block: NULL ptr deref in bio_copy_user_iov

From: Sasha Levin
Date: Mon Feb 22 2016 - 10:22:29 EST


Hi all,

I've hit the following NULL ptr deref while fuzzing with trinity inside a kvmtool guest
running the latest -next kernel:

[ 1274.081122] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1274.081140] IP: __memcpy (arch/x86/lib/memcpy_64.S:36)
[ 1274.081154] PGD 1ac685067 PUD 1ad6a2067 PMD 0
[ 1274.081165] Oops: 0000 [#6] SMP KASAN
[ 1274.081209] Modules linked in:
[ 1274.081228] CPU: 1 PID: 27544 Comm: trinity-c334 Tainted: G B D 4.5.0-rc4-next-20160219-sasha-00026-g7978205-dirty #2978
[ 1274.081239] task: ffff8801d1071000 ti: ffff8801b4a40000 task.ti: ffff8801b4a40000
[ 1274.081265] RIP: __memcpy (arch/x86/lib/memcpy_64.S:36)
[ 1274.081273] RSP: 0018:ffff8801b4a46dc8 EFLAGS: 00010206
[ 1274.081283] RAX: ffff8801ad4e0000 RBX: 000000000000072b RCX: 00000000000000e5
[ 1274.081292] RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff8801ad4e0000
[ 1274.081302] RBP: ffff8801b4a46de8 R08: ffffed0035a9c0e5 R09: ffff8801ad4e072a
[ 1274.081311] R10: ffffed0035a9c0e6 R11: 1ffff10035a9c000 R12: ffff8801ad4e0000
[ 1274.081319] R13: 0000000000000000 R14: ffff8801b4a47280 R15: 000000000000072b
[ 1274.081330] FS: 00007f20f3ab3700(0000) GS:ffff8801d3b00000(0000) knlGS:0000000000000000
[ 1274.081339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1274.081346] CR2: 0000000000000000 CR3: 00000001b6b19000 CR4: 00000000000406e0
[ 1274.081360] Stack:
[ 1274.081377] ffffffffa183a2c6 ffff8801b4a46fd8 000000000000072b 000000000000072b
[ 1274.081392] ffff8801b4a46e50 ffffffffa3425379 ffff8801d1071000 0000000000000000
[ 1274.081408] ffff8801b4a47288 ffff8801b4a46fe0 ffff8801b4a46fe8 ffff8801ad4e0000
[ 1274.081411] Call Trace:
[ 1274.081442] copy_from_iter (lib/iov_iter.c:416 (discriminator 15))
[ 1274.081460] copy_page_from_iter (lib/iov_iter.c:467)
[ 1274.081523] bio_copy_user_iov (block/bio.c:1028 block/bio.c:1224)
[ 1274.081573] blk_rq_map_user_iov (block/blk-map.c:111)
[ 1274.081673] blk_rq_map_user (block/blk-map.c:154)
[ 1274.081750] sg_common_write.isra.11 (drivers/scsi/sg.c:1766 drivers/scsi/sg.c:782)
[ 1274.081828] sg_write (drivers/scsi/sg.c:686)
[ 1274.081978] __vfs_write (fs/read_write.c:529)
[ 1274.082037] __kernel_write (fs/read_write.c:551)
[ 1274.082052] write_pipe_buf (fs/splice.c:1062)
[ 1274.082095] __splice_from_pipe (fs/splice.c:771 fs/splice.c:895)
[ 1274.082124] splice_from_pipe (fs/splice.c:931)
[ 1274.082186] default_file_splice_write (fs/splice.c:1081)
[ 1274.082214] direct_splice_actor (fs/splice.c:1290)
[ 1274.082227] splice_direct_to_actor (fs/splice.c:1241)
[ 1274.082312] do_splice_direct (fs/splice.c:1332)
[ 1274.082354] do_sendfile (include/linux/fs.h:1234 include/linux/fs.h:2515 fs/read_write.c:1268)
[ 1274.082414] SyS_sendfile64 (fs/read_write.c:1328 fs/read_write.c:1314)
[ 1274.082462] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:200)
[ 1274.082615] Code: 42 fe eb 85 31 f6 48 c7 c7 e0 a1 7b b2 e8 81 0a 0e 00 e9 bc fe ff ff 90 90 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3

All code
========
0: 42 fe rex.X (bad)
2: eb 85 jmp 0xffffffffffffff89
4: 31 f6 xor %esi,%esi
6: 48 c7 c7 e0 a1 7b b2 mov $0xffffffffb27ba1e0,%rdi
d: e8 81 0a 0e 00 callq 0xe0a93
12: e9 bc fe ff ff jmpq 0xfffffffffffffed3
17: 90 nop
18: 90 nop
19: 66 66 90 data32 xchg %ax,%ax
1c: 66 90 xchg %ax,%ax
1e: 48 89 f8 mov %rdi,%rax
21: 48 89 d1 mov %rdx,%rcx
24: 48 c1 e9 03 shr $0x3,%rcx
28: 83 e2 07 and $0x7,%edx
2b: f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2e: 89 d1 mov %edx,%ecx
30: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
32: c3 retq
33: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
39: 48 89 f8 mov %rdi,%rax
3c: 48 89 d1 mov %rdx,%rcx
3f: f3 repz
...

Code starting with the faulting instruction
===========================================
0: f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi)
3: 89 d1 mov %edx,%ecx
5: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
7: c3 retq
8: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
e: 48 89 f8 mov %rdi,%rax
11: 48 89 d1 mov %rdx,%rcx
14: f3 repz
...
[ 1274.082631] RIP __memcpy (arch/x86/lib/memcpy_64.S:36)
[ 1274.082636] RSP <ffff8801b4a46dc8>
[ 1274.082641] CR2: 0000000000000000


Thanks,
Sasha