Message-ID: <Y9wT8At0MF1S5v0k@slm.duckdns.org>
Date:   Thu, 2 Feb 2023 09:50:08 -1000
From:   "tj@...nel.org" <tj@...nel.org>
To:     Lixiong Liu (刘利雄) 
        <Lixiong.Liu@...iatek.com>
Cc:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-mediatek@...ts.infradead.org" 
        <linux-mediatek@...ts.infradead.org>,
        "cgroups@...r.kernel.org" <cgroups@...r.kernel.org>,
        Wenju Xu (许文举) <Wenju.Xu@...iatek.com>,
        wsd_upstream <wsd_upstream@...iatek.com>,
        Jing-Ting Wu (吳靜婷) 
        <Jing-Ting.Wu@...iatek.com>,
        "hannes@...xchg.org" <hannes@...xchg.org>,
        WJ Wang (王军) <wj.wang@...iatek.com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        Andress Kuo (郭孟修) 
        <Andress.Kuo@...iatek.com>,
        "matthias.bgg@...il.com" <matthias.bgg@...il.com>
Subject: Re: cgroup user-after-free

On Wed, Feb 01, 2023 at 06:04:04AM +0000, Lixiong Liu (刘利雄) wrote:
> On Fri, 2023-01-13 at 13:40 +0800, lixiong liu wrote:
> > > > Root cause:
> > > > cgroup_migrate_finish free cset’s cgroup,
> > > > but cgroup_sk_alloc use the freed cgroup,
> > > > then use-after-free happened.
> > > 
> > > Sounds similar to the problem fixed by 07fd5b6cdf3c ("cgroup: Use
> > > separate src/dst nodes when preloading css_sets for migration"). Can
> > > you try it out?
> > > 
> > > Thanks.
> > > 
> > 
> > Thanks for your quick feedback.
> > 
> > But we encountered use-after-free version already contains this patch.
> > 
> > So, with this patch will also encounter this use-after-free.
> > 
> > Thanks!
> > 
> Do you have any suggestion for this issue?

Unfortunately, there isn't a lot to latch onto. It's on an older kernel and
there's no reproducer. Refcnting in the path is tricky and it wouldn't be
too surprising for some bugs to be there. If you can repro on a recent
kernel, that'd help a lot.

Thanks.

-- 
tejun
