* [PATCH] io_uring: annotate the struct io_kiocb slab for appropriate user copy
@ 2023-08-02 20:42 Jens Axboe
From: Jens Axboe @ 2023-08-02 20:42 UTC
To: io-uring; +Cc: Breno Leitao
When compiling the kernel with clang and having HARDENED_USERCOPY
enabled, the liburing openat2.t test case fails during request setup:
usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 3 PID: 413 Comm: openat2.t Tainted: G N 6.4.3-g6995e2de6891-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
RIP: 0010:usercopy_abort+0x84/0x90
Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
Call Trace:
<TASK>
? __die_body+0x63/0xb0
? die+0x9d/0xc0
? do_trap+0xa7/0x180
? usercopy_abort+0x84/0x90
? do_error_trap+0xc6/0x110
? usercopy_abort+0x84/0x90
? handle_invalid_op+0x2c/0x40
? usercopy_abort+0x84/0x90
? exc_invalid_op+0x2f/0x40
? asm_exc_invalid_op+0x16/0x20
? usercopy_abort+0x84/0x90
__check_heap_object+0xe2/0x110
__check_object_size+0x142/0x3d0
io_openat2_prep+0x68/0x140
io_submit_sqes+0x28a/0x680
__se_sys_io_uring_enter+0x120/0x580
do_syscall_64+0x3d/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x55714834de26
Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:usercopy_abort+0x84/0x90
Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception ]---
when it tries to copy struct open_how from userspace into the per-command
space in the io_kiocb. There's nothing wrong with the copy, but we're
missing the appropriate annotations for allowing user copies to/from the
io_kiocb slab.
Allow copies in the per-command area, which is from the 'file' pointer to
when 'opcode' starts. We do have existing user copies there, but they are
not all annotated like the one that openat2_prep() uses,
copy_struct_from_user(). But in practice opcodes should be allowed to
copy data into their per-command area in the io_kiocb.
Reported-by: Breno Leitao <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
---
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 135da2fd0eda..d8e69461786d 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4627,8 +4627,20 @@ static int __init io_uring_init(void)
io_uring_optable_init();
- req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
- SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
+ /*
+ * Allow user copy in the per-command field, which starts after the
+ * file in io_kiocb and until the opcode field. The openat2 handling
+ * requires copying in user memory into the io_kiocb object in that
+ * range, and HARDENED_USERCOPY will complain if we haven't
+ * correctly annotated this range.
+ */
+ req_cachep = kmem_cache_create_usercopy("io_kiocb",
+ sizeof(struct io_kiocb), 0,
+ SLAB_HWCACHE_ALIGN | SLAB_PANIC |
+ SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
+ offsetof(struct io_kiocb, cmd.data),
+ offsetof(struct io_kiocb, opcode) -
+ offsetof(struct io_kiocb, cmd.data), NULL);
#ifdef CONFIG_SYSCTL
register_sysctl_init("kernel", kernel_io_uring_disabled_table);
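Review bot: the usersize expression `offsetof(struct io_kiocb, opcode) - offsetof(struct io_kiocb, cmd.data)` in this hunk whitelists everything between cmd.data and opcode, which only equals the per-command buffer as long as nothing (a new field, or alignment padding) is ever placed between them; if the layout changes, the whitelist silently widens and HARDENED_USERCOPY stops covering the new bytes. Size the region by the field itself with `sizeof_field(struct io_kiocb, cmd.data)` and, since the comment promises the range ends where opcode starts, add `BUILD_BUG_ON(offsetof(struct io_kiocb, opcode) != offsetof(struct io_kiocb, cmd.data) + sizeof_field(struct io_kiocb, cmd.data))` beside it so that assumption is checked at build time instead of being left to the comment.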
--
Jens Axboe
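To make the mechanism behind the oops concrete, here is a userspace model of the slab usercopy whitelist that kmem_cache_create_usercopy() configures. This is an added example, not kernel code and not part of the thread: the structs are simplified stand-ins for io_kiocb and io_cmd_data (the 56-byte data area is this model's choice; the real size is not stated on the page), the check function mirrors the slab-side test the oops trace shows in __check_heap_object(), and the offset/size pair 24/24 is taken from the oops line "(offset 24, size 24)". The three cache descriptors reproduce the unannotated KMEM_CACHE() state, the v1 size formula, and Pavel's sizeof_field() variant, and a _Static_assert pins the layout assumption v1 relied on.

```c
/*
 * Userspace model of the HARDENED_USERCOPY slab whitelist that the patch
 * configures with kmem_cache_create_usercopy(). Added example; the structs
 * below are simplified stand-ins for the kernel's, not copies of them.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same definition as the kernel macro in include/linux/stddef.h */
#define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER))

/* Assumed per-command layout: a file pointer followed by an opaque data
 * area that each opcode overlays with its own struct. The 56 is a model
 * choice; the real size is not stated on this page. */
struct model_cmd_data {
	void   *file;
	uint8_t data[56];
};

/* Assumed request layout: the per-command union, then the opcode. */
struct model_kiocb {
	union {
		void                 *file;
		struct model_cmd_data cmd;
	};
	uint8_t  opcode;
	uint8_t  flags;
	uint64_t user_data; /* filler so the object is larger than the union */
};

/* The part of a kmem_cache that hardened usercopy consults */
struct model_cache {
	const char *name;
	size_t      object_size;
	size_t      useroffset; /* start of whitelisted region */
	size_t      usersize;   /* length of whitelisted region; 0 = nothing allowed */
};

/* What plain KMEM_CACHE() gives you: no whitelist at all */
const struct model_cache cache_unannotated = {
	"io_kiocb", sizeof(struct model_kiocb), 0, 0,
};

/* v1 of the patch: size computed as "up to opcode" */
const struct model_cache cache_v1 = {
	"io_kiocb", sizeof(struct model_kiocb),
	offsetof(struct model_kiocb, cmd.data),
	offsetof(struct model_kiocb, opcode) - offsetof(struct model_kiocb, cmd.data),
};

/* v2 of the patch: size taken from the field itself */
const struct model_cache cache_v2 = {
	"io_kiocb", sizeof(struct model_kiocb),
	offsetof(struct model_kiocb, cmd.data),
	sizeof_field(struct model_kiocb, cmd.data),
};

/* Pin the assumption v1 relied on: nothing sits between cmd.data and opcode. */
_Static_assert(offsetof(struct model_kiocb, opcode) ==
	       offsetof(struct model_kiocb, cmd.data) +
	       sizeof_field(struct model_kiocb, cmd.data),
	       "per-command area must end exactly where opcode begins");

/*
 * Mirror of the slab-side test in __check_heap_object(): a copy of n bytes
 * at byte `offset` into the object is allowed only if it lies entirely
 * inside [useroffset, useroffset + usersize). The test is direction-agnostic:
 * copy_to_user and copy_from_user get the same answer.
 */
bool usercopy_allowed(const struct model_cache *c, size_t offset, size_t n)
{
	/* Outside the object entirely: never allowed. */
	if (offset >= c->object_size || n > c->object_size - offset)
		return false;
	/* Inside the whitelist window? */
	return offset >= c->useroffset &&
	       offset - c->useroffset <= c->usersize &&
	       n <= c->useroffset + c->usersize - offset;
}

/* Emulates the first line of the oops on this page; returns 0 on abort, 1 on success */
int model_copy_from_user(const struct model_cache *c, size_t offset, size_t n)
{
	if (!usercopy_allowed(c, offset, n)) {
		printf("usercopy: Kernel memory overwrite attempt detected to "
		       "SLUB object '%s' (offset %zu, size %zu)!\n",
		       c->name, offset, n);
		return 0;
	}
	return 1;
}

int main(void)
{
	/* Constructed from the oops: struct open_how landed at offset 24, 24 bytes. */
	const size_t how_off = 24, how_len = 24;

	model_copy_from_user(&cache_unannotated, how_off, how_len); /* trips, as in the oops */
	model_copy_from_user(&cache_v2, how_off, how_len);          /* allowed after the patch */
	/* A copy that would reach past cmd.data into opcode is still refused. */
	model_copy_from_user(&cache_v2, offsetof(struct model_kiocb, opcode), 1);
	return 0;
}
```

The point worth noticing is the last call: the whitelist is a window, not a per-copy exemption, so a handler that overlays a struct larger than the per-command area still aborts, while the leading file pointer and everything from opcode onward remain off limits in both copy directions.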
* Re: [PATCH] io_uring: annotate the struct io_kiocb slab for appropriate user copy
@ 2023-08-02 23:30 ` Pavel Begunkov
From: Pavel Begunkov @ 2023-08-02 23:30 UTC
To: Jens Axboe, io-uring; +Cc: Breno Leitao
On 8/2/23 21:42, Jens Axboe wrote:
> When compiling the kernel with clang and having HARDENED_USERCOPY
> enabled, the liburing openat2.t test case fails during request setup:
>
> usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102!
> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> CPU: 3 PID: 413 Comm: openat2.t Tainted: G N 6.4.3-g6995e2de6891-dirty #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
> RIP: 0010:usercopy_abort+0x84/0x90
> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
> FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
> Call Trace:
> <TASK>
> ? __die_body+0x63/0xb0
> ? die+0x9d/0xc0
> ? do_trap+0xa7/0x180
> ? usercopy_abort+0x84/0x90
> ? do_error_trap+0xc6/0x110
> ? usercopy_abort+0x84/0x90
> ? handle_invalid_op+0x2c/0x40
> ? usercopy_abort+0x84/0x90
> ? exc_invalid_op+0x2f/0x40
> ? asm_exc_invalid_op+0x16/0x20
> ? usercopy_abort+0x84/0x90
> __check_heap_object+0xe2/0x110
> __check_object_size+0x142/0x3d0
> io_openat2_prep+0x68/0x140
> io_submit_sqes+0x28a/0x680
> __se_sys_io_uring_enter+0x120/0x580
> do_syscall_64+0x3d/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
> RIP: 0033:0x55714834de26
> Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
> RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
> RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
> R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
> R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:usercopy_abort+0x84/0x90
> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
> FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
> Kernel panic - not syncing: Fatal exception
> Kernel Offset: disabled
> ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> when it tries to copy struct open_how from userspace into the per-command
> space in the io_kiocb. There's nothing wrong with the copy, but we're
> missing the appropriate annotations for allowing user copies to/from the
> io_kiocb slab.
>
> Allow copies in the per-command area, which is from the 'file' pointer to
> when 'opcode' starts. We do have existing user copies there, but they are
> not all annotated like the one that openat2_prep() uses,
> copy_struct_from_user(). But in practice opcodes should be allowed to
> copy data into their per-command area in the io_kiocb.
>
> Reported-by: Breno Leitao <[email protected]>
> Signed-off-by: Jens Axboe <[email protected]>
>
> ---
>
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 135da2fd0eda..d8e69461786d 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -4627,8 +4627,20 @@ static int __init io_uring_init(void)
>
> io_uring_optable_init();
>
> - req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
> - SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
> + /*
> + * Allow user copy in the per-command field, which starts after the
> + * file in io_kiocb and until the opcode field. The openat2 handling
> + * requires copying in user memory into the io_kiocb object in that
> + * range, and HARDENED_USERCOPY will complain if we haven't
> + * correctly annotated this range.
> + */
> + req_cachep = kmem_cache_create_usercopy("io_kiocb",
> + sizeof(struct io_kiocb), 0,
> + SLAB_HWCACHE_ALIGN | SLAB_PANIC |
> + SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
> + offsetof(struct io_kiocb, cmd.data),
> + offsetof(struct io_kiocb, opcode) -
> + offsetof(struct io_kiocb, cmd.data), NULL);
sizeof_field(struct io_kiocb, cmd.data)
should be less awkward
--
Pavel Begunkov
* Re: [PATCH] io_uring: annotate the struct io_kiocb slab for appropriate user copy
@ 2023-08-03 1:34 ` Jens Axboe
From: Jens Axboe @ 2023-08-03 1:34 UTC
To: Pavel Begunkov, io-uring; +Cc: Breno Leitao
On 8/2/23 5:30 PM, Pavel Begunkov wrote:
> On 8/2/23 21:42, Jens Axboe wrote:
>> When compiling the kernel with clang and having HARDENED_USERCOPY
>> enabled, the liburing openat2.t test case fails during request setup:
>>
>> usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
>> ------------[ cut here ]------------
>> kernel BUG at mm/usercopy.c:102!
>> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
>> CPU: 3 PID: 413 Comm: openat2.t Tainted: G N 6.4.3-g6995e2de6891-dirty #19
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
>> RIP: 0010:usercopy_abort+0x84/0x90
>> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
>> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
>> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
>> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
>> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
>> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
>> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
>> FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
>> Call Trace:
>> <TASK>
>> ? __die_body+0x63/0xb0
>> ? die+0x9d/0xc0
>> ? do_trap+0xa7/0x180
>> ? usercopy_abort+0x84/0x90
>> ? do_error_trap+0xc6/0x110
>> ? usercopy_abort+0x84/0x90
>> ? handle_invalid_op+0x2c/0x40
>> ? usercopy_abort+0x84/0x90
>> ? exc_invalid_op+0x2f/0x40
>> ? asm_exc_invalid_op+0x16/0x20
>> ? usercopy_abort+0x84/0x90
>> __check_heap_object+0xe2/0x110
>> __check_object_size+0x142/0x3d0
>> io_openat2_prep+0x68/0x140
>> io_submit_sqes+0x28a/0x680
>> __se_sys_io_uring_enter+0x120/0x580
>> do_syscall_64+0x3d/0x80
>> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>> RIP: 0033:0x55714834de26
>> Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
>> RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
>> RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
>> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
>> R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
>> R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
>> </TASK>
>> Modules linked in:
>> ---[ end trace 0000000000000000 ]---
>> RIP: 0010:usercopy_abort+0x84/0x90
>> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
>> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
>> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
>> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
>> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
>> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
>> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
>> FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
>> Kernel panic - not syncing: Fatal exception
>> Kernel Offset: disabled
>> ---[ end Kernel panic - not syncing: Fatal exception ]---
>>
>> when it tries to copy struct open_how from userspace into the per-command
>> space in the io_kiocb. There's nothing wrong with the copy, but we're
>> missing the appropriate annotations for allowing user copies to/from the
>> io_kiocb slab.
>>
>> Allow copies in the per-command area, which is from the 'file' pointer to
>> when 'opcode' starts. We do have existing user copies there, but they are
>> not all annotated like the one that openat2_prep() uses,
>> copy_struct_from_user(). But in practice opcodes should be allowed to
>> copy data into their per-command area in the io_kiocb.
>>
>> Reported-by: Breno Leitao <[email protected]>
>> Signed-off-by: Jens Axboe <[email protected]>
>>
>> ---
>>
>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
>> index 135da2fd0eda..d8e69461786d 100644
>> --- a/io_uring/io_uring.c
>> +++ b/io_uring/io_uring.c
>> @@ -4627,8 +4627,20 @@ static int __init io_uring_init(void)
>> io_uring_optable_init();
>> - req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
>> - SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
>> + /*
>> + * Allow user copy in the per-command field, which starts after the
>> + * file in io_kiocb and until the opcode field. The openat2 handling
>> + * requires copying in user memory into the io_kiocb object in that
>> + * range, and HARDENED_USERCOPY will complain if we haven't
>> + * correctly annotated this range.
>> + */
>> + req_cachep = kmem_cache_create_usercopy("io_kiocb",
>> + sizeof(struct io_kiocb), 0,
>> + SLAB_HWCACHE_ALIGN | SLAB_PANIC |
>> + SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
>> + offsetof(struct io_kiocb, cmd.data),
>> + offsetof(struct io_kiocb, opcode) -
>> + offsetof(struct io_kiocb, cmd.data), NULL);
>
> sizeof_field(struct io_kiocb, cmd.data)
>
> should be less awkward
Ah yes, good point. Updated below:
commit 8c57ecb0f5e58bcff0a8b7e984b77b261440b8c3
Author: Jens Axboe <[email protected]>
Date: Wed Aug 2 14:38:01 2023 -0600
io_uring: annotate the struct io_kiocb slab for appropriate user copy
When compiling the kernel with clang and having HARDENED_USERCOPY
enabled, the liburing openat2.t test case fails during request setup:
usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 3 PID: 413 Comm: openat2.t Tainted: G N 6.4.3-g6995e2de6891-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
RIP: 0010:usercopy_abort+0x84/0x90
Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
FS: 00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
Call Trace:
<TASK>
? __die_body+0x63/0xb0
? die+0x9d/0xc0
? do_trap+0xa7/0x180
? usercopy_abort+0x84/0x90
? do_error_trap+0xc6/0x110
? usercopy_abort+0x84/0x90
? handle_invalid_op+0x2c/0x40
? usercopy_abort+0x84/0x90
? exc_invalid_op+0x2f/0x40
? asm_exc_invalid_op+0x16/0x20
? usercopy_abort+0x84/0x90
__check_heap_object+0xe2/0x110
__check_object_size+0x142/0x3d0
io_openat2_prep+0x68/0x140
io_submit_sqes+0x28a/0x680
__se_sys_io_uring_enter+0x120/0x580
do_syscall_64+0x3d/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x55714834de26
Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
when it tries to copy struct open_how from userspace into the per-command
space in the io_kiocb. There's nothing wrong with the copy, but we're
missing the appropriate annotations for allowing user copies to/from the
io_kiocb slab.
Allow copies in the per-command area, which is from the 'file' pointer to
when 'opcode' starts. We do have existing user copies there, but they are
not all annotated like the one that openat2_prep() uses,
copy_struct_from_user(). But in practice opcodes should be allowed to
copy data into their per-command area in the io_kiocb.
Reported-by: Breno Leitao <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 135da2fd0eda..e70cf5c2dc7f 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4627,8 +4627,19 @@ static int __init io_uring_init(void)
io_uring_optable_init();
- req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
- SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
+ /*
+ * Allow user copy in the per-command field, which starts after the
+ * file in io_kiocb and until the opcode field. The openat2 handling
+ * requires copying in user memory into the io_kiocb object in that
+ * range, and HARDENED_USERCOPY will complain if we haven't
+ * correctly annotated this range.
+ */
+ req_cachep = kmem_cache_create_usercopy("io_kiocb",
+ sizeof(struct io_kiocb), 0,
+ SLAB_HWCACHE_ALIGN | SLAB_PANIC |
+ SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
+ offsetof(struct io_kiocb, cmd.data),
+ sizeof_field(struct io_kiocb, cmd.data), NULL);
#ifdef CONFIG_SYSCTL
register_sysctl_init("kernel", kernel_io_uring_disabled_table);
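Review bot: the comment in this hunk presents the whitelist as something "the openat2 handling requires", but the commit message says other opcodes already copy user data into the per-command area without the annotation, and a slab usercopy whitelist is symmetric: it permits copy_to_user out of cmd.data just as it permits copy_from_user into it. Reword the comment to state the policy rather than the one trigger, for example "opcode prep/issue handlers may copy user data to and from cmd.data; no other part of io_kiocb is a valid usercopy target", so a future handler that stages user data elsewhere in the request is caught in review instead of only when HARDENED_USERCOPY trips at runtime.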
--
Jens Axboe