| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 3 Aug 2022 09:16:02 -0400
From: Paul Moore <paul@...l-moore.com>
To: Peilin Ye <yepeilin.cs@...il.com>
Cc: Jens Axboe <axboe@...nel.dk>,
Pavel Begunkov <asml.silence@...il.com>,
Eric Paris <eparis@...hat.com>,
Peilin Ye <peilin.ye@...edance.com>, io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-audit@...hat.com
Subject: Re: [PATCH] audit, io_uring, io-wq: Fix memory leak in io_sq_thread()
and io_wqe_worker()
On Wed, Aug 3, 2022 at 1:03 AM Peilin Ye <yepeilin.cs@...il.com> wrote:
>
> From: Peilin Ye <peilin.ye@...edance.com>
>
> Currently @audit_context is allocated twice for io_uring workers:
>
> 1. copy_process() calls audit_alloc();
> 2. io_sq_thread() or io_wqe_worker() calls audit_alloc_kernel() (which
> is effectively audit_alloc()) and overwrites @audit_context,
> causing:
>
> BUG: memory leak
> unreferenced object 0xffff888144547400 (size 1024):
> <...>
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff8135cfc3>] audit_alloc+0x133/0x210
> [<ffffffff81239e63>] copy_process+0xcd3/0x2340
> [<ffffffff8123b5f3>] create_io_thread+0x63/0x90
> [<ffffffff81686604>] create_io_worker+0xb4/0x230
> [<ffffffff81686f68>] io_wqe_enqueue+0x248/0x3b0
> [<ffffffff8167663a>] io_queue_iowq+0xba/0x200
> [<ffffffff816768b3>] io_queue_async+0x113/0x180
> [<ffffffff816840df>] io_req_task_submit+0x18f/0x1a0
> [<ffffffff816841cd>] io_apoll_task_func+0xdd/0x120
> [<ffffffff8167d49f>] tctx_task_work+0x11f/0x570
> [<ffffffff81272c4e>] task_work_run+0x7e/0xc0
> [<ffffffff8125a688>] get_signal+0xc18/0xf10
> [<ffffffff8111645b>] arch_do_signal_or_restart+0x2b/0x730
> [<ffffffff812ea44e>] exit_to_user_mode_prepare+0x5e/0x180
> [<ffffffff844ae1b2>] syscall_exit_to_user_mode+0x12/0x20
> [<ffffffff844a7e80>] do_syscall_64+0x40/0x80
>
> Then,
>
> 3. io_sq_thread() or io_wqe_worker() frees @audit_context using
> audit_free();
> 4. do_exit() eventually calls audit_free() again, which is okay
> because audit_free() does a NULL check.
>
> Free the old @audit_context first in audit_alloc_kernel(), and delete
> the redundant calls to audit_free() for less confusion.
>
> Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")
> Cc: stable@...r.kernel.org
> Signed-off-by: Peilin Ye <peilin.ye@...edance.com>
> ---
> Hi all,
>
> A better way to fix this memleak would probably be checking
> @args->io_thread in copy_process()? Something like:
>
> if (args->io_thread)
> retval = audit_alloc_kernel();
> else
> retval = audit_alloc();
>
> But I didn't want to add another if to copy_process() for this bugfix.
> Please suggest, thanks!
Thanks for the report and patch! I'll take a closer look at this
today and get back to you.
> fs/io-wq.c | 1 -
> fs/io_uring.c | 2 --
> kernel/auditsc.c | 1 +
> 3 files changed, 1 insertion(+), 3 deletions(-)
--
paul-moore.com
Powered by blists - more mailing lists