lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201201042208.JHG52695.OLStHFQOFFMVJO@I-love.SAKURA.ne.jp>
Date:	Wed, 4 Jan 2012 22:08:09 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v2] kmod: Avoid deadlock by recursive kmod call.

Tetsuo Handa wrote:
> I noticed that the system deadlocks if do_execve() request by kmod() triggered
> recursive do_execve() request.
> 
> An example operation for triggering this deadlock:
> 
>   # : > /tmp/dummy
>   # chmod 755 /tmp/dummy
>   # echo /tmp/dummy > /proc/sys/kernel/hotplug
>   # modprobe whatever
> 
> Although this patch works for me, I'm not sure that this is a correct fix.
> Also, my analysis in the patch description may be wrong. Please check.

Well, we should not unconditionally prevent all vfork()ed threads from using
request_module() at search_binary_handler(). We should prevent only kernel
threads created by __call_usermodehelper(). Updated to filter only kmod threads.
--------------------
[PATCH v2] kmod: Avoid deadlock by recursive kmod call.

call_usermodehelper(UMH_WAIT_EXEC or UMH_WAIT_PROC) request depends on an
assumption that do_execve() will not trigger recursive
call_usermodehelper(UMH_WAIT_EXEC or UMH_WAIT_PROC) request, for
"khelper cannot start processing recursive call_usermodehelper() request until
do_execve() of original call_usermodehelper() request completes" but
"do_execve() of original call_usermodehelper() cannot be completed until
recursive call_usermodehelper() request completes".

There are several callers that break this assumption and lead to deadlock.
We need to make sure that do_execve() request by kmod thread does not trigger
recursive call_usermodehelper(UMH_WAIT_PROC or UMH_WAIT_EXEC).

Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
---
 include/linux/sched.h |    3 +++
 kernel/kmod.c         |   18 +++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

--- linux-3.1.7.orig/include/linux/sched.h
+++ linux-3.1.7/include/linux/sched.h
@@ -1305,6 +1305,9 @@ struct task_struct {
 	unsigned sched_reset_on_fork:1;
 	unsigned sched_contributes_to_load:1;
 
+	/* Prevent recursive kmod request. */
+	unsigned kmod_thread:1;
+
 	pid_t pid;
 	pid_t tgid;
 
--- linux-3.1.7.orig/kernel/kmod.c
+++ linux-3.1.7/kernel/kmod.c
@@ -189,6 +189,13 @@ fail:
 	do_exit(0);
 }
 
+static int call_helper(void *data)
+{
+	/* Do not trigger recursive kmod call. */
+	current->kmod_thread = 1;
+	return ____call_usermodehelper(data);
+}
+
 void call_usermodehelper_freeinfo(struct subprocess_info *info)
 {
 	if (info->cleanup)
@@ -252,7 +259,7 @@ static void __call_usermodehelper(struct
 		pid = kernel_thread(wait_for_helper, sub_info,
 				    CLONE_FS | CLONE_FILES | SIGCHLD);
 	else
-		pid = kernel_thread(____call_usermodehelper, sub_info,
+		pid = kernel_thread(call_helper, sub_info,
 				    CLONE_VFORK | SIGCHLD);
 
 	switch (wait) {
@@ -428,6 +435,15 @@ int call_usermodehelper_exec(struct subp
 		retval = -EBUSY;
 		goto out;
 	}
+	/*
+	 * We can't call wait_for_completion() if current thread was created by
+	 * call_helper(), or we will deadlock when current thread calls
+	 * request_module() from search_binary_handler().
+	 */
+	if (wait != UMH_NO_WAIT && current->kmod_thread) {
+		retval = -EBUSY;
+		goto out;
+	}
 
 	sub_info->complete = &done;
 	sub_info->wait = wait;
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ