lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZdXLgjpUfpwEwAe0@tiehlicka>
Date: Wed, 21 Feb 2024 11:08:02 +0100
From: Michal Hocko <mhocko@...e.com>
To: Gong Ruiqi <gongruiqi1@...wei.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	Johannes Weiner <hannes@...xchg.org>,
	Roman Gushchin <roman.gushchin@...ux.dev>,
	Shakeel Butt <shakeelb@...gle.com>,
	Muchun Song <muchun.song@...ux.dev>, cgroups@...r.kernel.org,
	linux-mm@...ck.org, Wang Weiyang <wangweiyang2@...wei.com>,
	Xiu Jianfeng <xiujianfeng@...wei.com>
Subject: Re: [PATCH stable] memcg: add refcnt for pcpu stock to avoid UAF
 problem in drain_all_stock()

On Wed 21-02-24 17:50:27, Gong Ruiqi wrote:
> 
> On 2024/02/21 16:38, Michal Hocko wrote:
> > On Wed 21-02-24 16:18:01, GONG, Ruiqi wrote:
> >> commit 1a3e1f40962c445b997151a542314f3c6097f8c3 upstream.
> > 
> > I think it would be good to mention that this is only a partial backport
> > and also explain why to do a partial rather than the full one.
> >
> 
> Okay. I think to fix this problem we should add refcnt relation between
> memcg and stock, and since higher versions have achieved this, maybe
> it's better to use the same code and align with them. So I put a "commit
> xxx upstream" here, as requested in kernel docs[1]. So yes it's a
> partial backport as we only need the stock part.

I think it is sufficient to mention that this is a partial backport to
minimize the fix to the bare minimum.

[...]
> > What does prevent from the following?
> > 
> > refill_stock(memcgC)		drain_all_stock(memcgB)
> >   drain_stock(memcgA)		  rcu_read_lock()
> >     css_put(old->css)		  memcgA = stock->cached
> >                                   mem_cgroup_is_descendant(memcgA, memcgB) UAF
> >     stock->cached = NULL
> > 
> 
> I think it's not a problem since refill_stock() has disabled irq before
> calling drain_stock():
> 
> refill_stock(memcgC)
>   local_irq_save
>   drain_stock(memcgA)
>     css_put(old->css)
>     <1>
>     stock->cached = NULL
>   local_irq_restore
>   <2>
> 
> And since css_put(old->css) is an RCU free, memcgA would not be freed at
> <1> as it's still in grace period. The actual release of memcgA could
> happen only after irq is enabled (at <2>).
> 
> And for CPU2, the access to stock->cached in drain_all_stock() is
> protected by rcu_read_lock(), so from stock->cached we get either NULL,
> or a memcgA that is still not freed.
> 
> Please correct me if I have some wrong understanding to RCU.

You are right. Thanks! IRQ disabling is there in one form or the other
since db2ba40c277d ("mm: memcontrol: make per-cpu charge cache IRQ-safe
for socket accounting") so 4.8+ is safe. Backports to older kernels
would nee to pull this one as well.

> >> Cc: stable@...r.kernel.org      # 4.19 5.4
> >> Fixes: cdec2e4265df ("memcg: coalesce charging via percpu storage")
> >> Signed-off-by: GONG, Ruiqi <gongruiqi1@...wei.com>

Acked-by: Michal Hocko <mhocko@...e.com>

Thanks!

-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ