| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Aug 2022 08:32:27 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Paul Moore <paul@...l-moore.com>, Peilin Ye <yepeilin.cs@...il.com>
Cc: Pavel Begunkov <asml.silence@...il.com>,
Eric Paris <eparis@...hat.com>,
Peilin Ye <peilin.ye@...edance.com>, io-uring@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-audit@...hat.com
Subject: Re: [PATCH v2] audit, io_uring, io-wq: Fix memory leak in
io_sq_thread() and io_wqe_worker()
On 8/4/22 7:51 AM, Paul Moore wrote:
> On Wed, Aug 3, 2022 at 6:24 PM Peilin Ye <yepeilin.cs@...il.com> wrote:
>>
>> From: Peilin Ye <peilin.ye@...edance.com>
>>
>> Currently @audit_context is allocated twice for io_uring workers:
>>
>> 1. copy_process() calls audit_alloc();
>> 2. io_sq_thread() or io_wqe_worker() calls audit_alloc_kernel() (which
>> is effectively audit_alloc()) and overwrites @audit_context,
>> causing:
>>
>> BUG: memory leak
>> unreferenced object 0xffff888144547400 (size 1024):
>> <...>
>> hex dump (first 32 bytes):
>> 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> backtrace:
>> [<ffffffff8135cfc3>] audit_alloc+0x133/0x210
>> [<ffffffff81239e63>] copy_process+0xcd3/0x2340
>> [<ffffffff8123b5f3>] create_io_thread+0x63/0x90
>> [<ffffffff81686604>] create_io_worker+0xb4/0x230
>> [<ffffffff81686f68>] io_wqe_enqueue+0x248/0x3b0
>> [<ffffffff8167663a>] io_queue_iowq+0xba/0x200
>> [<ffffffff816768b3>] io_queue_async+0x113/0x180
>> [<ffffffff816840df>] io_req_task_submit+0x18f/0x1a0
>> [<ffffffff816841cd>] io_apoll_task_func+0xdd/0x120
>> [<ffffffff8167d49f>] tctx_task_work+0x11f/0x570
>> [<ffffffff81272c4e>] task_work_run+0x7e/0xc0
>> [<ffffffff8125a688>] get_signal+0xc18/0xf10
>> [<ffffffff8111645b>] arch_do_signal_or_restart+0x2b/0x730
>> [<ffffffff812ea44e>] exit_to_user_mode_prepare+0x5e/0x180
>> [<ffffffff844ae1b2>] syscall_exit_to_user_mode+0x12/0x20
>> [<ffffffff844a7e80>] do_syscall_64+0x40/0x80
>>
>> Then,
>>
>> 3. io_sq_thread() or io_wqe_worker() frees @audit_context using
>> audit_free();
>> 4. do_exit() eventually calls audit_free() again, which is okay
>> because audit_free() does a NULL check.
>>
>> As suggested by Paul Moore, fix it by deleting audit_alloc_kernel() and
>> redundant audit_free() calls.
>>
>> Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")
>> Suggested-by: Paul Moore <paul@...l-moore.com>
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Peilin Ye <peilin.ye@...edance.com>
>> ---
>> Change since v1:
>> - Delete audit_alloc_kernel() (Paul Moore)
>>
>> fs/io-wq.c | 3 ---
>> fs/io_uring.c | 4 ----
>> include/linux/audit.h | 5 -----
>> kernel/auditsc.c | 25 -------------------------
>> 4 files changed, 37 deletions(-)
>
> This looks good to me, thanks! Although it looks like the io_uring
> related changes will need to be applied by hand as they are pointing
> to the old layout under fs/ as opposed to the newer layout in
> io_uring/ introduced during this merge window.
>
> Jens, did you want to take this via the io_uring tree or should I take
> it via the audit tree? If the latter, an ACK would be appreciated, if
> the former my ACK is below.
>
> Acked-by: Paul Moore <paul@...l-moore.com>
Probably better if I take it, since I need to massage it into the
current tree anyway. We can then use this one as the base for the stable
backports that are going to be required.
--
Jens Axboe
Powered by blists - more mailing lists