From: "Dae R. Jeong" <threeearcat@gmail.com>
To: brauner@kernel.org, mcgrof@kernel.org, dhowells@redhat.com,
nick.alcock@oracle.com, code@siddh.me, ddiss@suse.de,
linux-kernel@vger.kernel.org
Cc: ywchoi@casys.kaist.ac.kr
Subject: BUG: unable to handle kernel NULL pointer dereference in _find_first_bit
Date: Mon, 30 Oct 2023 20:26:41 +0900 [thread overview]
Message-ID: <ZT-S8Q7tyutcvu_q@dragonet> (raw)
Hello,
It seems watch_queue_set_size() and post_one_notification() miss
memory barriers, potentially causing a kernel crash in the following
scenario:
CPU0 CPU1
watch_queue_set_size() post_one_notification()
----- -----
wqueue->notes_bitmap;
wqueue->nr_notes = nr_notes;
// In find_first_bit()
// In _find_first_bit()
for (idx = 0;
idx * BITS_PER_LONG < wqueue->nr_notes;
idx++) {
wqueue->notes_bitmap[idx];
}
In the above scenario, it seems that nothing prevents reordering of
accesses to wqueue->notes_bitmap and wqueue->nr_notes in both
functions.
Our research prototype found the following issue, which seems to be
due to the above scenario.
BUG: kernel NULL pointer dereference, address: 0000000000000000
<...>
_find_first_bit+0x18d/0x1a0 lib/find_bit.c:101
find_first_bit include/linux/find.h:208 [inline]
post_one_notification+0x197/0xbd0 kernel/watch_queue.c:115
__post_watch_notification+0x5ac/0x1080 kernel/watch_queue.c:225
post_watch_notification include/linux/watch_queue.h:108 [inline]
notify_key security/keys/internal.h:197 [inline]
__key_update security/keys/key.c:775 [inline]
__key_create_or_update+0xec0/0xfb0 security/keys/key.c:968
key_create_or_update+0x3e/0x50 security/keys/key.c:1011
__do_sys_add_key security/keys/keyctl.c:134 [inline]
__se_sys_add_key+0x2f3/0x3f0 security/keys/keyctl.c:74
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x50/0xa0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Please note that this issue is found by a research prototype which
significantly transforms a kernel binary. So, I can't guarantee that
the issue is not a false positive, although I tried my best to
analyze and understand the issue.
Best regards,
Dae R. Jeong
reply other threads:[~2023-10-30 11:27 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZT-S8Q7tyutcvu_q@dragonet \
--to=threeearcat@gmail.com \
--cc=brauner@kernel.org \
--cc=code@siddh.me \
--cc=ddiss@suse.de \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=nick.alcock@oracle.com \
--cc=ywchoi@casys.kaist.ac.kr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox