lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRXypjNgDAwdARZz-md_DaSTs+9BpMik8AzWojG7ChexA@mail.gmail.com>
Date:   Wed, 3 Aug 2022 09:16:02 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Peilin Ye <yepeilin.cs@...il.com>
Cc:     Jens Axboe <axboe@...nel.dk>,
        Pavel Begunkov <asml.silence@...il.com>,
        Eric Paris <eparis@...hat.com>,
        Peilin Ye <peilin.ye@...edance.com>, io-uring@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-audit@...hat.com
Subject: Re: [PATCH] audit, io_uring, io-wq: Fix memory leak in io_sq_thread()
 and io_wqe_worker()

On Wed, Aug 3, 2022 at 1:03 AM Peilin Ye <yepeilin.cs@...il.com> wrote:
>
> From: Peilin Ye <peilin.ye@...edance.com>
>
> Currently @audit_context is allocated twice for io_uring workers:
>
>   1. copy_process() calls audit_alloc();
>   2. io_sq_thread() or io_wqe_worker() calls audit_alloc_kernel() (which
>      is effectively audit_alloc()) and overwrites @audit_context,
>      causing:
>
>   BUG: memory leak
>   unreferenced object 0xffff888144547400 (size 1024):
> <...>
>     hex dump (first 32 bytes):
>       00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
>       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     backtrace:
>       [<ffffffff8135cfc3>] audit_alloc+0x133/0x210
>       [<ffffffff81239e63>] copy_process+0xcd3/0x2340
>       [<ffffffff8123b5f3>] create_io_thread+0x63/0x90
>       [<ffffffff81686604>] create_io_worker+0xb4/0x230
>       [<ffffffff81686f68>] io_wqe_enqueue+0x248/0x3b0
>       [<ffffffff8167663a>] io_queue_iowq+0xba/0x200
>       [<ffffffff816768b3>] io_queue_async+0x113/0x180
>       [<ffffffff816840df>] io_req_task_submit+0x18f/0x1a0
>       [<ffffffff816841cd>] io_apoll_task_func+0xdd/0x120
>       [<ffffffff8167d49f>] tctx_task_work+0x11f/0x570
>       [<ffffffff81272c4e>] task_work_run+0x7e/0xc0
>       [<ffffffff8125a688>] get_signal+0xc18/0xf10
>       [<ffffffff8111645b>] arch_do_signal_or_restart+0x2b/0x730
>       [<ffffffff812ea44e>] exit_to_user_mode_prepare+0x5e/0x180
>       [<ffffffff844ae1b2>] syscall_exit_to_user_mode+0x12/0x20
>       [<ffffffff844a7e80>] do_syscall_64+0x40/0x80
>
> Then,
>
>   3. io_sq_thread() or io_wqe_worker() frees @audit_context using
>      audit_free();
>   4. do_exit() eventually calls audit_free() again, which is okay
>      because audit_free() does a NULL check.
>
> Free the old @audit_context first in audit_alloc_kernel(), and delete
> the redundant calls to audit_free() for less confusion.
>
> Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")
> Cc: stable@...r.kernel.org
> Signed-off-by: Peilin Ye <peilin.ye@...edance.com>
> ---
> Hi all,
>
> A better way to fix this memleak would probably be checking
> @args->io_thread in copy_process()?  Something like:
>
>     if (args->io_thread)
>         retval = audit_alloc_kernel();
>     else
>         retval = audit_alloc();
>
> But I didn't want to add another if to copy_process() for this bugfix.
> Please suggest, thanks!

Thanks for the report and patch!  I'll take a closer look at this
today and get back to you.

>  fs/io-wq.c       | 1 -
>  fs/io_uring.c    | 2 --
>  kernel/auditsc.c | 1 +
>  3 files changed, 1 insertion(+), 3 deletions(-)

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ