lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2375c9f90910210238i744fec42gb4d9a1c5229696f0@mail.gmail.com>
Date:	Wed, 21 Oct 2009 17:38:22 +0800
From:	Américo Wang <xiyou.wangcong@...il.com>
To:	Earl Chew <earl_chew@...lent.com>
Cc:	linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v4 1/1]: fs: pipe.c null pointer dereference + really sign 
	off + unmangled diffs

On Tue, Oct 20, 2009 at 6:55 AM, Earl Chew <earl_chew@...lent.com> wrote:
> [ Exactly as before, but really sign off and tabs preserved ]
>
>
> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
>
>
>> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>>  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>>  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>>  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>>  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>>  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
>
>
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
>
> =============================================================
> #!/bin/sh
> while : ; do
>   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
>   PID=$!
>   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
>        { read PID REST ; echo $PID; } )
>   OUT="${OUT%% *}"


Well, you can use 'pgrep', it will save you a lot here.
Try: pgrep -f 'sleep 1' -n

>   DELAY=$((RANDOM * 1000 / 32768))
>   usleep $((DELAY * 1000 + RANDOM % 1000 ))
>   echo n > /proc/$OUT/fd/1                 # Trigger defect
> done
> =============================================================
>

This still has very little chance to trigger it, I am afraid.
I tried on my machine, didn't get any oops.

Trying to use C to write it may be better.


> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
>
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
>       msleep(100);
>       mutex_lock(&inode->i_mutex);
>
>
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
>
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
>
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.


So, if I understand you correctly, you mean we have a small window
between calling sys_open() and fifo_open(), during this little period,
we don't have i_mutex held, thun another process have a chance
to release that pipe and make i_pipe NULL. Right?

Hmm, sounds reasonable. :-/

I'd like you to put the explanations into the code, as comments.

>
>
> Signed-off-by: Earl Chew <earl_chew@...lent.com>


Add some Cc, fs-devel and Al.


>
>
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig       2009-10-15 20:33:53.000000000 -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c    2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
>  static int
>  pipe_read_open(struct inode *inode, struct file *filp)
>  {
> -       /* We could have perhaps used atomic_t, but this and friends
> -          below are the only places.  So it doesn't seem worthwhile.  */
> +       int ret = -ENOENT;
> +
>        mutex_lock(&inode->i_mutex);
> -       inode->i_pipe->readers++;
> +
> +       if (inode->i_pipe) {
> +               ret = 0;
> +               inode->i_pipe->readers++;
> +       }
> +
>        mutex_unlock(&inode->i_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  static int
>  pipe_write_open(struct inode *inode, struct file *filp)
>  {
> +       int ret = -ENOENT;
> +
>        mutex_lock(&inode->i_mutex);
> -       inode->i_pipe->writers++;
> +
> +       if (inode->i_pipe) {
> +               ret = 0;
> +               inode->i_pipe->writers++;
> +       }
> +
>        mutex_unlock(&inode->i_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
> +       int ret = -ENOENT;
> +
>        mutex_lock(&inode->i_mutex);
> -       if (filp->f_mode & FMODE_READ)
> -               inode->i_pipe->readers++;
> -       if (filp->f_mode & FMODE_WRITE)
> -               inode->i_pipe->writers++;
> +
> +       if (inode->i_pipe) {
> +               ret = 0;
> +               if (filp->f_mode & FMODE_READ)
> +                       inode->i_pipe->readers++;
> +               if (filp->f_mode & FMODE_WRITE)
> +                       inode->i_pipe->writers++;
> +       }
> +
>        mutex_unlock(&inode->i_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  /*
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ