Re: [Bug 203559] New: usercopy_abort triggered by build_test_sglist

Eric Biggers <ebiggers@xxxxxxxxxx> · Thu, 9 May 2019 16:20:59 -0700

[+Kees Cook <keescook@xxxxxxxxxxxx>]

On Thu, May 09, 2019 at 03:46:08PM -0700, Andrew Morton wrote:
> 
> (switched to email.  Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
> 
> On Thu, 09 May 2019 09:37:08 +0000 bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:
> 
> > https://bugzilla.kernel.org/show_bug.cgi?id=203559
> > 
> >             Bug ID: 203559
> >            Summary: usercopy_abort triggered by build_test_sglist
> >            Product: Memory Management
> >            Version: 2.5
> >     Kernel Version: 5.1
> >           Hardware: x86-64
> >                 OS: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: low
> >           Priority: P1
> >          Component: Other
> >           Assignee: akpm@xxxxxxxxxxxxxxxxxxxx
> >           Reporter: mihai.dontu@xxxxxxxxx
> >         Regression: No
> > 
> > Created attachment 282687
> >   --> https://bugzilla.kernel.org/attachment.cgi?id=282687&action=edit
> > kernel config
> > 
> > I have CONFIG_CRYPTO_FIPS and CONFIG_HARDENED_USERCOPY_PAGESPAN enabled from an
> > experiment I forgot about, that started triggering a crash very early at boot
> > with kernel 5.1:
> > 
> > usercopy: Kernel memory overwrite attempt detected to spans multiple pages
> > (offset 0, size 372)!
> > ------------[ cut here]------------
> > kernel BUG at mm/usercopy.c:102!
> > invalid opcode: 0000 [#1] PREEMPT SMP PTI
> > CPU: 0 PID: 42 Comm: cryptomgr_test Trainted: G        T 5.1.0-gentoo #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-1.fc28
> > 04/01/2014
> > RIP: 0010:usercopy_abort+0x87/0x89
> > Code: c3 ae 48 c7 c6 c9 9c ba ae 41 55 48 c7 c7 38 9e bb ae 48 0f 45 d1 48 c7
> > c1 51
> >       9d bb ae 50 48 0f 45 f1 4c 89 e1 e8 fb 50 e8 ff <0f> 0b 49 89 d8 31 c9 44
> > 89
> >       ea 31 f6 48 c7 c7 9a 9d bb ae e8 61 ff
> > ...
> > Call Trace:
> >  __check_object_size.cold+0x16/0xa6
> >  build_test_sglist+0x283/0x370
> >  ? skcipher_walk_done+0x105/0x220
> >  ? ecb_crypt+0xa5/0x110
> >  build_cipher_test_sglist+0xa0/0x120
> >  test_skcipher_vec_cfg+0x1c4/0x6e0
> > ...
> > 
> > The information above is from a screenshot, thus some opcodes or offsets might
> > be wrong.
> > 
> > The 5.0.13 kernel does not have this issue.
> > 
> > -- 
> > You are receiving this mail because:
> > You are the assignee for the bug.

There was already a long discussion on this where it was concluded that the
pagespan check is broken.  See https://lkml.org/lkml/2019/3/19/279 and
https://lkml.org/lkml/2019/4/14/313

I think CONFIG_HARDENED_USERCOPY_PAGESPAN should be removed or marked 'depends
on BROKEN', until someone can find a way to make it work properly.

- Eric