Message-ID: <20150116104644.GW23965@worktop.programming.kicks-ass.net>
Date:	Fri, 16 Jan 2015 11:46:44 +0100
From:	Peter Zijlstra <peterz@...radead.org>
To:	Jiri Olsa <jolsa@...hat.com>
Cc:	Vince Weaver <vince@...ter.net>, Ingo Molnar <mingo@...hat.com>,
	Andi Kleen <ak@...ux.intel.com>, linux-kernel@...r.kernel.org
Subject: Re: perf fuzzer crash [PATCH] perf: Get group events reference before moving the group

On Fri, Jan 16, 2015 at 08:57:46AM +0100, Jiri Olsa wrote:
> We need to make sure, that no event in the group lost
> the last reference and gets removed from the context
> during the group move in perf syscall.
> 
> This could happen if the child exits and calls put_event
> on the parent event which got already closed, like in
> following scenario:
> 
>   - T1 creates software event E1
>   - T1 creates other software events as group with E1 as group leader
>   - T1 forks T2
>   - T2 has cloned E1 event that holds reference on E1
>   - T1 closes event within E1 group (say E3), the event stays alive
>     due to the T2 reference
>   - following happens concurrently:
>     A) T1 creates hardware event E2 with groupleader E1
>     B) T2 exits
> 
> ad A) T1 triggers the E1 group move into hardware context:
>         mutex_lock(E1->ctx)
>           - remove E1 group only from the E1->ctx context, leaving
>             the group links untouched
>         mutex_unlock(E1->ctx)
>         mutex_lock(E2->ctx)
>           - install E1 group into E2->ctx using the E1 group links
>         mutex_unlock(E2->ctx)
> 
> ad B) put_event(E3) is called and E3 is removed from E1->ctx
>       completely, including group links
> 
> If 'A' and 'B' race, we will get unbalanced refcounts,
> because of removed group links.
> 
> Adding get_group/put_group functions to handle the event
> ref's increase/decrease for the whole group.

It's a bandaid at best :/ The problem is (again) that we change
event->ctx without any kind of serialization.

The issue came up before:

  https://lkml.org/lkml/2014/9/5/397

and I've not been able to come up with anything much saner.