crypto: Kernel memory overwrite attempt detected to spans multiple pages
Eric Biggers
ebiggers at kernel.org
Tue Mar 19 17:09:13 UTC 2019
On Tue, Mar 19, 2019 at 12:54:23PM +0100, Geert Uytterhoeven wrote:
> When running the sha1-asm crypto selftest on arm with
> CONFIG_HARDENED_USERCOPY_PAGESPAN=y:
>
> usercopy: Kernel memory overwrite attempt detected to spans
> multiple pages (offset 0, size 42)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102!
> Internal error: Oops - BUG: 0 [#1] SMP ARM
> Modules linked in:
> CPU: 0 PID: 35 Comm: cryptomgr_test Not tainted
> 5.1.0-rc1-koelsch-01109-gbeb7d6376ecfbf07-dirty #397
> Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
> PC is at usercopy_abort+0x68/0x90
> LR is at usercopy_abort+0x68/0x90
> pc : [<c030fd60>] lr : [<c030fd60>] psr: 60000013
> sp : ea54bc60 ip : 00000010 fp : cccccccd
> r10: 00000000 r9 : c0e0ce04 r8 : ea54d009
> r7 : ea54d00a r6 : 00000000 r5 : 0000002a r4 : c09d1120
> r3 : dd6cd422 r2 : dd6cd422 r1 : 2abb4000 r0 : 0000005f
> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
> Control: 30c5387d Table: 40003000 DAC: fffffffd
> Process cryptomgr_test (pid: 35, stack limit = 0x(ptrval))
> Stack: (0xea54bc60 to 0xea54c000)
> bc60: c09d1120 c09d1120 c09d1120 00000000 0000002a 0000002a
> 00000000 c0310060
> bc80: 0000002a 00000000 000001c0 00000000 00000000 c0eb11e8
> ea54cfe0 ea538c00
> bca0: 00000000 ea54cfe0 ebef73e0 0000002a ea538c20 ea54bd84
> 0000003a c0427a30
> bcc0: ea54bdbc 00000000 00000000 c081cf70 eb074280 c081cf70
> 0000002a c081cf80
> bce0: 0000000e c07da138 ea54bd0c 00000000 c084061c c04248e8
> c0e0a408 eb074240
> bd00: eb074200 c04253c8 eb074280 ea550000 00000012 dd6cd422
> ebef7480 eb074200
> bd20: ea54bd84 c081cf64 ea537200 00000002 00000000 00000014
> c084061c c0428c38
> bd40: ea54bd84 ea54bdbc c081cd34 00000000 c0e4e4b4 ea538c40
> 00000002 eabe4e80
> bd60: ea538c00 00000400 ea4f7a00 ea4f7a60 eb074240 00000060
> 00000006 c09d544c
> bd80: 00000038 00000003 00000000 00000038 ea54bd7c 00000001
> eb074200 00000000
> bda0: 00000000 dead4ead ffffffff ffffffff ea54bdb0 ea54bdb0
> 00000000 c081cf70
> bdc0: c081ce68 c081ce78 ea4f7480 eb000780 00000dc0 eb000780
> c0e4ee80 443e9884
> bde0: 6ed23b1c a14aaeba e52951f9 f17046e5 fefefefe fefefefe
> fefefefe fefefefe
> be00: eb000780 c04292c4 c0e0a638 60000013 60000013 c0305298
> ea4f7a00 c03062bc
> be20: eb000780 00000cc0 ea4f7a00 dd6cd422 00000cc0 ea538c00
> 00000002 eabe4e40
> be40: ea537200 00000007 00000000 ea4f7a00 eb074200 c0429314
> eb074200 ea538c00
> be60: ea4f7a00 0000000a eabe4e80 c084061c c08405fc 00000006
> c04dace8 00000006
> be80: 00000000 c084065c ea537200 0000000e 00000400 eb04de08
> ea4f71a8 c0429420
> bea0: 00000400 ea537200 0000000e ea537200 0000000e c0429374
> 00000400 ffffffff
> bec0: 000000a2 c042a414 00000103 c0e0a408 00000000 c0e0a438
> c0e5a2a0 c0e5a2a0
> bee0: 00000001 00000001 00000017 ffffe000 00000000 60000013
> c0e5a2a0 c0269470
> bf00: c09c9ed0 ea54bf5c 00000103 00000000 00000000 c0e0a408
> ea537280 0000000e
> bf20: 00000400 c0426500 00000000 eb04de08 ea4f71a8 c02694f4
> c09c9ed0 ea54bf5c
> bf40: ea54bf28 c02699d0 ea54bf5c dd6cd422 ea537200 dd6cd422
> c09c9ed0 ea537200
> bf60: ea4af1c0 ea54a000 ea537200 c0426500 00000000 eb04de08
> ea4f71a8 c0426524
> bf80: ea4f7180 c023dcec ea54a000 ea4af1c0 c023dbb4 00000000
> 00000000 00000000
> bfa0: 00000000 00000000 00000000 c02010d8 00000000 00000000
> 00000000 00000000
> bfc0: 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000
> bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
> 00000000 00000000
> [<c030fd60>] (usercopy_abort) from [<c0310060>]
> (__check_object_size+0x2d8/0x448)
> [<c0310060>] (__check_object_size) from [<c0427a30>]
> (build_test_sglist+0x268/0x2d8)
> [<c0427a30>] (build_test_sglist) from [<c0428c38>]
> (test_hash_vec_cfg+0x110/0x694)
> [<c0428c38>] (test_hash_vec_cfg) from [<c0429314>]
> (__alg_test_hash+0x158/0x1b8)
> [<c0429314>] (__alg_test_hash) from [<c0429420>] (alg_test_hash+0xac/0xf4)
> [<c0429420>] (alg_test_hash) from [<c042a414>] (alg_test.part.4+0x264/0x2f8)
> [<c042a414>] (alg_test.part.4) from [<c0426524>] (cryptomgr_test+0x24/0x44)
> [<c0426524>] (cryptomgr_test) from [<c023dcec>] (kthread+0x138/0x150)
> [<c023dcec>] (kthread) from [<c02010d8>] (ret_from_fork+0x14/0x3c)
> Exception stack(0xea54bfb0 to 0xea54bff8)
> bfa0: 00000000 00000000
> 00000000 00000000
> bfc0: 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000
> bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
> Code: e58de000 e98d0012 e1a0100c ebfd6712 (e7f001f2)
> ---[ end trace 190b3cf48e720f78 ]---
> BUG: sleeping function called from invalid context at
> include/linux/percpu-rwsem.h:34
> in_atomic(): 0, irqs_disabled(): 128, pid: 35, name: cryptomgr_test
> CPU: 0 PID: 35 Comm: cryptomgr_test Tainted: G D
> 5.1.0-rc1-koelsch-01109-gbeb7d6376ecfbf07-dirty #397
> Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
> [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
> [<c020ae58>] (show_stack) from [<c07c3624>] (dump_stack+0x7c/0x9c)
> [<c07c3624>] (dump_stack) from [<c0242e14>] (___might_sleep+0xf4/0x158)
> [<c0242e14>] (___might_sleep) from [<c0230210>] (exit_signals+0x2c/0x258)
> [<c0230210>] (exit_signals) from [<c0223d6c>] (do_exit+0x114/0xa20)
> [<c0223d6c>] (do_exit) from [<c020b160>] (die+0x304/0x344)
> [<c020b160>] (die) from [<c020b388>] (do_undefinstr+0x80/0x190)
> [<c020b388>] (do_undefinstr) from [<c0201b24>] (__und_svc_finish+0x0/0x3c)
> Exception stack(0xea54bc10 to 0xea54bc58)
> bc00: 0000005f 2abb4000
> dd6cd422 dd6cd422
> bc20: c09d1120 0000002a 00000000 ea54d00a ea54d009 c0e0ce04
> 00000000 cccccccd
> bc40: 00000010 ea54bc60 c030fd60 c030fd60 60000013 ffffffff
> [<c0201b24>] (__und_svc_finish) from [<c030fd60>] (usercopy_abort+0x68/0x90)
> [<c030fd60>] (usercopy_abort) from [<c0310060>]
> (__check_object_size+0x2d8/0x448)
> [<c0310060>] (__check_object_size) from [<c0427a30>]
> (build_test_sglist+0x268/0x2d8)
> [<c0427a30>] (build_test_sglist) from [<c0428c38>]
> (test_hash_vec_cfg+0x110/0x694)
> [<c0428c38>] (test_hash_vec_cfg) from [<c0429314>]
> (__alg_test_hash+0x158/0x1b8)
> [<c0429314>] (__alg_test_hash) from [<c0429420>] (alg_test_hash+0xac/0xf4)
> [<c0429420>] (alg_test_hash) from [<c042a414>] (alg_test.part.4+0x264/0x2f8)
> [<c042a414>] (alg_test.part.4) from [<c0426524>] (cryptomgr_test+0x24/0x44)
> [<c0426524>] (cryptomgr_test) from [<c023dcec>] (kthread+0x138/0x150)
> [<c023dcec>] (kthread) from [<c02010d8>] (ret_from_fork+0x14/0x3c)
> Exception stack(0xea54bfb0 to 0xea54bff8)
> bfa0: 00000000 00000000
> 00000000 00000000
> bfc0: 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000
> bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
>
> A similar trace is seen with sha1-ce on arm64:
>
> usercopy: Kernel memory overwrite attempt detected to spans
> multiple pages (offset 0, size 42)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102!
> Internal error: Oops - BUG: 0 [#1] SMP
> Modules linked in:
> CPU: 1 PID: 33 Comm: cryptomgr_test Not tainted
> 5.1.0-rc1-salvator-x-01109-gbeb7d6376ecfbf07-dirty #352
> Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
> pstate: 60400005 (nZCv daif +PAN -UAO)
> pc : usercopy_abort+0x64/0x90
> lr : usercopy_abort+0x64/0x90
> sp : ffffff8011eb38d0
> x29: ffffff8011eb38e0 x28: 6db6db6db6db6db7
> x27: ffffffbf00000000 x26: 0000000000000038
> x25: ffffffc0778fd009 x24: 0000000000000000
> x23: ffffffc0778fd00a x22: ffffff8010d51000
> x21: 0000000000000000 x20: 000000000000002a
> x19: ffffffc0778fcfe0 x18: 000000000000000a
> x17: 00000000526a1be5 x16: 0000000000000014
> x15: 000000000009f6c2 x14: 0720072007200720
> x13: 0720072007200720 x12: 0720072007200720
> x11: 0720072007200720 x10: 0720072007200720
> x9 : ffffff80110126c8 x8 : 0000000000000000
> x7 : ffffff801015700c x6 : 0000000000000000
> x5 : 0000000000000000 x4 : ffffff8011eb4000
> x3 : 0000000000000080 x2 : a045404094166600
> x1 : 0000000000000000 x0 : 000000000000005f
> Process cryptomgr_test (pid: 33, stack limit = 0x(____ptrval____))
> Call trace:
> usercopy_abort+0x64/0x90
> __check_object_size+0x64/0x464
> build_test_sglist+0x238/0x2c8
> test_hash_vec_cfg+0x130/0x660
> __alg_test_hash+0x1b4/0x1f4
> alg_test_hash+0x88/0x104
> alg_test.part.6+0x2a8/0x330
> alg_test+0x98/0xa0
> cryptomgr_test+0x24/0x4c
> kthread+0x120/0x130
> ret_from_fork+0x10/0x18
> Code: aa0003e3 b00053e0 91148000 97fc3bf2 (d4210000)
> ---[ end trace d9f3261d50a7f84f ]---
> BUG: sleeping function called from invalid context at
> include/linux/percpu-rwsem.h:34
> in_atomic(): 0, irqs_disabled(): 128, pid: 33, name: cryptomgr_test
> INFO: lockdep is turned off.
> irq event stamp: 262
> hardirqs last enabled at (261): [<ffffff8010157050>]
> console_unlock+0x554/0x560
> hardirqs last disabled at (262): [<ffffff8010081a28>]
> do_debug_exception+0x48/0x13c
> softirqs last enabled at (258): [<ffffff8010081ee4>]
> __do_softirq+0x18c/0x4a0
> softirqs last disabled at (245): [<ffffff80100f3e10>] irq_exit+0xa4/0x100
> CPU: 1 PID: 33 Comm: cryptomgr_test Tainted: G D
> 5.1.0-rc1-salvator-x-01109-gbeb7d6376ecfbf07-dirty #352
> Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
> Call trace:
> dump_backtrace+0x0/0x118
> show_stack+0x14/0x1c
> dump_stack+0xc8/0x118
> ___might_sleep+0x24c/0x25c
> __might_sleep+0x70/0x80
> exit_signals+0x48/0x278
> do_exit+0x10c/0xa30
> die+0x1f4/0x208
> bug_handler+0x4c/0x78
> brk_handler+0x15c/0x188
> do_debug_exception+0xd4/0x13c
> el1_dbg+0x18/0xbc
> usercopy_abort+0x64/0x90
> __check_object_size+0x64/0x464
> build_test_sglist+0x238/0x2c8
> test_hash_vec_cfg+0x130/0x660
> __alg_test_hash+0x1b4/0x1f4
> alg_test_hash+0x88/0x104
> alg_test.part.6+0x2a8/0x330
> alg_test+0x98/0xa0
> cryptomgr_test+0x24/0x4c
> kthread+0x120/0x130
> ret_from_fork+0x10/0x18
>
> Gr{oetje,eeting}s,
>
> Geert
>
Well, this must happen with the new (in 5.1) crypto self-tests implementation
for any crypto algorithm when CONFIG_HARDENED_USERCOPY_PAGESPAN=y. I don't
understand why hardened usercopy considers it a bug though, as there's no buffer
overflow. The crypto tests use copy_from_iter() to copy data into a 2-page
buffer that was allocated with __get_free_pages():
__get_free_pages(GFP_KERNEL, 1)
... where 1 means an order-1 allocation.
If it copies to offset=4064 len=42, for example, then hardened usercopy
considers it a bug even though the buffer is 8192 bytes long. Why?
It isn't actually copying anything to/from userspace, BTW; it's using iov_iter
with ITER_KVEC.
- Eric
More information about the Linux-security-module-archive
mailing list