lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cfe550cf-301a-92c4-7270-6a50ea3ed19c@redhat.com>
Date:   Fri, 12 Mar 2021 14:33:37 +0800
From:   Jason Wang <jasowang@...hat.com>
To:     Stefano Garzarella <sgarzare@...hat.com>,
        virtualization@...ts.linux-foundation.org
Cc:     netdev@...r.kernel.org, Zhu Lingshan <lingshan.zhu@...el.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        linux-kernel@...r.kernel.org, kvm@...r.kernel.org
Subject: Re: [PATCH 1/2] vhost-vdpa: fix use-after-free of v->config_ctx


On 2021/3/11 9:52 下午, Stefano Garzarella wrote:
> When the 'v->config_ctx' eventfd_ctx reference is released we didn't
> set it to NULL. So if the same character device (e.g. /dev/vhost-vdpa-0)
> is re-opened, the 'v->config_ctx' is invalid and calling again
> vhost_vdpa_config_put() causes use-after-free issues like the
> following refcount_t underflow:
>
>      refcount_t: underflow; use-after-free.
>      WARNING: CPU: 2 PID: 872 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0
>      RIP: 0010:refcount_warn_saturate+0xae/0xf0
>      Call Trace:
>       eventfd_ctx_put+0x5b/0x70
>       vhost_vdpa_release+0xcd/0x150 [vhost_vdpa]
>       __fput+0x8e/0x240
>       ____fput+0xe/0x10
>       task_work_run+0x66/0xa0
>       exit_to_user_mode_prepare+0x118/0x120
>       syscall_exit_to_user_mode+0x21/0x50
>       ? __x64_sys_close+0x12/0x40
>       do_syscall_64+0x45/0x50
>       entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Fixes: 776f395004d8 ("vhost_vdpa: Support config interrupt in vdpa")
> Cc: lingshan.zhu@...el.com
> Cc: stable@...r.kernel.org
> Signed-off-by: Stefano Garzarella <sgarzare@...hat.com>


Acked-by: Jason Wang <jasowang@...hat.com>


> ---
>   drivers/vhost/vdpa.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
> index ef688c8c0e0e..00796e4ecfdf 100644
> --- a/drivers/vhost/vdpa.c
> +++ b/drivers/vhost/vdpa.c
> @@ -308,8 +308,10 @@ static long vhost_vdpa_get_vring_num(struct vhost_vdpa *v, u16 __user *argp)
>   
>   static void vhost_vdpa_config_put(struct vhost_vdpa *v)
>   {
> -	if (v->config_ctx)
> +	if (v->config_ctx) {
>   		eventfd_ctx_put(v->config_ctx);
> +		v->config_ctx = NULL;
> +	}
>   }
>   
>   static long vhost_vdpa_set_config_call(struct vhost_vdpa *v, u32 __user *argp)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ