Re: [PATCH RFC 12/20] input: remove f_version abuse

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Christian Brauner,

Greetings!

I used Syzkaller and found that there is BUG: unable to handle kernel paging request in input_proc_devices_poll in next-20240909.

After bisection and the first bad commit is:
"
7c3d158418c2 input: remove f_version abuse
"

All detailed into can be found at:
https://github.com/laifryiee/syzkaller_logs/tree/main/240911_155303_input_proc_devices_poll
Syzkaller repro code:
https://github.com/laifryiee/syzkaller_logs/blob/main/240911_155303_input_proc_devices_poll/repro.c
Syzkaller repro syscall steps:
https://github.com/laifryiee/syzkaller_logs/blob/main/240911_155303_input_proc_devices_poll/repro.prog
Syzkaller report:
https://github.com/laifryiee/syzkaller_logs/blob/main/240911_155303_input_proc_devices_poll/repro.report
Kconfig(make olddefconfig):
https://github.com/laifryiee/syzkaller_logs/blob/main/240911_155303_input_proc_devices_poll/kconfig_origin
Bisect info:
https://github.com/laifryiee/syzkaller_logs/blob/main/240911_155303_input_proc_devices_poll/bisect_info.log
bzImage:
https://github.com/laifryiee/syzkaller_logs/raw/main/240911_155303_input_proc_devices_poll/bzImage_100cc857359b5d731407d1038f7e76cd0e871d94
Issue dmesg:
https://github.com/laifryiee/syzkaller_logs/blob/main/240911_155303_input_proc_devices_poll/100cc857359b5d731407d1038f7e76cd0e871d94_dmesg.log

"
[   23.266063] ==================================================================
[   23.268350] BUG: KASAN: slab-out-of-bounds in input_proc_devices_poll+0x113/0x140
[   23.270806] Read of size 8 at addr ffff88801101fa40 by task repro/729
[   23.272537] 
[   23.272980] CPU: 1 UID: 0 PID: 729 Comm: repro Not tainted 6.11.0-rc7-next-20240909-100cc857359b-dirty #1
[   23.274230] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[   23.275200] Call Trace:
[   23.275432]  <TASK>
[   23.275633]  dump_stack_lvl+0xea/0x150
[   23.275972]  print_report+0xce/0x610
[   23.276269]  ? input_proc_devices_poll+0x113/0x140
[   23.276650]  ? kasan_complete_mode_report_info+0x40/0x200
[   23.277058]  ? input_proc_devices_poll+0x113/0x140
[   23.277400]  kasan_report+0xcc/0x110
[   23.277668]  ? input_proc_devices_poll+0x113/0x140
[   23.277989]  ? __pfx___pollwait+0x10/0x10
[   23.278288]  __asan_report_load8_noabort+0x18/0x20
[   23.278634]  input_proc_devices_poll+0x113/0x140
[   23.278963]  ? __pfx_input_proc_devices_poll+0x10/0x10
[   23.279325]  proc_reg_poll+0x210/0x2e0
[   23.279607]  ? __pfx_proc_reg_poll+0x10/0x10
[   23.279917]  do_sys_poll+0x521/0xdd0
[   23.280188]  ? __pfx_do_sys_poll+0x10/0x10
[   23.280485]  ? __kasan_check_read+0x15/0x20
[   23.280791]  ? mark_lock.part.0+0xf3/0x17b0
[   23.281101]  ? __pfx_mark_lock.part.0+0x10/0x10
[   23.281427]  ? __kasan_check_read+0x15/0x20
[   23.281736]  ? mark_lock.part.0+0xf3/0x17b0
[   23.282039]  ? mutex_unlock+0x16/0x20
[   23.282311]  ? seq_read_iter+0x72/0x1300
[   23.282604]  ? __pfx_mark_lock.part.0+0x10/0x10
[   23.282935]  ? __pfx___pollwait+0x10/0x10
[   23.283235]  ? __pfx_pollwake+0x10/0x10
[   23.283526]  ? __pfx___lock_acquire+0x10/0x10
[   23.283848]  ? __this_cpu_preempt_check+0x21/0x30
[   23.284200]  ? __this_cpu_preempt_check+0x21/0x30
[   23.284542]  ? lock_release+0x441/0x870
[   23.284825]  ? __sanitizer_cov_trace_cmp8+0x1c/0x30
[   23.285180]  ? timespec64_add_safe+0x192/0x220
[   23.285505]  ? __pfx_timespec64_add_safe+0x10/0x10
[   23.285851]  ? __sanitizer_cov_trace_const_cmp1+0x1e/0x30
[   23.286236]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
[   23.286622]  ? ktime_get_ts64+0x1db/0x2e0
[   23.286925]  __x64_sys_poll+0x1bf/0x560
[   23.287205]  ? __pfx___x64_sys_poll+0x10/0x10
[   23.287524]  x64_sys_call+0x1294/0x2140
[   23.287808]  do_syscall_64+0x6d/0x140
[   23.288083]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   23.288457] RIP: 0033:0x7faf33c3ee5d
[   23.288721] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48
[   23.289988] RSP: 002b:00007ffff3de1fe8 EFLAGS: 00000207 ORIG_RAX: 0000000000000007
[   23.290531] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faf33c3ee5d
[   23.291025] RDX: 0000000000000029 RSI: 0000000000000005 RDI: 0000000020000040
[   23.291519] RBP: 00007ffff3de2000 R08: 00007ffff3de2000 R09: 00007ffff3de2000
[   23.292201] R10: 00007ffff3de2000 R11: 0000000000000207 R12: 00007ffff3de2158
[   23.292800] R13: 0000000000401810 R14: 0000000000403e08 R15: 00007faf33e55000
[   23.293320]  </TASK>
[   23.293487] 
[   23.293609] Allocated by task 1:
[   23.293862]  kasan_save_stack+0x2c/0x60
[   23.294153]  kasan_save_track+0x18/0x40
[   23.294435]  kasan_save_alloc_info+0x3c/0x50
[   23.294744]  __kasan_kmalloc+0x88/0xa0
[   23.295019]  __kmalloc_noprof+0x1cd/0x4a0
[   23.295316]  cgroup_mkdir+0x282/0x1320
[   23.295602]  kernfs_iop_mkdir+0x15a/0x1f0
[   23.295899]  vfs_mkdir+0x57d/0x860
[   23.296157]  do_mkdirat+0x2e2/0x3b0
[   23.296414]  __x64_sys_mkdir+0xfd/0x150
[   23.296692]  x64_sys_call+0x1c5a/0x2140
[   23.296974]  do_syscall_64+0x6d/0x140
[   23.297246]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   23.297611] 
[   23.297735] The buggy address belongs to the object at ffff88801101e000
[   23.297735]  which belongs to the cache kmalloc-4k of size 4096
[   23.298583] The buggy address is located 4584 bytes to the right of
[   23.298583]  allocated 2136-byte region [ffff88801101e000, ffff88801101e858)
[   23.299489] 
[   23.299611] The buggy address belongs to the physical page:
[   23.300004] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801101c000 pfn:0x11018
[   23.300643] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   23.301177] flags: 0xfffffc0000240(workingset|head|node=0|zone=1|lastcpupid=0x1fffff)
[   23.301729] page_type: f5(slab)
[   23.301968] raw: 000fffffc0000240 ffff88800d442140 ffffea00004e3610 ffffea0000446410
[   23.302505] raw: ffff88801101c000 0000000000040002 00000001f5000000 0000000000000000
[   23.303048] head: 000fffffc0000240 ffff88800d442140 ffffea00004e3610 ffffea0000446410
[   23.303597] head: ffff88801101c000 0000000000040002 00000001f5000000 0000000000000000
[   23.304147] head: 000fffffc0000003 ffffea0000440601 ffffffffffffffff 0000000000000000
[   23.304692] head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000
[   23.305238] page dumped because: kasan: bad access detected
[   23.305632] 
[   23.305752] Memory state around the buggy address:
[   23.306096]  ffff88801101f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.306600]  ffff88801101f980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.307102] >ffff88801101fa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.307612]                                            ^
[   23.307984]  ffff88801101fa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.308490]  ffff88801101fb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   23.308993] ==================================================================
[   23.309546] Disabling lock debugging due to kernel taint

"

I hope you find it useful.

Regards,
Yi Lai

---

If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
  // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
  // You could change the bzImage_xxx as you want
  // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost

After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage           //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel in vm.

Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install 

On Fri, Aug 30, 2024 at 03:04:53PM +0200, Christian Brauner wrote:
> Remove the f_version abuse from input. Use seq_private_open() to stash
> the information for poll.
> 
> Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
> ---
>  drivers/input/input.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/input/input.c b/drivers/input/input.c
> index 54c57b267b25..b03ae43707d8 100644
> --- a/drivers/input/input.c
> +++ b/drivers/input/input.c
> @@ -1081,9 +1081,11 @@ static inline void input_wakeup_procfs_readers(void)
>  
>  static __poll_t input_proc_devices_poll(struct file *file, poll_table *wait)
>  {
> +	struct seq_file *m = file->private_data;
> +
>  	poll_wait(file, &input_devices_poll_wait, wait);
> -	if (file->f_version != input_devices_state) {
> -		file->f_version = input_devices_state;
> +	if (*(u64 *)m->private != input_devices_state) {
> +		*(u64 *)m->private = input_devices_state;
>  		return EPOLLIN | EPOLLRDNORM;
>  	}
>  
> @@ -1210,7 +1212,7 @@ static const struct seq_operations input_devices_seq_ops = {
>  
>  static int input_proc_devices_open(struct inode *inode, struct file *file)
>  {
> -	return seq_open(file, &input_devices_seq_ops);
> +	return seq_open_private(file, &input_devices_seq_ops, sizeof(u64));
>  }
>  
>  static const struct proc_ops input_devices_proc_ops = {
> 
> -- 
> 2.45.2
> 




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux