lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 9 Dec 2021 11:42:35 -0800
From:   Beau Belgrave <beaub@...ux.microsoft.com>
To:     Steven Rostedt <rostedt@...dmis.org>
Cc:     mhiramat@...nel.org, linux-trace-devel@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v6 02/13] user_events: Add minimal support for
 trace_event into ftrace

On Thu, Dec 09, 2021 at 12:47:35PM -0500, Steven Rostedt wrote:
> On Thu, 9 Dec 2021 09:40:50 -0800
> Beau Belgrave <beaub@...ux.microsoft.com> wrote:
> 
> > No, this is not a fast path, and I don't have a problem moving to a
> > mutex if you feel that is better. I've likely become too close to this
> > code to know when things are confusing for others.
> 
> Yeah. I really dislike the "protection by algorithms" then protection by
> locking unless it is a fast path.
> 
> If this was a fast path then I'd be more concerned. I dislike global locks
> as well, but unless contention becomes a concern, I don't think we should
> worry about it.

Sure thing.

> 
> Also, for this comment:
> 
> +static int user_events_release(struct inode *node, struct file *file)
> +{
> +	struct user_event_refs *refs;
> +	struct user_event *user;
> +	int i;
> +
> +	/*
> +	 * refs is protected by RCU and could in theory change immediately
> +	 * before this call on another core. To ensure we read the latest
> +	 * version of refs we acquire the RCU read lock again.
> +	 */
> +	rcu_read_lock_sched();
> +	refs = rcu_dereference_sched(file->private_data);
> +	rcu_read_unlock_sched();
> 
> How do you see refs changing on another core if this can only be called
> when nothing has a reference to it?
> 
> I think this comment and grabbing the rcu locks is what is causing me
> concern.
> 
> -- Steve

User program task:
CPU0: ioctl(fd, REG)
CPU1: close(fd)

IE: Some program registers and then immediately calls close on the file.
If the CPU migrates right between the 2 and the close swaps, it is
possible this could occur.

This could be attempted in tight loops maliciously as well.

I assume with a mutex there that some barrier is imposed to ensure
correct reads in this condition? (By virtue of the mutex acquire/check)

Thanks,
-Beau

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ