ch1/miscdrv_rdwr/miscdrv_rdwr.c is triggering null-ptr-deref on kernel 6.6

[LeonSkoog]

Hi @kaiwan ,

I've found that close_miscdrv() from ch1/miscdrv_rdwr/miscdrv_rdwr.c is failing on kernel 6.6 when read_miscdrv_rdwr() is called with count < MAXBYTES.

I noticed that when we return -EINVAL (from read_miscdrv_rdwr()), the close_miscdrv_rdwr() triggers null-ptr-deref in __lock_acquire.

Is there a way to validate filp prior calling file_path(filp, buf, PATH_MAX)?

Full trace:
[ 23.170003] BUG: KASAN: null-ptr-deref in __lock_acquire+0xda/0x2c70
[ 23.170637] Read of size 8 at addr 0000000000000058 by task dd/56
[ 23.171234]
[ 23.171419] CPU: 0 PID: 56 Comm: dd Tainted: G O 6.6.0 #16
[ 23.172063] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 23.172922] Call Trace:
[ 23.173170]
[ 23.173385] dump_stack_lvl+0x96/0x100
[ 23.173761] print_report+0x441/0x660
[ 23.174127] ? __virt_addr_valid+0x56/0x240
[ 23.174542] ? kasan_addr_to_slab+0x11/0xb0
[ 23.174934] kasan_report+0xf2/0x140
[ 23.175295] ? __lock_acquire+0xda/0x2c70
[ 23.175695] ? __lock_acquire+0xda/0x2c70
[ 23.176096] __asan_load8+0x82/0xb0
[ 23.176444] __lock_acquire+0xda/0x2c70
[ 23.176820] ? __wake_up_klogd+0xb3/0x140
[ 23.177227] ? __pfx___lock_acquire+0x10/0x10
[ 23.177668] lock_acquire+0x17e/0x3e0
[ 23.178029] ? file_path+0x19/0x20
[ 23.178375] ? __pfx_lock_acquire+0x10/0x10
[ 23.178693] ? check_preemption_disabled+0x42/0x180
[ 23.179023] d_path+0x3c6/0x520
[ 23.179244] ? file_path+0x19/0x20
[ 23.179478] ? __pfx_d_path+0x10/0x10
[ 23.179730] file_path+0x19/0x20
[ 23.179938] close_miscdrv_rdwr+0x22f/0x2f0 [miscdrv]
[ 23.180271] __fput+0x2c1/0x720
[ 23.180498] ____fput+0x12/0x20
[ 23.180728] task_work_run+0x164/0x240
[ 23.181004] ? __pfx_task_work_run+0x10/0x10
[ 23.181303] ? switch_task_namespaces+0xad/0x130
[ 23.181644] do_exit+0x6f2/0x1e20
[ 23.181868] ? do_group_exit+0x107/0x170
[ 23.182153] ? __pfx_do_exit+0x10/0x10
[ 23.182412] ? trace_preempt_on+0x63/0x1e0
[ 23.182702] ? do_group_exit+0x107/0x170
[ 23.182980] do_group_exit+0x7b/0x170
[ 23.183245] __x64_sys_exit_group+0x30/0x30
[ 23.183549] do_syscall_64+0x72/0xf0
[ 23.183803] entry_SYSCALL_64_after_hwframe+0x6e/0xd8

[kaiwan]

Hi @LeonSkoog !
Apologies! i've taken very long (too long) to see and respond to your PR; thank you for doing so...

1. A little testing I did:

• I built a custom 6.6.65 kernel with debug features (including KASAN) turned on
• I ran the module with both the 'usual' count (128 bytes) and a smaller count (1 byte / 8 bytes)
• I couldn't reproduce the bug you saw...
  • let me know if I need to do something specific in order to..

2. Logically, the file pointer struct - the struct file *filp - should not change within a process/thread performing an action, like read() or write()... I verified this; here's an example where I request just 1 byte to be read:

dd if=/dev/llkd_miscdrv_rdwr bs=1
which triggers the
dd: error reading '/dev/llkd_miscdrv_rdwr': Invalid argument
error:

Jan 27 13:48:38 Ubuntu23 kernel: miscdrv_rdwr:open_miscdrv_rdwr(): filp=ffff888035fdd900
Jan 27 13:48:38 Ubuntu23 kernel: misc llkd_miscdrv_rdwr:  opening "/dev/llkd_miscdrv_rdwr" now; wrt open file: f_flags = 0x8000
Jan 27 13:48:38 Ubuntu23 kernel: miscdrv_rdwr:read_miscdrv_rdwr(): filp=ffff888035fdd900
Jan 27 13:48:38 Ubuntu23 kernel: misc llkd_miscdrv_rdwr: dd wants to read (upto) 1 bytes
Jan 27 13:48:38 Ubuntu23 kernel: misc llkd_miscdrv_rdwr: request # of bytes (1) is < required size (128), aborting read
Jan 27 13:48:38 Ubuntu23 kernel: miscdrv_rdwr:close_miscdrv_rdwr(): filp=ffff888035fdd900
Jan 27 13:48:38 Ubuntu23 kernel: misc llkd_miscdrv_rdwr:  filename: "/dev/llkd_miscdrv_rdwr"

You can see here that it doesn't trigger a NULL-ptr dereference bug and that the filp values stays the same..
Thus, in theory, this bug shouldn't occur; which makes it interesting! If you can reproduce it, I'd love to dig deeper.
Thank you!