io_uring02 from ubuntu_ltp_syscalls fails on F/oem-5.6 (timeouted / SIGKILL)

Bug #1928028 reported by Kelsey Steele
This bug affects 1 person
Affects                        Status      Importance  Assigned to
ubuntu-kernel-tests            Won't Fix   Undecided   Unassigned
linux-oem-5.6 (Ubuntu)         Invalid     Undecided   Unassigned
linux-oem-5.6 (Ubuntu Focal)   Won't Fix   Medium      Thadeu Lima de Souza Cascardo

Bug Description

[Impact]
When using async io_uring OP_SENDMSG, a copy to kernel address 0 might be attempted, leading to a kernel WARN/BUG and an uninterruptible process.

[Fix]
Partial backport of dd821e0c95a64b5923a0c57f07d3f7563553e756 ("io_uring: fix missing msg_name assignment"). The recvmsg side does not need to set msg_name, as it copies from a local/stack kernel address (in ____sys_recvmsg) to the uaddr parameter that is supplied when doing the copy_msghdr operation.

[Test case]
LTP io_uring02 was run, and an equivalent recvmsg test was done too. A successful sendmsg test (without the chroot from the io_uring02 test) was also run.

[Potential regressions]
io_uring sendmsg/recvmsg paths could fail, potentially leading to a system crash or even a security vulnerability.

-----------------------------------------------------------------------

io_uring02 from ubuntu_ltp_syscalls fails on F/oem-5.6 5.6.0-1056.60 on host spitfire

This test was not found to have been run on previous versions of F/oem-5.6, so this is not considered a regression.

26934. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tag=io_uring01 stime=1620398217 dur=0 exit=exited stat=0 core=no cu=0 cs=0
26935. 05/07 14:42:48 DEBUG| utils:0153| [stdout] startup='Fri May 7 14:36:57 2021'
26936. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tst_test.c:1311: TINFO: Timeout per run is 0h 05m 00s
26937. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26938. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26939. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26940. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26941. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26942. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26943. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26944. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26945. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26946. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26947. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Test timeouted, sending SIGKILL!
26948. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Cannot kill test processes!
26949. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Congratulation, likely test hit a kernel bug.
26950. 05/07 14:42:48 DEBUG| utils:0153| [stdout] Exitting uncleanly...
26951. 05/07 14:42:48 DEBUG| utils:0153| [stdout] tag=io_uring02 stime=1620398217 dur=350 exit=exited stat=1 core=no cu=0 cs=0

Po-Hsu Lin (cypressyew) wrote :

I have verified this on various kernels (4.4 / 4.15 / 5.4 / 5.8 / 5.10 OEM). It looks like this is only affecting 5.6 OEM.

Traces can be found in dmesg:
[ 1377.246198] LTP: starting io_uring02
[ 1377.248923] usercopy: Kernel memory overwrite attempt detected to null address (offset 0, size 110)!
[ 1377.254584] ------------[ cut here ]------------
[ 1377.254587] kernel BUG at mm/usercopy.c:99!
[ 1377.257041] invalid opcode: 0000 [#1] SMP PTI
[ 1377.259183] CPU: 0 PID: 49675 Comm: io_uring02 Not tainted 5.6.0-1056-oem #60-Ubuntu
[ 1377.261706] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1377.264350] RIP: 0010:usercopy_abort+0x7b/0x7d
[ 1377.265631] Code: 4c 0f 45 de 51 4c 89 d1 48 c7 c2 75 93 7b 8f 57 48 c7 c6 d0 4d 7a 8f 48 c7 c7 40 94 7b 8f 48 0f 45 f2 4c 89 da e8 58 28 e3 ff <0f> 0b 4c 89 e1 49 89 d8 44 89 ea 31 f6 48 29 c1 48 c7 c7 b7 93 7b
[ 1377.271104] RSP: 0018:ffffafdcc09f3bd8 EFLAGS: 00010246
[ 1377.272730] RAX: 0000000000000058 RBX: 000000000000006e RCX: 0000000000000000
[ 1377.274943] RDX: 0000000000000000 RSI: ffff8caa3dc19808 RDI: ffff8caa3dc19808
[ 1377.277057] RBP: ffffafdcc09f3bf0 R08: 0000000000000264 R09: ffffafdcc0318810
[ 1377.279161] R10: ffff8caa3b977bc0 R11: 0000000000000002 R12: 0000000000000000
[ 1377.281454] R13: 0000000000000000 R14: 000000000000006e R15: 000000000000006e
[ 1377.283694] FS: 00007f6355cd6600(0000) GS:ffff8caa3dc00000(0000) knlGS:0000000000000000
[ 1377.286251] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1377.288060] CR2: 00007f6355d0c000 CR3: 0000000032062000 CR4: 00000000000006f0
[ 1377.290336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1377.292685] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1377.294826] Call Trace:
[ 1377.295535] __check_object_size.cold+0x5d/0x83
[ 1377.296995] move_addr_to_kernel.part.0+0x27/0x80
[ 1377.298499] copy_msghdr_from_user+0x112/0x150
[ 1377.299953] sendmsg_copy_msghdr+0x17/0x40
[ 1377.301281] io_sendmsg_prep+0x75/0x90
[ 1377.302514] io_req_defer_prep+0x315/0x5b0
[ 1377.303877] io_queue_sqe+0x3e2/0x9e0
[ 1377.305084] ? vma_wants_writenotify+0x55/0xd0
[ 1377.306613] ? vma_set_page_prot+0x2f/0x60
[ 1377.307954] ? _cond_resched+0x19/0x30
[ 1377.309162] ? kmem_cache_alloc+0x16d/0x230
[ 1377.310517] io_submit_sqes+0x852/0xb00
[ 1377.311787] ? vm_mmap_pgoff+0x108/0x120
[ 1377.313057] __x64_sys_io_uring_enter+0x229/0x320
[ 1377.314650] do_syscall_64+0x57/0x1b0
[ 1377.315847] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1377.317451] RIP: 0033:0x7f6355bfe89d
[ 1377.318606] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
[ 1377.324843] RSP: 002b:00007ffd525d4b28 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
[ 1377.327322] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f6355bfe89d
[ 1377.329610] RDX: 0000000000000001 RSI: 0000000000000001 RDI: 0000000000000005
[ 1377.331964] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000008
[ 1377.334330] R10: 0000000000000001 R11: 0000000000000246 R12: 000055ed...

Changed in linux-oem-5.6 (Ubuntu Focal):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
importance: Undecided → Medium
status: New → In Progress
Thadeu Lima de Souza Cascardo (cascardo) wrote :

It looks like all necessary commits for CVE-2020-29373 are there on the 5.6 kernel.

I am investigating if this is caused by missing commit dd821e0c95a64b5923a0c57f07d3f7563553e756 ("io_uring: fix missing msg_name assignment").

Thadeu Lima de Souza Cascardo (cascardo) wrote :
description: updated
Stefan Bader (smb)
Changed in linux-oem-5.6 (Ubuntu):
status: New → Invalid
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Po-Hsu Lin (cypressyew) wrote :

OEM-5.6 EOL. Closing this bug.

Changed in ubuntu-kernel-tests:
status: In Progress → Won't Fix
Changed in linux-oem-5.6 (Ubuntu Focal):
status: In Progress → Won't Fix