lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 21 Dec 2017 14:40:43 +0100
From:   Miroslav Benes <mbenes@...e.cz>
To:     jpoimboe@...hat.com, jeyu@...nel.org, jikos@...nel.org
Cc:     pmladek@...e.com, jbaron@...mai.com, live-patching@...r.kernel.org,
        linux-kernel@...r.kernel.org, Miroslav Benes <mbenes@...e.cz>
Subject: [PATCH v2] livepatch: add locking to force and signal functions

klp_send_signals() and klp_force_transition() do not acquire klp_mutex,
because it seemed to be superfluous. A potential race in
klp_send_signals() was harmless and there was nothing in
klp_force_transition() which needed to be synchronized. That changed
with the addition of klp_forced variable during the review process.

There is a small window now, when klp_complete_transition() does not see
klp_forced set to true while all tasks have been already transitioned to
the target state. module_put() is called and the module can be removed.

Acquire klp_mutex in sysfs callback to prevent it. Do the same for the
signal sending just to be sure. There is no real downside to that.

Reported-by: Jason Baron <jbaron@...mai.com>
Signed-off-by: Miroslav Benes <mbenes@...e.cz>
---
Changes v1->v2:
- Add (patch != klp_transition_patch) check to critical sections and
  move the locking to sysfs callbacks (Petr)

 kernel/livepatch/core.c | 52 ++++++++++++++++++++++++++-----------------------
 1 file changed, 28 insertions(+), 24 deletions(-)

diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 1c3c9b27c916..8fd8e8f126da 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -537,22 +537,24 @@ static ssize_t signal_store(struct kobject *kobj, struct kobj_attribute *attr,
 	int ret;
 	bool val;
 
-	patch = container_of(kobj, struct klp_patch, kobj);
-
-	/*
-	 * klp_mutex lock is not grabbed here intentionally. It is not really
-	 * needed. The race window is harmless and grabbing the lock would only
-	 * hold the action back.
-	 */
-	if (patch != klp_transition_patch)
-		return -EINVAL;
-
 	ret = kstrtobool(buf, &val);
 	if (ret)
 		return ret;
 
-	if (val)
-		klp_send_signals();
+	if (!val)
+		return count;
+
+	mutex_lock(&klp_mutex);
+
+	patch = container_of(kobj, struct klp_patch, kobj);
+	if (patch != klp_transition_patch) {
+		mutex_unlock(&klp_mutex);
+		return -EINVAL;
+	}
+
+	klp_send_signals();
+
+	mutex_unlock(&klp_mutex);
 
 	return count;
 }
@@ -564,22 +566,24 @@ static ssize_t force_store(struct kobject *kobj, struct kobj_attribute *attr,
 	int ret;
 	bool val;
 
-	patch = container_of(kobj, struct klp_patch, kobj);
-
-	/*
-	 * klp_mutex lock is not grabbed here intentionally. It is not really
-	 * needed. The race window is harmless and grabbing the lock would only
-	 * hold the action back.
-	 */
-	if (patch != klp_transition_patch)
-		return -EINVAL;
-
 	ret = kstrtobool(buf, &val);
 	if (ret)
 		return ret;
 
-	if (val)
-		klp_force_transition();
+	if (!val)
+		return count;
+
+	mutex_lock(&klp_mutex);
+
+	patch = container_of(kobj, struct klp_patch, kobj);
+	if (patch != klp_transition_patch) {
+		mutex_unlock(&klp_mutex);
+		return -EINVAL;
+	}
+
+	klp_force_transition();
+
+	mutex_unlock(&klp_mutex);
 
 	return count;
 }
-- 
2.15.1

Powered by blists - more mailing lists