Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git mmap-clear-setid
commit b953933104b23dc80a166b3c2bdc9c8fe077c8a3
Author: Kees Cook <keescook(a)chromium.org>
AuthorDate: Thu Nov 19 12:14:53 2015 -0800
Commit: Kees Cook <keescook(a)chromium.org>
CommitDate: Wed Dec 2 16:08:26 2015 -0800
fs: clear file privilege bits when mmap writing
Normally, when a user can modify a file that has setuid or setgid bits,
those bits are cleared when they are not the file owner or a member
of the group. This is enforced when using write and truncate but not
when writing to a shared mmap on the file. This could allow the file
writer to gain privileges by changing a binary without losing the
setuid/setgid/caps bits.
Changing the bits requires holding inode->i_mutex, so it cannot be done
during the page fault (due to mmap_sem being held during the fault).
Instead, clear the bits if PROT_WRITE is being used at mmap time.
Signed-off-by: Kees Cook <keescook(a)chromium.org>
Cc: stable(a)vger.kernel.org
+----------------------------------------------------+------------+------------+------------+
|                                                    | 25364a9e54 | b953933104 | 9aea286229 |
+----------------------------------------------------+------------+------------+------------+
| boot_successes                                     | 1699       | 65         | 8          |
| boot_failures                                      | 3          | 17         | 5          |
| page_allocation_failure:order:#,mode               | 1          | 1          |            |
| warn_alloc_failed+0x                               | 1          | 1          |            |
| Mem-Info                                           | 1          | 1          |            |
| invoked_oom-killer:gfp_mask=0x                     | 1          | 1          |            |
| Out_of_memory:Kill_process                         | 1          | 1          |            |
| backtrace:ring_buffer_consumer_thread              | 1          | 1          |            |
| backtrace:__mm_populate                            | 1          | 1          |            |
| backtrace:SyS_mlockall                             | 1          | 1          |            |
| IP-Config:Auto-configuration_of_network_failed     | 2          | 2          |            |
| INFO:possible_circular_locking_dependency_detected | 0          | 14         | 5          |
| backtrace:SyS_remap_file_pages                     | 0          | 14         | 5          |
| backtrace:iterate_dir                              | 0          | 14         | 5          |
| backtrace:SyS_getdents64                           | 0          | 14         | 5          |
| backtrace:do_mmap                                  | 0          | 14         | 5          |
+----------------------------------------------------+------------+------------+------------+
[ 37.702184] mmap: trinity-c0 (742) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
[ 37.734059]
[ 37.734380] ======================================================
[ 37.735417] [ INFO: possible circular locking dependency detected ]
[ 37.739704] 4.4.0-rc3-00025-gb953933 #21 Not tainted
[ 37.740401] -------------------------------------------------------
[ 37.741286] trinity-c0/742 is trying to acquire lock:
[ 37.741982] (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [<811c3b34>] do_mmap+0x544/0x670
[ 37.752562]
[ 37.752562] but task is already holding lock:
[ 37.753442] (&mm->mmap_sem){++++++}, at: [<811c3d70>] SyS_remap_file_pages+0xe0/0x350
[ 37.754782]
[ 37.754782] which lock already depends on the new lock.
[ 37.754782]
[ 37.762868]
[ 37.762868] the existing dependency chain (in reverse order) is:
[ 37.764056]
-> #1 (&mm->mmap_sem){++++++}:
[ 37.764827] [<810bd1cc>] lock_acquire+0xac/0x1c0
[ 37.765628] [<811b4d7e>] __might_fault+0xae/0xd0
[ 37.786463] [<8121ad0c>] filldir64+0x14c/0x1f0
[ 37.787214] [<8123acde>] dcache_readdir+0x1ee/0x2f0
[ 37.787991] [<8121a6dc>] iterate_dir+0xcc/0x1e0
[ 37.788711] [<8121b177>] SyS_getdents64+0xf7/0x1f0
[ 37.808520] [<81002a9e>] do_fast_syscall_32+0x26e/0x480
[ 37.809466] [<815a5b39>] sysenter_past_esp+0x42/0x79
[ 37.810395]
-> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}:
[ 37.811392] [<810bcba8>] __lock_acquire+0x1b38/0x1c20
[ 37.816425] [<810bd1cc>] lock_acquire+0xac/0x1c0
[ 37.820696] [<8159f6b7>] mutex_lock_nested+0x47/0x570
[ 37.821592] [<811c3b34>] do_mmap+0x544/0x670
[ 37.822361] [<811c3e8f>] SyS_remap_file_pages+0x1ff/0x350
[ 37.823350] [<81002a9e>] do_fast_syscall_32+0x26e/0x480
[ 37.824318] [<815a5b39>] sysenter_past_esp+0x42/0x79
[ 37.837365]
[ 37.837365] other info that might help us debug this:
[ 37.837365]
[ 37.838654] Possible unsafe locking scenario:
[ 37.838654]
[ 37.839581]        CPU0                    CPU1
[ 37.840262]        ----                    ----
[ 37.840955]   lock(&mm->mmap_sem);
[ 37.850881]                                lock(&sb->s_type->i_mutex_key#8);
[ 37.851792]                                lock(&mm->mmap_sem);
[ 37.852561]   lock(&sb->s_type->i_mutex_key#8);
[ 37.853177]
[ 37.853177] *** DEADLOCK ***
[ 37.853177]
[ 37.853884] 1 lock held by trinity-c0/742:
[ 37.854386] #0: (&mm->mmap_sem){++++++}, at: [<811c3d70>] SyS_remap_file_pages+0xe0/0x350
[ 37.855491]
[ 37.855491] stack backtrace:
[ 37.856043] CPU: 0 PID: 742 Comm: trinity-c0 Not tainted 4.4.0-rc3-00025-gb953933 #21
[ 37.856987] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[ 37.858051] 00000001 81f42f30 867ebe04 812ddc81 867ebe34 810b8170 81819717 818196a8
[ 37.870829] 8181968b 818196a0 8181968b 867ebe6c 897d84c0 897d8980 897d8964 00000001
[ 37.872346] 867ebe9c 810bcba8 897d8964 00000001 897d8980 81b06d38 00000000 00000001
[ 37.873793] Call Trace:
[ 37.874219] [<812ddc81>] dump_stack+0x16/0x25
[ 37.874954] [<810b8170>] print_circular_bug+0x190/0x280
[ 37.875805] [<810bcba8>] __lock_acquire+0x1b38/0x1c20
[ 37.880753] [<810ba7d6>] ? __lock_is_held+0x46/0x70
[ 37.881682] [<810bd1cc>] lock_acquire+0xac/0x1c0
[ 37.882456] [<811c3b34>] ? do_mmap+0x544/0x670
[ 37.883163] [<8159f6b7>] mutex_lock_nested+0x47/0x570
[ 37.883946] [<811c3b34>] ? do_mmap+0x544/0x670
[ 37.889339] [<811bedb7>] ? get_unmapped_area+0x137/0x150
[ 37.890166] [<811c3b34>] do_mmap+0x544/0x670
[ 37.893549] [<811c3e8f>] SyS_remap_file_pages+0x1ff/0x350
[ 37.894486] [<81002a9e>] do_fast_syscall_32+0x26e/0x480
[ 37.895357] [<815a5b39>] sysenter_past_esp+0x42/0x79
[watchdog] Watchdog is alive. (pid:1698)
[child0:742] io_destroy (246) returned ENOSYS, marking as inactive.
[child0:742] io_cancel (249) returned ENOSYS, marking as inactive.
git bisect start 9aea286229fc87f71d754618c27fd6702139bbe1 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8 --
git bisect bad 1434b38f86455f4245dea30bc31c0eecd9b71e75 # 12:59 31- 8 Merge 'linux-review/Dmitry-Torokhov/Input-psmouse-rename-ps2pp_init-to-ps2pp_detect/20151203-032734' into devel-spot-201512031228
git bisect bad 1f31d16160af919f7433641ab867c28cabebca0d # 13:03 15- 6 Merge 'drm-intel/drm-intel-nightly' into devel-spot-201512031228
git bisect bad 04cd5fd63c146772cfc924a6c5871456ce3492d4 # 13:07 63- 15 Merge 'mkp-scsi/4.5/ncr5380' into devel-spot-201512031228
git bisect bad d8d5ab4374ada5a09092f5b191f712c93a86cad7 # 13:10 17- 9 Merge 'kees/mmap-clear-setid' into devel-spot-201512031228
git bisect good 376981b119c94ac5a858527d66588367d0b40789 # 13:15 78+ 2 Merge 'kees/ptdump' into devel-spot-201512031228
git bisect good 04dadc0739e7f3fd7c9da4c562dee7832e34b23a # 13:19 78+ 2 Merge 'kees/nak/recv-leak' into devel-spot-201512031228
git bisect good 2ec98599a46b788e9c4ebd351f268719428ceec8 # 13:23 78+ 3 Merge 'kees/nak/proc-r' into devel-spot-201512031228
git bisect bad b953933104b23dc80a166b3c2bdc9c8fe077c8a3 # 13:26 24- 4 fs: clear file privilege bits when mmap writing
# first bad commit: [b953933104b23dc80a166b3c2bdc9c8fe077c8a3] fs: clear file privilege bits when mmap writing
git bisect good 25364a9e54fb8296837061bf684b76d20eec01fb # 13:37 848+ 3 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
# extra tests with DEBUG_INFO
git bisect bad b953933104b23dc80a166b3c2bdc9c8fe077c8a3 # 13:41 11- 2 fs: clear file privilege bits when mmap writing
# extra tests on HEAD of linux-devel/devel-spot-201512031228
git bisect bad 9aea286229fc87f71d754618c27fd6702139bbe1 # 13:41 0- 5 0day head guard for 'devel-spot-201512031228'
# extra tests on tree/branch kees/mmap-clear-setid
git bisect bad b953933104b23dc80a166b3c2bdc9c8fe077c8a3 # 13:43 0- 17 fs: clear file privilege bits when mmap writing
# extra tests with first bad commit reverted
git bisect good 1cddd656f8d8831adddf63a2d330e7b38b2046db # 13:55 847+ 4 Revert "fs: clear file privilege bits when mmap writing"
# extra tests on tree/branch linus/master
git bisect good 25364a9e54fb8296837061bf684b76d20eec01fb # 14:10 847+ 3 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
# extra tests on tree/branch linux-next/master
This script may reproduce the error.
----------------------------------------------------------------------------
#!/bin/bash
# Usage: $0 <kernel image>
# Boots the given kernel under KVM with the 0day i386 test initrd, on a serial
# console, with panic-on-hang settings so a lockup ends the run instead of
# stalling it.
set -e

kernel=$1
initrd=quantal-core-i386.cgz

if [ -z "$kernel" ]; then
	echo "usage: $0 <kernel image>" >&2
	exit 1
fi

# Fetch the initrd once; --no-clobber keeps an existing copy.
wget --no-clobber "https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd"

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu kvm64
	-kernel "$kernel"
	-initrd "$initrd"
	-m 300
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null
)

append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	systemd.log_level=err
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------
---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp              Intel Corporation