lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2375c9f90910210238i744fec42gb4d9a1c5229696f0@mail.gmail.com> Date: Wed, 21 Oct 2009 17:38:22 +0800 From: Américo Wang <xiyou.wangcong@...il.com> To: Earl Chew <earl_chew@...lent.com> Cc: linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH v4 1/1]: fs: pipe.c null pointer dereference + really sign off + unmangled diffs On Tue, Oct 20, 2009 at 6:55 AM, Earl Chew <earl_chew@...lent.com> wrote: > [ Exactly as before, but really sign off and tabs preserved ] > > > This patch fixes a null pointer exception in pipe_rdwr_open() which > generates the stack trace: > > >> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP: >> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70 >> [<ffffffff8028125c>] __dentry_open+0x13c/0x230 >> [<ffffffff8028143d>] do_filp_open+0x2d/0x40 >> [<ffffffff802814aa>] do_sys_open+0x5a/0x100 >> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67 > > > The failure mode is triggered by an attempt to open an anonymous > pipe via /proc/pid/fd/* as exemplified by this script: > > ============================================================= > #!/bin/sh > while : ; do > { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } & > PID=$! > OUT=$(ps -efl | grep 'sleep 1' | grep -v grep | > { read PID REST ; echo $PID; } ) > OUT="${OUT%% *}" Well, you can use 'pgrep', it will save you a lot here. Try: pgrep -f 'sleep 1' -n > DELAY=$((RANDOM * 1000 / 32768)) > usleep $((DELAY * 1000 + RANDOM % 1000 )) > echo n > /proc/$OUT/fd/1 # Trigger defect > done > ============================================================= > This still has very little chance to trigger it, I am afraid. I tried on my machine, didn't get any oops. Trying to use C to write it may be better. > Note that the failure window is quite small and I could only > reliably reproduce the defect by inserting a small delay > in pipe_rdwr_open(). For example: > > static int > pipe_rdwr_open(struct inode *inode, struct file *filp) > { > msleep(100); > mutex_lock(&inode->i_mutex); > > > Although the defect was observed in pipe_rdwr_open(), I think it > makes sense to replicate the change through all the pipe_*_open() > functions. > > The core of the change is to verify that inode->i_pipe has not > been released before attempting to manipulate it. If inode->i_pipe > is no longer present, return ENOENT to indicate so. > > The comment about potentially using atomic_t for i_pipe->readers > and i_pipe->writers has also been removed because it is no longer > relevant in this context. The inode->i_mutex lock must be used so > that inode->i_pipe can be dealt with correctly. So, if I understand you correctly, you mean we have a small window between calling sys_open() and fifo_open(), during this little period, we don't have i_mutex held, thun another process have a chance to release that pipe and make i_pipe NULL. Right? Hmm, sounds reasonable. :-/ I'd like you to put the explanations into the code, as comments. > > > Signed-off-by: Earl Chew <earl_chew@...lent.com> Add some Cc, fs-devel and Al. > > > --- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15 20:33:53.000000000 -0700 > +++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700 > @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s > static int > pipe_read_open(struct inode *inode, struct file *filp) > { > - /* We could have perhaps used atomic_t, but this and friends > - below are the only places. So it doesn't seem worthwhile. */ > + int ret = -ENOENT; > + > mutex_lock(&inode->i_mutex); > - inode->i_pipe->readers++; > + > + if (inode->i_pipe) { > + ret = 0; > + inode->i_pipe->readers++; > + } > + > mutex_unlock(&inode->i_mutex); > > - return 0; > + return ret; > } > > static int > pipe_write_open(struct inode *inode, struct file *filp) > { > + int ret = -ENOENT; > + > mutex_lock(&inode->i_mutex); > - inode->i_pipe->writers++; > + > + if (inode->i_pipe) { > + ret = 0; > + inode->i_pipe->writers++; > + } > + > mutex_unlock(&inode->i_mutex); > > - return 0; > + return ret; > } > > static int > pipe_rdwr_open(struct inode *inode, struct file *filp) > { > + int ret = -ENOENT; > + > mutex_lock(&inode->i_mutex); > - if (filp->f_mode & FMODE_READ) > - inode->i_pipe->readers++; > - if (filp->f_mode & FMODE_WRITE) > - inode->i_pipe->writers++; > + > + if (inode->i_pipe) { > + ret = 0; > + if (filp->f_mode & FMODE_READ) > + inode->i_pipe->readers++; > + if (filp->f_mode & FMODE_WRITE) > + inode->i_pipe->writers++; > + } > + > mutex_unlock(&inode->i_mutex); > > - return 0; > + return ret; > } > > /* > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists