lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221202101835.GA29522@willie-the-truck>
Date:   Fri, 2 Dec 2022 10:18:35 +0000
From:   Will Deacon <will@...nel.org>
To:     Waiman Long <longman@...hat.com>
Cc:     Ingo Molnar <mingo@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Juri Lelli <juri.lelli@...hat.com>,
        Vincent Guittot <vincent.guittot@...aro.org>,
        Dietmar Eggemann <dietmar.eggemann@....com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Ben Segall <bsegall@...gle.com>, Mel Gorman <mgorman@...e.de>,
        Daniel Bristot de Oliveira <bristot@...hat.com>,
        Phil Auld <pauld@...hat.com>,
        Wenjie Li <wenjieli@....qualcomm.com>,
        David Wang 王标 <wangbiao3@...omi.com>,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH-tip] sched: Fix use-after-free bug in dup_user_cpus_ptr()

On Thu, Dec 01, 2022 at 12:03:39PM -0500, Waiman Long wrote:
> On 12/1/22 08:44, Will Deacon wrote:
> > On Sun, Nov 27, 2022 at 08:44:41PM -0500, Waiman Long wrote:
> > > Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
> > > restricted on asymmetric systems"), the setting and clearing of
> > > user_cpus_ptr are done under pi_lock for arm64 architecture. However,
> > > dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
> > > protection. When racing with the clearing of user_cpus_ptr in
> > > __set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
> > > double-free in arm64 kernel.
> > > 
> > > Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
> > > cpumask") fixes this problem as user_cpus_ptr, once set, will never
> > > be cleared in a task's lifetime. However, this bug was re-introduced
> > > in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
> > > do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
> > > do_set_cpus_allowed(). This time, it will affect all arches.
> > > 
> > > Fix this bug by always clearing the user_cpus_ptr of the newly
> > > cloned/forked task before the copying process starts and check the
> > > user_cpus_ptr state of the source task under pi_lock.
> > > 
> > > Note to stable, this patch won't be applicable to stable releases.
> > > Just copy the new dup_user_cpus_ptr() function over.
> > > 
> > > Fixes: 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems")
> > > Fixes: 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()")
> > > CC: stable@...r.kernel.org
> > > Reported-by: David Wang 王标 <wangbiao3@...omi.com>
> > > Signed-off-by: Waiman Long <longman@...hat.com>
> > > ---
> > >   kernel/sched/core.c | 32 ++++++++++++++++++++++++++++----
> > >   1 file changed, 28 insertions(+), 4 deletions(-)
> > As per my comments on the previous version of this patch:
> > 
> > https://lore.kernel.org/lkml/20221201133602.GB28489@willie-the-truck/T/#t
> > 
> > I think there are other issues to fix when racing affinity changes with
> > fork() too.
> It is certainly possible that there are other bugs hiding somewhere:-)

Right, but I actually took the time to hit the same race for the other
affinity mask field so it seems a bit narrow-minded for us just to fix the
one issue.

> > > diff --git a/kernel/sched/core.c b/kernel/sched/core.c
> > > index 8df51b08bb38..f2b75faaf71a 100644
> > > --- a/kernel/sched/core.c
> > > +++ b/kernel/sched/core.c
> > > @@ -2624,19 +2624,43 @@ void do_set_cpus_allowed(struct task_struct *p, const struct cpumask *new_mask)
> > >   int dup_user_cpus_ptr(struct task_struct *dst, struct task_struct *src,
> > >   		      int node)
> > >   {
> > > +	cpumask_t *user_mask;
> > >   	unsigned long flags;
> > > +	/*
> > > +	 * Always clear dst->user_cpus_ptr first as their user_cpus_ptr's
> > > +	 * may differ by now due to racing.
> > > +	 */
> > > +	dst->user_cpus_ptr = NULL;
> > > +
> > > +	/*
> > > +	 * This check is racy and losing the race is a valid situation.
> > > +	 * It is not worth the extra overhead of taking the pi_lock on
> > > +	 * every fork/clone.
> > > +	 */
> > >   	if (!src->user_cpus_ptr)
> > >   		return 0;
> > data_race() ?
> Race is certainly possible, but the clearing of user_cpus_ptr before will
> mitigate any risk.

Sorry, I meant let's wrap this access in the data_race() macro and add a
comment so that KCSAN won't report the false positive.

> > > -	dst->user_cpus_ptr = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
> > > -	if (!dst->user_cpus_ptr)
> > > +	user_mask = kmalloc_node(cpumask_size(), GFP_KERNEL, node);
> > > +	if (!user_mask)
> > >   		return -ENOMEM;
> > > -	/* Use pi_lock to protect content of user_cpus_ptr */
> > > +	/*
> > > +	 * Use pi_lock to protect content of user_cpus_ptr
> > > +	 *
> > > +	 * Though unlikely, user_cpus_ptr can be reset to NULL by a concurrent
> > > +	 * do_set_cpus_allowed().
> > > +	 */
> > >   	raw_spin_lock_irqsave(&src->pi_lock, flags);
> > > -	cpumask_copy(dst->user_cpus_ptr, src->user_cpus_ptr);
> > > +	if (src->user_cpus_ptr) {
> > > +		swap(dst->user_cpus_ptr, user_mask);
> > Isn't 'dst->user_cpus_ptr' always NULL here? Why do we need the swap()
> > instead of just assigning the thing directly?
> 
> True. We still need to clear user_mask. So I used swap() instead of 2
> assignment statements. I am fine to go with either way.

I found it a bit bizarre at first, but on reflection it makes sense.

Will

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ