| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 03 Jan 2019 15:26:28 +1100
From: Benjamin Herrenschmidt <benh@...nel.crashing.org>
To: David Howells <dhowells@...hat.com>,
Jia-Ju Bai <baijiaju1990@...il.com>
Cc: joel@....id.au, eajames@...ux.vnet.ibm.com, andrew@...id.au,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fsi:fsi-sbefifo: Fix possible concurrency
use-after-free bugs in sbefifo_user_release
On Thu, 2019-01-03 at 14:27 +1100, Benjamin Herrenschmidt wrote:
> On Wed, 2019-01-02 at 09:34 +0000, David Howells wrote:
> > Jia-Ju Bai <baijiaju1990@...il.com> wrote:
> >
> > > + mutex_lock(&user->file_lock);
> > > sbefifo_release_command(user);
> > > free_page((unsigned long)user->cmd_page);
> > > + mutex_unlock(&user->file_lock);
> >
> > It shouldn't be necessary to do the free_page() call inside the locked
> > section.
>
> True. However, I didn't realize read/write could be concurrent with
> release so we have another problem.
>
> I assume when release is called, no new read/write can be issued, I am
> correct ? So all we have to protect against is a read/write that has
> started prior to release being called, right ?
Hrm... looking briefly at the vfs, read/write are wrapped in
fdget/fdput, so release shouldn't happen concurrently or am I missing
something here ?
Cheers,
Ben.
Powered by blists - more mailing lists