lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 27 Oct 2023 18:50:44 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     WangJinchao <wangjinchao@...sion.com>
Cc:     steffen.klassert@...unet.com, daniel.m.jordan@...cle.com,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        stone.xulei@...sion.com
Subject: Re: [PATCH v4] padata: Fix refcnt handling in padata_free_shell()

WangJinchao <wangjinchao@...sion.com> wrote:
> In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead
> to system UAF (Use-After-Free) issues. Due to the lengthy analysis of
> the pcrypt_aead01 function call, I'll describe the problem scenario
> using a simplified model:
> 
> Suppose there's a user of padata named `user_function` that adheres to
> the padata requirement of calling `padata_free_shell` after `serial()`
> has been invoked, as demonstrated in the following code:
> 
> ```c
> struct request {
>    struct padata_priv padata;
>    struct completion *done;
> };
> 
> void parallel(struct padata_priv *padata) {
>    do_something();
> }
> 
> void serial(struct padata_priv *padata) {
>    struct request *request = container_of(padata,
>                                struct request,
>                                padata);
>    complete(request->done);
> }
> 
> void user_function() {
>    DECLARE_COMPLETION(done)
>    padata->parallel = parallel;
>    padata->serial = serial;
>    padata_do_parallel();
>    wait_for_completion(&done);
>    padata_free_shell();
> }
> ```
> 
> In the corresponding padata.c file, there's the following code:
> 
> ```c
> static void padata_serial_worker(struct work_struct *serial_work) {
>    ...
>    cnt = 0;
> 
>    while (!list_empty(&local_list)) {
>        ...
>        padata->serial(padata);
>        cnt++;
>    }
> 
>    local_bh_enable();
> 
>    if (refcount_sub_and_test(cnt, &pd->refcnt))
>        padata_free_pd(pd);
> }
> ```
> 
> Because of the high system load and the accumulation of unexecuted
> softirq at this moment, `local_bh_enable()` in padata takes longer
> to execute than usual. Subsequently, when accessing `pd->refcnt`,
> `pd` has already been released by `padata_free_shell()`, resulting
> in a UAF issue with `pd->refcnt`.
> 
> The fix is straightforward: add `refcount_dec_and_test` before calling
> `padata_free_pd` in `padata_free_shell`.
> 
> Fixes: 07928d9bfc81 ("padata: Remove broken queue flushing")
> 
> Signed-off-by: WangJinchao <wangjinchao@...sion.com>
> Acked-by: Daniel Jordan <daniel.m.jordan@...cle.com>
> ---
> V4:
>    Included Daniel's ack
>    Included Herbert's ack
> V3: https://lore.kernel.org/all/ZSDWAcUxXcwD4YUZ@fedora/
>    Included Daniel's ack
>    introduced wrong patch 
> V2: https://lore.kernel.org/all/ZRTLHY5A+VqIKhA2@fedora/
>    To satisfy Sparse, use rcu_dereference_protected.
>    Reported-by: kernel test robot <lkp@...el.com>
>    Closes: https://lore.kernel.org/oe-kbuild-all/202309270829.xHgTOMKw-lkp@intel.com/
> 
> V1: https://lore.kernel.org/all/ZRE4XvOOhz4HSOgR@fedora/
> kernel/padata.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ