| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jun 2021 10:06:39 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Ingo Molnar <mingo@...nel.org>
Cc: Christian Brauner <christian.brauner@...ntu.com>,
Oleg Nesterov <oleg@...hat.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Peter Zijlstra <peterz@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [GIT PULL] sigqueue cache fix
On Sun, Jun 27, 2021 at 10:14 PM Ingo Molnar <mingo@...nel.org> wrote:
>
> The most fundamental race we can have is this:
No. It's this (all on the same CPU):
sigqueue_cache_or_free():
if (!READ_ONCE(current->sigqueue_cache))
<-- Interrupt happens here
WRITE_ONCE(current->sigqueue_cache, q);
and then the interrupt sends a SIGCONT, which ends up flushing
previous process control signals, which ends up freeing them, which
ends up in sigqueue_cache_or_free() again, at which point you have
if (!READ_ONCE(current->sigqueue_cache))
WRITE_ONCE(current->sigqueue_cache, q);
again.
And both the original and the interrupting one sees a NULL
current->sigqueue_cache, so both of them will do that WRITE_ONCE(),
and when the interrupt returns, the original case will overwrite the
value that the interrupt free'd.
Boom - memory leak.
It does seem to be very small race window, and it's "only" a memory
leak, but it's a very simple example of how this cache was broken even
on UP.
Linus
Powered by blists - more mailing lists