lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211117181922.3e9a2329@gandalf.local.home>
Date:   Wed, 17 Nov 2021 18:19:22 -0500
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Kalesh Singh <kaleshsingh@...gle.com>
Subject: [GIT PULL] tracing: Fix double free bug

Linus,

Fix double free bug in tracing histograms

On error, the operands and the histogram expression are destroyed,
but since the destruction is recursive, do not destroy the operands
if they already belong to the expression that is about to be destroyed.


Please pull the latest trace-v5.16-rc1 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git
trace-v5.16-rc1

Tag SHA1: a34f97bfa65691c91eed55ce5f09cfaa78e05908
Head SHA1: b0cb20110d4562bcc39f49f2de4020f0caa84bdd


Kalesh Singh (1):
      tracing/histogram: Fix UAF in destroy_hist_field()

----
 kernel/trace/trace_events_hist.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
---------------------------
commit b0cb20110d4562bcc39f49f2de4020f0caa84bdd
Author: Kalesh Singh <kaleshsingh@...gle.com>
Date:   Tue Nov 16 23:34:14 2021 -0800

    tracing/histogram: Fix UAF in destroy_hist_field()
    
    Calling destroy_hist_field() on an expression will recursively free
    any operands associated with the expression. If during expression
    parsing the operands of the expression are already set when an error
    is encountered, there is no need to explicity free the operands. Doing
    so will result in destroy_hist_field() being called twice for the
    operands and lead to a use-after-free (UAF) error.
    
    Fix this by only calling destroy_hist_field() for the operands if they
    are not associated with the expression hist_field.
    
    Link: https://lkml.kernel.org/r/20211117073415.2584751-1-kaleshsingh@google.com
    
    Signed-off-by: Kalesh Singh <kaleshsingh@...gle.com>
    Fixes: 8b5d46fd7a38 ("tracing/histogram: Optimize division by constants")
    Reported-by: kernel test robot <oliver.sang@...el.com>
    Signed-off-by: Steven Rostedt (VMware) <rostedt@...dmis.org>

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index 5ea2c9ec54a6..b53ee8d566f6 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2717,8 +2717,10 @@ static struct hist_field *parse_expr(struct hist_trigger_data *hist_data,
 
 	return expr;
 free:
-	destroy_hist_field(operand1, 0);
-	destroy_hist_field(operand2, 0);
+	if (!expr || expr->operands[0] != operand1)
+		destroy_hist_field(operand1, 0);
+	if (!expr || expr->operands[1] != operand2)
+		destroy_hist_field(operand2, 0);
 	destroy_hist_field(expr, 0);
 
 	return ERR_PTR(ret);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ