【OLK-5.10】[Syzkaller] WARNING in do_open_execat

已完成
缺陷
创建于  
2022-05-18 20:07

【标题描述】execv/uselib和remount可能导致内核产生WARNING

WARNING: CPU: 3 PID: 3188 at fs/exec.c:922 do_open_execat+0x176/0x440 fs/exec.c:922
Modules linked in:
CPU: 3 PID: 3188 Comm: syz-executor104 Not tainted 5.10.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:do_open_execat+0x176/0x440 fs/exec.c:922
Code: df e8 2e c9 f7 ff 44 0f b7 33 bf 00 80 ff ff 66 41 81 e6 00 f0 44 89 f6 e8 17 8b c7 ff 66 41 81 fe 00 80 74 7d e8 5a 93 c7 ff <0f> 0b 48 c7 c3 f3 ff ff ff e8 4c 93 c7 ff 4c 89 e7 49 89 dc e8 31
RSP: 0018:ffff888107a8fcf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88800a5b7310 RCX: ffffffffa92e8166
RDX: ffff888106e2c380 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 1ffff11020f51fa0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000001 R12: ffff8880073c8480
R13: ffff8880bf00d500 R14: ffff888103b08620 R15: 0000000000000000
FS:  00007f595f081700(0000) GS:ffff888109780000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b03b0 CR3: 000000010621a005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 bprm_execve.part.0+0x4f/0x2b0 fs/exec.c:1801
 bprm_execve+0xf1/0x140 fs/exec.c:1795
 do_execveat_common+0x360/0x4a0 fs/exec.c:1915
 do_execveat fs/exec.c:1994 [inline]
 __do_sys_execveat fs/exec.c:2070 [inline]
 __se_sys_execveat fs/exec.c:2062 [inline]
 __x64_sys_execveat+0x8c/0xa0 fs/exec.c:2062
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x454649
Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f595f080d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000142
RAX: ffffffffffffffda RBX: 00000000006d94c8 RCX: 0000000000454649
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
RBP: 00000000006d94c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e
R13: 0000000000000000 R14: 00000000006d94c0 R15: 00007ffd555653d0
---[ end trace ea0e86e27b774ef9 ]---

【环境信息】
硬件信息:
NA
软件信息:
OLK5.10
【问题复现步骤】

  1. 打入diff延时补丁
  2. 编译执行repo.c
    【预期结果】
    内核打印 WARN_ON 告警
    【实际结果】
[   19.624098] WARNING: CPU: 1 PID: 2515 at fs/exec.c:933 do_open_execat+0x1ee/0x390
[   19.626444] Modules linked in:
[   19.627442] CPU: 1 PID: 2515 Comm: repo Not tainted 5.18.0-rc6-00092-gafea41c68705-dirty #495
[   19.630112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc314
[   19.633969] RIP: 0010:do_open_execat+0x1ee/0x390
[   19.634615] Code: 65 48 33 04 25 28 00 00 00 0f 85 ae 01 00 00 48 83 c4 20 4c 89 e0 5b 41 5c c3 48 83 05 d2 90 fc 0b 01 48 83 05 d2 90 fc8
[   19.637103] RSP: 0018:ffffc90001493e40 EFLAGS: 00010202
[   19.637831] RAX: 0000000000008000 RBX: ffff888100bab000 RCX: 0000000000000000
[   19.638806] RDX: ffff88817a205b40 RSI: ffff88817dff0800 RDI: 0000000000000000
[   19.639780] RBP: 00000000ffffff9c R08: ffff888237cac0a8 R09: 0000000000000004
[   19.640756] R10: 00000000000002f1 R11: 000000048aad5d08 R12: ffff88817ea47700
[   19.641727] R13: ffff888100bab000 R14: 0000000000000000 R15: 0000000000000001
[   19.642671] FS:  00007f4398c0e440(0000) GS:ffff888237c80000(0000) knlGS:0000000000000000
[   19.643736] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   19.644504] CR2: 00007ffd176e4ba8 CR3: 00000001748e7000 CR4: 00000000000006e0
[   19.645439] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   19.646382] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   19.647325] Call Trace:
[   19.647677]  <TASK>
[   19.647970]  bprm_execve+0x1c6/0xa60
[   19.648444]  ? copy_string_kernel+0xc9/0x3c0
[   19.649030]  do_execveat_common.isra.0+0x2df/0x320
[   19.649683]  __x64_sys_execve+0x4b/0x70
[   19.650194]  do_syscall_64+0x35/0x80
[   19.650689]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   19.651355] RIP: 0033:0x7f43984d5027
[   19.651852] Code: ff 76 e0 f7 d8 64 41 89 01 eb d8 0f 1f 84 00 00 00 00 00 f7 d8 64 41 89 01 eb d7 0f 1f 84 00 00 00 00 00 b8 3b 00 00 008
[   19.654291] RSP: 002b:00007ffd4615f6f8 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
[   19.655304] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f43984d5027
[   19.656255] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000040079f
[   19.657206] RBP: 00007ffd4615f710 R08: 00007f4398c0e440 R09: 00007f4398811090
[   19.658162] R10: 0000000000000003 R11: 0000000000000202 R12: 0000000000400520
[   19.659116] R13: 00007ffd4615f7f0 R14: 0000000000000000 R15: 0000000000000000
[   19.660074]  </TASK>
[   19.660376] ---[ end trace 0000000000000000 ]---
[   19.661008] exec my_bin 4 0 tmpfs

【附件信息】
diff

diff --git a/fs/exec.c b/fs/exec.c
index e3e55d5e0be1..388d38b87e9a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -897,6 +897,7 @@ EXPORT_SYMBOL(transfer_args_to_stack);
 
 #endif /* CONFIG_MMU */
 
+#include <linux/delay.h>
 static struct file *do_open_execat(int fd, struct filename *name, int flags)
 {
 	struct file *file;
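Review bot: `#include <linux/delay.h>` is dropped between two function definitions instead of into the include block at the top of fs/exec.c, which is where msleep()'s header belongs and where a reader will look for it. For a throwaway delay patch this is harmless, but if any of it is kept the include should move up with the others.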
@@ -925,9 +926,15 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
 	 * and check again at the very end too.
 	 */
 	err = -EACCES;
+	if (!strcmp(file->f_path.dentry->d_iname, "my_bin")) {
+		pr_err("wait ...\n");
+		msleep(3000);
+	}
 	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
-			 path_noexec(&file->f_path)))
+			 path_noexec(&file->f_path))) {
+		pr_err("exec %pd %d %d %s\n", file->f_path.dentry, file->f_path.mnt->mnt_flags & MNT_NOEXEC, file->f_path.mnt->mnt_sb->s_iflags & SB_I_NOEXEC, file->f_path.mnt->mnt_sb->s_type->name);
 		goto exit;
+	}
 
 	err = deny_write_access(file);
 	if (err)
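Review bot: The WARN_ON_ONCE on the `path_noexec(&file->f_path)` re-check, whose branch this hunk instruments, reports a condition that the trace in this issue shows is reachable by a remount racing the exec, so it is not an internal invariant; with panic_on_warn set it turns a benign EACCES into a crash. The noexec half should fail quietly, e.g. keep `err = -EACCES;` and use `if (!S_ISREG(file_inode(file)->i_mode) || path_noexec(&file->f_path)) goto exit;`, leaving a WARN, if any, for the S_ISREG half only. Separately, the hook `if (!strcmp(file->f_path.dentry->d_iname, "my_bin"))` (and the same test in the fs/namei.c hunk) reads the inline name buffer, which only holds names short enough to be stored inline; `file->f_path.dentry->d_name.name` is the reliable spelling. do_open_execat() starts before this hunk and continues past it.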
diff --git a/fs/namei.c b/fs/namei.c
index 509657fdf4f5..443e2fe6f6c4 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3095,6 +3095,8 @@ static int may_open(struct user_namespace *mnt_userns, const struct path *path,
 	case S_IFREG:
 		if ((acc_mode & MAY_EXEC) && path_noexec(path))
 			return -EACCES;
+		if (!strcmp(path->dentry->d_iname, "my_bin"))
+			pr_err("check pass %d %d\n", acc_mode & MAY_EXEC, path_noexec(path));
 		break;
 	}
 

repo.c

#define _GNU_SOURCE             /* See feature_test_macros(7) */
#include <errno.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

#define __NR_uselib 86

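/*
 * Reproducer for the report above: a regular file on a tmpfs passes the
 * path_noexec() check in may_open(), the tmpfs is remounted noexec while the
 * execve() is still in flight (the attached delay patch parks
 * do_open_execat() for 3 s when the file is called "my_bin"), and the final
 * re-check in do_open_execat() then trips its WARN_ON_ONCE().
 *
 * Needs root for mount(2)/umount(2). Every path is relative to the current
 * working directory so the mount point, the file and the execve() target
 * always refer to the same tmpfs (the earlier version mounted "temp" but
 * executed "/root/temp/my_bin", which only agree when run from /root).
 *
 * The uselib(2) variant of the report is the same flow with the execve()
 * call replaced by syscall(__NR_uselib, bin_path).
 *
 * Returns 1 on a setup failure. execve() itself is expected to come back
 * (the payload is not a valid executable image), so the process returns 0
 * afterwards; the signal of interest is the WARNING in the kernel log.
 */
int main(void)
{
	static const char mnt_dir[] = "temp";
	static const char bin_path[] = "temp/my_bin";
	/* Same content the shell version wrote with `echo 12312 > temp/my_bin`. */
	static const char payload[] = "12312\n";
	char *const argv[] = { "my_bin", NULL };
	char *const envp[] = { NULL };
	size_t payload_len = sizeof payload - 1;
	int fd;
	pid_t pid;

	/* Best effort: a tmpfs left over from an earlier run may or may not exist. */
	(void)umount(mnt_dir);

	if (mkdir(mnt_dir, 0755) < 0 && errno != EEXIST) {
		perror("mkdir temp");
		return 1;
	}
	/* Equivalent of `mount -t tmpfs none temp`. */
	if (mount("none", mnt_dir, "tmpfs", 0, NULL) < 0) {
		perror("mount tmpfs");
		return 1;
	}

	fd = open(bin_path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
	if (fd < 0) {
		perror("create temp/my_bin");
		return 1;
	}
	if (write(fd, payload, payload_len) != (ssize_t)payload_len) {
		perror("write temp/my_bin");
		close(fd);
		return 1;
	}
	/* The writer must be closed before the exec, or it fails with ETXTBSY. */
	if (close(fd) < 0) {
		perror("close temp/my_bin");
		return 1;
	}
	/* `chmod +x`: set the mode explicitly so the umask cannot strip the x bits. */
	if (chmod(bin_path, 0755) < 0) {
		perror("chmod temp/my_bin");
		return 1;
	}

	pid = fork();
	if (pid < 0) {
		perror("fork");
		return 1;
	}
	if (pid == 0) {
		/*
		 * Child: flip the mount to noexec while the parent's execve() is
		 * parked in do_open_execat(). The one-second pause (a constructed
		 * value, well inside the 3 s window the delay patch opens) lets the
		 * parent get past may_open()'s path_noexec() check first; if the
		 * remount landed earlier the exec would simply fail with EACCES
		 * and no WARNING would be printed.
		 */
		sleep(1);
		/* Equivalent of `mount -o remount,noexec temp`. */
		if (mount(NULL, mnt_dir, NULL, MS_REMOUNT | MS_NOEXEC, NULL) < 0)
			perror("remount noexec");
		/* _exit: do not run the parent's atexit handlers or flush its stdio. */
		_exit(0);
	}

	/* Parent: the exec that is expected to hit the WARN_ON_ONCE(). */
	execve(bin_path, argv, envp);
	/* Always reached here; report the errno so EACCES vs ENOEXEC is visible. */
	perror("execve temp/my_bin");
	return 0;
}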

评论 (1)

chengzhihao 创建了缺陷

Hi czh549642238, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers: @YangYingliang , @pi3orama , @成坚 (CHENG Jian) , @jiaoff , @zhengzengkai , @Qiuuuuu , @刘勇强 , @Xie XiuQi

