lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87k10voo13.fsf@nanos.tec.linutronix.de>
Date:   Thu, 28 May 2020 21:30:32 +0200
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Jay Lang <jaytlang@....edu>
Cc:     jaytlang@....edu, Ingo Molnar <mingo@...hat.com>,
        Borislav Petkov <bp@...en8.de>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>,
        Christian Brauner <christian@...uner.io>,
        Andy Lutomirski <luto@...nel.org>,
        Juergen Gross <jgross@...e.com>,
        Jan Beulich <jbeulich@...e.com>,
        Benjamin Thiel <b.thiel@...teo.de>,
        Matthew Garrett <mjg59@...f.ucam.org>,
        "Peter Zijlstra \(Intel\)" <peterz@...radead.org>,
        Brian Gerst <brgerst@...il.com>,
        Marcelo Tosatti <mtosatti@...hat.com>,
        yu kuai <yukuai3@...wei.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] x86/ioperm: fix a memory leak bug

Jay,

Jay Lang <jaytlang@....edu> writes:

> In the copy_process() routine called by _do_fork(), failure to allocate
> a PID (or further along in the function) will trigger an invocation to
> exit_thread(). This is done to clean up from an earlier call to
> copy_thread_tls(). Naturally, the child task is passed into exit_thread(),
> however during the process, io_bitmap_exit() nullifies the parent's
> io_bitmap rather than the child's.
>
> As copy_thread_tls() has been called ahead of the failure, the reference
> count on the calling thread's io_bitmap is incremented as we would expect.
> However, io_bitmap_exit() doesn't accept any arguments, and thus assumes
> it should trash the current thread's io_bitmap reference rather than the
> child's. This is pretty sneaky in practice, because in all instances but
> this one, exit_thread() is called with respect to the current task and
> everything works out.
>
> A determined attacker can issue an appropriate ioctl (i.e. KDENABIO) to
> get a bitmap allocated, and force a clone3() syscall to fail by passing
> in a zeroed clone_args structure. The kernel handles the erroneous struct
> and the buggy code path is followed, and even though the parent's reference
> to the io_bitmap is trashed, the child still holds a reference and thus
> the structure will never be freed.

Nice catch! I'm sure I thought about that at some point and then forgot
again.

> Fix this by tweaking io_bitmap_exit() and its subroutines to accept a
> task_struct argument which to operate on.

> This may not be the most elegant solution, but it mitigates the
> trigger described above on an x86_64 kernel.

It's well done and straight forward and comes with a well done change
log. Appreciated!

Thanks,

        tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ