io_uring02 from ubuntu_ltp_syscalls fails on F/oem-5.6 (timeouted / SIGKILL)

Bug #1928028 reported by Kelsey Skunberg on 2021-05-11
This bug affects 1 person
Affects                  Importance  Assigned to
ubuntu-kernel-tests      Undecided   Unassigned
linux-oem-5.6 (Ubuntu)   Undecided   Unassigned
  Focal                  Medium      Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
When using async io_uring OP_SENDMSG, a copy to kernel address 0 might be attempted, leading to a kernel WARN/BUG and an uninterruptible process.

[Fix]
Partial backport of dd821e0c95a64b5923a0c57f07d3f7563553e756 ("io_uring: fix missing msg_name assignment"). The recvmsg side does not need to set msg_name, as it copies from a local/stack kernel address (at ____sys_recvmsg) to a uaddr parameter, which is supplied when doing the copy_msghdr operation.

[Test case]
LTP io_uring02 was run, and an equivalent recvmsg test was done too. A successful sendmsg test (without the chroot used by the io_uring02 test) was also run.

[Potential regressions]
io_uring sendmsg/recvmsg paths could fail, potentially leading to a system crash or even a security vulnerability.

-----------------------------------------------------------------------

io_uring02 from ubuntu_ltp_syscalls fails on F/oem-5.6 5.6.0-1056.60 on host spitfire

This test was not found to have been run on previous versions of F/oem-5.6, so this is not considered a regression.

26934. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tag=io_uring01 stime=1620398217 dur=0 exit=exited stat=0 core=no cu=0 cs=0
26935. 05/07 14:42:48 DEBUG| utils:0153| [stdout] startup='Fri May 7 14:36:57 2021'
26936. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tst_test.c:1311: TINFO: Timeout per run is 0h 05m 00s
26937. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26938. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26939. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26940. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26941. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26942. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26943. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26944. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26945. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26946. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26947. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26948. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Cannot kill test processes!
26949. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Congratulation, likely test hit a kernel bug.
26950. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Exitting uncleanly...
26951. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tag=io_uring02 stime=1620398217 dur=350 exit=exited stat=1 core=no cu=0 cs=0
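The runner output above only says that the test could not be killed and "likely hit a kernel bug"; the actual BUG lands in dmesg under the matching "LTP: starting <tag>" line. The following triage helper is an added example, not part of the bug report, LTP or autotest: it parses autotest-style runner lines, attaches the SIGKILL/unkillable markers (which are printed before the tag= record of the test they belong to) to that test, and then looks up the kernel BUG and innermost call-trace frame that dmesg recorded while that test was running. The sample log and dmesg lines embedded below are constructed from the excerpts quoted in this report.

```python
"""Correlate an LTP test that had to be SIGKILLed with the kernel BUG in dmesg.

Added example (not LTP, autotest or kernel code). Input format assumptions:
runner lines carry a "[stdout] " prefix; dmesg lines carry a "[ secs ] " prefix.
"""
import re

# Constructed sample: subset of the runner output quoted in the bug report.
RUNNER_LOG = """\
26934. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tag=io_uring01 stime=1620398217 dur=0 exit=exited stat=0 core=no cu=0 cs=0
26936. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tst_test.c:1311: TINFO: Timeout per run is 0h 05m 00s
26937. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26948. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Cannot kill test processes!
26949. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Congratulation, likely test hit a kernel bug.
26951. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tag=io_uring02 stime=1620398217 dur=350 exit=exited stat=1 core=no cu=0 cs=0
"""

# Constructed sample: the relevant dmesg lines from the report (trace shortened).
DMESG = """\
[ 1377.246198] LTP: starting io_uring02
[ 1377.248923] usercopy: Kernel memory overwrite attempt detected to null address (offset 0, size 110)!
[ 1377.254584] ------------[ cut here ]------------
[ 1377.254587] kernel BUG at mm/usercopy.c:99!
[ 1377.259183] CPU: 0 PID: 49675 Comm: io_uring02 Not tainted 5.6.0-1056-oem #60-Ubuntu
[ 1377.294826] Call Trace:
[ 1377.295535] __check_object_size.cold+0x5d/0x83
[ 1377.296995] move_addr_to_kernel.part.0+0x27/0x80
[ 1377.298499] copy_msghdr_from_user+0x112/0x150
[ 1377.305084] ? vma_wants_writenotify+0x55/0xd0
"""

STDOUT_RE = re.compile(r"\[stdout\] (.*)$")
TAG_RE = re.compile(r"^tag=(\S+) stime=(\d+) dur=(\d+) exit=(\S+) stat=(\d+) core=(\S+)")
DMESG_RE = re.compile(r"^\[\s*([\d.]+)\] (.*)$")
# Unreliable ("? ") frames are excluded on purpose; only certain frames match.
FRAME_RE = re.compile(r"^\w[\w.]*\+0x")
KERNEL_BUG_MARKERS = ("Cannot kill test processes!", "likely test hit a kernel bug")


def parse_runner_log(text):
    """Return one record per LTP test, with SIGKILL count and an 'unkillable' flag.

    The timeout/kernel-bug messages precede the tag= line of the test that
    produced them, so they are accumulated and attached to the next tag= record.
    """
    records, pending = [], {"sigkills": 0, "unkillable": False}
    for line in text.splitlines():
        m = STDOUT_RE.search(line)
        if not m:
            continue
        payload = m.group(1)
        if "sending SIGKILL" in payload:
            pending["sigkills"] += 1
            continue
        if any(marker in payload for marker in KERNEL_BUG_MARKERS):
            pending["unkillable"] = True
            continue
        t = TAG_RE.match(payload)
        if t:
            records.append({
                "tag": t.group(1), "dur": int(t.group(3)), "exit": t.group(4),
                "stat": int(t.group(5)), "sigkills": pending["sigkills"],
                "unkillable": pending["unkillable"],
            })
            pending = {"sigkills": 0, "unkillable": False}
    return records


def find_kernel_bug(dmesg_text, tag):
    """Return (BUG line, call-trace frames) logged after 'LTP: starting <tag>', else None."""
    in_test, in_trace, bug, frames = False, False, None, []
    for line in dmesg_text.splitlines():
        m = DMESG_RE.match(line)
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("LTP: starting "):
            in_test = msg.split()[-1] == tag      # a new test boundary resets state
            in_trace = False
            continue
        if not in_test:
            continue
        if msg.startswith("kernel BUG at") or msg.startswith("BUG:"):
            bug = msg
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace and FRAME_RE.match(msg):
            frames.append(msg)
    return (bug, frames) if bug else None


def triage(runner_text, dmesg_text):
    """List (tag, BUG line, innermost frame) for tests the runner could not kill."""
    hits = []
    for rec in parse_runner_log(runner_text):
        if not rec["unkillable"]:
            continue
        found = find_kernel_bug(dmesg_text, rec["tag"])
        if found:
            bug, frames = found
            hits.append((rec["tag"], bug, frames[0] if frames else None))
    return hits


if __name__ == "__main__":
    for tag, bug, frame in triage(RUNNER_LOG, DMESG):
        print(f"{tag}: {bug} (innermost frame: {frame})")
```

Running it on the constructed samples reports io_uring02 with "kernel BUG at mm/usercopy.c:99!" and __check_object_size.cold as the innermost frame, which is what the report's dmesg shows. When reading the usercopy message itself, note that size 110 is the length of the address being moved into the kernel by move_addr_to_kernel; on Linux that matches sizeof(struct sockaddr_un), consistent with the destination (msg_name) being the unassigned NULL pointer rather than the source being bad.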

Po-Hsu Lin (cypressyew) wrote :

I have verified this on various kernels (4.4 / 4.15 / 5.4 / 5.8 / 5.10 OEM). It looks like this is only affecting 5.6 OEM.

Traces can be found in dmesg:
[ 1377.246198] LTP: starting io_uring02
[ 1377.248923] usercopy: Kernel memory overwrite attempt detected to null address (offset 0, size 110)!
[ 1377.254584] ------------[ cut here ]------------
[ 1377.254587] kernel BUG at mm/usercopy.c:99!
[ 1377.257041] invalid opcode: 0000 [#1] SMP PTI
[ 1377.259183] CPU: 0 PID: 49675 Comm: io_uring02 Not tainted 5.6.0-1056-oem #60-Ubuntu
[ 1377.261706] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1377.264350] RIP: 0010:usercopy_abort+0x7b/0x7d
[ 1377.265631] Code: 4c 0f 45 de 51 4c 89 d1 48 c7 c2 75 93 7b 8f 57 48 c7 c6 d0 4d 7a 8f 48 c7 c7 40 94 7b 8f 48 0f 45 f2 4c 89 da e8 58 28 e3 ff <0f> 0b 4c 89 e1 49 89 d8 44 89 ea 31 f6 48 29 c1 48 c7 c7 b7 93 7b
[ 1377.271104] RSP: 0018:ffffafdcc09f3bd8 EFLAGS: 00010246
[ 1377.272730] RAX: 0000000000000058 RBX: 000000000000006e RCX: 0000000000000000
[ 1377.274943] RDX: 0000000000000000 RSI: ffff8caa3dc19808 RDI: ffff8caa3dc19808
[ 1377.277057] RBP: ffffafdcc09f3bf0 R08: 0000000000000264 R09: ffffafdcc0318810
[ 1377.279161] R10: ffff8caa3b977bc0 R11: 0000000000000002 R12: 0000000000000000
[ 1377.281454] R13: 0000000000000000 R14: 000000000000006e R15: 000000000000006e
[ 1377.283694] FS: 00007f6355cd6600(0000) GS:ffff8caa3dc00000(0000) knlGS:0000000000000000
[ 1377.286251] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1377.288060] CR2: 00007f6355d0c000 CR3: 0000000032062000 CR4: 00000000000006f0
[ 1377.290336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1377.292685] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1377.294826] Call Trace:
[ 1377.295535] __check_object_size.cold+0x5d/0x83
[ 1377.296995] move_addr_to_kernel.part.0+0x27/0x80
[ 1377.298499] copy_msghdr_from_user+0x112/0x150
[ 1377.299953] sendmsg_copy_msghdr+0x17/0x40
[ 1377.301281] io_sendmsg_prep+0x75/0x90
[ 1377.302514] io_req_defer_prep+0x315/0x5b0
[ 1377.303877] io_queue_sqe+0x3e2/0x9e0
[ 1377.305084] ? vma_wants_writenotify+0x55/0xd0
[ 1377.306613] ? vma_set_page_prot+0x2f/0x60
[ 1377.307954] ? _cond_resched+0x19/0x30
[ 1377.309162] ? kmem_cache_alloc+0x16d/0x230
[ 1377.310517] io_submit_sqes+0x852/0xb00
[ 1377.311787] ? vm_mmap_pgoff+0x108/0x120
[ 1377.313057] __x64_sys_io_uring_enter+0x229/0x320
[ 1377.314650] do_syscall_64+0x57/0x1b0
[ 1377.315847] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1377.317451] RIP: 0033:0x7f6355bfe89d
[ 1377.318606] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
[ 1377.324843] RSP: 002b:00007ffd525d4b28 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 1377.327322] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f6355bfe89d
[ 1377.329610] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000005
[ 1377.331964] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000008
[ 1377.334330] R10: 0000000000000001 R11: 0000000000000246 R12: 000055ed...

Changed in linux-oem-5.6 (Ubuntu Focal):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
importance: Undecided → Medium
status: New → In Progress
Thadeu Lima de Souza Cascardo (cascardo) wrote :

It looks like all necessary commits for CVE-2020-29373 are there on the 5.6 kernel.

I am investigating if this is caused by missing commit dd821e0c95a64b5923a0c57f07d3f7563553e756 ("io_uring: fix missing msg_name assignment").

Thadeu Lima de Souza Cascardo (cascardo) wrote :
description: updated
Stefan Bader (smb) on 2021-05-17
Changed in linux-oem-5.6 (Ubuntu):
status: New → Invalid
Po-Hsu Lin (cypressyew) on 2021-05-20
Changed in ubuntu-kernel-tests:
status: New → In Progress