| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 01 Aug 2022 18:22:02 +0530
From: Siddh Raman Pant <code@...dh.me>
To: "hdanton" <hdanton@...a.com>
Cc: "linux-kernel" <linux-kernel@...r.kernel.org>,
"linux-mm" <linux-mm@...ck.org>,
"Dipanjan Das" <mail.dipanjan.das@...il.com>,
"David Howells" <dhowells@...hat.com>,
"Greg KH" <gregkh@...uxfoundation.org>,
"Christophe JAILLET" <christophe.jaillet@...adoo.fr>,
"Eric Dumazet" <edumazet@...gle.com>,
"Fabio M. De Francesco" <fmdefrancesco@...il.com>,
"linux-security-modules" <linux-security-module@...r.kernel.org>,
"linux-kernel-mentees"
<linux-kernel-mentees@...ts.linuxfoundation.org>,
"syzbot+c70d87ac1d001f29a058"
<syzbot+c70d87ac1d001f29a058@...kaller.appspotmail.com>,
"Marius Fleischer" <fleischermarius@...glemail.com>,
"Priyanka Bose" <its.priyanka.bose@...il.com>
Subject: Re: [PATCH] kernel/watch_queue: Make pipe NULL while clearing
watch_queue
On Mon, 01 Aug 2022 17:45:13 +0530 Hillf Danton <hdanton@...a.com> wrote:
> What is not clear is what you are fixing, with CVE-2022-1882 put aside,
> given the mainline tree survived the syzbot test [1] irrespective of
> other fixing efforts [2, 3].
>
> Hillf
>
> [1] https://lore.kernel.org/lkml/000000000000c7a83905e52bd127@google.com/
>
> // syzbot has tested the proposed patch and the reproducer did not trigger any issue:
> //
> // Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@...kaller.appspotmail.com
> //
> // Tested on:
> //
> // commit: 3d7cb6b0 Linux 5.19
> // git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> // console output: https://syzkaller.appspot.com/x/log.txt?x=14066d7a080000
> // kernel config: https://syzkaller.appspot.com/x/.config?x=70dd99d568a89e0
> // dashboard link: https://syzkaller.appspot.com/bug?extid=c70d87ac1d001f29a058
> // compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> //
> // Note: no patches were applied.
> // Note: testing is done by a robot and is best-effort only.
>
> [2] https://lore.kernel.org/lkml/0000000000000dac0205e479ea39@google.com/
>
> [3] https://lore.kernel.org/lkml/00000000000014c7ad05e4d535fc@google.com/
>
(Fixed broken formatting)
This bug is about watch_queue still having a reference to a freed pipe,
which was being accessed by post_one_notification() at the time of when
I posted the v1 patch for fixing it on 23rd July, by removing the
reference to the freed pipe in the watch_queue.
Given ref. [3] by you leads to a bug about UAF in __post_watch_notification():
https://syzkaller.appspot.com/bug?extid=03d7b43290037d1f87ca
That bug is fixed by the following commit by David Howells on 28th July:
e64ab2dbd882 ("watch_queue: Fix missing locking in add_watch_to_object()")
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e64ab2dbd882933b65cd82ff6235d705ad65dbb6
Given ref. [2] by you is of a patch tested by you, which can be found below:
https://groups.google.com/g/syzkaller-bugs/c/RbmAFTAIuyY/m/-vMjf-BXAQAJ
This had overlooked the existing serialization of wqueue->defunct, which
you had yourself pointed out in the reply to v2, which can be found below:
https://lore.kernel.org/linux-kernel-mentees/20220724071958.2557-1-hdanton@sina.com/
Given ref. [1] by you is about a syzbot test which was ran today, which no
longer triggers the issue. This probably happens due to the commit by David
Howells referenced earlier by me. While it does cause the reproducer to fail,
it doesn't really fix the particular issue concerned by this patch, which is
that the watch_queue has a reference to a freed pipe, which had caused a UAF.
Hope everything is clear.
Thanks,
Siddh
Powered by blists - more mailing lists