Discussion:
BUG: unable to handle kernel paging request in security_compute_sid
syzbot
2017-12-22 21:38:01 UTC
Hello,

syzkaller hit the following crash on
6084b576dca2e898f5c101baef151f7bfdbb606d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


BUG: unable to handle kernel paging request at 00000000830e2118
IP: security_compute_sid.part.11+0x418/0x710
security/selinux/ss/services.c:1640
PGD 0 P4D 0
Oops: 0000 [#1] SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3391 Comm: kworker/u4:0 Not tainted 4.15.0-rc3-next-20171214+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:security_compute_sid.part.11+0x418/0x710
security/selinux/ss/services.c:1640
RSP: 0018:ffffc90001993c70 EFLAGS: 00010293
RAX: ffff880216ba0800 RBX: 0000000000000002 RCX: ffffffff81667b88
RDX: 0000000000000000 RSI: 0000000000000005 RDI: ffffffff83fd17a0
RBP: ffffc90001993d20 R08: 0000000000000001 R09: 0000000000000001
R10: ffffc90001993be0 R11: 0000000000000000 R12: ffff88021694f188
R13: 0000000000000010 R14: ffff880216592388 R15: 00000000830e20e0
FS: 0000000000000000(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000830e2118 CR3: 000000000301e001 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
security_compute_sid+0x92/0xa0 security/selinux/ss/services.c:1598
security_transition_sid+0x57/0x70 security/selinux/ss/services.c:1764
selinux_bprm_set_creds+0x215/0x2f0 security/selinux/hooks.c:2423
security_bprm_set_creds+0x41/0x60 security/security.c:332
prepare_binprm+0xae/0x1f0 fs/exec.c:1561
do_execveat_common.isra.30+0x6f7/0xb90 fs/exec.c:1784
do_execve+0x31/0x40 fs/exec.c:1848
call_usermodehelper_exec_async+0x104/0x190 kernel/umh.c:100
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
Code: 40 74 15 41 83 fd 10 74 0f e8 d5 27 c5 ff 4d 85 ff 75 33 e9 6f 02 00 00 e8 c6 27 c5 ff 4d 85 ff 0f 84 e6 02 00 00 e8 b8 27 c5 ff <41> 80 7f 38 02 0f 84 5c 01 00 00 e8 a8 27 c5 ff 41 8b 06 89 45
RIP: security_compute_sid.part.11+0x418/0x710 security/selinux/ss/services.c:1640 RSP: ffffc90001993c70
CR2: 00000000830e2118
---[ end trace fe59d8175af57ffc ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to ***@googlegroups.com.
Please credit me with: Reported-by: syzbot <***@googlegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
Eric Biggers
2017-12-22 22:14:39 UTC
This is yet another one where the reproducer is using AF_ALG and binding to the
"pcrypt(gcm_base(ctr(aes-aesni),ghash-generic))" algorithm, so it's running into
the pcrypt_free() bug which is causing slab cache corruption:

https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk

https://patchwork.kernel.org/patch/10126761/

So let's mark it as a duplicate:

#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)

I wonder if it would be of any help to disable slab cache merging, i.e. set
CONFIG_SLAB_MERGE_DEFAULT=n? That would reduce the number of duplicate reports,
though perhaps at the risk of hiding bugs.

Eric
Dmitry Vyukov via Selinux
2017-12-23 11:44:15 UTC
Post by Eric Biggers
This is yet another one where the reproducer is using AF_ALG and binding to the
"pcrypt(gcm_base(ctr(aes-aesni),ghash-generic))" algorithm, so it's running into
https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk
https://patchwork.kernel.org/patch/10126761/
#syz dup: KASAN: use-after-free Read in __list_del_entry_valid (2)
I wonder if it would be of any help to disable slab cache merging, i.e. set
CONFIG_SLAB_MERGE_DEFAULT=n? That would reduce the number of duplicate reports,
though perhaps at the risk of hiding bugs.
Disabling slab cache merging will only paper over the real problem.
If we have the crypto cache badly corrupted, it can still manifest in
multiple different ways. I think it's the right time to make KASAN
properly detect such invalid frees. I am drafting changes to KASAN;
with them, on this reproducer it reports:


BUG: KASAN: double-free or invalid-free in pcrypt_free+0x21/0x30 crypto/pcrypt.c:357
Freed pointer ffff880065034e10

CPU: 2 PID: 3241 Comm: cryptomgr_test Not tainted 4.15.0-rc4-mm1+ #38
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_invalid_free+0x64/0x90 mm/kasan/report.c:337
kasan_check_slab_object+0xdc/0x100 mm/kasan/kasan.c:499
kasan_slab_free+0x14/0x70 mm/kasan/kasan.c:526
__cache_free mm/slab.c:3485 [inline]
kfree+0xd9/0x260 mm/slab.c:3800
pcrypt_free+0x21/0x30 crypto/pcrypt.c:357
crypto_aead_free_instance+0x9e/0xd0 crypto/aead.c:155
crypto_free_instance+0x6d/0x100 crypto/algapi.c:77
crypto_destroy_instance+0x3c/0x80 crypto/algapi.c:85
crypto_alg_put crypto/internal.h:116 [inline]
crypto_remove_final+0x212/0x370 crypto/algapi.c:331
crypto_alg_tested+0x445/0x6f0 crypto/algapi.c:320
cryptomgr_test+0x17/0x30 crypto/algboss.c:226
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524

Allocated by task 3236:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:556
kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3607
kmalloc include/linux/slab.h:516 [inline]
kzalloc include/linux/slab.h:705 [inline]
pcrypt_create_aead crypto/pcrypt.c:291 [inline]
pcrypt_create+0x137/0x6c0 crypto/pcrypt.c:346
cryptomgr_probe+0x74/0x240 crypto/algboss.c:75
kthread+0x33c/0x400 kernel/kthread.c:238
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524

The buggy address belongs to the object at ffff880065d5b200
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 80 bytes inside of
1024-byte region [ffff880065d5b200, ffff880065d5b600)

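As an added illustration (not code from this thread, from syzbot or from the kernel), a small Python triage helper that parses the two kinds of report quoted above, skips the reporting and allocator frames the way a bug-title heuristic would, and returns the frame each report actually blames: the paging-request Oops blames security/selinux, while the KASAN invalid-free report blames crypto/pcrypt.c, which is why the SELinux crash is a duplicate of the crypto bug. The sample inputs are constructed excerpts of the reports in this thread; the INFRA_PREFIXES skip list is my own assumption.

```python
import re

# Constructed excerpts of the two reports quoted in this thread.
OOPS_REPORT = """\
BUG: unable to handle kernel paging request at 00000000830e2118
IP: security_compute_sid.part.11+0x418/0x710 security/selinux/ss/services.c:1640
Call Trace:
security_compute_sid+0x92/0xa0 security/selinux/ss/services.c:1598
security_transition_sid+0x57/0x70 security/selinux/ss/services.c:1764
selinux_bprm_set_creds+0x215/0x2f0 security/selinux/hooks.c:2423
prepare_binprm+0xae/0x1f0 fs/exec.c:1561
"""
KASAN_REPORT = """\
BUG: KASAN: double-free or invalid-free in pcrypt_free+0x21/0x30 crypto/pcrypt.c:357
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_invalid_free+0x64/0x90 mm/kasan/report.c:337
kasan_slab_free+0x14/0x70 mm/kasan/kasan.c:526
__cache_free mm/slab.c:3485 [inline]
kfree+0xd9/0x260 mm/slab.c:3800
pcrypt_free+0x21/0x30 crypto/pcrypt.c:357
crypto_aead_free_instance+0x9e/0xd0 crypto/aead.c:155
"""

# One stack frame: "func[+0xoff/0xsize] path/file.c:line" (with optional " [inline]").
FRAME_RE = re.compile(
    r'^(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+'
    r'(?P<file>\S+\.[chS]):(?P<line>\d+)')
# Assumed skip list: frames of the reporting/allocator machinery, not of the bug itself.
INFRA_PREFIXES = ('lib/dump_stack.c', 'mm/kasan/', 'mm/slab.c', 'mm/slub.c',
                  'include/linux/slab.h')

def parse_frames(report):
    """Return (func, path, line) tuples for every frame after 'Call Trace:'."""
    frames, in_trace = [], False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith('Call Trace:'):
            in_trace = True
            continue
        m = FRAME_RE.match(line) if in_trace else None
        if m:
            frames.append((m['func'], m['file'], int(m['line'])))
    return frames

def blamed_frame(report):
    """First frame that is not part of the reporting/allocator infrastructure."""
    for func, path, line in parse_frames(report):
        if not path.startswith(INFRA_PREFIXES):
            return func, path, line
    return None

def subsystem(path):
    """Tree directory owning a source path; two levels deep for security/ and drivers/."""
    parts = path.split('/')
    return '/'.join(parts[:2]) if parts[0] in ('security', 'drivers') else parts[0]
```

Comparing `subsystem(blamed_frame(r)[1])` across reports from one reproducer is a quick way to spot a crash site that differs from the subsystem the reproducer exercises, the pattern Eric points out above.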