lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 9 Oct 2021 12:00:37 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     Wang Hai <wanghai38@...wei.com>
Cc:     jpoimboe@...hat.com, jbaron@...mai.com, rostedt@...dmis.org,
        ardb@...nel.org, mingo@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] static_call: fix null-ptr-deref in static_call_del_module

On Sat, Oct 09, 2021 at 03:44:28PM +0800, Wang Hai wrote:
> I got a NULL pointer dereference report when doing fault injection test:
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000009
> ...
> RIP: 0010:static_call_del_module+0x7a/0x100
> ...
> Call Trace:
>  static_call_module_notify+0x1e1/0x200
>  notifier_call_chain_robust+0x6f/0xe0
>  blocking_notifier_call_chain_robust+0x4e/0x70
>  load_module+0x21f7/0x2b60
>  __do_sys_finit_module+0xb0/0xf0
>  ? __do_sys_finit_module+0xb0/0xf0
>  __x64_sys_finit_module+0x1a/0x20
>  do_syscall_64+0x34/0xb0
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> When loading a module, if it fails to allocate memory for static
> calls, it will delete the non-existent mods (mods == 1) in the
> static_call_module_notify()'s error path.
> 
> static_call_module_notify
> 	static_call_add_module
> 		__static_call_init
> 			site_mod = kzalloc() // fault injection
> 	static_call_del_module // access non-existent mods
> 
> This patch fixes the bug by skipping the operation when the key
> has no mods.
> 
> Fixes: a945c8345ec0 ("static_call: Allow early init")
> Signed-off-by: Wang Hai <wanghai38@...wei.com>
> ---
>  kernel/static_call.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/static_call.c b/kernel/static_call.c
> index 43ba0b1e0edb..c3f8ffc5a52f 100644
> --- a/kernel/static_call.c
> +++ b/kernel/static_call.c
> @@ -400,7 +400,7 @@ static void static_call_del_module(struct module *mod)
>  
>  	for (site = start; site < stop; site++) {
>  		key = static_call_key(site);
> -		if (key == prev_key)
> +		if (key == prev_key || !static_call_key_has_mods(key))
>  			continue;
>  
>  		prev_key = key;

Should you not update prev_key in that case? Also have you looked at
jump_label_del_module() which is very similar in construction?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ