| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <964956e9-e75a-257c-ac9e-4365b2be0020@gmail.com>
Date: Tue, 27 Apr 2021 18:04:11 +0100
From: Pavel Begunkov <asml.silence@...il.com>
To: Jens Axboe <axboe@...nel.dk>, Palash Oswal <hello@...alpalash.com>
Cc: dvyukov@...gle.com, io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org, oswalpalash@...il.com,
syzbot+be51ca5a4d97f017cd50@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com, stable@...r.kernel.org
Subject: Re: [PATCH 5.13] io_uring: Check current->io_uring in
io_uring_cancel_sqpoll
On 4/27/21 6:00 PM, Jens Axboe wrote:
> On 4/27/21 11:00 AM, Pavel Begunkov wrote:
>> On 4/27/21 2:37 PM, Jens Axboe wrote:
>>> On 4/27/21 6:51 AM, Palash Oswal wrote:
>>>> syzkaller identified KASAN: null-ptr-deref Write in
>>>> io_uring_cancel_sqpoll on v5.12
>>>>
>>>> io_uring_cancel_sqpoll is called by io_sq_thread before calling
>>>> io_uring_alloc_task_context. This leads to current->io_uring being
>>>> NULL. io_uring_cancel_sqpoll should not have to deal with threads
>>>> where current->io_uring is NULL.
>>>>
>>>> In order to cast a wider safety net, perform input sanitisation
>>>> directly in io_uring_cancel_sqpoll and return for NULL value of
>>>> current->io_uring.
>>>
>>> Thanks applied - I augmented the commit message a bit.
>>
>> btw, does it fixes the replied before syz report? Should
>> syz fix or tag it if so.
>> Reported-by: syzbot+be51ca5a4d97f017cd50@...kaller.appspotmail.com
>
> That tag was already there.
Oh, right, missed it
--
Pavel Begunkov
Powered by blists - more mailing lists