| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 May 2016 14:07:03 +0200 From: Vlastimil Babka <vbabka@...e.cz> To: Alexei Starovoitov <alexei.starovoitov@...il.com>, Sasha Levin <sasha.levin@...cle.com> Cc: ast@...nel.org, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, Tejun Heo <tj@...nel.org>, Christoph Lameter <cl@...ux.com>, Linux-MM layout <linux-mm@...ck.org> Subject: Re: bpf: use-after-free in array_map_alloc On 05/23/2016 02:01 PM, Vlastimil Babka wrote: >> if I read the report correctly it's not about bpf, but rather points to >> the issue inside percpu logic. >> First __alloc_percpu_gfp() is called, then the memory is freed with >> free_percpu() which triggers async pcpu_balance_work and then >> pcpu_extend_area_map is hitting use-after-free. >> I guess bpf percpu array map is stressing this logic the most. > > I've been staring at it for a while (not knowing the code at all) and > the first thing that struck me is that pcpu_extend_area_map() is done > outside of pcpu_lock. So what prevents the chunk from being freed during > the extend? Erm to be precise, pcpu_lock is unlocked just before calling pcpu_extend_area_map(), which relocks it after an allocation, and assumes the chunk still exists at that point. Unless I'm missing something, that's an unlocked window where chunk can be destroyed by the workfn, as the report suggests?
Powered by blists - more mailing lists