lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jul 2022 21:21:21 +0530 From: Siddh Raman Pant <code@...dh.me> To: David Howells <dhowells@...hat.com>, Christophe JAILLET <christophe.jaillet@...adoo.fr>, Eric Dumazet <edumazet@...gle.com>, "Fabio M. De Francesco" <fmdefrancesco@...il.com> Cc: linux-security-modules <linux-security-module@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>, linux-kernel-mentees <linux-kernel-mentees@...ts.linuxfoundation.org>, syzbot+c70d87ac1d001f29a058@...kaller.appspotmail.com Subject: [PATCH v3] kernel/watch_queue: Make pipe NULL while clearing watch_queue If not done, a reference to a freed pipe remains in the watch_queue, as this function is called before freeing a pipe in free_pipe_info() (see line 834 of fs/pipe.c). This causes a UAF when post_one_notification() tries to access the pipe on a key update, which is reported by syzbot. We also need to use READ_ONCE() in post_one_notification() to prevent the compiler from optimising and loading a non-NULL value from wqueue->pipe. Bug report: https://syzkaller.appspot.com/bug?id=1870dd7791ba05f2ea7f47f7cbdde701173973fc Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@...kaller.appspotmail.com Signed-off-by: Siddh Raman Pant <code@...dh.me> --- Changes in v3: - Restore the original unlock order, and clear before unlock. - Use READ_ONCE() in post path. This was explained by David Howells <dhowells@...hat.com> in reply to v1. Not added Suggested-by since he didn't reply yet. Changes in v2: - Removed the superfluous ifdef guard. kernel/watch_queue.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c index bb9962b33f95..617425e34252 100644 --- a/kernel/watch_queue.c +++ b/kernel/watch_queue.c @@ -99,7 +99,7 @@ static bool post_one_notification(struct watch_queue *wqueue, struct watch_notification *n) { void *p; - struct pipe_inode_info *pipe = wqueue->pipe; + struct pipe_inode_info *pipe = READ_ONCE(wqueue->pipe); struct pipe_buffer *buf; struct page *page; unsigned int head, tail, mask, note, offset, len; @@ -637,6 +637,12 @@ void watch_queue_clear(struct watch_queue *wqueue) spin_lock_bh(&wqueue->lock); } + /* Clearing the watch queue, so we should clean the associated pipe. */ + if (wqueue->pipe) { + wqueue->pipe->watch_queue = NULL; + wqueue->pipe = NULL; + } + spin_unlock_bh(&wqueue->lock); rcu_read_unlock(); } -- 2.35.1
Powered by blists - more mailing lists