[syzbot] BUG: unable to handle kernel access to user memory in schedule_tail

Alex Ghiti alex at ghiti.fr
Thu Mar 11 06:39:58 GMT 2021 

Hi Ben,

Le 3/10/21 à 5:24 PM, Ben Dooks a écrit :
> On 10/03/2021 17:16, Dmitry Vyukov wrote:
>> On Wed, Mar 10, 2021 at 5:46 PM syzbot
>> <syzbot+e74b94fe601ab9552d69 at syzkaller.appspotmail.com> wrote:
>>>
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    0d7588ab riscv: process: Fix no prototype for 
>>> arch_dup_tas..
>>> git tree:       
>>> git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1212c6e6d00000
>>> kernel config:  
>>> https://syzkaller.appspot.com/x/.config?x=e3c595255fb2d136
>>> dashboard link: 
>>> https://syzkaller.appspot.com/bug?extid=e74b94fe601ab9552d69
>>> userspace arch: riscv64
>>>
>>> Unfortunately, I don't have any reproducer for this issue yet.
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the 
>>> commit:
>>> Reported-by: syzbot+e74b94fe601ab9552d69 at syzkaller.appspotmail.com
>>
>> +riscv maintainers
>>
>> This is riscv64-specific.
>> I've seen similar crashes in put_user in other places. It looks like
>> put_user crashes in the user address is not mapped/protected (?).
> 
> The unmapped case should have been handled.
> 
> I think this issue is that the check for user-mode access added. From
> what I read the code may be wrong in
> 
> +    if (!user_mode(regs) && addr < TASK_SIZE &&
> +            unlikely(!(regs->status & SR_SUM)))
> +        die_kernel_fault("access to user memory without uaccess routines",
> +                addr, regs);
> 
> I think the SR_SUM check might be wrong, as I read the standard the
> SR_SUM should be set to disable user-space access. So the check
> should be unlikely(regs->status & SR_SUM) to say access without
> having disabled the protection.

The check that is done seems correct to me: "The SUM (permit Supervisor 
User Memory access) bit modifies the privilege with which S-mode loads 
and stores access virtual memory.  *When SUM=0, S-mode memory accesses 
to pages that are accessible by U-mode (U=1 in Figure 4.15) will fault*. 
  When SUM=1, these accesses are permitted.SUM  has  no  effect  when 
page-based  virtual  memory  is  not  in  effect".

I will try to reproduce the problem locally.

Thanks,

Alex

> 
> Without this, you can end up with an infinite loop in the fault handler.
> 
>>
>>> Unable to handle kernel access to user memory without uaccess 
>>> routines at virtual address 000000002749f0d0
>>> Oops [#1]
>>> Modules linked in:
>>> CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted 
>>> 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
>>> Hardware name: riscv-virtio,qemu (DT)
>>> epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
>>>   ra : task_pid_vnr include/linux/sched.h:1421 [inline]
>>>   ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264
>>> epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0
>>>   gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000
>>>   t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0
>>>   s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003
>>>   a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00
>>>   a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba
>>>   s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0
>>>   s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850
>>>   s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8
>>>   s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2
>>>   t5 : ffffffc4043cafba t6 : 0000000000040000
>>> status: 0000000000000120 badaddr: 000000002749f0d0 cause: 
>>> 000000000000000f
>>> Call Trace:
>>> [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
>>> [<ffffffe000005570>] ret_from_exception+0x0/0x14
>>> Dumping ftrace buffer:
>>>     (ftrace buffer empty)
>>> ---[ end trace b5f8f9231dc87dda ]---
>>>
>>>
>>> ---
>>> This report is generated by a bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for more information about syzbot.
>>> syzbot engineers can be reached at syzkaller at googlegroups.com.
>>>
>>> syzbot will keep track of this issue. See:
>>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, 
>>> send an email to syzkaller-bugs+unsubscribe at googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/syzkaller-bugs/000000000000b74f1b05bd316729%40google.com. 
>>>
>>
>> _______________________________________________
>> linux-riscv mailing list
>> linux-riscv at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/linux-riscv
>>
> 
>

More information about the linux-riscv mailing list