lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20211009065951.11567-1-qiang.zhang1211@gmail.com>
Date:   Sat,  9 Oct 2021 14:59:51 +0800
From:   Zqiang <qiang.zhang1211@...il.com>
To:     axboe@...nel.dk
Cc:     penguin-kernel@...ove.SAKURA.ne.jp, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org, Zqiang <qiang.zhang1211@...il.com>
Subject: [PATCH] block: fix syzbot report UAF in bdev_free_inode()

BUG: KASAN: use-after-free in bdev_free_inode+0x202/0x220
Read of size 8 at addr ffff88806e022148 by task systemd-udevd/8843
Call Trace:
 <IRQ>
 __dump_stack [inline]
 dump_stack_lvl+0xcd/0x134
 print_address_description.constprop.0.cold+0x6c/0x2d6
 __kasan_report [inline]
 kasan_report.cold+0x83/0xdf
 bdev_free_inode+0x202/0x220
 i_callback+0x3f/0x70
 rcu_do_batch [inline]
 rcu_core+0x7ab/0x1470
 __do_softirq+0x29b/0x9c2
 invoke_softirq [inline]
 __irq_exit_rcu+0x123/0x180
 irq_exit_rcu+0x5/0x20

Allocated by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track [inline]
 set_alloc_info [inline]
 ____kasan_kmalloc [inline]
 ____kasan_kmalloc [inline]
 __kasan_kmalloc+0xa1/0xd0
 kasan_kmalloc [inline]
 kmem_cache_alloc_node_trace+0x20b/0x5d0
 kmalloc_node [inline]
 kzalloc_node [inline]
 __alloc_disk_node+0x77/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

 Freed by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free [inline]
 ____kasan_slab_free [inline]
 __kasan_slab_free+0xd1/0x110
 kasan_slab_free [inline]
 __cache_free [inline]
 kfree+0x10a/0x2c0
 __alloc_disk_node+0x474/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

The xa_insert() may be return error in __alloc_disk_node(), and the disk
object will be release, however there are two operations that will release
it, kfree(disk) and iput(disk->part0->bd_inode), the iput operations
will call call_rcu(), because the rcu callback executed is an asynchronous
actionthe, so when free disk object in rcu callback, the disk object haven
been released. solve it through a unified release action.

Reported-by: syzbot+8281086e8a6fbfbd952a@...kaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zhang1211@...il.com>
---
 block/genhd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/block/genhd.c b/block/genhd.c
index 5e8aa0ab66c2..924b75d9dfa6 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1269,11 +1269,13 @@ struct gendisk *__alloc_disk_node(struct request_queue *q, int node_id,
 
 out_destroy_part_tbl:
 	xa_destroy(&disk->part_tbl);
-	iput(disk->part0->bd_inode);
 out_free_bdi:
 	bdi_put(disk->bdi);
 out_free_disk:
-	kfree(disk);
+	if (disk->part0)
+		iput(disk->part0->bd_inode);
+	else
+		kfree(disk);
 out_put_queue:
 	blk_put_queue(q);
 	return NULL;
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ