| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Feb 2024 11:08:02 +0100
From: Michal Hocko <mhocko@...e.com>
To: Gong Ruiqi <gongruiqi1@...wei.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Johannes Weiner <hannes@...xchg.org>,
Roman Gushchin <roman.gushchin@...ux.dev>,
Shakeel Butt <shakeelb@...gle.com>,
Muchun Song <muchun.song@...ux.dev>, cgroups@...r.kernel.org,
linux-mm@...ck.org, Wang Weiyang <wangweiyang2@...wei.com>,
Xiu Jianfeng <xiujianfeng@...wei.com>
Subject: Re: [PATCH stable] memcg: add refcnt for pcpu stock to avoid UAF
problem in drain_all_stock()
On Wed 21-02-24 17:50:27, Gong Ruiqi wrote:
>
> On 2024/02/21 16:38, Michal Hocko wrote:
> > On Wed 21-02-24 16:18:01, GONG, Ruiqi wrote:
> >> commit 1a3e1f40962c445b997151a542314f3c6097f8c3 upstream.
> >
> > I think it would be good to mention that this is only a partial backport
> > and also explain why to do a partial rather than the full one.
> >
>
> Okay. I think to fix this problem we should add refcnt relation between
> memcg and stock, and since higher versions have achieved this, maybe
> it's better to use the same code and align with them. So I put a "commit
> xxx upstream" here, as requested in kernel docs[1]. So yes it's a
> partial backport as we only need the stock part.
I think it is sufficient to mention that this is a partial backport to
minimize the fix to the bare minimum.
[...]
> > What does prevent from the following?
> >
> > refill_stock(memcgC) drain_all_stock(memcgB)
> > drain_stock(memcgA) rcu_read_lock()
> > css_put(old->css) memcgA = stock->cached
> > mem_cgroup_is_descendant(memcgA, memcgB) UAF
> > stock->cached = NULL
> >
>
> I think it's not a problem since refill_stock() has disabled irq before
> calling drain_stock():
>
> refill_stock(memcgC)
> local_irq_save
> drain_stock(memcgA)
> css_put(old->css)
> <1>
> stock->cached = NULL
> local_irq_restore
> <2>
>
> And since css_put(old->css) is an RCU free, memcgA would not be freed at
> <1> as it's still in grace period. The actual release of memcgA could
> happen only after irq is enabled (at <2>).
>
> And for CPU2, the access to stock->cached in drain_all_stock() is
> protected by rcu_read_lock(), so from stock->cached we get either NULL,
> or a memcgA that is still not freed.
>
> Please correct me if I have some wrong understanding to RCU.
You are right. Thanks! IRQ disabling is there in one form or the other
since db2ba40c277d ("mm: memcontrol: make per-cpu charge cache IRQ-safe
for socket accounting") so 4.8+ is safe. Backports to older kernels
would nee to pull this one as well.
> >> Cc: stable@...r.kernel.org # 4.19 5.4
> >> Fixes: cdec2e4265df ("memcg: coalesce charging via percpu storage")
> >> Signed-off-by: GONG, Ruiqi <gongruiqi1@...wei.com>
Acked-by: Michal Hocko <mhocko@...e.com>
Thanks!
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists