Re: BUG: unable to handle kernel paging request in crypto_sha3_update

From: Herbert Xu
Date: Tue Apr 02 2024 - 04:36:50 EST


On Wed, Mar 20, 2024 at 10:57:53AM +0800, xingwei lee wrote:
>
> syscall(__NR_bind, /*fd=*/r[0], /*addr=*/0x20000000ul, /*addrlen=*/0x58ul);
> res = syscall(__NR_accept, /*fd=*/r[0], /*peer=*/0ul, /*peerlen=*/0ul);
> if (res != -1)
> r[1] = res;
> res = syscall(__NR_memfd_secret, /*flags=*/0ul);
> if (res != -1)
> r[2] = res;

So this is the key to the issue. The whole point of memfd_secret is
to make the pages inaccessible to the kernel. The issue is those
pages are then gifted to the kernel through sendmsg. Somewhere
along the line someone is supposed to throw up an error about this,
or map the pages properly. I guess neither happened which is why
we end up with a page fault.

I'll cc the memfd_secret authors to see what should catch this.

> syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0xb36000ul,
> /*prot=*/0x2000003ul, /*flags=*/0x28011ul, /*fd=*/r[2],
> /*offset=*/0ul);
> syscall(__NR_ftruncate, /*fd=*/r[2], /*len=*/0xde99ul);
> *(uint64_t*)0x20000180 = 0;
> *(uint32_t*)0x20000188 = 0;
> *(uint64_t*)0x20000190 = 0x20000140;
> *(uint64_t*)0x20000140 = 0x20000080;
> *(uint64_t*)0x20000148 = 0xb0;
> *(uint64_t*)0x20000198 = 1;
> *(uint64_t*)0x200001a0 = 0;
> *(uint64_t*)0x200001a8 = 0;
> *(uint32_t*)0x200001b0 = 0;
> syscall(__NR_sendmsg, /*fd=*/r[1], /*msg=*/0x20000180ul,
> /*f=*/0x47933e2b0522cf63ul);

This is the spot where the memfd_secret pages are given to the kernel
for processing through sendmsg.

Thanks,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt