| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200303073358.57799-1-cengiz@kernel.wtf>
Date: Tue, 3 Mar 2020 10:33:59 +0300
From: Cengiz Can <cengiz@...nel.wtf>
To: Jens Axboe <axboe@...nel.dk>, Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...hat.com>
Cc: linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
Cengiz Can <cengiz@...nel.wtf>
Subject: [PATCH] blktrace: fix dereference after null check
There was a recent change in blktrace.c that added a RCU protection to
`q->blk_trace` in order to fix a use-after-free issue during access.
However the change missed an edge case that can lead to dereferencing of
`bt` pointer even when it's NULL:
```
bt->act_mask = value; // bt can still be NULL here
```
Added a reassignment into the NULL check block to fix the issue.
Fixes: c780e86dd48 ("blktrace: Protect q->blk_trace with RCU")
Signed-off-by: Cengiz Can <cengiz@...nel.wtf>
---
Huge thanks goes to Steven Rostedt for his assistance.
kernel/trace/blktrace.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 4560878f0bac..29ea88f10b87 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1896,8 +1896,10 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev,
}
ret = 0;
- if (bt == NULL)
+ if (bt == NULL) {
ret = blk_trace_setup_queue(q, bdev);
+ bt = q->blk_trace;
+ }
if (ret == 0) {
if (attr == &dev_attr_act_mask)
--
2.25.1
Powered by blists - more mailing lists