lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHC9VhSXJZs=f6u8m3P3PcA3PJPUMGei+vBZzLe1fvzRo90iHw@mail.gmail.com>
Date:   Tue, 24 Aug 2021 18:58:31 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Richard Guy Briggs <rgb@...hat.com>
Cc:     Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Eric Paris <eparis@...isplace.org>,
        Steve Grubb <sgrubb@...hat.com>, Jan Kara <jack@...e.cz>,
        Will Deacon <will@...nel.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Seiji Nishikawa <snishika@...hat.com>
Subject: Re: [ghak-trim PATCH v1] audit: move put_tree() to avoid trim_trees
 refcount underflow and UAF

On Mon, Aug 23, 2021 at 10:05 PM Richard Guy Briggs <rgb@...hat.com> wrote:
>
> AUDIT_TRIM is expected to be idempotent, but multiple executions resulted in a
> refcount underflow and use-after-free.
>
> git bisect fingered commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca (2019-11)
>         ("locking/refcount: Consolidate implementations of refcount_t")
> but this patch with its more thorough checking that wasn't in the x86 assembly
> code merely exposed a previously existing tree refcount imbalance in the case
> of tree trimming code that was refactored with prune_one() to remove a tree
> introduced in commit 8432c70062978d9a57bde6715496d585ec520c3e (2018-11)
>         ("audit: Simplify locking around untag_chunk()")
>
> Move the put_tree() to cover only the prune_one() case.
>
> Passes audit-testsuite and 3 passes of "auditctl -t" with at least one
> directory watch.
>
> Fixes: 8432c7006297 ("audit: Simplify locking around untag_chunk()")
> Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
> Cc: Jan Kara <jack@...e.cz>
> Cc: Will Deacon <will@...nel.org>
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Seiji Nishikawa <snishika@...hat.com>
> ---
>  kernel/audit_tree.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

First a quick comment about the commit description, when referencing
specific commits in the description please use the same format that
you used in the "Fixes:" tag; it makes the description easier to read.
No need to resend, I fixed it when I merged your patch, but something
to keep in mind for the future.

As for the patch itself, thanks for finding this and sending a fix.
Normally this is something I would send up to Linus at the end of the
week during the -rcX phase, but since we are currently at -rc7 I'm
going to simply add the -stable marking and merge it into audit/next
to get pushed up to Linus early next week, assuming we see v5.14
released this Sunday.  If for some reason we see a v5.14-rc8 next week
I'll adjust things and send it to Linus as a -stable patch.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ