| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f8152ef5-f71d-b8b6-fe9e-6a8678930775@monom.org>
Date: Wed, 15 Apr 2020 21:05:14 +0200
From: Daniel Wagner <wagi@...om.org>
To: Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Matt Fleming <matt@...eblueprint.co.uk>
Cc: linux-rt@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RT] signal: Prevent double-free of user struct
Hi Sebastian,
On 15.04.20 18:46, Sebastian Andrzej Siewior wrote:
> On 2020-04-07 10:54:13 [+0100], Matt Fleming wrote:
>> The way user struct reference counting works changed significantly with,
>>
>> fda31c50292a ("signal: avoid double atomic counter increments for user accounting")
>>
>> Now user structs are only freed once the last pending signal is
>> dequeued. Make sigqueue_free_current() follow this new convention to
>> avoid freeing the user struct multiple times and triggering this
>> warning:
>>
>> refcount_t: underflow; use-after-free.
>> WARNING: CPU: 0 PID: 6794 at lib/refcount.c:288 refcount_dec_not_one+0x45/0x50
>> Call Trace:
>> refcount_dec_and_lock_irqsave+0x16/0x60
>> free_uid+0x31/0xa0
>> ? schedule_hrtimeout_range_clock+0x104/0x110
>> __dequeue_signal+0x17c/0x190
>> dequeue_signal+0x5a/0x1b0
>> do_sigtimedwait+0x208/0x250
>> __x64_sys_rt_sigtimedwait+0x6f/0xd0
>> do_syscall_64+0x72/0x200
>> entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> While all this sounds reasonable, may I ask what did you do to trigger
> this?
This can be triggered by running sigwaittest.
# sigwaittest -t -a -p 98
a few seconds should be enough to get the splat.
> This is v5.6 only, correct?
I've seen this also with a frankstein version of 5.2-rt...v5-4-rt :)
Thanks,
Daniel
Powered by blists - more mailing lists