lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 27 May 2020 18:15:10 -0700
From:   Bart Van Assche <bvanassche@....org>
To:     Luis Chamberlain <mcgrof@...nel.org>,
        Christoph Hellwig <hch@...radead.org>
Cc:     axboe@...nel.dk, viro@...iv.linux.org.uk,
        gregkh@...uxfoundation.org, rostedt@...dmis.org, mingo@...hat.com,
        jack@...e.cz, ming.lei@...hat.com, nstange@...e.de,
        akpm@...ux-foundation.org, mhocko@...e.com, yukuai3@...wei.com,
        linux-block@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        Omar Sandoval <osandov@...com>,
        Hannes Reinecke <hare@...e.com>,
        Michal Hocko <mhocko@...nel.org>,
        syzbot+603294af2d01acfdd6da@...kaller.appspotmail.com
Subject: Re: [PATCH v5 5/7] blktrace: fix debugfs use after free

On 2020-05-26 20:12, Luis Chamberlain wrote:
> +	/*
> +	 * Blktrace needs a debugsfs name even for queues that don't register
> +	 * a gendisk, so it lazily registers the debugfs directory.  But that
> +	 * can get us into a situation where a SCSI device is found, with no
> +	 * driver for it (yet).  Then blktrace is used on the device, creating
> +	 * the debugfs directory, and only after that a drivers is loaded. In
                                                        ^^^^^^^
                                                        driver?

> @@ -494,6 +490,38 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
>  	 */
>  	strreplace(buts->name, '/', '_');
>  
> +	/*
> +	 * We also have to use a partition directory if a partition is
> +	 * being worked on, even though the same request_queue is shared.
> +	 */
> +	if (bdev && bdev != bdev->bd_contains)
> +		dir = bdev->bd_part->debugfs_dir;

Please balance braces in if-statements as required by the kernel coding style.

> +	else {
> +		/*
> +		 * For queues that do not have a gendisk attached to them, the
> +		 * debugfs directory will not have been created at setup time.
> +		 * Create it here lazily, it will only be removed when the
> +		 * queue is torn down.
> +		 */

Is the above comment perhaps a reference to blk_register_queue()? If so, please
mention the name of that function explicitly.

> +		if (!q->debugfs_dir) {
> +			q->debugfs_dir =
> +				debugfs_create_dir(buts->name,
> +						   blk_debugfs_root);
> +		}
> +		dir = q->debugfs_dir;
> +	}
> +
> +	/*
> +	 * As blktrace relies on debugfs for its interface the debugfs directory
> +	 * is required, contrary to the usual mantra of not checking for debugfs
> +	 * files or directories.
> +	 */
> +	if (IS_ERR_OR_NULL(q->debugfs_dir)) {
> +		pr_warn("debugfs_dir not present for %s so skipping\n",
> +			buts->name);
> +		return -ENOENT;
> +	}

How are do_blk_trace_setup() calls serialized against the debugfs directory
creation code in blk_register_queue()? Perhaps via q->blk_trace_mutex? Are
mutex lock and unlock calls for that mutex perhaps missing from
compat_blk_trace_setup()?

How about adding a lockdep_assert_held(&q->blk_trace_mutex) statement in
do_blk_trace_setup()?

Thanks,

Bart.

Powered by blists - more mailing lists