lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221017071832.yy7oyhatdszlg3l2@wittgenstein>
Date:   Mon, 17 Oct 2022 09:18:32 +0200
From:   Christian Brauner <brauner@...nel.org>
To:     Gaosheng Cui <cuigaosheng1@...wei.com>
Cc:     akpm@...ux-foundation.org, tglx@...utronix.de,
        ebiederm@...ssion.com, luto@...nel.org, bigeasy@...utronix.de,
        Liam.Howlett@...cle.com, fenghua.yu@...el.com,
        peterz@...radead.org, viro@...iv.linux.org.uk, jannh@...gle.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] copy_process(): fix a memleak in copy_process()

On Mon, Oct 17, 2022 at 02:34:06PM +0800, Gaosheng Cui wrote:
> If CLONE_PIDFD is set in clone_flags, pidfile will hold the reference
> count of pid by getpid(pid), In the error path bad_fork_put_pidfd, the
> reference of pid needs to be released, otherwise there will be a
> memleak issue, fix it.
> 
> unreferenced object 0xffff888164aed400 (size 224):
>   comm "sh", pid 75274, jiffies 4295717290 (age 2955.536s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de  .............N..
>     ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff  ................
>   backtrace:
>     [<00000000bcb9eebb>] kmem_cache_alloc+0x16a/0x7f0
>     [<00000000340cf9ad>] alloc_pid+0xc5/0xce0
>     [<000000002387362c>] copy_process+0x29ef/0x6c90
>     [<00000000bf7d7efc>] kernel_clone+0xd9/0xc70
>     [<0000000047b1a04f>] __do_sys_clone+0xe1/0x120
>     [<0000000000f1aa25>] __x64_sys_clone+0xc3/0x150
>     [<00000000250a19f1>] do_syscall_64+0x5c/0x90
>     [<000000007e0ac417>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> Fixes: 6fd2fe494b17 ("copy_process(): don't use ksys_close() on cleanups")
> Signed-off-by: Gaosheng Cui <cuigaosheng1@...wei.com>
> ---
>  kernel/fork.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 08969f5aa38d..8706c06be8af 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -2499,6 +2499,7 @@ static __latent_entropy struct task_struct *copy_process(
>  	cgroup_cancel_fork(p, args);
>  bad_fork_put_pidfd:
>  	if (clone_flags & CLONE_PIDFD) {
> +		put_pid(pid);

This will be released during __fput() when ->release() ==
pidfd_release() is called so calling put_pid() here will result in UAF
later on. What syzbot instance does this report come from?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ