| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d11bc954-5a30-e6bd-1668-866a187e0aac@i-love.sakura.ne.jp>
Date: Thu, 25 Oct 2018 22:14:59 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Oleg Nesterov <oleg@...hat.com>
Cc: serge@...lyn.com,
syzbot <syzbot+a9ac39bf55329e206219@...kaller.appspotmail.com>,
jmorris@...ei.org, keescook@...omium.org,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in task_is_descendant
On 2018/10/25 21:17, Oleg Nesterov wrote:
>>> And yes, task_is_descendant() can hit the dead child, if nothing else it can
>>> be killed. This can explain the kasan report.
>>
>> The kasan is reporting that child->real_parent (or maybe child->real_parent->real_parent
>> or child->real_parent->real_parent->real_parent ...) was pointing to already freed memory,
>> isn't it?
>
> Yes. and you know, I am all confused. I no longer can understand you :/
Why don't we need to check every time like shown below?
Why checking only once is sufficient?
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -285,7 +285,7 @@ static int task_is_descendant(struct task_struct *parent,
rcu_read_lock();
if (!thread_group_leader(parent))
parent = rcu_dereference(parent->group_leader);
- while (walker->pid > 0) {
+ while (pid_alive(walker) && walker->pid > 0) {
if (!thread_group_leader(walker))
walker = rcu_dereference(walker->group_leader);
if (walker == parent) {
Powered by blists - more mailing lists