lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20230225101129.66648-1-chenzhongjin@huawei.com>
Date:   Sat, 25 Feb 2023 18:11:29 +0800
From:   Chen Zhongjin <chenzhongjin@...wei.com>
To:     <linux-kernel@...r.kernel.org>
CC:     <chenzhongjin@...wei.com>, <akpm@...ux-foundation.org>,
        <wuchi.zero@...il.com>, <ben-linux@...ff.org>,
        <rusty@...tcorp.com.au>
Subject: [PATCH v2] x86: profiling: Check prof_buffer in profile_tick()

KASAN reported a UAF problem in profile_tick():

  BUG: KASAN: use-after-free in profile_tick+0x5c/0x80
  Read of size 8 at addr ffff888100928aa0 by task bash/1108

  CPU: 2 PID: 1108 Comm: bash Not tainted 5.10.0+ #72
  Call Trace:
   <IRQ>
   dump_stack+0x93/0xc5
   print_address_description.constprop.0+0x1c/0x3c0
   kasan_report.cold+0x37/0x74
   check_memory_region+0x161/0x1c0
   profile_tick+0x5c/0x80
   tick_sched_timer+0xcd/0x100
   __hrtimer_run_queues+0x23e/0x480
   hrtimer_interrupt+0x1c2/0x440
   asm_call_irq_on_stack+0xf/0x20
   </IRQ>
  ...

It is beacause in profiling_store(), profile_init() is possible to fail
and free prof_cpu_mask. However prof_cpu_mask is not set to NULL and
cpumask_available(prof_cpu_mask) will return true in profile_tick().
Then cpumask_test_cpu() will dereference prof_cpu_mask and trigger the
KASAN warning.

There is no interface to disable profile_tick() even though profile_init
has been already failed. And when CONFIG_CPUMASK_OFFSTACK=n, cpumask_var_t
is an array pointer which can not be set to NULL. So prof_cpu_mask can be
a freed pointner or uncleaned array here, and cpumask_available() can't
promise it is safe to use it.

To fix this, add check for prof_buffer in profile_tick() before check
cpumask_available(prof_cpu_mask). Because prof_cpu_mask is available only
after prof_buffer is allocated successfully.

Fixes: c309b917cab5 ("cpumask: convert kernel/profile.c")
Signed-off-by: Chen Zhongjin <chenzhongjin@...wei.com>
---
v1 [https://lore.kernel.org/lkml/202302250609.vmze90DB-lkp@intel.com/T/]
-> v2:
	Only check prof_buffer in profile_tick() but not set prof_cpu_mask
	to NULL after free_cpumask_var()
---
 kernel/profile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/profile.c b/kernel/profile.c
index 8a77769bc4b4..cca47dc2b1db 100644
--- a/kernel/profile.c
+++ b/kernel/profile.c
@@ -334,7 +334,7 @@ void profile_tick(int type)
 {
 	struct pt_regs *regs = get_irq_regs();
 
-	if (!user_mode(regs) && cpumask_available(prof_cpu_mask) &&
+	if (!user_mode(regs) && prof_buffer && cpumask_available(prof_cpu_mask) &&
 	    cpumask_test_cpu(smp_processor_id(), prof_cpu_mask))
 		profile_hit(type, (void *)profile_pc(regs));
 }
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ