WARNING in __kernel_read (2)


syzbot

Sep 25, 2020, 10:58:18 PM
to linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Hello,

syzbot found the following issue on:

HEAD commit: b10b8ad8 Add linux-next specific files for 20200921
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1437eff1900000
kernel config: https://syzkaller.appspot.com/x/.config?x=3cf0782933432b43
dashboard link: https://syzkaller.appspot.com/bug?extid=51177e4144d764827c45
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10f9f08d900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13d67c81900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+51177e...@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 7028 at fs/read_write.c:440 __kernel_read+0x80e/0xa10 fs/read_write.c:440
Modules linked in:
CPU: 0 PID: 7028 Comm: syz-executor458 Not tainted 5.9.0-rc5-next-20200921-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__kernel_read+0x80e/0xa10 fs/read_write.c:440
Code: 8a e8 c6 97 12 02 31 ff 89 c3 89 c6 e8 2b ac b3 ff 85 db 0f 85 6e 3b 55 06 49 c7 c5 ea ff ff ff e9 bd fd ff ff e8 b2 af b3 ff <0f> 0b 49 c7 c5 ea ff ff ff e9 aa fd ff ff e8 9f af b3 ff 48 89 ea
RSP: 0018:ffffc90006027b38 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffffffff81c1715b
RDX: ffff888091eba480 RSI: ffffffff81c1787e RDI: 0000000000000005
RBP: 000000000008801c R08: 0000000000000001 R09: ffff888091ebad88
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880a16710c0
R13: 0000000000000001 R14: ffffc90006027d08 R15: ffff8880a1671144
FS: 00007efcd60f1700(0000) GS:ffff8880ae400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000a2dc5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
kernel_read+0x52/0x70 fs/read_write.c:471
kernel_read_file fs/exec.c:989 [inline]
kernel_read_file+0x2e5/0x620 fs/exec.c:952
kernel_read_file_from_fd+0x56/0xa0 fs/exec.c:1076
__do_sys_finit_module+0xe6/0x190 kernel/module.c:4066
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x44a639
Code: e8 bc b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b cc fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007efcd60f0db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 00000000006dbc68 RCX: 000000000044a639
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006dbc60 R08: 00007efcd60f1700 R09: 0000000000000000
R10: 00007efcd60f1700 R11: 0000000000000246 R12: 00000000006dbc6c
R13: 00007ffd3d8928ef R14: 00007efcd60f19c0 R15: 0000000000000001


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

David Laight

Sep 26, 2020, 7:15:36 AM
to syzbot, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
> From: syzbot <syzbot+51177e...@syzkaller.appspotmail.com>
> Sent: 26 September 2020 03:58
> To: linux-...@vger.kernel.org; linux-...@vger.kernel.org; syzkall...@googlegroups.com;
> vi...@zeniv.linux.org.uk
> Subject: WARNING in __kernel_read (2)

I suspect this is calling finit_module() on an fd
that doesn't have read permissions.

David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

David Laight

Sep 26, 2020, 9:17:08 AM
to David Laight, syzbot, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
From: David Laight
> Sent: 26 September 2020 12:16
> To: 'syzbot' <syzbot+51177e...@syzkaller.appspotmail.com>; linux-...@vger.kernel.org;
> linux-...@vger.kernel.org; syzkall...@googlegroups.com; vi...@zeniv.linux.org.uk
> Subject: RE: WARNING in __kernel_read (2)
>
> > From: syzbot <syzbot+51177e...@syzkaller.appspotmail.com>
> > Sent: 26 September 2020 03:58
> > To: linux-...@vger.kernel.org; linux-...@vger.kernel.org; syzkall...@googlegroups.com;
> > vi...@zeniv.linux.org.uk
> > Subject: WARNING in __kernel_read (2)
>
> I suspect this is calling finit_module() on an fd
> that doesn't have read permissions.

Code inspection also seems to imply that the check means
the exec() also requires read permissions on the file.

This isn't traditionally true.
suid #! scripts are particularly odd without 'owner read'
(everyone except the owner can run them!).

David

Eric Biggers

Sep 28, 2020, 6:14:45 PM
to Christoph Hellwig, David Laight, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Sat, Sep 26, 2020 at 01:17:04PM +0000, David Laight wrote:
> From: David Laight
> > Sent: 26 September 2020 12:16
> > To: 'syzbot' <syzbot+51177e...@syzkaller.appspotmail.com>; linux-...@vger.kernel.org;
> > linux-...@vger.kernel.org; syzkall...@googlegroups.com; vi...@zeniv.linux.org.uk
> > Subject: RE: WARNING in __kernel_read (2)
> >
> > > From: syzbot <syzbot+51177e...@syzkaller.appspotmail.com>
> > > Sent: 26 September 2020 03:58
> > > To: linux-...@vger.kernel.org; linux-...@vger.kernel.org; syzkall...@googlegroups.com;
> > > vi...@zeniv.linux.org.uk
> > > Subject: WARNING in __kernel_read (2)
> >
> > I suspect this is calling finit_module() on an fd
> > that doesn't have read permissions.
>
> Code inspection also seems to imply that the check means
> the exec() also requires read permissions on the file.
>
> This isn't traditionally true.
> suid #! scripts are particularly odd without 'owner read'
> (everyone except the owner can run them!).

Christoph, any thoughts here? You added this WARN_ON_ONCE in:

commit 61a707c543e2afe3aa7e88f87267c5dafa4b5afa
Author: Christoph Hellwig <h...@lst.de>
Date: Fri May 8 08:54:16 2020 +0200

fs: add a __kernel_read helper

Christoph Hellwig

Sep 29, 2020, 2:38:17 AM
to Eric Biggers, Christoph Hellwig, David Laight, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Linus asked for it. What is the call chain that we hit it with?

Eric Biggers

Sep 29, 2020, 2:46:51 AM
to Christoph Hellwig, David Laight, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Call Trace:
kernel_read+0x52/0x70 fs/read_write.c:471
kernel_read_file fs/exec.c:989 [inline]
kernel_read_file+0x2e5/0x620 fs/exec.c:952
kernel_read_file_from_fd+0x56/0xa0 fs/exec.c:1076
__do_sys_finit_module+0xe6/0x190 kernel/module.c:4066
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9

See the email from syzbot for the full details:
https://lkml.kernel.org/linux-fsdevel/000000000000da...@google.com

Christoph Hellwig

Sep 29, 2020, 2:56:03 AM
to Eric Biggers, Christoph Hellwig, David Laight, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Mon, Sep 28, 2020 at 11:46:48PM -0700, Eric Biggers wrote:
> > Linus asked for it. What is the call chain that we hit it with?
>
> Call Trace:
> kernel_read+0x52/0x70 fs/read_write.c:471
> kernel_read_file fs/exec.c:989 [inline]
> kernel_read_file+0x2e5/0x620 fs/exec.c:952
> kernel_read_file_from_fd+0x56/0xa0 fs/exec.c:1076
> __do_sys_finit_module+0xe6/0x190 kernel/module.c:4066
> do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> See the email from syzbot for the full details:
> https://lkml.kernel.org/linux-fsdevel/000000000000da...@google.com

Passing an fd without read permissions definitively looks bogus for
the finit_module syscall. So I think all we need is an extra check
to validate the fd.

David Laight

Sep 29, 2020, 4:06:36 AM
to Christoph Hellwig, Eric Biggers, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
From: Christoph Hellwig
> Sent: 29 September 2020 07:56
The syzbot test looked like it didn't even have a regular file.
I thought I saw a test for that - but it might be in a different path.

You do need to ensure that 'exec' doesn't need read access.

Dmitry Vyukov

Sep 29, 2020, 4:21:32 AM
to David Laight, Christoph Hellwig, Eric Biggers, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
On Tue, Sep 29, 2020 at 10:06 AM David Laight <David....@aculab.com> wrote:
>
> From: Christoph Hellwig
> > Sent: 29 September 2020 07:56
> >
> > On Mon, Sep 28, 2020 at 11:46:48PM -0700, Eric Biggers wrote:
> > > > Linus asked for it. What is the call chain that we hit it with?
> > >
> > > Call Trace:
> > > kernel_read+0x52/0x70 fs/read_write.c:471
> > > kernel_read_file fs/exec.c:989 [inline]
> > > kernel_read_file+0x2e5/0x620 fs/exec.c:952
> > > kernel_read_file_from_fd+0x56/0xa0 fs/exec.c:1076
> > > __do_sys_finit_module+0xe6/0x190 kernel/module.c:4066
> > > do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > See the email from syzbot for the full details:
> > > https://lkml.kernel.org/linux-fsdevel/000000000000da...@google.com
> >
> > Passing an fd without read permissions definitively looks bogus for
> > the finit_module syscall. So I think all we need is an extra check
> > to validate the fd.
>
> The syzbot test looked like it didn't even have a regular file.
> I thought I saw a test for that - but it might be in a different path.
>
> You do need to ensure that 'exec' doesn't need read access.

The test tried to load a module from /dev/input/mouse

r2 = syz_open_dev$mouse(&(0x7f0000000000)='/dev/input/mouse#\x00',
0x101, 0x109887)
finit_module(r2, 0x0, 0x0)

because... why not? Everything is a file! :)

Christoph Hellwig

Sep 29, 2020, 6:21:55 AM
to Dmitry Vyukov, David Laight, Christoph Hellwig, Eric Biggers, syzbot+51177e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, vi...@zeniv.linux.org.uk
Yes, syzbot is fine here. It is the modules code that needs to better
verify the fd.
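As an added illustration (not the kernel's code and not the fix that followed this thread): a small userspace C program showing the kind of descriptor validation Christoph's "extra check to validate the fd" and Dmitry's reproducer details point at. Before a loader treats a caller-supplied fd as an image to read, it confirms the descriptor is open for reading (fcntl F_GETFL, O_ACCMODE) and refers to a regular file (fstat, S_ISREG), which covers both the write-only descriptor David suspected and the character device the syz program actually passed. The function names, the temporary file and its sample bytes are constructed for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Validate a caller-supplied descriptor before reading it as an "image".
 * Returns 0 when the fd is open for reading and refers to a regular file,
 * otherwise a negative errno:
 *   -EBADF  invalid descriptor, or not open for reading (O_WRONLY)
 *   -EINVAL readable, but not a regular file (device, pipe, socket, ...)
 * Hypothetical name: this is an illustration, not the kernel's check. */
int validate_readable_regular_fd(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0)
        return -errno;                      /* EBADF for a closed/invalid fd */

    int acc = flags & O_ACCMODE;
    if (acc != O_RDONLY && acc != O_RDWR)
        return -EBADF;                      /* write-only: read() would fail too */

    struct stat st;
    if (fstat(fd, &st) < 0)
        return -errno;
    if (!S_ISREG(st.st_mode))
        return -EINVAL;                     /* e.g. a char device such as /dev/input/mouse0 */

    return 0;
}

/* Create an unlinked temporary regular file holding a few constructed bytes
 * and return it reopened with the requested flags (or -1 on failure). */
static int open_temp_regular(int flags)
{
    char path[] = "/tmp/fdcheck_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    const char payload[] = "constructed sample bytes, not a real module image";
    if (write(fd, payload, sizeof(payload) - 1) != (ssize_t)(sizeof(payload) - 1)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    fd = open(path, flags);
    unlink(path);                           /* the data lives on while fd is open */
    return fd;
}

/* One helper per scenario so each outcome can be checked by name. */
int demo_readonly_regular(void)             /* expected: 0 */
{
    int fd = open_temp_regular(O_RDONLY);
    if (fd < 0)
        return -errno;
    int rc = validate_readable_regular_fd(fd);
    close(fd);
    return rc;
}

int demo_writeonly_regular(void)            /* expected: -EBADF */
{
    int fd = open_temp_regular(O_WRONLY);
    if (fd < 0)
        return -errno;
    int rc = validate_readable_regular_fd(fd);
    close(fd);
    return rc;
}

int demo_readable_chardev(void)             /* expected: -EINVAL */
{
    int fd = open("/dev/null", O_RDONLY);   /* readable, but a character device */
    if (fd < 0)
        return -errno;
    int rc = validate_readable_regular_fd(fd);
    close(fd);
    return rc;
}

int demo_closed_fd(void)                    /* expected: -EBADF */
{
    int fd = open_temp_regular(O_RDONLY);
    if (fd < 0)
        return -errno;
    close(fd);
    return validate_readable_regular_fd(fd);
}

static void report(const char *what, int rc)
{
    printf("%-26s -> %d%s%s\n", what, rc, rc ? " " : "", rc ? strerror(-rc) : "");
}

int main(void)
{
    report("read-only regular file", demo_readonly_regular());
    report("write-only regular file", demo_writeonly_regular());
    report("readable char device", demo_readable_chardev());
    report("closed descriptor", demo_closed_fd());
    return 0;
}
```

The order of the checks is deliberate: a descriptor that is not open for reading is rejected with -EBADF before its file type is examined, which is the same error a read() on it would produce, while a readable but non-regular file is rejected with -EINVAL. Any privileged loader that accepts a descriptor from a less trusted caller wants both checks up front rather than relying on a later warning from the read path.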