lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 11 Feb 2015 11:05:07 +0800
From:	Nicolas Iooss <nicolas.iooss_linux@....org>
To:	Al Viro <viro@...iv.linux.org.uk>
Cc:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	Nicolas Iooss <nicolas.iooss_linux@....org>
Subject: [PATCH] proc: get a reference to the owning module when opening file

When a module creates a file in procfs and a program uses the file with
mmap, the .owner field of the file_operations structure is ignored.
This allows removing the module while the file is still being used.

Therefore this sequence of events leads to a kernel oops:

* load a module which creates a file in procfs with an mmap operation
* open the file
* use mmap on it
* rmmod the module
* call unmap

Here are parts of the oops caused by unmap:

[ 1234.337725] BUG: unable to handle kernel paging request at ffffffffa030a268
[ 1234.338007] IP: [<ffffffff811bf054>] remove_vma+0x24/0x70
[ 1234.338007] PGD 1c17067 PUD 1c18063 PMD 3d713067 PTE 0
[ 1234.338007] Oops: 0000 [#1] SMP
[ 1234.338007] Modules linked in: fuse rpcsec_gss_krb5 nfsv4
dns_resolver nfs fscache cfg80211 rfkill ppdev bochs_drm virtio_net
serio_raw parport_pc ttm pvpanic parport drm_kms_helper drm i2c_piix4
nfsd auth_rpcgss nfs_acl lockd sunrpc virtio_blk virtio_pci virtio_ring
virtio ata_generic pata_acpi [last unloaded: procfs_mmap]

[ 1234.338007] Call Trace:
[ 1234.338007]  [<ffffffff811c155f>] do_munmap+0x27f/0x3b0
[ 1234.338007]  [<ffffffff811c16d1>] vm_munmap+0x41/0x60
[ 1234.338007]  [<ffffffff811c2652>] SyS_munmap+0x22/0x30
[ 1234.338007]  [<ffffffff817301a9>] system_call_fastpath+0x16/0x1b

Fix this by making proc_reg_open grab a reference to the module owning
pde->proc_fops.

More information and example code to reproduce this oops can be found on
https://bugzilla.kernel.org/show_bug.cgi?id=92511

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@....org>
---
 fs/proc/inode.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/proc/inode.c b/fs/proc/inode.c
index 8420a2f80811..5df17cb730fa 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -329,12 +329,16 @@ static int proc_reg_open(struct inode *inode, struct file *file)
 		kfree(pdeo);
 		return -ENOENT;
 	}
+	fops_get(pde->proc_fops);
 	open = pde->proc_fops->open;
 	release = pde->proc_fops->release;
 
 	if (open)
 		rv = open(inode, file);
 
+	if (rv != 0)
+		fops_put(pde->proc_fops);
+
 	if (rv == 0 && release) {
 		/* To know what to release. */
 		pdeo->file = file;
@@ -361,6 +365,7 @@ static int proc_reg_release(struct inode *inode, struct file *file)
 		}
 	}
 	spin_unlock(&pde->pde_unload_lock);
+	fops_put(pde->proc_fops);
 	return 0;
 }
 
-- 
2.3.0

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ