lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2023042347-vaguely-monsieur-63ed@gregkh>
Date:   Sun, 23 Apr 2023 16:03:28 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        syzbot <syzbot+b7c3ba8cdc2f6cf83c21@...kaller.appspotmail.com>,
        Jiri Slaby <jirislaby@...nel.org>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [kernel?] KCSAN: data-race in __fput / __tty_hangup (4)

On Sun, Apr 23, 2023 at 10:28:58PM +0900, Tetsuo Handa wrote:
> On 2023/04/21 17:21, Dmitry Vyukov wrote:
> > On Fri, 21 Apr 2023 at 10:18, syzbot
> > <syzbot+b7c3ba8cdc2f6cf83c21@...kaller.appspotmail.com> wrote:
> >>
> >> Hello,
> >>
> >> syzbot found the following issue on:
> >>
> >> HEAD commit:    fcd476ea6a88 Merge tag 'urgent-rcu.2023.03.28a' of git://g..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=146618b9c80000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=f7350c77b8056a38
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=b7c3ba8cdc2f6cf83c21
> >> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> >>
> >> Unfortunately, I don't have any reproducer for this issue yet.
> >>
> >> Downloadable assets:
> >> disk image: https://storage.googleapis.com/syzbot-assets/f3d8ce4faab0/disk-fcd476ea.raw.xz
> >> vmlinux: https://storage.googleapis.com/syzbot-assets/fc53d9dee279/vmlinux-fcd476ea.xz
> >> kernel image: https://storage.googleapis.com/syzbot-assets/22ad755d39b2/bzImage-fcd476ea.xz
> >>
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+b7c3ba8cdc2f6cf83c21@...kaller.appspotmail.com
> > 
> > If I am reading this correctly, this race can lead to NULL derefs
> > among other things.
> > hung_up_tty_fops does not have splice_read, while other fops have.
> > 
> > So the following code in splice can execute NULL callback:
> > 
> > if (unlikely(!in->f_op->splice_read))
> >     return warn_unsupported(in, "read");
> > return in->f_op->splice_read(in, ppos, pipe, len, flags);
> 
> Hmm, it seems to me that we need multiple patches (which would become too big to
> backport) for fixing this bug.
> 
> First step (which Dmitry mentioned) is to avoid potential NULL pointer dereferences
> caused by
> 
>   if (!f_op->$callbackname) {
>     return error;
>   }
>   return f_op->$callbackname($args);
> 
> pattern, for the next step will touch too many locations to change all at once whereas
> the first step could be handled by implementing dummy function for all missing $callbackname.

I do not understand, what "callbackname" is the problem here?  Just
splice_read?  Something else?  And where would it need to be modified
and why can't we do it in one place only (i.e. install a default handler
instead.)

Also, pointer function operations like this are dirt slow, be wary of
adding additional ones if possible, on fast paths.

> Next step is to convert from
> 
>   if (!f_op->$callbackname) {
>     return error;
>   }
>   return f_op->$callbackname($args);
> 
> to
> 
>   fn = READ_ONCE(f_op->$callbackname);
>   if (!fn) {
>     return error;
>   }
>   return fn($args);
> 
> pattern.

Why?  What does this solve differently than the first one?  What can
change the fops pointer between the check and call path?  If something
can change it, then do NOT make that type of check in the first place
(or put a proper lock in place.)

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ