lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cff51d4b-80eb-4587-b4ad-bfe7d7361b19@grsecurity.net>
Date: Thu, 25 Jul 2024 20:12:33 +0200
From: Mathias Krause <minipli@...ecurity.net>
To: Steven Rostedt <rostedt@...dmis.org>, Ajay Kaher <ajay.kaher@...adcom.com>
Cc: Masami Hiramatsu <mhiramat@...nel.org>,
 Ilkka Naulapää <digirigawa@...il.com>,
 Linus Torvalds <torvalds@...ux-foundation.org>,
 Al Viro <viro@...iv.linux.org.uk>, linux-trace-kernel@...r.kernel.org,
 linux-kernel@...r.kernel.org, regressions@...mhuis.info,
 Dan Carpenter <dan.carpenter@...aro.org>,
 Vasavi Sirnapalli <vasavi.sirnapalli@...adcom.com>,
 Alexey Makhalov <alexey.makhalov@...adcom.com>,
 Florian Fainelli <florian.fainelli@...adcom.com>
Subject: Re: tracing: user events UAF crash report

On 25.07.24 19:16, Steven Rostedt wrote:
> On Thu, 25 Jul 2024 13:10:21 -0400
> Steven Rostedt <rostedt@...dmis.org> wrote:
>>
>> diff --git a/kernel/trace/trace_events_user.c b/kernel/trace/trace_events_user.c
>> index 3a2b46847c8b..e9ed2826ff46 100644
>> --- a/kernel/trace/trace_events_user.c
>> +++ b/kernel/trace/trace_events_user.c
>> @@ -321,6 +321,8 @@ static void user_event_put(struct user_event *user, bool locked)
>>  	 */
>>  	refcount_set(&user->refcnt, 1);
>>  
>> +	user->call.data = NULL;
> 
> Hmm, it may be possible to just have:
> 
> 	user->call.get_fields = NULL;
> 
> and then it will just use the call->class->fields instead and that should
> be initialized to empty.

Uhm, it's 'user' that has been free'd which makes all of the above
reading/writing already free'd memory. So no, I don't think that'll fly.

In fact, in our test environment with memory sanitation features enabled
we saw that dereferencing 'class' in trace_get_fields() trapping
(because the underlying object was free'd).

> 
> -- Steve
> 

> 
>> +
>>  	if (WARN_ON_ONCE(!schedule_work(&user->put_work))) {
>>  		/*
>>  		 * If we fail we must wait for an admin to attempt delete or
>> @@ -973,6 +975,11 @@ size_t copy_nofault(void *addr, size_t bytes, struct iov_iter *i)
>>  static struct list_head *user_event_get_fields(struct trace_event_call *call)
>>  {
>>  	struct user_event *user = (struct user_event *)call->data;

Dereferencing a potentially free'd object, so 'user' is now "random" data.

>> +	static LIST_HEAD(head);
>> +
>> +	/* If the user event is about to be deleted, return no fields */
>> +	if (!user)
>> +		return &head;
>>  
>>  	return &user->fields;
>>  }
> 

Thanks,
Mathias

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ