>> >>>>>> 5. cat /proc/keys. and the issue is reproduced. >>>>> >>>>> Hi, I'll try to run through your procedure next week and give my comments. >>>>> Thanks for doing this. >>>>> >>>>> BR, Jarkko >>>> >>>> Hi, Jarkko, have you run these procedure? >>>> I have tested this patch with LTP and a pressure test(stress-ng --key), >>>> and this patch have fixed this issue. Additionally, no new bugs have >>>> been found so far. >>>> >>>> I am looking forward to your reply. >>>> >>>> Best regards, >>>> Ridong >>> >>> Nope because we are apparently stuck with release critical bug: >>> >>> https://lore.kernel.org/linux-integrity/D4EPMF7G3E05.1VHS9CVG3DZDE@kernel.org/T/#t >>> >>> Might take several weeks before I look into this. >> >> I was expecting to send a PR early this week since the patch set >> addresses the issue so thus wrong estimation. > > I asked David if he could look into this. > > BR, Jarkko Thank you very much. Best regards, Ridong ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-26 11:20 ` chenridong @ 2024-09-26 17:08 ` Jarkko Sakkinen 2024-09-27 8:20 ` chenridong 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-09-26 17:08 UTC (permalink / raw) To: chenridong, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, James.Bottomley, roberto.sassu On Thu Sep 26, 2024 at 2:20 PM EEST, chenridong wrote: > > > On 2024/9/26 17:54, Jarkko Sakkinen wrote: > > On Thu Sep 26, 2024 at 11:55 AM EEST, Jarkko Sakkinen wrote: > >> On Thu Sep 26, 2024 at 11:53 AM EEST, Jarkko Sakkinen wrote: > >>> On Thu Sep 26, 2024 at 6:48 AM EEST, Chen Ridong wrote: > >>>> > >>>> On 2024/9/19 4:57, Jarkko Sakkinen wrote: > >>>>> On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: > >>>>>> > >>>>>> > >>>>>> On 2024/9/15 21:59, Jarkko Sakkinen wrote: > >>>>>>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: > >>>>>>>> > >>>>>>>> > >>>>>>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: > >>>>>>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: > >>>>>>>>>> We meet the same issue with the LINK, which reads memory out of bounds: > >>>>>>>>> > >>>>>>>>> Nit: don't use "we" anywhere". > >>>>>>>>> > >>>>>>>>> Tbh, I really don't understand the sentence above. I don't what > >>>>>>>>> "the same issue with the LINK" really is. > >>>>>>>>> > >>>>>>>> > >>>>>>>> Hello, Jarkko. > >>>>>>>> I apologize for any confusion caused. > >>>>>>>> > >>>>>>>> I've encountered a bug reported by syzkaller. I also found the same bug > >>>>>>>> reported at this LINK: > >>>>>>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. > >>>>>>>> > >>>>>>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 > >>>>>>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] > >>>>>>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > >>>>>>>>>> security/keys/permission.c:54 > >>>>>>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > >>>>>>>>>> > >>>>>>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 > >>>>>>>>>> Call Trace: > >>>>>>>>>> __dump_stack lib/dump_stack.c:82 [inline] > >>>>>>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 > >>>>>>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 > >>>>>>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > >>>>>>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 > >>>>>>>>>> __kuid_val include/linux/uidgid.h:36 [inline] > >>>>>>>>>> uid_eq include/linux/uidgid.h:63 [inline] > >>>>>>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 > >>>>>>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > >>>>>>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > >>>>>>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 > >>>>>>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 > >>>>>>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > >>>>>>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > >>>>>>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > >>>>>>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > >>>>>>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > >>>>>>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > >>>>>>>>>> > >>>>>>>>>> However, we can't reproduce this issue. > >>>>>>>>> > >>>>>>>>> "The issue cannot be easily reproduced but by analyzing the code > >>>>>>>>> it can be broken into following steps:" > >>>>>>>> > >>>>>>>> Thank you for your correction. > >>>>>>>> Does this patch address the issue correctly? Is this patch acceptable? > >>>>>>> > >>>>>>> I only comment new patch versions so not giving any promises but I can > >>>>>>> say that it is I think definitely in the correct direction :-) > >>>>>>> > >>>>>>> BR, Jarkko > >>>>>> > >>>>>> Hello, Jarkko. I have reproduced this issue. It can be reproduced by > >>>>>> following these steps: > >>>>>> > >>>>>> 1. Add the helper patch. > >>>>>> > >>>>>> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct > >>>>>> keyring_index_key *index_key) > >>>>>> else if (index_key->type == &key_type_keyring && (hash & > >>>>>> fan_mask) != 0) > >>>>>> hash = (hash + (hash << level_shift)) & ~fan_mask; > >>>>>> index_key->hash = hash; > >>>>>> + if ((index_key->hash & 0xff) == 0xe6) { > >>>>>> + pr_err("hash_key_type_and_desc: type %s %s > >>>>>> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); > >>>>>> + } > >>>>>> } > >>>>>> > >>>>>> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a > >>>>>> key's hash is xxe6, it will be printed. > >>>>>> > >>>>>> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done > >>>>>> > >>>>>> You have complile test_key whith following code. > >>>>>> > >>>>>> #include <sys/types.h> > >>>>>> #include <keyutils.h> > >>>>>> #include <stdint.h> > >>>>>> #include <stdio.h> > >>>>>> #include <stdlib.h> > >>>>>> #include <string.h> > >>>>>> > >>>>>> int > >>>>>> main(int argc, char *argv[]) > >>>>>> { > >>>>>> key_serial_t key; > >>>>>> > >>>>>> if (argc != 4) { > >>>>>> fprintf(stderr, "Usage: %s type description payload\n", > >>>>>> argv[0]); > >>>>>> exit(EXIT_FAILURE); > >>>>>> } > >>>>>> > >>>>>> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), > >>>>>> KEY_SPEC_SESSION_KEYRING); > >>>>>> if (key == -1) { > >>>>>> perror("add_key"); > >>>>>> exit(EXIT_FAILURE); > >>>>>> } > >>>>>> > >>>>>> printf("Key ID is %jx\n", (uintmax_t) key); > >>>>>> > >>>>>> exit(EXIT_SUCCESS); > >>>>>> } > >>>>>> > >>>>>> > >>>>>> 3. Have more than 32 inputs now. their hashes are xxe6. > >>>>>> eg. > >>>>>> hash_key_type_and_desc: type user user438 0xe3033fe6 > >>>>>> hash_key_type_and_desc: type user user526 0xeb7eade6 > >>>>>> ... > >>>>>> hash_key_type_and_desc: type user user9955 0x44bc99e6 > >>>>>> > >>>>>> 4. Reboot and add the keys obtained from step 3. > >>>>>> When adding keys to the ROOT that their hashes are all xxe6, and up to > >>>>>> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so > >>>>>> the keys are dissimilar. The ROOT will then split NODE A without using a > >>>>>> shortcut. When NODE A is filled with keys that have hashes of xxe6, the > >>>>>> keys are similar. NODE A will split with a shortcut. > >>>>>> > >>>>>> As my analysis, if a slot of the root is a shortcut(slot 6), it may be > >>>>>> mistakenly be transferred to a key*, leading to an read out-of-bounds read. > >>>>>> > >>>>>> NODE A > >>>>>> +------>+---+ > >>>>>> ROOT | | 0 | xxe6 > >>>>>> +---+ | +---+ > >>>>>> xxxx | 0 | shortcut : : xxe6 > >>>>>> +---+ | +---+ > >>>>>> xxe6 : : | | | xxe6 > >>>>>> +---+ | +---+ > >>>>>> | 6 |---+ : : xxe6 > >>>>>> +---+ +---+ > >>>>>> xxe6 : : | f | xxe6 > >>>>>> +---+ +---+ > >>>>>> xxe6 | f | > >>>>>> +---+ > >>>>>> > >>>>>> 5. cat /proc/keys. and the issue is reproduced. > >>>>> > >>>>> Hi, I'll try to run through your procedure next week and give my comments. > >>>>> Thanks for doing this. > >>>>> > >>>>> BR, Jarkko > >>>> > >>>> Hi, Jarkko, have you run these procedure? > >>>> I have tested this patch with LTP and a pressure test(stress-ng --key), > >>>> and this patch have fixed this issue. Additionally, no new bugs have > >>>> been found so far. > >>>> > >>>> I am looking forward to your reply. > >>>> > >>>> Best regards, > >>>> Ridong > >>> > >>> Nope because we are apparently stuck with release critical bug: > >>> > >>> https://lore.kernel.org/linux-integrity/D4EPMF7G3E05.1VHS9CVG3DZDE@kernel.org/T/#t > >>> > >>> Might take several weeks before I look into this. > >> > >> I was expecting to send a PR early this week since the patch set > >> addresses the issue so thus wrong estimation. > > > > I asked David if he could look into this. > > > > BR, Jarkko > > Thank you very much. Further, I'm switching jobs. Tomorrow is my last day in the current job and next week starting a new job so given all these circumastances I rather look into this properly hopefully latest after my rc2 PR is out, rather than rushing. In a normal status quo situation this would not be such a huge issue. Similarly, for the performance bug I want to review James' comments etc with time and bake v6 that hopefully satisfies all the stateholders. So thank you for understanding, and I appreciate the work you've done on this. I.e. not ignoring this :-) BR, Jarkko BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-26 17:08 ` Jarkko Sakkinen @ 2024-09-27 8:20 ` chenridong 0 siblings, 0 replies; 18+ messages in thread From: chenridong @ 2024-09-27 8:20 UTC (permalink / raw) To: Jarkko Sakkinen, Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, James.Bottomley, roberto.sassu On 2024/9/27 1:08, Jarkko Sakkinen wrote: > On Thu Sep 26, 2024 at 2:20 PM EEST, chenridong wrote: >> >> >> On 2024/9/26 17:54, Jarkko Sakkinen wrote: >>> On Thu Sep 26, 2024 at 11:55 AM EEST, Jarkko Sakkinen wrote: >>>> On Thu Sep 26, 2024 at 11:53 AM EEST, Jarkko Sakkinen wrote: >>>>> On Thu Sep 26, 2024 at 6:48 AM EEST, Chen Ridong wrote: >>>>>> >>>>>> On 2024/9/19 4:57, Jarkko Sakkinen wrote: >>>>>>> On Wed Sep 18, 2024 at 10:30 AM EEST, Chen Ridong wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 2024/9/15 21:59, Jarkko Sakkinen wrote: >>>>>>>>> On Sun Sep 15, 2024 at 3:55 AM EEST, Chen Ridong wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 2024/9/14 19:33, Jarkko Sakkinen wrote: >>>>>>>>>>> On Fri Sep 13, 2024 at 10:09 AM EEST, Chen Ridong wrote: >>>>>>>>>>>> We meet the same issue with the LINK, which reads memory out of bounds: >>>>>>>>>>> >>>>>>>>>>> Nit: don't use "we" anywhere". >>>>>>>>>>> >>>>>>>>>>> Tbh, I really don't understand the sentence above. I don't what >>>>>>>>>>> "the same issue with the LINK" really is. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Hello, Jarkko. >>>>>>>>>> I apologize for any confusion caused. >>>>>>>>>> >>>>>>>>>> I've encountered a bug reported by syzkaller. I also found the same bug >>>>>>>>>> reported at this LINK: >>>>>>>>>> https://syzkaller.appspot.com/bug?id=68a5e206c2a8e08d317eb83f05610c0484ad10b9. >>>>>>>>>> >>>>>>>>>>>> BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36 >>>>>>>>>>>> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline] >>>>>>>>>>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >>>>>>>>>>>> security/keys/permission.c:54 >>>>>>>>>>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >>>>>>>>>>>> >>>>>>>>>>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15 >>>>>>>>>>>> Call Trace: >>>>>>>>>>>> __dump_stack lib/dump_stack.c:82 [inline] >>>>>>>>>>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 >>>>>>>>>>>> print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400 >>>>>>>>>>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >>>>>>>>>>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >>>>>>>>>>>> __kuid_val include/linux/uidgid.h:36 [inline] >>>>>>>>>>>> uid_eq include/linux/uidgid.h:63 [inline] >>>>>>>>>>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 >>>>>>>>>>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 >>>>>>>>>>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >>>>>>>>>>>> search_cred_keyrings_rcu+0x111/0x2e0 security/keys/process_keys.c:459 >>>>>>>>>>>> search_process_keyrings_rcu+0x1d/0x310 security/keys/process_keys.c:544 >>>>>>>>>>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >>>>>>>>>>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >>>>>>>>>>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >>>>>>>>>>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >>>>>>>>>>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >>>>>>>>>>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 >>>>>>>>>>>> >>>>>>>>>>>> However, we can't reproduce this issue. >>>>>>>>>>> >>>>>>>>>>> "The issue cannot be easily reproduced but by analyzing the code >>>>>>>>>>> it can be broken into following steps:" >>>>>>>>>> >>>>>>>>>> Thank you for your correction. >>>>>>>>>> Does this patch address the issue correctly? Is this patch acceptable? >>>>>>>>> >>>>>>>>> I only comment new patch versions so not giving any promises but I can >>>>>>>>> say that it is I think definitely in the correct direction :-) >>>>>>>>> >>>>>>>>> BR, Jarkko >>>>>>>> >>>>>>>> Hello, Jarkko. I have reproduced this issue. It can be reproduced by >>>>>>>> following these steps: >>>>>>>> >>>>>>>> 1. Add the helper patch. >>>>>>>> >>>>>>>> @@ -205,6 +205,9 @@ static void hash_key_type_and_desc(struct >>>>>>>> keyring_index_key *index_key) >>>>>>>> else if (index_key->type == &key_type_keyring && (hash & >>>>>>>> fan_mask) != 0) >>>>>>>> hash = (hash + (hash << level_shift)) & ~fan_mask; >>>>>>>> index_key->hash = hash; >>>>>>>> + if ((index_key->hash & 0xff) == 0xe6) { >>>>>>>> + pr_err("hash_key_type_and_desc: type %s %s >>>>>>>> 0x%x\n", index_key->type->name, index_key->description, index_key->hash); >>>>>>>> + } >>>>>>>> } >>>>>>>> >>>>>>>> 2. Pick up the inputs whose hash is xxe6 using the following cmd. If a >>>>>>>> key's hash is xxe6, it will be printed. >>>>>>>> >>>>>>>> for ((i=0; i<=10000; i++)); do ./test_key user user$i "Some payload"; done >>>>>>>> >>>>>>>> You have complile test_key whith following code. >>>>>>>> >>>>>>>> #include <sys/types.h> >>>>>>>> #include <keyutils.h> >>>>>>>> #include <stdint.h> >>>>>>>> #include <stdio.h> >>>>>>>> #include <stdlib.h> >>>>>>>> #include <string.h> >>>>>>>> >>>>>>>> int >>>>>>>> main(int argc, char *argv[]) >>>>>>>> { >>>>>>>> key_serial_t key; >>>>>>>> >>>>>>>> if (argc != 4) { >>>>>>>> fprintf(stderr, "Usage: %s type description payload\n", >>>>>>>> argv[0]); >>>>>>>> exit(EXIT_FAILURE); >>>>>>>> } >>>>>>>> >>>>>>>> key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]), >>>>>>>> KEY_SPEC_SESSION_KEYRING); >>>>>>>> if (key == -1) { >>>>>>>> perror("add_key"); >>>>>>>> exit(EXIT_FAILURE); >>>>>>>> } >>>>>>>> >>>>>>>> printf("Key ID is %jx\n", (uintmax_t) key); >>>>>>>> >>>>>>>> exit(EXIT_SUCCESS); >>>>>>>> } >>>>>>>> >>>>>>>> >>>>>>>> 3. Have more than 32 inputs now. their hashes are xxe6. >>>>>>>> eg. >>>>>>>> hash_key_type_and_desc: type user user438 0xe3033fe6 >>>>>>>> hash_key_type_and_desc: type user user526 0xeb7eade6 >>>>>>>> ... >>>>>>>> hash_key_type_and_desc: type user user9955 0x44bc99e6 >>>>>>>> >>>>>>>> 4. Reboot and add the keys obtained from step 3. >>>>>>>> When adding keys to the ROOT that their hashes are all xxe6, and up to >>>>>>>> 16, the ROOT has keys with hashes that are not xxe6 (e.g., slot 0), so >>>>>>>> the keys are dissimilar. The ROOT will then split NODE A without using a >>>>>>>> shortcut. When NODE A is filled with keys that have hashes of xxe6, the >>>>>>>> keys are similar. NODE A will split with a shortcut. >>>>>>>> >>>>>>>> As my analysis, if a slot of the root is a shortcut(slot 6), it may be >>>>>>>> mistakenly be transferred to a key*, leading to an read out-of-bounds read. >>>>>>>> >>>>>>>> NODE A >>>>>>>> +------>+---+ >>>>>>>> ROOT | | 0 | xxe6 >>>>>>>> +---+ | +---+ >>>>>>>> xxxx | 0 | shortcut : : xxe6 >>>>>>>> +---+ | +---+ >>>>>>>> xxe6 : : | | | xxe6 >>>>>>>> +---+ | +---+ >>>>>>>> | 6 |---+ : : xxe6 >>>>>>>> +---+ +---+ >>>>>>>> xxe6 : : | f | xxe6 >>>>>>>> +---+ +---+ >>>>>>>> xxe6 | f | >>>>>>>> +---+ >>>>>>>> >>>>>>>> 5. cat /proc/keys. and the issue is reproduced. >>>>>>> >>>>>>> Hi, I'll try to run through your procedure next week and give my comments. >>>>>>> Thanks for doing this. >>>>>>> >>>>>>> BR, Jarkko >>>>>> >>>>>> Hi, Jarkko, have you run these procedure? >>>>>> I have tested this patch with LTP and a pressure test(stress-ng --key), >>>>>> and this patch have fixed this issue. Additionally, no new bugs have >>>>>> been found so far. >>>>>> >>>>>> I am looking forward to your reply. >>>>>> >>>>>> Best regards, >>>>>> Ridong >>>>> >>>>> Nope because we are apparently stuck with release critical bug: >>>>> >>>>> https://lore.kernel.org/linux-integrity/D4EPMF7G3E05.1VHS9CVG3DZDE@kernel.org/T/#t >>>>> >>>>> Might take several weeks before I look into this. >>>> >>>> I was expecting to send a PR early this week since the patch set >>>> addresses the issue so thus wrong estimation. >>> >>> I asked David if he could look into this. >>> >>> BR, Jarkko >> >> Thank you very much. > > Further, I'm switching jobs. Tomorrow is my last day in the current > job and next week starting a new job so given all these circumastances > I rather look into this properly hopefully latest after my rc2 PR is > out, rather than rushing. > > In a normal status quo situation this would not be such a huge issue. > > Similarly, for the performance bug I want to review James' comments > etc with time and bake v6 that hopefully satisfies all the > stateholders. > > So thank you for understanding, and I appreciate the work you've done > on this. I.e. not ignoring this :-) > > BR, Jarkko > > BR, Jarkko I am happy to fix this issue. I am also looking forward to your reply. If this patch is acceptable, I will send a patch to update the commit message you have mentioned. Best regards, Ridong ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-09-13 7:09 [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission Chen Ridong 2024-09-14 10:43 ` Chen Ridong 2024-09-14 11:33 ` Jarkko Sakkinen @ 2024-10-07 23:15 ` Jarkko Sakkinen 2024-10-08 1:40 ` chenridong 2 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-10-07 23:15 UTC (permalink / raw) To: Chen Ridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, chenridong Hi, Revisit... On Fri, 2024-09-13 at 07:09 +0000, Chen Ridong wrote: > We meet the same issue with the LINK, which reads memory out of > bounds: Never ever use pronoun "we" in a commit message in any possible sentence. Instead always use passive imperative. What you probably want to say is: "KASAN reports an out of bounds read:" Right? > BUG: KASAN: slab-out-of-bounds in __kuid_val > include/linux/uidgid.h:36 > BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 > [inline] > BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > security/keys/permission.c:54 > Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > > CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930- > gafbffd6c3ede #15 > Call Trace: > __dump_stack lib/dump_stack.c:82 [inline] > dump_stack+0x107/0x167 lib/dump_stack.c:123 > print_address_description.constprop.0+0x19/0x170 > mm/kasan/report.c:400 > __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > kasan_report+0x3a/0x50 mm/kasan/report.c:585 > __kuid_val include/linux/uidgid.h:36 [inline] > uid_eq include/linux/uidgid.h:63 [inline] > key_task_permission+0x394/0x410 security/keys/permission.c:54 > search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 Snip all below away: > keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > search_cred_keyrings_rcu+0x111/0x2e0 > security/keys/process_keys.c:459 > search_process_keyrings_rcu+0x1d/0x310 > security/keys/process_keys.c:544 > lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > entry_SYSCALL_64_after_hwframe+0x67/0xd1 Remember to cut only the relevant part of the stack trace to make this commit message more compact and readable. > > However, we can't reproduce this issue. > After our analysis, it can make this issue by following steps. > 1.As syzkaller reported, the memory is allocated for struct "1. " > assoc_array_shortcut in the assoc_array_insert_into_terminal_node > functions. > 2.In the search_nested_keyrings, when we go through the slots in a > node, > (bellow tag ascend_to_node), and the slot ptr is meta and > node->back_pointer != NULL, we will proceed to descend_to_node. > However, there is an exception. If node is the root, and one of the > slots points to a shortcut, it will be treated as a keyring. > 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring > function. > However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as > ASSOC_ARRAY_PTR_SUBTYPE_MASK, > 4.As mentioned above, If a slot of the root is a shortcut, it may be > mistakenly be transferred to a key*, leading to an read out-of- > bounds > read. Delete the whole list and write a description of the problem and why your change resolves it. As per code change, let's layout it something more readable first: /* Traverse branches into depth: */ if (assoc_array_ptr_is_meta(ptr)) { if (node->back_pointer || assoc_array_ptr_is_shortcut(ptr)) goto descend_to_node; } So one thing that should be explained just to make the description rigid is why 'ptr' is passed to assoc_array_ptr_is_shortcut() and not 'node'. I'm actually 100% sure about that part, which kind of supports my view here, right? :-) The first part of the if-statement obviously filters out everything that is not root (when it comes to 'node'). Explain the second part. At that point it is know that node is a root node, so continue from there. BR, Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-10-07 23:15 ` Jarkko Sakkinen @ 2024-10-08 1:40 ` chenridong 2024-10-08 2:41 ` Jarkko Sakkinen 0 siblings, 1 reply; 18+ messages in thread From: chenridong @ 2024-10-08 1:40 UTC (permalink / raw) To: Jarkko Sakkinen, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, chenridong On 2024/10/8 7:15, Jarkko Sakkinen wrote: > Hi, > > Revisit... > > On Fri, 2024-09-13 at 07:09 +0000, Chen Ridong wrote: >> We meet the same issue with the LINK, which reads memory out of >> bounds: > > Never ever use pronoun "we" in a commit message in any possible > sentence. Instead always use passive imperative. > > What you probably want to say is: > > "KASAN reports an out of bounds read:" > > Right? > Yes. >> BUG: KASAN: slab-out-of-bounds in __kuid_val >> include/linux/uidgid.h:36 >> BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 >> [inline] >> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >> security/keys/permission.c:54 >> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >> >> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930- >> gafbffd6c3ede #15 >> Call Trace: >> __dump_stack lib/dump_stack.c:82 [inline] >> dump_stack+0x107/0x167 lib/dump_stack.c:123 >> print_address_description.constprop.0+0x19/0x170 >> mm/kasan/report.c:400 >> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >> __kuid_val include/linux/uidgid.h:36 [inline] >> uid_eq include/linux/uidgid.h:63 [inline] >> key_task_permission+0x394/0x410 security/keys/permission.c:54 >> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > > Snip all below away: > >> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >> search_cred_keyrings_rcu+0x111/0x2e0 >> security/keys/process_keys.c:459 >> search_process_keyrings_rcu+0x1d/0x310 >> security/keys/process_keys.c:544 >> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >> entry_SYSCALL_64_after_hwframe+0x67/0xd1 > > Remember to cut only the relevant part of the stack trace to make this > commit message more compact and readable. > Thank you, I will do that. >> >> However, we can't reproduce this issue. >> After our analysis, it can make this issue by following steps. >> 1.As syzkaller reported, the memory is allocated for struct > > "1." > >> assoc_array_shortcut in the assoc_array_insert_into_terminal_node >> functions. >> 2.In the search_nested_keyrings, when we go through the slots in a >> node, >> (bellow tag ascend_to_node), and the slot ptr is meta and >> node->back_pointer != NULL, we will proceed to descend_to_node. >> However, there is an exception. If node is the root, and one of the >> slots points to a shortcut, it will be treated as a keyring. >> 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring >> function. >> However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as >> ASSOC_ARRAY_PTR_SUBTYPE_MASK, >> 4.As mentioned above, If a slot of the root is a shortcut, it may be >> mistakenly be transferred to a key*, leading to an read out-of- >> bounds >> read. > > Delete the whole list and write a description of the problem and why > your change resolves it. > > As per code change, let's layout it something more readable first: > > /* Traverse branches into depth: */ > if (assoc_array_ptr_is_meta(ptr)) { > if (node->back_pointer || assoc_array_ptr_is_shortcut(ptr)) > goto descend_to_node; > } > > So one thing that should be explained just to make the description > rigid is why 'ptr' is passed to assoc_array_ptr_is_shortcut() and > not 'node'. I'm actually 100% sure about that part, which kind > of supports my view here, right? :-) > > The first part of the if-statement obviously filters out everything > that is not root (when it comes to 'node'). Explain the second part. > At that point it is know that node is a root node, so continue from > there. > > BR, Jarkko > Thank you for your patience. I will update soon. Best regards, Ridong ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-10-08 1:40 ` chenridong @ 2024-10-08 2:41 ` Jarkko Sakkinen 2024-10-11 2:11 ` Chen Ridong 0 siblings, 1 reply; 18+ messages in thread From: Jarkko Sakkinen @ 2024-10-08 2:41 UTC (permalink / raw) To: chenridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel, chenridong On Tue, 2024-10-08 at 09:40 +0800, chenridong wrote: > > > On 2024/10/8 7:15, Jarkko Sakkinen wrote: > > Hi, > > > > Revisit... > > > > On Fri, 2024-09-13 at 07:09 +0000, Chen Ridong wrote: > > > We meet the same issue with the LINK, which reads memory out of > > > bounds: > > > > Never ever use pronoun "we" in a commit message in any possible > > sentence. Instead always use passive imperative. > > > > What you probably want to say is: > > > > "KASAN reports an out of bounds read:" > > > > Right? > > > > Yes. > > > > BUG: KASAN: slab-out-of-bounds in __kuid_val > > > include/linux/uidgid.h:36 > > > BUG: KASAN: slab-out-of-bounds in uid_eq > > > include/linux/uidgid.h:63 > > > [inline] > > > BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 > > > security/keys/permission.c:54 > > > Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 > > > > > > CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930- > > > gafbffd6c3ede #15 > > > Call Trace: > > > __dump_stack lib/dump_stack.c:82 [inline] > > > dump_stack+0x107/0x167 lib/dump_stack.c:123 > > > print_address_description.constprop.0+0x19/0x170 > > > mm/kasan/report.c:400 > > > __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 > > > kasan_report+0x3a/0x50 mm/kasan/report.c:585 > > > __kuid_val include/linux/uidgid.h:36 [inline] > > > uid_eq include/linux/uidgid.h:63 [inline] > > > key_task_permission+0x394/0x410 security/keys/permission.c:54 > > > search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 > > > > Snip all below away: > > > > > keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 > > > search_cred_keyrings_rcu+0x111/0x2e0 > > > security/keys/process_keys.c:459 > > > search_process_keyrings_rcu+0x1d/0x310 > > > security/keys/process_keys.c:544 > > > lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 > > > keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 > > > __do_sys_keyctl security/keys/keyctl.c:1978 [inline] > > > __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 > > > do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 > > > entry_SYSCALL_64_after_hwframe+0x67/0xd1 > > > > Remember to cut only the relevant part of the stack trace to make > > this > > commit message more compact and readable. > > > Thank you, I will do that. > > > > > > > However, we can't reproduce this issue. > > > After our analysis, it can make this issue by following steps. > > > 1.As syzkaller reported, the memory is allocated for struct > > > > "1." > > > > > assoc_array_shortcut in the > > > assoc_array_insert_into_terminal_node > > > functions. > > > 2.In the search_nested_keyrings, when we go through the slots in > > > a > > > node, > > > (bellow tag ascend_to_node), and the slot ptr is meta and > > > node->back_pointer != NULL, we will proceed to > > > descend_to_node. > > > However, there is an exception. If node is the root, and one > > > of the > > > slots points to a shortcut, it will be treated as a keyring. > > > 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring > > > function. > > > However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as > > > ASSOC_ARRAY_PTR_SUBTYPE_MASK, > > > 4.As mentioned above, If a slot of the root is a shortcut, it may > > > be > > > mistakenly be transferred to a key*, leading to an read out- > > > of- > > > bounds > > > read. > > > > Delete the whole list and write a description of the problem and > > why > > your change resolves it. > > > > As per code change, let's layout it something more readable first: > > > > /* Traverse branches into depth: */ > > if (assoc_array_ptr_is_meta(ptr)) { > > if (node->back_pointer || > > assoc_array_ptr_is_shortcut(ptr)) > > goto descend_to_node; > > } > > > > So one thing that should be explained just to make the description > > rigid is why 'ptr' is passed to assoc_array_ptr_is_shortcut() and > > not 'node'. I'm actually 100% sure about that part, which kind > > of supports my view here, right? :-) > > > > The first part of the if-statement obviously filters out everything > > that is not root (when it comes to 'node'). Explain the second > > part. > > At that point it is know that node is a root node, so continue from > > there. > > > > BR, Jarkko > > > > Thank you for your patience. > I will update soon. Yeah of course, and I did low quality job earlier no issues admitting that, so let's do this correct this time. I just try to describe what I'm seeing as accurately as I can :-) Here it is just important to get the explanation and the code change in-sync so that it is easy to verify and compare them, given that it is quite sensitive functionality and somewhat obfuscated peace of code showing age. Also I think a good is to make sure that every fix will leave it at least a bit cleaner state. From this basis I proposed a bit different layout for the code. > > Best regards, > Ridong BR,Jarkko ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission 2024-10-08 2:41 ` Jarkko Sakkinen @ 2024-10-11 2:11 ` Chen Ridong 0 siblings, 0 replies; 18+ messages in thread From: Chen Ridong @ 2024-10-11 2:11 UTC (permalink / raw) To: Jarkko Sakkinen, chenridong, dhowells, paul, jmorris, serge Cc: keyrings, linux-security-module, linux-kernel On 2024/10/8 10:41, Jarkko Sakkinen wrote: > On Tue, 2024-10-08 at 09:40 +0800, chenridong wrote: >> >> >> On 2024/10/8 7:15, Jarkko Sakkinen wrote: >>> Hi, >>> >>> Revisit... >>> >>> On Fri, 2024-09-13 at 07:09 +0000, Chen Ridong wrote: >>>> We meet the same issue with the LINK, which reads memory out of >>>> bounds: >>> >>> Never ever use pronoun "we" in a commit message in any possible >>> sentence. Instead always use passive imperative. >>> >>> What you probably want to say is: >>> >>> "KASAN reports an out of bounds read:" >>> >>> Right? >>> >> >> Yes. >> >>>> BUG: KASAN: slab-out-of-bounds in __kuid_val >>>> include/linux/uidgid.h:36 >>>> BUG: KASAN: slab-out-of-bounds in uid_eq >>>> include/linux/uidgid.h:63 >>>> [inline] >>>> BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 >>>> security/keys/permission.c:54 >>>> Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362 >>>> >>>> CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930- >>>> gafbffd6c3ede #15 >>>> Call Trace: >>>> __dump_stack lib/dump_stack.c:82 [inline] >>>> dump_stack+0x107/0x167 lib/dump_stack.c:123 >>>> print_address_description.constprop.0+0x19/0x170 >>>> mm/kasan/report.c:400 >>>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 >>>> kasan_report+0x3a/0x50 mm/kasan/report.c:585 >>>> __kuid_val include/linux/uidgid.h:36 [inline] >>>> uid_eq include/linux/uidgid.h:63 [inline] >>>> key_task_permission+0x394/0x410 security/keys/permission.c:54 >>>> search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793 >>> >>> Snip all below away: >>> >>>> keyring_search_rcu+0x1b6/0x310 security/keys/keyring.c:922 >>>> search_cred_keyrings_rcu+0x111/0x2e0 >>>> security/keys/process_keys.c:459 >>>> search_process_keyrings_rcu+0x1d/0x310 >>>> security/keys/process_keys.c:544 >>>> lookup_user_key+0x782/0x12e0 security/keys/process_keys.c:762 >>>> keyctl_invalidate_key+0x20/0x190 security/keys/keyctl.c:434 >>>> __do_sys_keyctl security/keys/keyctl.c:1978 [inline] >>>> __se_sys_keyctl+0x1de/0x5b0 security/keys/keyctl.c:1880 >>>> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 >>>> entry_SYSCALL_64_after_hwframe+0x67/0xd1 >>> >>> Remember to cut only the relevant part of the stack trace to make >>> this >>> commit message more compact and readable. >>> >> Thank you, I will do that. >> >>>> >>>> However, we can't reproduce this issue. >>>> After our analysis, it can make this issue by following steps. >>>> 1.As syzkaller reported, the memory is allocated for struct >>> >>> "1." >>> >>>> assoc_array_shortcut in the >>>> assoc_array_insert_into_terminal_node >>>> functions. >>>> 2.In the search_nested_keyrings, when we go through the slots in >>>> a >>>> node, >>>> (bellow tag ascend_to_node), and the slot ptr is meta and >>>> node->back_pointer != NULL, we will proceed to >>>> descend_to_node. >>>> However, there is an exception. If node is the root, and one >>>> of the >>>> slots points to a shortcut, it will be treated as a keyring. >>>> 3.Whether the ptr is keyring decided by keyring_ptr_is_keyring >>>> function. >>>> However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as >>>> ASSOC_ARRAY_PTR_SUBTYPE_MASK, >>>> 4.As mentioned above, If a slot of the root is a shortcut, it may >>>> be >>>> mistakenly be transferred to a key*, leading to an read out- >>>> of- >>>> bounds >>>> read. >>> >>> Delete the whole list and write a description of the problem and >>> why >>> your change resolves it. >>> >>> As per code change, let's layout it something more readable first: >>> >>> /* Traverse branches into depth: */ >>> if (assoc_array_ptr_is_meta(ptr)) { >>> if (node->back_pointer || >>> assoc_array_ptr_is_shortcut(ptr)) >>> goto descend_to_node; >>> } >>> >>> So one thing that should be explained just to make the description >>> rigid is why 'ptr' is passed to assoc_array_ptr_is_shortcut() and >>> not 'node'. I'm actually 100% sure about that part, which kind >>> of supports my view here, right? :-) >>> >>> The first part of the if-statement obviously filters out everything >>> that is not root (when it comes to 'node'). Explain the second >>> part. >>> At that point it is know that node is a root node, so continue from >>> there. >>> >>> BR, Jarkko >>> >> >> Thank you for your patience. >> I will update soon. > > Yeah of course, and I did low quality job earlier no issues admitting > that, so let's do this correct this time. I just try to describe > what I'm seeing as accurately as I can :-) > > Here it is just important to get the explanation and the code change > in-sync so that it is easy to verify and compare them, given that it > is quite sensitive functionality and somewhat obfuscated peace of code > showing age. > > Also I think a good is to make sure that every fix will leave it at > least a bit cleaner state. From this basis I proposed a bit different > layout for the code. > >> >> Best regards, >> Ridong > > BR,Jarkko Hi, Jarkko, I sent the v2 several days ago. I don't know whether you have received it. I hope you have time to look into it, and I am still looking forward to your reply. v2: https://lore.kernel.org/linux-kernel/20241008124639.70000-1-chenridong@huaweicloud.com/ Best regards, Ridong ^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2024-10-11 2:11 UTC | newest] Thread overview: 18+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-09-13 7:09 [PATCH] security/keys: fix slab-out-of-bounds in key_task_permission Chen Ridong 2024-09-14 10:43 ` Chen Ridong 2024-09-14 11:33 ` Jarkko Sakkinen 2024-09-15 0:55 ` Chen Ridong 2024-09-15 13:59 ` Jarkko Sakkinen 2024-09-18 7:30 ` Chen Ridong 2024-09-18 20:57 ` Jarkko Sakkinen 2024-09-26 3:48 ` Chen Ridong 2024-09-26 8:53 ` Jarkko Sakkinen 2024-09-26 8:55 ` Jarkko Sakkinen 2024-09-26 9:54 ` Jarkko Sakkinen 2024-09-26 11:20 ` chenridong 2024-09-26 17:08 ` Jarkko Sakkinen 2024-09-27 8:20 ` chenridong 2024-10-07 23:15 ` Jarkko Sakkinen 2024-10-08 1:40 ` chenridong 2024-10-08 2:41 ` Jarkko Sakkinen 2024-10-11 2:11 ` Chen Ridong
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).