lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4AD8852E.2090302@agilent.com>
Date:	Fri, 16 Oct 2009 07:37:34 -0700
From:	Earl Chew <earl_chew@...lent.com>
To:	linux-kernel@...r.kernel.org
Subject: [PATCH v1 1/1]: fs: pipe.c null pointer dereference

This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:


 > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
 >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
 >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
 >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
 >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
 >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67

This defect is also described in:
   http://lkml.org/lkml/2009/10/14/184
   http://bugzilla.kernel.org/show_bug.cgi?id=14416


The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
#!/bin/sh
while : ; do
    { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
    PID=$!
    OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
         { read PID REST ; echo $PID; } )
    OUT="${OUT%% *}"
    DELAY=$((RANDOM * 1000 / 32768))
    usleep $((DELAY * 1000 + RANDOM % 1000 ))
    echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:

  static int
  pipe_rdwr_open(struct inode *inode, struct file *filp)
  {
        msleep(100);
        mutex_lock(&inode->i_mutex);


Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.

The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.



--- linux-2.6.21_mvlcge500/fs/pipe.c.orig	2009-10-15 20:33:53.000000000 
-0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c	2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
  static int
  pipe_read_open(struct inode *inode, struct file *filp)
  {
-	/* We could have perhaps used atomic_t, but this and friends
-	   below are the only places.  So it doesn't seem worthwhile.  */
+	int ret = -ENOENT;
+
  	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->readers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->readers++;
+	}
+
  	mutex_unlock(&inode->i_mutex);

-	return 0;
+	return ret;
  }

  static int
  pipe_write_open(struct inode *inode, struct file *filp)
  {
+	int ret = -ENOENT;
+
  	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->writers++;
+	}
+
  	mutex_unlock(&inode->i_mutex);

-	return 0;
+	return ret;
  }

  static int
  pipe_rdwr_open(struct inode *inode, struct file *filp)
  {
+	int ret = -ENOENT;
+
  	mutex_lock(&inode->i_mutex);
-	if (filp->f_mode & FMODE_READ)
-		inode->i_pipe->readers++;
-	if (filp->f_mode & FMODE_WRITE)
-		inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		if (filp->f_mode & FMODE_READ)
+			inode->i_pipe->readers++;
+		if (filp->f_mode & FMODE_WRITE)
+			inode->i_pipe->writers++;
+	}
+
  	mutex_unlock(&inode->i_mutex);

-	return 0;
+	return ret;
  }

  /*



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ