| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aec9e115ab4302711625387b3116c7fd1d326f3d.camel@mediatek.com>
Date: Tue, 21 Mar 2023 11:23:32 +0000
From: Tze-nan Wu (吳澤南)
<Tze-nan.Wu@...iatek.com>
To: Cheng-Jui Wang (王正睿)
<Cheng-Jui.Wang@...iatek.com>,
"rostedt@...dmis.org" <rostedt@...dmis.org>
CC: "zanussi@...nel.org" <zanussi@...nel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-trace-kernel@...r.kernel.org"
<linux-trace-kernel@...r.kernel.org>,
"linux-mediatek@...ts.infradead.org"
<linux-mediatek@...ts.infradead.org>,
wsd_upstream <wsd_upstream@...iatek.com>,
Bobule Chang (張弘義)
<bobule.chang@...iatek.com>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"mhiramat@...nel.org" <mhiramat@...nel.org>,
"matthias.bgg@...il.com" <matthias.bgg@...il.com>,
"angelogioacchino.delregno@...labora.com"
<angelogioacchino.delregno@...labora.com>
Subject: Re: [PATCH] tracing: Fix use-after-free and double-free on last_cmd
On Sat, 2023-03-18 at 14:35 -0400, Steven Rostedt wrote:
> On Fri, 17 Mar 2023 13:30:44 +0800
> Cheng-Jui Wang <cheng-jui.wang@...iatek.com> wrote:
>
> > From: "Tze-nan Wu" <Tze-nan.Wu@...iatek.com>
>
> Hi!
>
> Thanks for the report and the patch. Some nits below.
>
> Also change the subject to:
>
> tracing/synthetic: Fix races on freeing last_cmd
>
> > ---
> > kernel/trace/trace_events_synth.c | 23 +++++++++++++++++++----
> > 1 file changed, 19 insertions(+), 4 deletions(-)
> >
> > diff --git a/kernel/trace/trace_events_synth.c
> > b/kernel/trace/trace_events_synth.c
> > index 46d0abb32d0f..ce438eccab2e 100644
> > --- a/kernel/trace/trace_events_synth.c
> > +++ b/kernel/trace/trace_events_synth.c
> > @@ -42,16 +42,25 @@ enum { ERRORS };
> > #undef C
> > #define C(a, b) b
> >
> > +static DEFINE_MUTEX(lastcmd_mutex);
> > +
> > static const char *err_text[] = { ERRORS };
> >
> > static char *last_cmd;
>
> Please keep the mutex and the variable it protects next to each
> other:
>
> static DEFINE_MUTEX(lastcmd_mutex);
> static char *last_cmd;
>
> >
> > static int errpos(const char *str)
> > {
> > - if (!str || !last_cmd)
> > - return 0;
> > + int ret = 0;
> > +
> > + mutex_lock(&lastcmd_mutex);
> > + if (!str || !last_cmd) {
>
> Change this to just:
>
> if (!str || !last_cmd)
> goto out;
>
> > + mutex_unlock(&lastcmd_mutex);
> > + return ret;
> > + }
> >
> > - return err_pos(last_cmd, str);
> > + ret = err_pos(last_cmd, str);
>
> Add:
>
> out:
>
> > + mutex_unlock(&lastcmd_mutex);
> > + return ret;
> > }
> >
> > static void last_cmd_set(const char *str)
> > @@ -59,18 +68,24 @@ static void last_cmd_set(const char *str)
> > if (!str)
> > return;
> >
> > + mutex_lock(&lastcmd_mutex);
> > kfree(last_cmd);
> >
>
> In this case, you can remove the space:
>
> mutex_lock(&lastcmd_mutex);
> kfree(last_cmd);
> last_cmd = kstrdup(str, GFP_KERNEL);
> mutex_unlock(&lastcmd_mutex);
>
> > last_cmd = kstrdup(str, GFP_KERNEL);
> > + mutex_unlock(&lastcmd_mutex);
> > }
> >
> > static void synth_err(u8 err_type, u16 err_pos)
> > {
> > - if (!last_cmd)
> > + mutex_lock(&lastcmd_mutex);
> > + if (!last_cmd) {
>
> This should be:
>
> if (!last_cmd)
> goto out;
>
> > + mutex_unlock(&lastcmd_mutex);
> > return;
> > + }
> >
> > tracing_log_err(NULL, "synthetic_events", last_cmd, err_text,
> > err_type, err_pos);
>
> out:
>
> > + mutex_unlock(&lastcmd_mutex);
> > }
> >
> > static int create_synth_event(const char *raw_command);
>
> Thanks,
>
> -- Steve
Hi Steve,
Thanks for the comments,
the new patch with cleaner code is now ready.
Since the topic has been changed, I created a new thread for the new
patch:
https://lore.kernel.org/lkml/20230321110444.1587-1-Tze-nan.Wu@mediatek.com/
-- Tze-nan
Powered by blists - more mailing lists