lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <2ee61a18-595e-4dda-a8c4-061c5a4803e0@kernel.dk>
Date: Fri, 19 Jul 2024 13:03:31 -0600
From: Jens Axboe <axboe@...nel.dk>
To: Wang Zhaolong <wangzhaolong1@...wei.com>, cve@...nel.org,
 linux-kernel@...r.kernel.org, linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, io-uring@...r.kernel.org
Subject: Re: CVE-2024-41001: io_uring/sqpoll: work around a potential audit
 memory leak

On 7/18/24 8:41 AM, Wang Zhaolong wrote:
> Hello,
> 
> I think a possible reason for the leak scenario is:
> 
> When `audit_context->dummy` is 0. __audit_sockaddr() allocates sockaddr.
> 
> In the below process, audit_reset_context() return early. ctx->sockaddr
> is not released.
> 
>   io_issue_sqe
>     audit_uring_entry
>       __audit_uring_entry
>         ctx->dummy -- set dummy as non-zero
>     def->issue()
>     audit_uring_exit
>       __audit_uring_exit
>         audit_reset_context
> 
> static void audit_reset_context(struct audit_context *ctx)
> {
>     ......
>     /* if ctx is non-null, reset the "ctx->context" regardless */
>     ctx->context = AUDIT_CTX_UNUSED;
>     if (ctx->dummy)
>         return;
> 
>     ......
>     kfree(ctx->sockaddr);
>     ......
> }
> 
> The `audit_uring_entry(IORING_OP_NOP);` statement initializes the 'dummy' once at the
> beginning to ensure that ctx->sockaddr is allocated and deallocated in pairs later
> in the process.
> 
> According to the above analysis, I think the fixes tag should be
> 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")

It was introduced with the changes to the above commit, where you could
end up calling prep (which does the move_addr_to_kernel()) before audit
was ready for it. This is the call trace shown in the commit as well.
Which I _think_ is:

Fixes: f482aa986527 ("audit, io_uring, io-wq: Fix memory leak in io_sq_thread() and io_wqe_worker()")

but I'd have to double check. In any case, it's a leak on the audit
side.

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ