lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240717162536.GH26750@noisy.programming.kicks-ass.net>
Date: Wed, 17 Jul 2024 18:25:36 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Petr Pavlu <petr.pavlu@...e.com>
Cc: Kees Cook <kees@...nel.org>, Will Deacon <will@...nel.org>,
	Boqun Feng <boqun.feng@...il.com>,
	Mark Rutland <mark.rutland@....com>, Arnd Bergmann <arnd@...db.de>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] refcount: Report UAF for refcount_sub_and_test(0) when
 counter==0

On Wed, Jul 17, 2024 at 03:00:23PM +0200, Petr Pavlu wrote:
> When a reference counter is at zero and refcount_sub_and_test() is invoked
> to subtract zero, the function accepts this request without any warning and
> returns true. This behavior does not seem ideal because the counter being
> already at zero indicates a use-after-free. Furthermore, returning true by
> refcount_sub_and_test() in this case potentially results in a double-free
> done by its caller.
> 
> Modify the underlying function __refcount_sub_and_test() to warn about this
> case as a use-after-free and have it return false to avoid the potential
> double-free.
> 
> Signed-off-by: Petr Pavlu <petr.pavlu@...e.com>
> ---
> 
> Motivation for this patch is an earlier kretprobe problem described at:
> https://lore.kernel.org/linux-trace-kernel/92cff289-facb-4e42-b761-6fd2515d6018@suse.com/

Well that's good fun.... :/

The patch seems sane enough to me, I don't think add() has a similar
issue, adding 0 is still daft, but as is I don't think it will actually
misbehave. Notably add_not_zero(0) will fail when 0 and succeed (with
no effect) when !0.

Still, adding or subtracting 0 is pretty stupid, so perhaps we should
more explicitly warn on that?

Anyway, for this patch:

Acked-by: Peter Zijlstra (Intel) <peterz@...radead.org>

>  drivers/misc/lkdtm/refcount.c | 16 ++++++++++++++++
>  include/linux/refcount.h      |  4 ++--
>  2 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/misc/lkdtm/refcount.c b/drivers/misc/lkdtm/refcount.c
> index 5cd488f54cfa..8f744bee6fbd 100644
> --- a/drivers/misc/lkdtm/refcount.c
> +++ b/drivers/misc/lkdtm/refcount.c
> @@ -182,6 +182,21 @@ static void lkdtm_REFCOUNT_SUB_AND_TEST_NEGATIVE(void)
>  	check_negative(&neg, 3);
>  }
>  
> +/*
> + * A refcount_sub_and_test() by zero when the counter is at zero should act like
> + * refcount_sub_and_test() above when going negative.
> + */
> +static void lkdtm_REFCOUNT_SUB_AND_TEST_ZERO(void)
> +{
> +	refcount_t neg = REFCOUNT_INIT(0);
> +
> +	pr_info("attempting bad refcount_sub_and_test() at zero\n");
> +	if (refcount_sub_and_test(0, &neg))
> +		pr_warn("Weird: refcount_sub_and_test() reported zero\n");
> +
> +	check_negative(&neg, 0);
> +}
> +
>  static void check_from_zero(refcount_t *ref)
>  {
>  	switch (refcount_read(ref)) {
> @@ -400,6 +415,7 @@ static struct crashtype crashtypes[] = {
>  	CRASHTYPE(REFCOUNT_DEC_NEGATIVE),
>  	CRASHTYPE(REFCOUNT_DEC_AND_TEST_NEGATIVE),
>  	CRASHTYPE(REFCOUNT_SUB_AND_TEST_NEGATIVE),
> +	CRASHTYPE(REFCOUNT_SUB_AND_TEST_ZERO),
>  	CRASHTYPE(REFCOUNT_INC_ZERO),
>  	CRASHTYPE(REFCOUNT_ADD_ZERO),
>  	CRASHTYPE(REFCOUNT_INC_SATURATED),
> diff --git a/include/linux/refcount.h b/include/linux/refcount.h
> index 59b3b752394d..35f039ecb272 100644
> --- a/include/linux/refcount.h
> +++ b/include/linux/refcount.h
> @@ -266,12 +266,12 @@ bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp)
>  	if (oldp)
>  		*oldp = old;
>  
> -	if (old == i) {
> +	if (old > 0 && old == i) {
>  		smp_acquire__after_ctrl_dep();
>  		return true;
>  	}
>  
> -	if (unlikely(old < 0 || old - i < 0))
> +	if (unlikely(old <= 0 || old - i < 0))
>  		refcount_warn_saturate(r, REFCOUNT_SUB_UAF);
>  
>  	return false;
> 
> base-commit: 2df0193e62cf887f373995fb8a91068562784adc
> -- 
> 2.35.3
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ