lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed,  8 Dec 2021 17:04:50 -0800
From:   Eric Biggers <ebiggers@...nel.org>
To:     Alexander Viro <viro@...iv.linux.org.uk>,
        Benjamin LaHaise <bcrl@...ck.org>
Cc:     linux-aio@...ck.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, Ramji Jiyani <ramjiyani@...gle.com>,
        Christoph Hellwig <hch@....de>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Oleg Nesterov <oleg@...hat.com>, Jens Axboe <axboe@...nel.dk>,
        Martijn Coenen <maco@...roid.com>, stable@...r.kernel.org
Subject: [PATCH v3 0/5] aio: fix use-after-free and missing wakeups

This series fixes two bugs in aio poll, and one issue with POLLFREE more
broadly.  This is intended to replace
"[PATCH v5] aio: Add support for the POLLFREE"
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
which has some bugs.

Careful review is appreciated; the aio poll code is very hard to work
with, and it doesn't appear to have many tests.  I've verified that it
passes the libaio test suite, which provides some coverage of poll.

Note, it looks like io_uring has the same bugs as aio poll.  I haven't
tried to fix io_uring.

This series applies to v5.16-rc4.

Changed v2 => v3:
  - Fixed a few commit messages and comments.
  - Mention that libaio test suite still passes.

Changed v1 => v2:
  - Added wake_up_pollfree().
  - Various fixes to the aio poll fixes.
  - Improved some comments in aio poll.

Eric Biggers (5):
  wait: add wake_up_pollfree()
  binder: use wake_up_pollfree()
  signalfd: use wake_up_pollfree()
  aio: keep poll requests on waitqueue until completed
  aio: fix use-after-free due to missing POLLFREE handling

 drivers/android/binder.c        |  21 ++--
 fs/aio.c                        | 184 ++++++++++++++++++++++++++------
 fs/signalfd.c                   |  12 +--
 include/linux/wait.h            |  26 +++++
 include/uapi/asm-generic/poll.h |   2 +-
 kernel/sched/wait.c             |   7 ++
 6 files changed, 195 insertions(+), 57 deletions(-)

-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ