lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAHC9VhTKtNFLG-2NGrnR0xHnj09WR_100C75aD73+mmn0CKkCA@mail.gmail.com>
Date:   Thu, 4 Aug 2022 10:44:58 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Jens Axboe <axboe@...nel.dk>
Cc:     Peilin Ye <yepeilin.cs@...il.com>,
        Pavel Begunkov <asml.silence@...il.com>,
        Eric Paris <eparis@...hat.com>,
        Peilin Ye <peilin.ye@...edance.com>, io-uring@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-audit@...hat.com
Subject: Re: [PATCH v2] audit, io_uring, io-wq: Fix memory leak in
 io_sq_thread() and io_wqe_worker()

On Thu, Aug 4, 2022 at 10:32 AM Jens Axboe <axboe@...nel.dk> wrote:
> On 8/4/22 7:51 AM, Paul Moore wrote:
> > On Wed, Aug 3, 2022 at 6:24 PM Peilin Ye <yepeilin.cs@...il.com> wrote:
> >>
> >> From: Peilin Ye <peilin.ye@...edance.com>
> >>
> >> Currently @audit_context is allocated twice for io_uring workers:
> >>
> >>   1. copy_process() calls audit_alloc();
> >>   2. io_sq_thread() or io_wqe_worker() calls audit_alloc_kernel() (which
> >>      is effectively audit_alloc()) and overwrites @audit_context,
> >>      causing:
> >>
> >>   BUG: memory leak
> >>   unreferenced object 0xffff888144547400 (size 1024):
> >> <...>
> >>     hex dump (first 32 bytes):
> >>       00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
> >>       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >>     backtrace:
> >>       [<ffffffff8135cfc3>] audit_alloc+0x133/0x210
> >>       [<ffffffff81239e63>] copy_process+0xcd3/0x2340
> >>       [<ffffffff8123b5f3>] create_io_thread+0x63/0x90
> >>       [<ffffffff81686604>] create_io_worker+0xb4/0x230
> >>       [<ffffffff81686f68>] io_wqe_enqueue+0x248/0x3b0
> >>       [<ffffffff8167663a>] io_queue_iowq+0xba/0x200
> >>       [<ffffffff816768b3>] io_queue_async+0x113/0x180
> >>       [<ffffffff816840df>] io_req_task_submit+0x18f/0x1a0
> >>       [<ffffffff816841cd>] io_apoll_task_func+0xdd/0x120
> >>       [<ffffffff8167d49f>] tctx_task_work+0x11f/0x570
> >>       [<ffffffff81272c4e>] task_work_run+0x7e/0xc0
> >>       [<ffffffff8125a688>] get_signal+0xc18/0xf10
> >>       [<ffffffff8111645b>] arch_do_signal_or_restart+0x2b/0x730
> >>       [<ffffffff812ea44e>] exit_to_user_mode_prepare+0x5e/0x180
> >>       [<ffffffff844ae1b2>] syscall_exit_to_user_mode+0x12/0x20
> >>       [<ffffffff844a7e80>] do_syscall_64+0x40/0x80
> >>
> >> Then,
> >>
> >>   3. io_sq_thread() or io_wqe_worker() frees @audit_context using
> >>      audit_free();
> >>   4. do_exit() eventually calls audit_free() again, which is okay
> >>      because audit_free() does a NULL check.
> >>
> >> As suggested by Paul Moore, fix it by deleting audit_alloc_kernel() and
> >> redundant audit_free() calls.
> >>
> >> Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")
> >> Suggested-by: Paul Moore <paul@...l-moore.com>
> >> Cc: stable@...r.kernel.org
> >> Signed-off-by: Peilin Ye <peilin.ye@...edance.com>
> >> ---
> >> Change since v1:
> >>   - Delete audit_alloc_kernel() (Paul Moore)
> >>
> >>  fs/io-wq.c            |  3 ---
> >>  fs/io_uring.c         |  4 ----
> >>  include/linux/audit.h |  5 -----
> >>  kernel/auditsc.c      | 25 -------------------------
> >>  4 files changed, 37 deletions(-)
> >
> > This looks good to me, thanks!  Although it looks like the io_uring
> > related changes will need to be applied by hand as they are pointing
> > to the old layout under fs/ as opposed to the newer layout in
> > io_uring/ introduced during this merge window.
> >
> > Jens, did you want to take this via the io_uring tree or should I take
> > it via the audit tree?  If the latter, an ACK would be appreciated, if
> > the former my ACK is below.
> >
> > Acked-by: Paul Moore <paul@...l-moore.com>
>
> Probably better if I take it, since I need to massage it into the
> current tree anyway. We can then use this one as the base for the stable
> backports that are going to be required.

Sounds good to me, thanks everyone.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ