Re: Fw: WARNING: bad usercopy in fanotify_read

Amir Goldstein <amir73il@xxxxxxxxx> · Tue, 12 Mar 2019 14:59:27 +0200

On Tue, Mar 12, 2019 at 1:45 PM Jan Kara <jack@xxxxxxx> wrote:
>
> Thanks for forwarding Andrew!
>
> On Mon 11-03-19 16:30:04, Andrew Morton wrote:
> > fyi
> >
> > Begin forwarded message:
> >
> > Date: Mon, 11 Mar 2019 13:42:06 -0700
> > From: syzbot <syzbot+2c49971e251e36216d1f@xxxxxxxxxxxxxxxxxxxxxxxxx>
> > To: akpm@xxxxxxxxxxxxxxxxxxxx, cai@xxxxxx, crecklin@xxxxxxxxxx, keescook@xxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-mm@xxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx
> > Subject: WARNING: bad usercopy in fanotify_read
> >
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    12ad143e Merge branch 'perf-urgent-for-linus' of git://git..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12776f57200000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=e9d91b7192a5e96e
> > dashboard link: https://syzkaller.appspot.com/bug?extid=2c49971e251e36216d1f
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > userspace arch: amd64
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1287516f200000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+2c49971e251e36216d1f@xxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > ------------[ cut here ]------------
> > Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> > from SLAB object 'fanotify_event' (offset 40, size 8)!
> > WARNING: CPU: 1 PID: 7649 at mm/usercopy.c:78 usercopy_warn+0xeb/0x110
> > mm/usercopy.c:78
>
> Yeah, right. We need to create fanotify_event cache so that copying of
> fanotify_event.fid.fh to userspace is allowed. Sadly the area is unioned
> with a possible slab pointer so that won't be protected from leaking but
> life is not perfect. Amir, something like attached patch?

I agree. We could do something like this, to first copy the inline fh
from slab to short stack buf:

static inline void *fanotify_fid_fh_user(struct fanotify_fid *fid,
                                    unsigned int fh_len, char *fh_buf)
{
        if (fh_len > FANOTIFY_INLINE_FH_LEN)
                return fid->ext_fh;
        memcpy(fh_buf, fid->fh, fh_len);
        return fh_buf;
}

But I don't think we should bother.

Thanks,
Amir.