lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ff8ab9da-6548-647a-a375-4aab13e86c74@gmail.com>
Date:   Tue, 11 Feb 2020 14:43:53 +0300
From:   Pavel Begunkov <asml.silence@...il.com>
To:     David Laight <David.Laight@...LAB.COM>,
        Jens Axboe <axboe@...nel.dk>,
        "io-uring@...r.kernel.org" <io-uring@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] io_uring: fix iovec leaks

On 2/11/2020 2:16 PM, David Laight wrote:
> From: Pavel Begunkov
>> Sent: 11 February 2020 11:05
>> On 2/11/2020 1:07 PM, David Laight wrote:
>>> From: Pavel Begunkov
>>>> Sent: 07 February 2020 19:05
>>>> Allocated iovec is freed only in io_{read,write,send,recv)(), and just
>>>> leaves it if an error occured. There are plenty of such cases:
>>>> - cancellation of non-head requests
>>>> - fail grabbing files in __io_queue_sqe()
>>>> - set REQ_F_NOWAIT and returning in __io_queue_sqe()
>>>> - etc.
>>>>
>>>> Add REQ_F_NEED_CLEANUP, which will force such requests with custom
>>>> allocated resourses go through cleanup handlers on put.
>>>
>>> This looks horribly fragile.
>>
>> Well, not as horrible as it may appear -- set the flag, whenever you
>> want the corresponding destructor to be called, and clear it when is not
>> needed anymore.
>>
>> I'd love to have something better, maybe even something more intrusive
>> for-next, but that shouldn't hurt the hot path. Any ideas?
> 
> Given all the 'cud chewing' that happens in code paths
> like the one that read iov from userspace just adding:
> 
> 	if (unlikely(foo->ptr))
> 		kfree(foo->ptr);
> 
> before 'foo' goes out of scope (or is reused) is probably
> not measurable.

There are a bunch of problems with it:

1. "out of scope" may end up in the generic code, but not opcode
handler, so the deallocation should be in the generic path, otherwise
it'll leak.

2. @iovec is an opcode-specific thing, so you would need to call a
proper destructor. And that's an indirect call or a switch (as in the
cleanup()) in the hot path.

2. we may need several such resources and/or other resource types (e.g.
struct file, which is needed for splice(2).

4. such fields are not initialised until custom opcode handler came to
the scene. And I'm not sure zeroing will solve all cases and won't hurt
performance. Workarounds with something like REQ_F_INITIALISED are not
much better.

That's why I think it's good enough for an immediate fix, it solves the
issue and is easy to be backported. It'd be great to look for a more
gracious approach, but that's most probably for 5.7

> 
> 	David
> 
> -
> Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
> Registration No: 1397386 (Wales)
> 

-- 
Pavel Begunkov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ