Open Source and information security mailing list archives
Date: Mon, 5 Sep 2022 10:39:14 +0200
From: Christian Brauner <brauner@...nel.org>
To: Oleksandr Tymoshenko <ovt@...gle.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org, Kees Cook <keescook@...omium.org>
Subject: Re: [PATCH] seccomp: fix refcounter leak if fork/clone is terminated

On Fri, Sep 02, 2022 at 03:41:35AM +0000, Oleksandr Tymoshenko wrote:
> release_task, where the seccomp's filter refcounter is released, is not
> called for the case when the fork/clone is terminated midway by a
> signal. This leaves an extra reference that prevents the filter from being
> destroyed even after all processes using it exit, leading to a BPF JIT
> memory leak. Dereference the refcounter in the failure path of the
> copy_process function.
>
> Fixes: 3a15fb6ed92c ("seccomp: release filter after task is fully dead")
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: stable@...r.kernel.org
> Signed-off-by: Oleksandr Tymoshenko <ovt@...gle.com>
> ---

Hey Oleksandr,

Thanks for the patch! I'm really puzzled as to why we never noticed this
and I'm trying to re-architect how this happened. But in any case,
there's a patch in the seccomp tree that fixes this:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id=6d17452707ca

which is slightly different from your approach in that it moves
copy_seccomp() after the point of no return.

Let us know if you see any issues with this!

Christian