Date:   Sat,  9 Oct 2021 14:59:51 +0800
From:   Zqiang <qiang.zhang1211@...il.com>
To:     axboe@...nel.dk
Cc:     penguin-kernel@...ove.SAKURA.ne.jp, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org, Zqiang <qiang.zhang1211@...il.com>
Subject: [PATCH] block: fix syzbot report UAF in bdev_free_inode()

BUG: KASAN: use-after-free in bdev_free_inode+0x202/0x220
Read of size 8 at addr ffff88806e022148 by task systemd-udevd/8843
Call Trace:
 <IRQ>
 __dump_stack [inline]
 dump_stack_lvl+0xcd/0x134
 print_address_description.constprop.0.cold+0x6c/0x2d6
 __kasan_report [inline]
 kasan_report.cold+0x83/0xdf
 bdev_free_inode+0x202/0x220
 i_callback+0x3f/0x70
 rcu_do_batch [inline]
 rcu_core+0x7ab/0x1470
 __do_softirq+0x29b/0x9c2
 invoke_softirq [inline]
 __irq_exit_rcu+0x123/0x180
 irq_exit_rcu+0x5/0x20

Allocated by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track [inline]
 set_alloc_info [inline]
 ____kasan_kmalloc [inline]
 ____kasan_kmalloc [inline]
 __kasan_kmalloc+0xa1/0xd0
 kasan_kmalloc [inline]
 kmem_cache_alloc_node_trace+0x20b/0x5d0
 kmalloc_node [inline]
 kzalloc_node [inline]
 __alloc_disk_node+0x77/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

 Freed by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free [inline]
 ____kasan_slab_free [inline]
 __kasan_slab_free+0xd1/0x110
 kasan_slab_free [inline]
 __cache_free [inline]
 kfree+0x10a/0x2c0
 __alloc_disk_node+0x474/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

xa_insert() may return an error in __alloc_disk_node(), and the disk
object will then be released. However, there are two operations that will
release it, kfree(disk) and iput(disk->part0->bd_inode). The iput operation
will call call_rcu(), and because the RCU callback is executed
asynchronously, when the disk object is freed in the RCU callback, the disk
object has already been released. Solve it through a unified release action.

Reported-by: syzbot+8281086e8a6fbfbd952a@...kaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zhang1211@...il.com>
---
 block/genhd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/block/genhd.c b/block/genhd.c
index 5e8aa0ab66c2..924b75d9dfa6 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1269,11 +1269,13 @@ struct gendisk *__alloc_disk_node(struct request_queue *q, int node_id,
 
 out_destroy_part_tbl:
 	xa_destroy(&disk->part_tbl);
-	iput(disk->part0->bd_inode);
 out_free_bdi:
 	bdi_put(disk->bdi);
 out_free_disk:
-	kfree(disk);
+	if (disk->part0)
+		iput(disk->part0->bd_inode);
+	else
+		kfree(disk);
 out_put_queue:
 	blk_put_queue(q);
 	return NULL;
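
Review bot: In the new `out_free_disk` block, the `disk->part0` branch leaves the final free of `disk` to the inode's RCU callback, while `xa_destroy(&disk->part_tbl)` and `bdi_put(disk->bdi)` above it still run synchronously on the same error path. The KASAN trace shows bdev_free_inode() reading the disk object from that callback, so please confirm it does not also drop the bdi reference or release anything else this path has already released; if it does, the patch trades one double release for another. A short comment at `out_free_disk` stating that once part0 exists the inode owns the disk and iput() is what frees it would also help, since `if (disk->part0) ... else kfree(disk);` reads like a leak at first sight.
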
-- 
2.17.1
