| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Aug 2018 22:39:47 +0530
From: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
To: LKML <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
Dmitry Torokhov <dmitry.torokhov@...il.com>,
"David S . Miller" <davem@...emloft.net>
Subject: [PATCH] kobject: Access kobject name with caution if state is not initialized
If kobject state is not initialized, then its not even certain that
kobject'name is initialized. Hence when accessing the kobject's name
tread carefully.
A stupid module test like
https://github.com/srikard/tests/blob/master/modules/kobject_test.c
can panic the system.
With patch: We will see the correct warning.
[ 2058.129913] ------------[ cut here ]------------
[ 2058.129919] kobject: ' ' (00000000ad405b63): is not initialized, yet kobject_get() is being called.
[ 2058.129938] WARNING: CPU: 58 PID: 18529 at /home/srikar/work/linux.git/lib/kobject.c:620 kobject_get+0x90/0xb0
[ 2058.129946] Modules linked in: kobject_test(OE+) uio_pdrv_genirq(E) uio(E) leds_powernv(E) powernv_op_panel(E) ipmi_powernv(E) ipmi_devintf(E) powernv_rng(E) ibmpowernv(E) ipmi_msghandler(E) vmx_crypto(E) crct10dif_vpmsum(E) sch_fq_codel(E) ip_tables(E) x_tables(E) autofs4(E) ses enclosure scsi_transport_sas mlx4_ib mlx4_en ib_core lpfc crc32c_vpmsum mlx4_core nvmet_fc nvmet nvme_fc ipr nvme_fabrics devlink scsi_transport_fc tg3 [last unloaded: module_test]
[ 2058.130014] CPU: 58 PID: 18529 Comm: insmod Tainted: G W OEL 4.18.0-master+ #3
[ 2058.130022] NIP: c000000000d5f530 LR: c000000000d5f52c CTR: 0000000000000000
[ 2058.130029] REGS: c000002fd32f3640 TRAP: 0700 Tainted: G W OEL (4.18.0-master+)
[ 2058.130036] MSR: 9000000002029033 <SF,HV,VEC,EE,ME,IR,DR,RI,LE> CR: 48002282 XER: 20000000
[ 2058.130054] CFAR: c000000000114e10 IRQMASK: 0
GPR00: c000000000d5f52c c000002fd32f38c0 c0000000017bc200 0000000000000057
GPR04: 0000000000000001 000000000000107e 9000000002009033 00000000000000f2
GPR08: 0000000000000007 0000000000000007 0000000000000001 9000000002001003
GPR12: 0000000000002200 c000002ffffe0d00 0000000000000000 0000000000000000
GPR16: 0000000000000000 c0000000001e92e0 0000000000000000 0000000000000100
GPR20: 0000000000000001 c000000001662e60 c000000001662ed8 c000002feb4114a0
GPR24: 0000000000000001 c000000000dbd438 c000000001662ea0 c000000001662ec0
GPR28: c000002fe5f0cea0 d00000001ded03d0 c000002fd32f39a0 c000002fd32f39a0
[ 2058.130133] NIP [c000000000d5f530] kobject_get+0x90/0xb0
[ 2058.130140] LR [c000000000d5f52c] kobject_get+0x8c/0xb0
[ 2058.130146] Call Trace:
[ 2058.130150] [c000002fd32f38c0] [c000000000d5f52c] kobject_get+0x8c/0xb0 (unreliable)
[ 2058.130159] [c000002fd32f3940] [d00000001ded0088] kobject_test_init+0x80/0xb0 [kobject_test]
[ 2058.130168] [c000002fd32f39f0] [c0000000000101f8] do_one_initcall+0x58/0x240
[ 2058.130178] [c000002fd32f3ab0] [c0000000001ef2b0] do_init_module+0x90/0x260
[ 2058.130186] [c000002fd32f3b40] [c0000000001edec8] load_module+0x2d88/0x3320
[ 2058.130193] [c000002fd32f3d20] [c0000000001ee764] sys_finit_module+0xc4/0x130
[ 2058.130204] [c000002fd32f3e30] [c00000000000b288] system_call+0x5c/0x70
[ 2058.130210] Instruction dump:
[ 2058.130215] e89f0000 4b5b4c15 60000000 2f830000 419e0030 3c82ff8c 388491e0 3c62ff90
[ 2058.130228] 7fe5fb78 3863e9b0 4b3b5881 60000000 <0fe00000> e8010090 7c0803a6 4bffff88
[ 2058.130240] ---[ end trace 0f471c192555a013 ]---
[ 2070.084234] kobject_test module unloaded
Signed-off-by: Srikar Dronamraju <srikar@...ux.vnet.ibm.com>
---
lib/kobject.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/lib/kobject.c b/lib/kobject.c
index 389829d3a1d1..2d65be37fd7b 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -16,6 +16,7 @@
#include <linux/stat.h>
#include <linux/slab.h>
#include <linux/random.h>
+#include <linux/uaccess.h>
/**
* kobject_namespace - return @kobj's namespace tag
@@ -417,8 +418,11 @@ int kobject_add(struct kobject *kobj, struct kobject *parent,
return -EINVAL;
if (!kobj->state_initialized) {
+ char tmp;
+ int ret = probe_kernel_address(kobject_name(kobj), tmp);
+
pr_err("kobject '%s' (%p): tried to add an uninitialized object, something is seriously wrong.\n",
- kobject_name(kobj), kobj);
+ ret ? " " : kobject_name(kobj), kobj);
dump_stack();
return -EINVAL;
}
@@ -606,10 +610,14 @@ EXPORT_SYMBOL(kobject_del);
struct kobject *kobject_get(struct kobject *kobj)
{
if (kobj) {
- if (!kobj->state_initialized)
+ if (!kobj->state_initialized) {
+ char tmp;
+ int ret = probe_kernel_address(kobject_name(kobj), tmp);
+
WARN(1, KERN_WARNING
"kobject: '%s' (%p): is not initialized, yet kobject_get() is being called.\n",
- kobject_name(kobj), kobj);
+ ret ? " " : kobject_name(kobj), kobj);
+ }
kref_get(&kobj->kref);
}
return kobj;
@@ -701,10 +709,14 @@ static void kobject_release(struct kref *kref)
void kobject_put(struct kobject *kobj)
{
if (kobj) {
- if (!kobj->state_initialized)
+ if (!kobj->state_initialized) {
+ char tmp;
+ int ret = probe_kernel_address(kobject_name(kobj), tmp);
+
WARN(1, KERN_WARNING
"kobject: '%s' (%p): is not initialized, yet kobject_put() is being called.\n",
- kobject_name(kobj), kobj);
+ ret ? " " : kobject_name(kobj), kobj);
+ }
kref_put(&kobj->kref, kobject_release);
}
}
--
2.17.1
Powered by blists - more mailing lists