intel / ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License

BUG: KASAN: slab-out-of-bounds in handle_control_message (drivers/char/virtio_console.c:1575) #100

Closed ereshetova closed 3 months ago

ereshetova commented 1 year ago

Found on 6.0.0-rc2 via the BOOT_DOINITCALLS_VIRTIO harness.

BUG: KASAN: slab-out-of-bounds in handle_control_message (drivers/char/virtio_console.c:1575)
Read of size 4 at addr ffff888006560000 by task kworker/0:1/23

CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
Call Trace:
 dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107)
 print_report.cold (mm/kasan/report.c:325 mm/kasan/report.c:440)
 ? handle_control_message (drivers/char/virtio_console.c:1575)
 kasan_report (mm/kasan/report.c:504)
 ? memmove (mm/kasan/shadow.c:54)
 ? handle_control_message (drivers/char/virtio_console.c:1575)
 __asan_report_load4_noabort (mm/kasan/report_generic.c:306)
 handle_control_message (drivers/char/virtio_console.c:1575)
 control_work_handler (include/linux/spinlock.h:349 drivers/char/virtio_console.c:1720)
 ? handle_control_message (drivers/char/virtio_console.c:1702)
 ? __kasan_check_read (mm/kasan/shadow.c:32)
 ? read_word_at_a_time (include/asm-generic/rwonce.h:86)
 ? strscpy (lib/string.c:204)
 process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
 ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
 worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
 ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376)
 ? process_one_work (kernel/workqueue.c:2379)
 kthread (kernel/kthread.c:376)
 ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198)
 ? kthread_complete_and_exit (kernel/kthread.c:335)
 ret_from_fork (arch/x86/entry/entry_64.S:312)

Allocated by task 1:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
 __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
 vring_alloc_desc_extra (include/linux/slab.h:640 drivers/virtio/virtio_ring.c:1823)
 vring_alloc_state_extra_split (drivers/virtio/virtio_ring.c:1011)
 vring_new_virtqueue (drivers/virtio/virtio_ring.c:2522)
 vring_create_virtqueue (drivers/virtio/virtio_ring.c:1109 drivers/virtio/virtio_ring.c:2556)
 setup_vq (drivers/virtio/virtio_pci_modern.c:321)
 vp_setup_vq (drivers/virtio/virtio_pci_common.c:190)
 vp_find_vqs_msix (drivers/virtio/virtio_pci_common.c:329)
 vp_find_vqs (drivers/virtio/virtio_pci_common.c:411)
 vp_modern_find_vqs (drivers/virtio/virtio_pci_modern.c:357)
 virtcons_probe (drivers/char/virtio_console.c:1901 drivers/char/virtio_console.c:2063)
 virtio_dev_probe (drivers/virtio/virtio.c:307)
 really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
 driver_probe_device (drivers/base/dd.c:753)
 driver_probe_device (drivers/base/dd.c:783)
 __driver_attach (drivers/base/dd.c:1156)
 bus_for_each_dev (drivers/base/bus.c:300)
 driver_attach (drivers/base/dd.c:1173)
 bus_add_driver (drivers/base/bus.c:618)
 driver_register (drivers/base/driver.c:240)
 register_virtio_driver (drivers/virtio/virtio.c:360)
 virtio_console_init (drivers/char/virtio_console.c:2268)
 do_one_initcall (init/main.c:1421)
 kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
 kernel_init (init/main.c:1654)
 ret_from_fork (arch/x86/entry/entry_64.S:312)

The buggy address belongs to the object at ffff888006560800
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 2048 bytes to the left of
 2048-byte region [ffff888006560800, ffff888006561000)

The buggy address belongs to the physical page:
page:ffffea0000195800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6560
head:ffffea0000195800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea000019ee08 ffffea0000195608 ffff888005c42340
raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88800655ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88800655ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888006560000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888006560080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888006560100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Disabling lock debugging due to kernel taint

Similar taint:

BUG: KASAN: slab-out-of-bounds in kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
Write of size 100 at addr ffff888006839d08 by task kworker/0:1/23

CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
Call Trace:
 dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107)
 print_report.cold (mm/kasan/report.c:325 mm/kasan/report.c:440)
 ? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
 kasan_report (mm/kasan/report.c:504)
 ? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
 kasan_check_range (mm/kasan/generic.c:190)
 memcpy (mm/kasan/shadow.c:65 (discriminator 1))
 kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495)
 virtqueue_get_buf (drivers/virtio/virtio_ring.c:2299)
 control_work_handler (drivers/char/virtio_console.c:1712)
 ? handle_control_message (drivers/char/virtio_console.c:1702)
 ? __kasan_check_read (mm/kasan/shadow.c:32)
 ? read_word_at_a_time (include/asm-generic/rwonce.h:86)
 ? strscpy (lib/string.c:204)
 process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
 ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
 worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
 ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376)
 ? process_one_work (kernel/workqueue.c:2379)
 kthread (kernel/kthread.c:376)
 ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198)
 ? kthread_complete_and_exit (kernel/kthread.c:335)
 ret_from_fork (arch/x86/entry/entry_64.S:312)

Allocated by task 1:
 kasan_save_stack (mm/kasan/common.c:39)
 kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
 __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424)
 alloc_buf (include/linux/slab.h:605 drivers/char/virtio_console.c:424)
 fill_queue (drivers/char/virtio_console.c:1335)
 virtcons_probe (drivers/char/virtio_console.c:2083)
 virtio_dev_probe (drivers/virtio/virtio.c:307)
 really_probe (drivers/base/dd.c:530 drivers/base/dd.c:614)
 driver_probe_device (drivers/base/dd.c:753)
 driver_probe_device (drivers/base/dd.c:783)
 __driver_attach (drivers/base/dd.c:1156)
 bus_for_each_dev (drivers/base/bus.c:300)
 driver_attach (drivers/base/dd.c:1173)
 bus_add_driver (drivers/base/bus.c:618)
 driver_register (drivers/base/driver.c:240)
 register_virtio_driver (drivers/virtio/virtio.c:360)
 virtio_console_init (drivers/char/virtio_console.c:2268)
 do_one_initcall (init/main.c:1421)
 kernel_init_freeable (init/main.c:1509 init/main.c:1531 init/main.c:1553 init/main.c:1768)
 kernel_init (init/main.c:1654)
 ret_from_fork (arch/x86/entry/entry_64.S:312)

The buggy address belongs to the object at ffff888006839d08
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
 96-byte region [ffff888006839d08, ffff888006839d68)

The buggy address belongs to the physical page:
page:ffffea00001a0e40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6839
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea00001a3488 ffffea00001aa3c8 ffff888005c41940
raw: 0000000000000000 0000000000130013 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888006839c00: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00
 ffff888006839c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888006839d00: fc 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                      ^
 ffff888006839d80: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00
 ffff888006839e00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc

Disabling lock debugging due to kernel taint

ereshetova commented 1 year ago

Likely related one:

general protection fault, probably for non-canonical address 0xe0003c0000020003: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: maybe wild-memory-access in range [0x0002000000100018-0x000200000010001f]
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
RIP: 0010:handle_control_message (drivers/char/virtio_console.c:1575)
Code: 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 05 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 03 5e 18 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6b

All code
   0:   00 fc                   add    %bh,%ah
   2:   ff                      (bad)
   3:   df 4c 89 fa             fisttps -0x6(%rcx,%rcx,4)
   7:   48 c1 ea 03             shr    $0x3,%rdx
   b:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   f:   0f 85 05 07 00 00       jne    0x71a
  15:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1c:   fc ff df
  1f:   49 03 5e 18             add    0x18(%r14),%rbx
  23:   48 89 da                mov    %rbx,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  0f b6 14 02             movzbl (%rdx,%rax,1),%edx    <-- trapping instruction
  2e:   48 89 d8                mov    %rbx,%rax
  31:   83 e0 07                and    $0x7,%eax
  34:   83 c0 03                add    $0x3,%eax
  37:   38 d0                   cmp    %dl,%al
  39:   7c 08                   jl     0x43
  3b:   84 d2                   test   %dl,%dl
  3d:   0f                      .byte 0xf
  3e:   85                      .byte 0x85
  3f:   6b                      .byte 0x6b

Code starting with the faulting instruction
   0:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx
   4:   48 89 d8                mov    %rbx,%rax
   7:   83 e0 07                and    $0x7,%eax
   a:   83 c0 03                add    $0x3,%eax
   d:   38 d0                   cmp    %dl,%al
   f:   7c 08                   jl     0x19
  11:   84 d2                   test   %dl,%dl
  13:   0f                      .byte 0xf
  14:   85                      .byte 0x85
  15:   6b                      .byte 0x6b

RSP: 0000:ffffc9000017fca0 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 000200000010001e RCX: 1ffff11000d073a3
RDX: 0000400000020003 RSI: ffff88802c51cab8 RDI: ffff888007ad9c00
RBP: ffffc9000017fcd8 R08: 000200000010001e R09: 0000000000800000
R10: 000200000010001e R11: 0000000000800000 R12: ffff888009e28a00
R13: ffff88802c51cab8 R14: ffff888006839d08 R15: ffff888006839d20
FS:  0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
 control_work_handler (include/linux/spinlock.h:349 drivers/char/virtio_console.c:1720)
 ? handle_control_message (drivers/char/virtio_console.c:1702)
 ? __kasan_check_read (mm/kasan/shadow.c:32)
 ? read_word_at_a_time (include/asm-generic/rwonce.h:86)
 ? strscpy (lib/string.c:204)
 process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
 ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
 worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
 ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376)
 ? process_one_work (kernel/workqueue.c:2379)
 kthread (kernel/kthread.c:376)
 ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198)
 ? kthread_complete_and_exit (kernel/kthread.c:335)
 ret_from_fork (arch/x86/entry/entry_64.S:312)
Modules linked in:
---[ end trace 0000000000000000 ]---

ereshetova commented 1 year ago

Another one:

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
RIP: 0010:handle_control_message (drivers/char/virtio_console.c:1575)
Code: 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 05 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 03 5e 18 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6b

All code
   0:   00 fc                   add    %bh,%ah
   2:   ff                      (bad)
   3:   df 4c 89 fa             fisttps -0x6(%rcx,%rcx,4)
   7:   48 c1 ea 03             shr    $0x3,%rdx
   b:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   f:   0f 85 05 07 00 00       jne    0x71a
  15:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1c:   fc ff df
  1f:   49 03 5e 18             add    0x18(%r14),%rbx
  23:   48 89 da                mov    %rbx,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  0f b6 14 02             movzbl (%rdx,%rax,1),%edx    <-- trapping instruction
  2e:   48 89 d8                mov    %rbx,%rax
  31:   83 e0 07                and    $0x7,%eax
  34:   83 c0 03                add    $0x3,%eax
  37:   38 d0                   cmp    %dl,%al
  39:   7c 08                   jl     0x43
  3b:   84 d2                   test   %dl,%dl
  3d:   0f                      .byte 0xf
  3e:   85                      .byte 0x85
  3f:   6b                      .byte 0x6b

Code starting with the faulting instruction
   0:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx
   4:   48 89 d8                mov    %rbx,%rax
   7:   83 e0 07                and    $0x7,%eax
   a:   83 c0 03                add    $0x3,%eax
   d:   38 d0                   cmp    %dl,%al
   f:   7c 08                   jl     0x19
  11:   84 d2                   test   %dl,%dl
  13:   0f                      .byte 0xf
  14:   85                      .byte 0x85
  15:   6b                      .byte 0x6b

RSP: 0000:ffffc9000017fca0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffff11000d073a3
RDX: 0000000000000000 RSI: ffff88802c51cab8 RDI: ffff888007ad9c00
RBP: ffffc9000017fcd8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e28a00
R13: ffff88802c51cab8 R14: ffff888006839d08 R15: ffff888006839d20
FS:  0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
 control_work_handler (include/linux/spinlock.h:349 drivers/char/virtio_console.c:1720)
 ? handle_control_message (drivers/char/virtio_console.c:1702)
 ? __kasan_check_read (mm/kasan/shadow.c:32)
 ? read_word_at_a_time (include/asm-generic/rwonce.h:86)
 ? strscpy (lib/string.c:204)
 process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
 ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
 worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
 ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376)
 ? process_one_work (kernel/workqueue.c:2379)
 kthread (kernel/kthread.c:376)
 ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198)
 ? kthread_complete_and_exit (kernel/kthread.c:335)
 ret_from_fork (arch/x86/entry/entry_64.S:312)
Modules linked in:
---[ end trace 0000000000000000 ]---

ereshetova commented 1 year ago

And one more:

general protection fault, probably for non-canonical address 0xdffffc000001a000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN
KASAN: probably user-memory-access in range [0x00000000000d0000-0x00000000000d0007]
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.0.0-rc2-g1d588de205f8 #1
Workqueue: events control_work_handler
RIP: 0010:handle_control_message (drivers/char/virtio_console.c:1575)
Code: 00 fc ff df 4c 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 05 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 03 5e 18 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 6b

All code
   0:   00 fc                   add    %bh,%ah
   2:   ff                      (bad)
   3:   df 4c 89 fa             fisttps -0x6(%rcx,%rcx,4)
   7:   48 c1 ea 03             shr    $0x3,%rdx
   b:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   f:   0f 85 05 07 00 00       jne    0x71a
  15:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1c:   fc ff df
  1f:   49 03 5e 18             add    0x18(%r14),%rbx
  23:   48 89 da                mov    %rbx,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  0f b6 14 02             movzbl (%rdx,%rax,1),%edx    <-- trapping instruction
  2e:   48 89 d8                mov    %rbx,%rax
  31:   83 e0 07                and    $0x7,%eax
  34:   83 c0 03                add    $0x3,%eax
  37:   38 d0                   cmp    %dl,%al
  39:   7c 08                   jl     0x43
  3b:   84 d2                   test   %dl,%dl
  3d:   0f                      .byte 0xf
  3e:   85                      .byte 0x85
  3f:   6b                      .byte 0x6b

Code starting with the faulting instruction
   0:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx
   4:   48 89 d8                mov    %rbx,%rax
   7:   83 e0 07                and    $0x7,%eax
   a:   83 c0 03                add    $0x3,%eax
   d:   38 d0                   cmp    %dl,%al
   f:   7c 08                   jl     0x19
  11:   84 d2                   test   %dl,%dl
  13:   0f                      .byte 0xf
  14:   85                      .byte 0x85
  15:   6b                      .byte 0x6b

RSP: 0000:ffffc9000017fca0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: 00000000000d0000 RCX: 1ffff11000d073a3
RDX: 000000000001a000 RSI: ffff88802c51cab8 RDI: ffff888007ad9c00
RBP: ffffc9000017fcd8 R08: 00000000000d0000 R09: 000f0000e9000000
R10: 002310a100000000 R11: 0000010000000000 R12: ffff888009e28a00
R13: ffff88802c51cab8 R14: ffff888006839d08 R15: ffff888006839d20
FS:  0000000000000000(0000) GS:ffffffff83cab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88802dffb000 CR3: 0000000003c32001 CR4: 00000000001706f0
Call Trace:
 control_work_handler (include/linux/spinlock.h:349 drivers/char/virtio_console.c:1720)
 ? handle_control_message (drivers/char/virtio_console.c:1702)
 ? __kasan_check_read (mm/kasan/shadow.c:32)
 ? read_word_at_a_time (include/asm-generic/rwonce.h:86)
 ? strscpy (lib/string.c:204)
 process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
 ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538)
 worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
 ? pci_mmcfg_check_reserved (kernel/sched/core.c:6376)
 ? process_one_work (kernel/workqueue.c:2379)
 kthread (kernel/kthread.c:376)
 ? calculate_sigpending (arch/x86/include/asm/preempt.h:103 include/linux/spinlock.h:399 kernel/signal.c:198)
 ? kthread_complete_and_exit (kernel/kthread.c:335)
 ret_from_fork (arch/x86/entry/entry_64.S:312)
Modules linked in:
---[ end trace 0000000000000000 ]---

ereshetova commented 3 months ago

This has been confirmed as false positive. The reason was fuzzing of the whole buf structure returned from virtqueue_get_buf() vs. the correct buf->buf buffer. Closing this one.
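The harness mistake described in the closing comment, as an added C example that is not part of the issue or of the ccc-linux-guest-hardening repository: a fuzz-injection primitive that only writes into regions the guest has registered as device-writable (the analogue of the payload allocated by alloc_buf()), placed beside the two harness behaviours the comment contrasts. The struct port_buffer, the region registry and the consumer model are simplifications made for this example; the field layout mirrors only what the reports imply (buf->buf at offset 0 and buf->offset at 0x18, matching the add 0x18(%r14),%rbx just before the faulting load, with R14 equal to the kmalloc-96 object address), and the control header uses the id/event/value layout of the virtio console spec. Fuzzing the whole struct overwrites buf, len and offset, after which buf + offset is a wild or NULL pointer, which is the shape of the three GPFs above; fuzzing 100 bytes into a 96-byte object is the slab-out-of-bounds write in the second KASAN report. The registry is a hypothetical check, not something the kAFL agent implements.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the driver's struct port_buffer. Assumption: only the field
 * order the reports imply is mirrored (buf at 0, offset at 0x18 on 64-bit);
 * this is not the kernel's definition. */
struct port_buffer {
    char   *buf;     /* payload area the device writes into */
    size_t  size;    /* allocated size of buf */
    size_t  len;     /* bytes the device reported as written */
    size_t  offset;  /* bytes already consumed by the guest */
};

/* Control message header as it appears on the wire: id, event, value. */
struct virtio_console_control {
    uint32_t id;
    uint16_t event;
    uint16_t value;
};

/* Hypothetical registry of device-writable regions, recorded when the guest
 * allocates them (the analogue of alloc_buf()). Injection is legal only
 * inside one of these; the struct describing a region is never listed. */
#define MAX_REGIONS 8
static struct { uintptr_t start; size_t size; } regions[MAX_REGIONS];
static int nregions;

static int register_region(const void *p, size_t size)
{
    if (nregions == MAX_REGIONS) return -1;
    regions[nregions].start = (uintptr_t)p;
    regions[nregions].size = size;
    nregions++;
    return 0;
}

/* 1 if [addr, addr + len) lies entirely inside one registered region. */
int in_registered_region(uintptr_t addr, size_t len)
{
    for (int i = 0; i < nregions; i++) {
        uintptr_t s = regions[i].start;
        size_t sz = regions[i].size;
        if (addr >= s && addr - s <= sz && len <= sz - (addr - s))
            return 1;
    }
    return 0;
}

/* Deterministic stand-in for the fuzzer's input stream (constructed data). */
static void fuzz_fill(void *dst, size_t len, uint8_t seed)
{
    uint8_t *p = dst;
    for (size_t i = 0; i < len; i++)
        p[i] = (uint8_t)(seed + 0x9d * i);
}

/* Checked injection primitive: 1 if data was written, 0 if refused. */
int fuzz_inject(void *dst, size_t len, uint8_t seed)
{
    if (!in_registered_region((uintptr_t)dst, len)) return 0;
    fuzz_fill(dst, len, seed);
    return 1;
}

/* Consumer model: read the control header at buf->buf + buf->offset. The
 * driver trusts the struct; this model refuses to touch memory outside a
 * registered region, so corrupted metadata yields a negative code instead
 * of the wild read in the reports. Returns 0 on success. */
int read_control_header(const struct port_buffer *pb,
                        struct virtio_console_control *out)
{
    uintptr_t p = (uintptr_t)pb->buf + pb->offset;   /* no deref yet */
    if (pb->offset > pb->len || pb->len - pb->offset < sizeof *out) return -1;
    if (!in_registered_region(p, sizeof *out)) return -2;
    memcpy(out, (const void *)p, sizeof *out);
    return 0;
}

struct demo_result {
    int whole_struct_injection_refused;  /* checked harness rejects &pb */
    int oversize_injection_refused;      /* 100 bytes into a 96-byte region */
    int unchecked_struct_fuzz_corrupts;  /* original mistake: metadata changed */
    int unchecked_struct_fuzz_header_rc; /* consumer then fails (negative) */
    int payload_fuzz_keeps_metadata;     /* correct target: metadata intact */
    int payload_fuzz_header_rc;          /* consumer reads the fuzzed header */
};

struct demo_result run_demo(void)
{
    static char payload[96];  /* same size as the kmalloc-96 object in the report */
    struct port_buffer pb = { payload, sizeof payload, 16, 0 }, saved;
    struct virtio_console_control hdr;
    struct demo_result r;

    nregions = 0;
    register_region(payload, sizeof payload);

    /* 1. Checked harness: both mistakes are refused before any write. */
    r.whole_struct_injection_refused = !fuzz_inject(&pb, sizeof pb, 0x41);
    r.oversize_injection_refused = !fuzz_inject(payload, 100, 0x41);

    /* 2. The original harness: fuzz the struct handed back by the queue. */
    saved = pb;
    fuzz_fill(&pb, sizeof pb, 0x41);
    r.unchecked_struct_fuzz_corrupts = memcmp(&saved, &pb, sizeof pb) != 0;
    r.unchecked_struct_fuzz_header_rc = read_control_header(&pb, &hdr);

    /* 3. Correct target: only the bytes the device may legitimately write. */
    pb = saved;
    fuzz_inject(pb.buf, pb.len, 0x41);
    r.payload_fuzz_keeps_metadata = memcmp(&saved, &pb, sizeof pb) == 0;
    r.payload_fuzz_header_rc = read_control_header(&pb, &hdr);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("checked harness: struct refused=%d oversize refused=%d\n",
           r.whole_struct_injection_refused, r.oversize_injection_refused);
    printf("struct fuzz: metadata corrupted=%d header rc=%d\n",
           r.unchecked_struct_fuzz_corrupts, r.unchecked_struct_fuzz_header_rc);
    printf("payload fuzz: metadata intact=%d header rc=%d\n",
           r.payload_fuzz_keeps_metadata, r.payload_fuzz_header_rc);
    return 0;
}
```

The point of the registry is that the check does not trust the fields of the object being fuzzed: once the struct has been overwritten, its own buf/len/offset values are attacker-controlled (here, fuzzer-controlled) and cannot be used to decide where injection is safe. In a real harness the registered ranges would be recorded at the DMA-mapping or allocation point and the injection hook would consult them rather than the struct passed to virtqueue_get_buf().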