lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Yd3RClhoz24rrU04@sol.localdomain>
Date:   Tue, 11 Jan 2022 10:48:42 -0800
From:   Eric Biggers <ebiggers@...nel.org>
To:     Suren Baghdasaryan <surenb@...gle.com>
Cc:     hannes@...xchg.org, torvalds@...ux-foundation.org, tj@...nel.org,
        lizefan.x@...edance.com, mingo@...hat.com, peterz@...radead.org,
        juri.lelli@...hat.com, vincent.guittot@...aro.org,
        dietmar.eggemann@....com, rostedt@...dmis.org, bsegall@...gle.com,
        mgorman@...e.de, bristot@...hat.com, corbet@....net,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        cgroups@...r.kernel.org, stable@...r.kernel.org,
        kernel-team@...roid.com,
        syzbot+cdb5dd11c97cc532efad@...kaller.appspotmail.com
Subject: Re: [PATCH v2 1/1] psi: Fix uaf issue when psi trigger is destroyed
 while being polled

On Mon, Jan 10, 2022 at 11:12:12PM -0800, Suren Baghdasaryan wrote:
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index cafb8c114a21..93b51a2104f7 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -3642,6 +3642,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
>  	cgroup_get(cgrp);
>  	cgroup_kn_unlock(of->kn);
>  
> +	/* Allow only one trigger per file descriptor */
> +	if (ctx->psi.trigger) {
> +		cgroup_put(cgrp);
> +		return -EBUSY;
> +	}
> +
>  	psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
>  	new = psi_trigger_create(psi, buf, nbytes, res);
>  	if (IS_ERR(new)) {
> @@ -3649,8 +3655,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
>  		return PTR_ERR(new);
>  	}
>  
> -	psi_trigger_replace(&ctx->psi.trigger, new);
> -
> +	ctx->psi.trigger = new;
>  	cgroup_put(cgrp);

The write here needs to use smp_store_release(), since it is paired with the
concurrent READ_ONCE() in psi_trigger_poll().

> @@ -1305,14 +1287,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf,
>  
>  	buf[buf_size - 1] = '\0';
>  
> -	new = psi_trigger_create(&psi_system, buf, nbytes, res);
> -	if (IS_ERR(new))
> -		return PTR_ERR(new);
> -
>  	seq = file->private_data;
> +
>  	/* Take seq->lock to protect seq->private from concurrent writes */
>  	mutex_lock(&seq->lock);
> -	psi_trigger_replace(&seq->private, new);
> +
> +	/* Allow only one trigger per file descriptor */
> +	if (seq->private) {
> +		mutex_unlock(&seq->lock);
> +		return -EBUSY;
> +	}
> +
> +	new = psi_trigger_create(&psi_system, buf, nbytes, res);
> +	if (IS_ERR(new)) {
> +		mutex_unlock(&seq->lock);
> +		return PTR_ERR(new);
> +	}
> +
> +	seq->private = new;

Likewise here.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ