lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 31 Oct 2017 23:11:10 +0100 (CET)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     mingo@...nel.org, dvyukov@...gle.com, hpa@...or.com,
        linux-kernel@...r.kernel.org,
        bot+2af19c9e1ffe4d4ee1d16c56ae7580feaee75765@...kaller.appspotmail.com,
        torvalds@...ux-foundation.org, peterz@...radead.org,
        gratian.crisan@...com
cc:     linux-tip-commits@...r.kernel.org
Subject: Re: [tip:core/urgent] futex: Fix more put_pi_state() vs.
 exit_pi_state_list() races

On Tue, 31 Oct 2017, tip-bot for Peter Zijlstra wrote:
> Commit-ID:  d5f6ac33189af48a0dc011190af5144947a30a76
> Gitweb:     https://git.kernel.org/tip/d5f6ac33189af48a0dc011190af5144947a30a76
> Author:     Peter Zijlstra <peterz@...radead.org>
> AuthorDate: Tue, 31 Oct 2017 11:18:53 +0100
> Committer:  Ingo Molnar <mingo@...nel.org>
> CommitDate: Tue, 31 Oct 2017 11:54:52 +0100
> 
> futex: Fix more put_pi_state() vs. exit_pi_state_list() races
> 
> Dmitry (through syzbot) reported being able to trigger the WARN in
> get_pi_state() and a use-after-free on:
> 
> 	raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
> 
> Both are due to this race:
> 
>   exit_pi_state_list()				put_pi_state()
> 
>   lock(&curr->pi_lock)
>   while() {
> 	pi_state = list_first_entry(head);
> 	hb = hash_futex(&pi_state->key);
> 	unlock(&curr->pi_lock);
> 
> 						dec_and_test(&pi_state->refcount);
> 
> 	lock(&hb->lock)
> 	lock(&pi_state->pi_mutex.wait_lock)	// uaf if pi_state free'd
> 	lock(&curr->pi_lock);
> 
> 	....
> 
> 	unlock(&curr->pi_lock);
> 	get_pi_state();				// WARN; refcount==0
> 
> The problem is we take the reference count too late, and don't allow it
> being 0. Fix it by using inc_not_zero() and simply retrying the loop
> when we fail to get a refcount. In that case put_pi_state() should
> remove the entry from the list.
> 
> Reported-by: Dmitry Vyukov <dvyukov@...gle.com>
> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
> Cc: Gratian Crisan <gratian.crisan@...com>
> Cc: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Thomas Gleixner <tglx@...utronix.de>
> Cc: dvhart@...radead.org
> Cc: syzbot <bot+2af19c9e1ffe4d4ee1d16c56ae7580feaee75765@...kaller.appspotmail.com>
> Cc: syzkaller-bugs@...glegroups.com
> Fixes: c74aef2d06a9 ("futex: Fix pi_state->owner serialization")
> Link: http://lkml.kernel.org/r/20171031101853.xpfh72y643kdfhjs@hirez.programming.kicks-ass.net
> Signed-off-by: Ingo Molnar <mingo@...nel.org>

That lacks a stable tag.

Other than that a late:

Reviewed-by: Thomas Gleixner <tglx@...utronix.de>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ