| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0dcbf9c5-3c28-0f57-0069-3fe5dc3aa7f6@gmail.com>
Date: Mon, 4 Jan 2021 12:52:44 +0100
From: Christian König <ckoenig.leichtzumerken@...il.com>
To: Charan Teja Reddy <charante@...eaurora.org>,
sumit.semwal@...aro.org, christian.koenig@....com, arnd@...db.de,
linux-media@...r.kernel.org, dri-devel@...ts.freedesktop.org
Cc: linaro-mm-sig@...ts.linaro.org, linux-kernel@...r.kernel.org
Subject: Re: [Linaro-mm-sig] [PATCH] dmabuf: fix use-after-free of dmabuf's
file->f_inode
Am 04.01.21 um 12:36 schrieb Charan Teja Reddy:
> It is observed 'use-after-free' on the dmabuf's file->f_inode with the
> race between closing the dmabuf file and reading the dmabuf's debug
> info.
>
> Consider the below scenario where P1 is closing the dma_buf file
> and P2 is reading the dma_buf's debug info in the system:
>
> P1 P2
> dma_buf_debug_show()
> dma_buf_put()
> __fput()
> file->f_op->release()
> dput()
> ....
> dentry_unlink_inode()
> iput(dentry->d_inode)
> (where the inode is freed)
> mutex_lock(&db_list.lock)
> read 'dma_buf->file->f_inode'
> (the same inode is freed by P1)
> mutex_unlock(&db_list.lock)
> dentry->d_op->d_release()-->
> dma_buf_release()
> .....
> mutex_lock(&db_list.lock)
> removes the dmabuf from the list
> mutex_unlock(&db_list.lock)
>
> In the above scenario, when dma_buf_put() is called on a dma_buf, it
> first frees the dma_buf's file->f_inode(=dentry->d_inode) and then
> removes this dma_buf from the system db_list. In between P2 traversing
> the db_list tries to access this dma_buf's file->f_inode that was freed
> by P1 which is a use-after-free case.
>
> Since, __fput() calls f_op->release first and then later calls the
> d_op->d_release, move the dma_buf's db_list removal from d_release() to
> f_op->release(). This ensures that dma_buf's file->f_inode is not
> accessed after it is released.
>
> Fixes: 4ab59c3c638c ("dma-buf: Move dma_buf_release() from fops to dentry_ops")
> Signed-off-by: Charan Teja Reddy <charante@...eaurora.org>
Not an expert on the debugfs stuff in DMA-buf, but the explanation
sounds perfectly correct to me.
Acked-by: Christian König <christian.koenig@....com>
> ---
> drivers/dma-buf/dma-buf.c | 21 +++++++++++++++++----
> 1 file changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 0eb80c1..a14dcbb 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -76,10 +76,6 @@ static void dma_buf_release(struct dentry *dentry)
>
> dmabuf->ops->release(dmabuf);
>
> - mutex_lock(&db_list.lock);
> - list_del(&dmabuf->list_node);
> - mutex_unlock(&db_list.lock);
> -
> if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
> dma_resv_fini(dmabuf->resv);
>
> @@ -88,6 +84,22 @@ static void dma_buf_release(struct dentry *dentry)
> kfree(dmabuf);
> }
>
> +static int dma_buf_file_release(struct inode *inode, struct file *file)
> +{
> + struct dma_buf *dmabuf;
> +
> + if (!is_dma_buf_file(file))
> + return -EINVAL;
> +
> + dmabuf = file->private_data;
> +
> + mutex_lock(&db_list.lock);
> + list_del(&dmabuf->list_node);
> + mutex_unlock(&db_list.lock);
> +
> + return 0;
> +}
> +
> static const struct dentry_operations dma_buf_dentry_ops = {
> .d_dname = dmabuffs_dname,
> .d_release = dma_buf_release,
> @@ -413,6 +425,7 @@ static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file)
> }
>
> static const struct file_operations dma_buf_fops = {
> + .release = dma_buf_file_release,
> .mmap = dma_buf_mmap_internal,
> .llseek = dma_buf_llseek,
> .poll = dma_buf_poll,
Powered by blists - more mailing lists