lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZBNoOE0tMiJZd6r8@kroah.com>
Date:   Thu, 16 Mar 2023 20:04:24 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Fedor Pchelkin <pchelkin@...ras.ru>
Cc:     Jens Axboe <axboe@...nel.dk>, stable@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Alexey Khoroshilov <khoroshilov@...ras.ru>,
        lvc-project@...uxtesting.org
Subject: Re: [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in
 io_arm_poll_handler

On Thu, Mar 16, 2023 at 09:56:16PM +0300, Fedor Pchelkin wrote:
> No upstream commit exists for this commit.
> 
> The issue was introduced with backporting upstream commit c16bda37594f
> ("io_uring/poll: allow some retries for poll triggering spuriously").
> 
> Memory allocation can possibly fail causing invalid pointer be
> dereferenced just before comparing it to NULL value.
> 
> Move the pointer check in proper place (upstream has the similar location
> of the check). In case the request has REQ_F_POLLED flag up, apoll can't
> be NULL so no need to check there.
> 
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
> 
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
> ---
>  io_uring/io_uring.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 445afda927f4..fd799567fc23 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
>  		}
>  	} else {
>  		apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
> +		if (unlikely(!apoll))
> +			return IO_APOLL_ABORTED;

How can you trigger a GFP_ATOMIC memory failure?  If you do, worse
things are about to happen to your system, right?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ