| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZmM7FovMyez71TcC@slm.duckdns.org>
Date: Fri, 7 Jun 2024 06:53:42 -1000
From: Tejun Heo <tj@...nel.org>
To: Tim Van Patten <timvp@...omium.org>
Cc: LKML <linux-kernel@...r.kernel.org>, druth@...omium.org,
Tim Van Patten <timvp@...gle.com>,
Lai Jiangshan <jiangshanlai@...il.com>
Subject: Re: [PATCH] workqueue: Prevent delayed work UAF kernel panic
Hello,
On Fri, Jun 07, 2024 at 10:46:11AM -0600, Tim Van Patten wrote:
...
> Commit 33e3f0a3358b ("workqueue: Add a new flag to spot the potential
> UAF error")added the flag __WQ_DESTROYING to help avoid this. However,
> this solution still allows work to be queued if it's from the same
> workqueue, even if the workqueue has been fully destroyed, which is
> possible with queue_delayed_work().
>
> 1. queue_delayed_work()
> 2. destroy_workqueue()
> 3. [delayed work timer expires]: delayed_work_timer_fn()
>
> To prevent kernel panics, check if the pwq and pwq->pool pointers are
> valid before derefencing them, and discard the work if they're not.
Nothing guarantees that they'd stay NULL after wq destruction, right?
> Discarding all work once __WQ_DESTROYING has been set (including from
> the same workqueue) causes breakage, so we must check the pointers
> directly.
There's only so much protection we can offer for buggy code and I'd much
prefer an approach where the overhead is in the destruction path rather than
the queueing path.
Thanks.
--
tejun
Powered by blists - more mailing lists