On 2/12/20 8:24 pm, Tobias Markus wrote:
Hi David,
I'm afraid I can't provide an exactly matching disassembly of the
function since I've since updated to newer -rc kernels.
Another debugging hurdle is that the specific kernel code path seems
to be triggered by a very specific iwd code path that iwd only uses
for 802.1X/EAP-secured networks, and I simply wasn't near any
EAP-secured networks in the last few weeks.
I've tried creating a reproducer using a bash script calling various
keyctl commands but to no success>
David Howells wrote:
Tobias Markus <tob...@markus-regensburg.de> wrote:
kernel: RIP: 0010:public_key_verify_signature+0x189/0x3f0
Is it possible for you to provide a disassembly of this function
from the
kernel you were using? For this to occur on that line, it appears
that sig
would need to be NULL - but that should trip an assertion at the
top of the
function - or a very small number (which could be RCX, R09 or R11).
Thanks,
David
This problem is still in 5.10.4 (with iwd 1.10):
---
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: #PF: supervisor read access in kernel mode
kernel: #PF: error_code(0x0000) - not-present page
kernel: PGD 0 P4D 0
kernel: Oops: 0000 [#6] PREEMPT SMP PTI
kernel: CPU: 7 PID: 6089 Comm: iwd Tainted: G S UD W OE
5.10.4-arch2-1 #1
kernel: Hardware name: LENOVO 20L7CTO1WW/20L7CTO1WW, BIOS N22ET60P
(1.37 ) 11/25/2019
kernel: RIP: 0010:public_key_verify_signature+0x189/0x400
kernel: Code: 48 8b 40 d0 44 89 ca 4c 89 fe 4c 89 e7 e8 ef 33 9b 00
85 c0 0f 85 80 01 00 00 48 8b 75 30 48 c7 c7 f8 84 99 ba b9 04 00 00
00 <f3> a6 0f 97 c0 1c 00 84 c0 75 0b 8b 45 50 85 c0 0f 85 e0 01 00 00
kernel: RSP: 0018:ffffaf6d811b3d50 EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: ffff99d6a24ba540 RCX:
0000000000000004
kernel: RDX: ffff99d6a2436c00 RSI: 0000000000000000 RDI:
ffffffffba9984f8
kernel: RBP: ffffaf6d811b3e88 R08: ffff99d681b58cc0 R09:
0000000000000008
kernel: R10: 0000000000000000 R11: 000000000000000a R12:
ffff99d6a24bab40
kernel: R13: ffff99d6a2437200 R14: ffffaf6d811b3d88 R15:
ffff99d5ce134800
kernel: FS: 00007f14d1578740(0000) GS:ffff99dac75c0000(0000)
knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000000 CR3: 00000001e26aa005 CR4:
00000000003706e0
kernel: Call Trace:
kernel: asymmetric_key_verify_signature+0x5e/0x80
kernel: keyctl_pkey_verify+0xc0/0x120
kernel: do_syscall_64+0x33/0x40
kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
kernel: RIP: 0033:0x7f14d1675d5d
kernel: Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48
89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 70 0c 00 f7 d8 64 89 01 48
kernel: RSP: 002b:00007ffce76da728 EFLAGS: 00000246 ORIG_RAX:
00000000000000fa
kernel: RAX: ffffffffffffffda RBX: 00007ffce76da7b0 RCX:
00007f14d1675d5d
kernel: RDX: 0000565457d08ac0 RSI: 00007ffce76da730 RDI:
000000000000001c
kernel: RBP: 0000565457d08ac0 R08: 0000565457d0b2dd R09:
000000303ec2c07a
kernel: R10: 00007ffce76da7b0 R11: 0000000000000246 R12:
0000565457d0b2dd
kernel: R13: 00007f14d177d9c0 R14: 0000565457d0b294 R15:
00007ffce76da7b0
kernel: Modules linked in: bnep uvcvideo videobuf2_vmalloc
videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc ccm
algif_aead des_generic libdes ecb algif_skcipher cmac md4 algif_hash
af_alg btusb btrtl btbcm btintel bluetooth snd_soc_skl elan_i2c
snd_hda_codec_hdmi snd_soc_sst_ipc snd_soc_sst_dsp ecdh_generic ecc
iTCO_wdt snd_hda_ext_core iwlmvm intel_pmc_bxt
snd_soc_acpi_intel_match mei_hdcp ee1004 iTCO_vendor_support
snd_hda_codec_realtek snd_soc_acpi wmi_bmof intel_wmi_thunderbolt
snd_hda_codec_generic intel_rapl_msr snd_hda_intel mac80211
snd_intel_dspcfg soundwire_intel soundwire_generic_allocation
soundwire_cadence snd_hda_codec x86_pkg_temp_thermal intel_powerclamp
coretemp libarc4 snd_hda_core kvm_intel snd_hwdep nls_iso8859_1
soundwire_bus vfat fat kvm snd_soc_core iwlwifi snd_compress
irqbypass rapl ac97_bus intel_cstate snd_pcm_dmaengine intel_uncore
joydev snd_pcm cfg80211 mousedev mei_me pcspkr e1000e i2c_i801
snd_timer i2c_smbus mei processor_thermal_device
kernel: intel_xhci_usb_role_switch intel_rapl_common
intel_pch_thermal roles intel_soc_dts_iosf thinkpad_acpi wmi
ledtrig_audio rfkill snd int3403_thermal soundcore
int340x_thermal_zone int3400_thermal acpi_thermal_rel acpi_pad
mac_hid pkcs8_key_parser crypto_user fuse acpi_call(OE) bpf_preload
ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 uas
usb_storage dm_crypt cbc encrypted_keys dm_mod trusted tpm rng_core
crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel
aesni_intel crypto_simd cryptd glue_helper serio_raw xhci_pci
xhci_pci_renesas i915 video intel_gtt i2c_algo_bit drm_kms_helper
syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm agpgart
kernel: CR2: 0000000000000000
kernel: ---[ end trace fcbb482b549250b6 ]---
kernel: RIP: 0010:public_key_verify_signature+0x189/0x400
kernel: Code: 48 8b 40 d0 44 89 ca 4c 89 fe 4c 89 e7 e8 ef 33 9b 00
85 c0 0f 85 80 01 00 00 48 8b 75 30 48 c7 c7 f8 84 99 ba b9 04 00 00
00 <f3> a6 0f 97 c0 1c 00 84 c0 75 0b 8b 45 50 85 c0 0f 85 e0 01 00 00
kernel: RSP: 0018:ffffaf6d80ad7d50 EFLAGS: 00010246
kernel: RAX: 0000000000000000 RBX: ffff99d61f5611c0 RCX:
0000000000000004
kernel: RDX: ffff99d66714cb00 RSI: 0000000000000000 RDI:
ffffffffba9984f8
kernel: RBP: ffffaf6d80ad7e88 R08: ffff99d5c60fe760 R09:
0000000000000008
kernel: R10: 0000000000000000 R11: 000000000000000a R12:
ffff99d5e97afec0
kernel: R13: ffff99d66714d600 R14: ffffaf6d80ad7d88 R15:
ffff99d5c6e90a00
kernel: FS: 00007f14d1578740(0000) GS:ffff99dac75c0000(0000)
knlGS:0000000000000000
kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: CR2: 0000000000000000 CR3: 00000001e26aa005 CR4:
00000000003706e0
systemd[1]: iwd.service: Main process exited, code=killed, status=9/KILL
systemd[1]: iwd.service: Failed with result 'signal'.
---
Here is the disassembly of public_key_verify_signature around the
faulting instruction
---
0xffffffffb9a4eaf9: mov 0x30(%rbp),%rsi
0xffffffffb9a4eafd: mov $0xffffffffba9984f8,%rdi
0xffffffffb9a4eb04: mov $0x4,%ecx
0xffffffffb9a4eb09: repz cmpsb %es:(%rdi),%ds:(%rsi) # fault here
0xffffffffb9a4eb0b: seta %al
0xffffffffb9a4eb0e: sbb $0x0,%al
0xffffffffb9a4eb10: test %al,%al
0xffffffffb9a4eb12: jne 0xffffffffb9a4eb1f
0xffffffffb9a4eb14: mov 0x50(%rbp),%eax
0xffffffffb9a4eb17: test %eax,%eax
0xffffffffb9a4eb19: jne 0xffffffffb9a4ecff
---
corresponding to this:
https://elixir.bootlin.com/linux/v5.10.4/source/crypto/asymmetric_keys/public_key.c#L359
---
if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) {
ret = cert_sig_digest_update(sig, tfm);
if (ret)
goto error_free_key;
}
---
So it seems like sig->pkey_algo is null. I will try to debug, but I
don't get access to an EAP-protected network often (maybe once or
twice a week), so it might take a while.