lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <cb71d0f1-c8dd-2bd4-30cf-7fe8531a66e4@suse.cz>
Date:   Wed, 9 Nov 2022 12:16:09 +0100
From:   Vlastimil Babka <vbabka@...e.cz>
To:     Hyeonggon Yoo <42.hyeyoo@...il.com>,
        Liu Shixin <liushixin2@...wei.com>
Cc:     Christoph Lameter <cl@...ux.com>,
        Pekka Enberg <penberg@...nel.org>,
        David Rientjes <rientjes@...gle.com>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Roman Gushchin <roman.gushchin@...ux.dev>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org,
        Rasmus Villemoes <linux@...musvillemoes.dk>
Subject: Re: [PATCH v2 0/3] Refactor __kmem_cache_create() and fix memory leak

On 11/3/22 14:23, Hyeonggon Yoo wrote:
> On Wed, Nov 02, 2022 at 04:53:08PM +0800, Liu Shixin wrote:
>> On 2022/11/2 15:46, Hyeonggon Yoo wrote:
>> > On Mon, Oct 31, 2022 at 09:47:44PM +0800, Liu Shixin wrote:
>> >> I found a memory leak of kobj->name in sysfs_slab_add() which is introduced
>> >> by 80da026a8e5d ("mm/slub: fix slab double-free in case of duplicate sysfs filename").
>> >> Following the rules stated in the comment for kobject_init_and_add():
>> > Thank you for reporting this! Indeed it seems tried to fix double free but
>> > introduced a leak.
>> >
>> >>  If this function returns an error, kobject_put() must be called to
>> >>  properly clean up the memory associated with the object.
>> >>
>> >> We should use kobject_put() to free kobject.
>> > But what to do if a cache is created early and later sysfs_slab_add() failed?
>> > (Which is unlikely on normal condition)
>> >
>> > With this series it introduces use-after-free if sysfs_slab_add() in
>> > slab_sysfs_init() failed.  Should we just call BUG() or something like that?
>>
>> Thanks for your discovery, what I missed.
> 
> You're welcome.
> 
>> I prefer to panic directly, just as create_boot_cache() does.
> 
> IMHO that should be nothing serious. but let's hear maintainers' opinion.
> 
>> Of couse, if you want the system to continue booting, I think it's possible to distinguish them
>> by slab_state.
> 
> I'm afraid to make it more complex :(

+Cc Rasmus who did a recent patch in this area. Thread starts here:
https://lore.kernel.org/all/20221031134747.3049593-1-liushixin2@huawei.com/

As for me, I don't think we should be addung new BUG() or panic() in
general, and especially not for a failing sysfs add. AFAICS
create_boot_cache() might panic, but not because of sysfs, as that's delayed
until slab_sysfs_init() and we don't panic anymore in the latter.

So yeah, it could work to tell sysfs_slab_add() whether it should not do the
kobject_put() as it's a boot cache. The slab_state should work.

> 
>> Looking forward to your advice.
>> Thanks,
>> >
>> >> But we can't simply add kobject_put() since it will free kmem_cache too.
>> >> If we use kobject_put(), we need to skip other release functions.
>> >>
>> >> In this series, We refactor the code to separate sysfs_slab_add() and
>> >> debugfs_slab_add() from __kmem_cache_create(), and then use kobject_put()
>> >> to free kobject in sysfs_slab_add(). This can fix the memory leak of
>> >> kobject->name.
>> >>
>> >> v1->v2: Fix build error reported by kernel test robot <lkp@...el.com>.
>> >>
>> >> Liu Shixin (3):
>> >>   mm/slab_common: Move cache_name to create_cache()
>> >>   mm/slub: Refactor __kmem_cache_create()
>> >>   mm/slub: Fix memory leak of kobj->name in sysfs_slab_add()
>> >>
>> >>  include/linux/slub_def.h | 11 +++++++++
>> >>  mm/slab_common.c         | 44 ++++++++++++++++++----------------
>> >>  mm/slub.c                | 52 ++++++++++------------------------------
>> >>  3 files changed, 48 insertions(+), 59 deletions(-)
>> >>
>> >> -- 
>> >> 2.25.1
>> >>
>> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ