Message-ID: <697032f2331a92eec0e03e85e46cb78bd975a788.camel@mediatek.com>
Date:   Thu, 12 Jan 2023 09:48:55 +0000
From:   Lixiong Liu (刘利雄) 
        <Lixiong.Liu@...iatek.com>
To:     "tj@...nel.org" <tj@...nel.org>,
        "lizefan@...wei.com" <lizefan@...wei.com>,
        "hannes@...xchg.org" <hannes@...xchg.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mediatek@...ts.infradead.org" 
        <linux-mediatek@...ts.infradead.org>,
        Lixiong Liu (刘利雄) 
        <Lixiong.Liu@...iatek.com>,
        "cgroups@...r.kernel.org" <cgroups@...r.kernel.org>,
        Wenju Xu (许文举) <Wenju.Xu@...iatek.com>,
        wsd_upstream <wsd_upstream@...iatek.com>,
        Jing-Ting Wu (吳靜婷) 
        <Jing-Ting.Wu@...iatek.com>,
        WJ Wang (王军) <wj.wang@...iatek.com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        Andress Kuo (郭孟修) 
        <Andress.Kuo@...iatek.com>,
        "matthias.bgg@...il.com" <matthias.bgg@...il.com>
Subject: cgroup use-after-free

Hi,

We hit a cgroup use-after-free in the T SW version with kernel-5.15.
 
Root cause:
cgroup_migrate_finish frees the cset's cgroup, but cgroup_sk_alloc uses the freed cgroup, so a use-after-free occurs.

Detail:
[name:report&]BUG: KASAN: use-after-free in cgroup_sk_alloc
[name:report&]Read of size 8 at addr ffffff80d6d2a048 by task ChromiumNet/5259
Call trace:
dump_backtrace
show_stack
dump_stack_lvl
print_address_description
__kasan_report
kasan_report
__asan_report_load8_noabort
cgroup_sk_alloc
sk_alloc
unix_create1
unix_create
__sock_create
__sys_socket
__arm64_sys_socket
invoke_syscall
el0_svc_common
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync

[name:report&]Allocated by task 1380:
____kasan_kmalloc
__kasan_kmalloc
kmem_cache_alloc_trace
find_css_set
cgroup_migrate_prepare_dst
cgroup_attach_task
__cgroup1_procs_write
cgroup1_procs_write
cgroup_file_write
kernfs_fop_write_iter
vfs_write
ksys_write
__arm64_sys_write
invoke_syscall
el0_svc_common
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync

[name:report&]Freed by task 4530:
kasan_set_track
kasan_set_free_info
____kasan_slab_free
__kasan_slab_free
slab_free_freelist_hook
kmem_cache_free_bulk
kfree_rcu_work
process_one_work
worker_thread
kthread
ret_from_fork

[name:report&]Last potentially related work creation:
kasan_save_stack
__kasan_record_aux_stack
kasan_record_aux_stack_noalloc
kvfree_call_rcu
put_css_set_locked
cgroup_migrate_finish
cgroup_attach_task
__cgroup1_procs_write
cgroup1_procs_write
cgroup_file_write
kernfs_fop_write_iter
vfs_write
ksys_write
__arm64_sys_write
invoke_syscall
el0_svc_common
do_el0_svc
el0_svc
el0t_64_sync_handle
el0t_64_sync

[name:report&]The buggy address belongs to the object at
ffffff80d6d2a000 which belongs to the cache kmalloc-512 of size 512

[name:report&]The buggy address is located 72 bytes inside of
512-byte region

[name:debug&]page dumped because: kasan: bad access detected

"cgroup_sk_alloc", kernel-5.15/kernel/cgroup/cgroup.c:
 cset = task_css_set(current);
 if (likely(cgroup_tryget(cset->dfl_cgrp))) {
        cgroup = cset->dfl_cgrp;
 }
 
(gdb) p/x &((struct css_set *)0)->dfl_cgrp
$2 = 0x48
 
Do you have any suggestion for this issue?

Can we work around this issue just by holding css_set_lock before accessing cset->dfl_cgrp in cgroup_sk_alloc?

Thanks!

Best regards,
Lixiong Liu
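Added here as a worked example, not part of the mail or of the kernel: a small triage helper that parses a KASAN report of the shape quoted above (vendor `[name:report&]` tags included), maps the faulting address onto the object's field offsets taken from the gdb output in the mail, and picks the first non-instrumentation frame of each stack. The report excerpt and the field table are constructed from the values quoted in the mail; `parse_kasan`, `triage`, `CSS_SET_FIELDS` and `HELPER` are names chosen for this example.

```python
import re
# Constructed excerpt of the KASAN report quoted in the mail; the MediaTek
# "[name:report&]" log tags are left exactly as they appear there.
KASAN_REPORT = """\
[name:report&]BUG: KASAN: use-after-free in cgroup_sk_alloc
[name:report&]Read of size 8 at addr ffffff80d6d2a048 by task ChromiumNet/5259
Call trace:
__kasan_report
cgroup_sk_alloc
[name:report&]Allocated by task 1380:
____kasan_kmalloc
find_css_set
[name:report&]Freed by task 4530:
kfree_rcu_work
[name:report&]Last potentially related work creation:
kvfree_call_rcu
put_css_set_locked
[name:report&]The buggy address belongs to the object at
ffffff80d6d2a000 which belongs to the cache kmalloc-512 of size 512
"""
# struct css_set offsets from gdb as in the mail; only dfl_cgrp (0x48) is on the page.
CSS_SET_FIELDS = {0x48: "dfl_cgrp"}
SECTIONS = {"Call trace": "access", "Allocated by task": "alloc",
            "Freed by task": "free", "Last potentially related work creation": "rcu"}
# KASAN / allocator frames to skip when picking the telling frame of a stack.
HELPER = re.compile(r"^(dump_|show_stack|print_address|_*kasan_|__asan_|slab_free|kmem_cache_|kvfree_call_rcu)")

def parse_kasan(report):
    # Returns the faulting access, the victim object and the per-section stacks.
    info, cur = {"stacks": {}}, None
    for raw in report.splitlines():
        line = re.sub(r"^\[name:\w+&\]", "", raw).strip()   # drop the vendor log tag
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug"], info["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            info["rw"], info["size"], info["addr"], info["task"] = m[1].lower(), int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"([0-9a-f]+) which belongs to the cache (\S+) of size (\d+)", line):
            info["obj"], info["cache"], info["obj_size"] = int(m[1], 16), m[2], int(m[3])
        elif hdr := next((h for h in SECTIONS if line.startswith(h)), None):
            cur = info["stacks"].setdefault(SECTIONS[hdr], [])
        elif cur is not None and re.fullmatch(r"\w+", line):
            cur.append(line)
    return info

def triage(info, fields):
    # Maps the faulting address onto a struct field and names the telling frame of each stack.
    offset = info["addr"] - info["obj"]
    if not 0 <= offset < offset + info["size"] <= info["obj_size"]: raise ValueError("access outside object")
    origin = {k: next((f for f in v if not HELPER.match(f)), None) for k, v in info["stacks"].items()}
    return {"offset": offset, "field": fields.get(offset, f"<unknown +0x{offset:x}>"), "origin": origin}
```

For the report in the mail, `triage` resolves the 8-byte read at +0x48 to `dfl_cgrp` and pairs it with `find_css_set` (allocation), `put_css_set_locked` (RCU free queued) and `kfree_rcu_work` (actual free), which is the chain the mail describes.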
