| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240516094137.GI22557@noisy.programming.kicks-ass.net>
Date: Thu, 16 May 2024 11:41:37 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Frederic Weisbecker <frederic@...nel.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Namhyung Kim <namhyung@...nel.org>,
Mark Rutland <mark.rutland@....com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>, Ian Rogers <irogers@...gle.com>,
Adrian Hunter <adrian.hunter@...el.com>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Subject: Re: [PATCH 4/4] perf: Fix event leak upon exec and file release
On Wed, May 15, 2024 at 04:43:11PM +0200, Frederic Weisbecker wrote:
> The perf pending task work is never waited upon the matching event
> release. In the case of a child event, released via free_event()
> directly, this can potentially result in a leaked event, such as in the
> following scenario that doesn't even require a weak IRQ work
> implementation to trigger:
>
> schedule()
> prepare_task_switch()
> =======> <NMI>
> perf_event_overflow()
> event->pending_sigtrap = ...
> irq_work_queue(&event->pending_irq)
> <======= </NMI>
> perf_event_task_sched_out()
> event_sched_out()
> event->pending_sigtrap = 0;
> atomic_long_inc_not_zero(&event->refcount)
> task_work_add(&event->pending_task)
> finish_lock_switch()
> =======> <IRQ>
> perf_pending_irq()
> //do nothing, rely on pending task work
> <======= </IRQ>
>
> begin_new_exec()
> perf_event_exit_task()
> perf_event_exit_event()
> // If is child event
> free_event()
> WARN(atomic_long_cmpxchg(&event->refcount, 1, 0) != 1)
> // event is leaked
>
> Similar scenarios can also happen with perf_event_remove_on_exec() or
> simply against concurrent perf_event_release().
>
> Fix this with synchonizing against the possibly remaining pending task
> work while freeing the event, just like is done with remaining pending
> IRQ work. This means that the pending task callback neither need nor
> should hold a reference to the event, preventing it from ever beeing
> freed.
>
> Fixes: 517e6a301f34 ("perf: Fix perf_pending_task() UaF")
> Signed-off-by: Frederic Weisbecker <frederic@...nel.org>
Yeah, I suppose this'll do. Thanks!
Powered by blists - more mailing lists