x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

PlaidCat · PlaidCat · commit b3b9dc5355c5 · 2024-09-12T12:19:24.000-04:00
jira LE-1907 cve CVE-2024-26906 Rebuild_History Non-Buildable kernel-4.18.0-553.8.1.el8_10 commit-author Hou Tao <houtao1@huawei.com> commit 32019c6 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.8.1.el8_10/32019c65.failed When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault(). Originally-by: Thomas Gleixner <tglx@linutronix.de> Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com Reported-by: xingwei lee <xrivendell7@gmail.com> Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com Signed-off-by: Hou Tao <houtao1@huawei.com> Reviewed-by: Sohil Mehta <sohil.mehta@intel.com> Acked-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/r/20240202103935.3154011-3-houtao@huaweicloud.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit 32019c6) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # arch/x86/mm/maccess.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.8.1.el8_10/32019c65.failed b/ciq/ciq_backports/kernel-4.18.0-553.8.1.el8_10/32019c65.failed
@@ -0,0 +1,145 @@
+x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
+
+jira LE-1907
+cve CVE-2024-26906
+Rebuild_History Non-Buildable kernel-4.18.0-553.8.1.el8_10
+commit-author Hou Tao <houtao1@huawei.com>
+commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.8.1.el8_10/32019c65.failed
+
+When trying to use copy_from_kernel_nofault() to read vsyscall page
+through a bpf program, the following oops was reported:
+
+  BUG: unable to handle page fault for address: ffffffffff600000
+  #PF: supervisor read access in kernel mode
+  #PF: error_code(0x0000) - not-present page
+  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
+  Oops: 0000 [#1] PREEMPT SMP PTI
+  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
+  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
+  ......
+  Call Trace:
+   <TASK>
+   ? copy_from_kernel_nofault+0x6f/0x110
+   bpf_probe_read_kernel+0x1d/0x50
+   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
+   trace_call_bpf+0xc5/0x1c0
+   perf_call_bpf_enter.isra.0+0x69/0xb0
+   perf_syscall_enter+0x13e/0x200
+   syscall_trace_enter+0x188/0x1c0
+   do_syscall_64+0xb5/0xe0
+   entry_SYSCALL_64_after_hwframe+0x6e/0x76
+   </TASK>
+  ......
+  ---[ end trace 0000000000000000 ]---
+
+The oops is triggered when:
+
+1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
+page and invokes copy_from_kernel_nofault() which in turn calls
+__get_user_asm().
+
+2) Because the vsyscall page address is not readable from kernel space,
+a page fault exception is triggered accordingly.
+
+3) handle_page_fault() considers the vsyscall page address as a user
+space address instead of a kernel space address. This results in the
+fix-up setup by bpf not being applied and a page_fault_oops() is invoked
+due to SMAP.
+
+Considering handle_page_fault() has already considered the vsyscall page
+address as a userspace address, fix the problem by disallowing vsyscall
+page read for copy_from_kernel_nofault().
+
+Originally-by: Thomas Gleixner <tglx@linutronix.de>
+	Reported-by: syzbot+72aa0161922eba61b50e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/CAG48ez06TZft=ATH1qh2c5mpS5BT8UakwNkzi6nvK5_djC-4Nw@mail.gmail.com
+	Reported-by: xingwei lee <xrivendell7@gmail.com>
+Closes: https://lore.kernel.org/bpf/CABOYnLynjBoFZOf3Z4BhaZkc5hx_kHfsjiW+UWLoB=w33LvScw@mail.gmail.com
+	Signed-off-by: Hou Tao <houtao1@huawei.com>
+	Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
+	Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20240202103935.3154011-3-houtao@huaweicloud.com
+	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+(cherry picked from commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	arch/x86/mm/maccess.c
+diff --cc arch/x86/mm/maccess.c
+index e3b7882e4a9a,42115ac079cf..000000000000
+--- a/arch/x86/mm/maccess.c
++++ b/arch/x86/mm/maccess.c
+@@@ -3,36 -3,41 +3,61 @@@
+  #include <linux/uaccess.h>
+  #include <linux/kernel.h>
+  
++ #include <asm/vsyscall.h>
++ 
+  #ifdef CONFIG_X86_64
+ -bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
+ +static __always_inline bool invalid_probe_range(u64 vaddr)
+  {
+ -	unsigned long vaddr = (unsigned long)unsafe_src;
+ -
+  	/*
+ -	 * Do not allow userspace addresses.  This disallows
+ -	 * normal userspace and the userspace guard page:
+ +	 * Range covering the highest possible canonical userspace address
+ +	 * as well as non-canonical address range. For the canonical range
+ +	 * we also need to include the userspace guard page.
+  	 */
+++<<<<<<< HEAD
+ +	return vaddr < TASK_SIZE_MAX + PAGE_SIZE ||
+ +	       !__is_canonical_address(vaddr, boot_cpu_data.x86_virt_bits);
+++=======
++ 	if (vaddr < TASK_SIZE_MAX + PAGE_SIZE)
++ 		return false;
++ 
++ 	/*
++ 	 * Reading from the vsyscall page may cause an unhandled fault in
++ 	 * certain cases.  Though it is at an address above TASK_SIZE_MAX, it is
++ 	 * usually considered as a user space address.
++ 	 */
++ 	if (is_vsyscall_vaddr(vaddr))
++ 		return false;
++ 
++ 	/*
++ 	 * Allow everything during early boot before 'x86_virt_bits'
++ 	 * is initialized.  Needed for instruction decoding in early
++ 	 * exception handlers.
++ 	 */
++ 	if (!boot_cpu_data.x86_virt_bits)
++ 		return true;
++ 
++ 	return __is_canonical_address(vaddr, boot_cpu_data.x86_virt_bits);
+++>>>>>>> 32019c659ecf (x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault())
+  }
+  #else
+ -bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
+ +static __always_inline bool invalid_probe_range(u64 vaddr)
+  {
+ -	return (unsigned long)unsafe_src >= TASK_SIZE_MAX;
+ +	return vaddr < TASK_SIZE_MAX;
+  }
+  #endif
+ +
+ +long probe_kernel_read_strict(void *dst, const void *src, size_t size)
+ +{
+ +	if (unlikely(invalid_probe_range((unsigned long)src)))
+ +		return -EFAULT;
+ +
+ +	return __probe_kernel_read(dst, src, size);
+ +}
+ +
+ +long strncpy_from_unsafe_strict(char *dst, const void *unsafe_addr, long count)
+ +{
+ +	if (unlikely(invalid_probe_range((unsigned long)unsafe_addr)))
+ +		return -EFAULT;
+ +
+ +	return __strncpy_from_unsafe(dst, unsafe_addr, count);
+ +}
+* Unmerged path arch/x86/mm/maccess.c
