From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751228AbdBANLs convert rfc822-to-8bit (ORCPT ); Wed, 1 Feb 2017 08:11:48 -0500
Received: from mx1.redhat.com ([209.132.183.28]:35210 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751041AbdBANLq (ORCPT ); Wed, 1 Feb 2017 08:11:46 -0500
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903
From: David Howells
In-Reply-To:
References:
To: Dmitry Vyukov
Cc: dhowells@redhat.com, james.l.morris@oracle.com, serge@hallyn.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, LKML, syzkaller
Subject: Re: keys: GPF in request_key
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <21518.1485954692.1@warthog.procyon.org.uk>
Content-Transfer-Encoding: 8BIT
Date: Wed, 01 Feb 2017 13:11:32 +0000
Message-ID: <21519.1485954692@warthog.procyon.org.uk>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Wed, 01 Feb 2017 13:11:46 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Dmitry Vyukov wrote:

> Code: 41 54 49 89 f4 53 49 89 d7 48 89 fb 48 83 ec 08 e8 d1 50 67 ff
> 49 8d 7c 24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
> 3c 02 00 0f 85 35 02 00 00 49 83 7c 24 10 00 0f 84 bb 01 00

This disassembles to:

   0:   41 54                   push   %r12
   2:   49 89 f4                mov    %rsi,%r12
   5:   53                      push   %rbx
   6:   49 89 d7                mov    %rdx,%r15
   9:   48 89 fb                mov    %rdi,%rbx
   c:   48 83 ec 08             sub    $0x8,%rsp
  10:   e8 d1 50 67 ff          callq  0xffffffffff6750e6
  15:   49 8d 7c 24 10          lea    0x10(%r12),%rdi
  1a:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  21:   fc ff df
  24:   48 89 fa                mov    %rdi,%rdx
  27:   48 c1 ea 03             shr    $0x3,%rdx
  2b:*  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)      <-- trapping instruction
  2f:   0f 85 35 02 00 00       jne    0x26a
  35:   49 83 7c 24 10 00       cmpq   $0x0,0x10(%r12)
  3b:   0f                      .byte 0xf
  3c:   84                      .byte 0x84
  3d:   bb                      .byte 0xbb
  3e:   01 00                   add    %eax,(%rax)

I can see that RAX got loaded from the instruction at 0x1a, but the code doesn't look very much like what I get out of the compiler (your compiled function is also at least double the size of what I get, presumably due to kasan?).

Can you disassemble __key_link_begin() for me and send me your config?

In particular, 0xdffffc0000000000 looks very weird. Is this code validating the pointer in R12?

David