From: Eric Dumazet <edumazet@google.com>

Date: Fri, 14 Aug 2020 11:16:17 -0700

Subject: x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task

Git-commit: 8ab49526b53d3172d1d8dd03a75c7d1f5bd21239

Patch-mainline: v5.9-rc1

References: bsc#1112178

syzbot found its way in 86_fsgsbase_read_task() and triggered this oops:

   KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]

   CPU: 0 PID: 6866 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0

   RIP: 0010:x86_fsgsbase_read_task+0x16d/0x310 arch/x86/kernel/process_64.c:393

   Call Trace:

     putreg32+0x3ab/0x530 arch/x86/kernel/ptrace.c:876

     genregs32_set arch/x86/kernel/ptrace.c:1026 [inline]

     genregs32_set+0xa4/0x100 arch/x86/kernel/ptrace.c:1006

     copy_regset_from_user include/linux/regset.h:326 [inline]

     ia32_arch_ptrace arch/x86/kernel/ptrace.c:1061 [inline]

     compat_arch_ptrace+0x36c/0xd90 arch/x86/kernel/ptrace.c:1198

     __do_compat_sys_ptrace kernel/ptrace.c:1420 [inline]

     __se_compat_sys_ptrace kernel/ptrace.c:1389 [inline]

     __ia32_compat_sys_ptrace+0x220/0x2f0 kernel/ptrace.c:1389

     do_syscall_32_irqs_on arch/x86/entry/common.c:84 [inline]

     __do_fast_syscall_32+0x57/0x80 arch/x86/entry/common.c:126

     do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:149

     entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

This can happen if ptrace() or sigreturn() pokes an LDT selector into FS

or GS for a task with no LDT and something tries to read the base before

a return to usermode notices the bad selector and fixes it.

The fix is to make sure ldt pointer is not NULL.

Fixes: 07e1d88adaae ("x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately")

Co-developed-by: Jann Horn <jannh@google.com>

Signed-off-by: Eric Dumazet <edumazet@google.com>

Reported-by: syzbot <syzkaller@googlegroups.com>

Acked-by: Andy Lutomirski <luto@kernel.org>

Cc: Chang S. Bae <chang.seok.bae@intel.com>

Cc: Andy Lutomirski <luto@amacapital.net>

Cc: Borislav Petkov <bp@alien8.de>

Cc: Brian Gerst <brgerst@gmail.com>

Cc: Dave Hansen <dave.hansen@linux.intel.com>

Cc: Denys Vlasenko <dvlasenk@redhat.com>

Cc: H. Peter Anvin <hpa@zytor.com>

Cc: Markus T Metzger <markus.t.metzger@intel.com>

Cc: Peter Zijlstra <peterz@infradead.org>

Cc: Ravi Shankar <ravi.v.shankar@intel.com>

Cc: Rik van Riel <riel@surriel.com>

Cc: Thomas Gleixner <tglx@linutronix.de>

Cc: Ingo Molnar <mingo@kernel.org>

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Acked-by: Borislav Petkov <bp@suse.de>

---

 arch/x86/kernel/process_64.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c

index d6f946707270..9afefe325acb 100644

--- a/arch/x86/kernel/process_64.c

+++ b/arch/x86/kernel/process_64.c

@@ -390,7 +390,7 @@ unsigned long x86_fsgsbase_read_task(struct task_struct *task,

 		 */

 		mutex_lock(&task->mm->context.lock);

 		ldt = task->mm->context.ldt;

-		if (unlikely(idx >= ldt->nr_entries))

+		if (unlikely(!ldt || idx >= ldt->nr_entries))

 			base = 0;

 		else

 			base = get_desc_base(ldt->entries + idx);