lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2024083031-jinx-erupt-6780@gregkh>
Date: Fri, 30 Aug 2024 14:56:39 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Shivani Agarwal <shivani.agarwal@...adcom.com>
Cc: stable@...r.kernel.org, longman@...hat.com, lizefan.x@...edance.com,
	tj@...nel.org, hannes@...xchg.org, mkoutny@...e.com,
	adityakali@...gle.com, sergeh@...nel.org, cgroups@...r.kernel.org,
	linux-kernel@...r.kernel.org, ajay.kaher@...adcom.com,
	alexey.makhalov@...adcom.com, vasavi.sirnapalli@...adcom.com,
	Chen Ridong <chenridong@...wei.com>,
	Sasha Levin <sashal@...nel.org>
Subject: Re: [PATCH v5.10-v5.15] cgroup/cpuset: Prevent UAF in
 proc_cpuset_show()

On Thu, Aug 29, 2024 at 10:04:53PM -0700, Shivani Agarwal wrote:
> From: Chen Ridong <chenridong@...wei.com>
> 
> [ Upstream commit 1be59c97c83ccd67a519d8a49486b3a8a73ca28a ]
> 
> An UAF can happen when /proc/cpuset is read as reported in [1].
> 
> This can be reproduced by the following methods:
> 1.add an mdelay(1000) before acquiring the cgroup_lock In the
>  cgroup_path_ns function.
> 2.$cat /proc/<pid>/cpuset   repeatly.
> 3.$mount -t cgroup -o cpuset cpuset /sys/fs/cgroup/cpuset/
> $umount /sys/fs/cgroup/cpuset/   repeatly.
> 
> The race that cause this bug can be shown as below:
> 
> (umount)		|	(cat /proc/<pid>/cpuset)
> css_release		|	proc_cpuset_show
> css_release_work_fn	|	css = task_get_css(tsk, cpuset_cgrp_id);
> css_free_rwork_fn	|	cgroup_path_ns(css->cgroup, ...);
> cgroup_destroy_root	|	mutex_lock(&cgroup_mutex);
> rebind_subsystems	|
> cgroup_free_root	|
> 			|	// cgrp was freed, UAF
> 			|	cgroup_path_ns_locked(cgrp,..);
> 
> When the cpuset is initialized, the root node top_cpuset.css.cgrp
> will point to &cgrp_dfl_root.cgrp. In cgroup v1, the mount operation will
> allocate cgroup_root, and top_cpuset.css.cgrp will point to the allocated
> &cgroup_root.cgrp. When the umount operation is executed,
> top_cpuset.css.cgrp will be rebound to &cgrp_dfl_root.cgrp.
> 
> The problem is that when rebinding to cgrp_dfl_root, there are cases
> where the cgroup_root allocated by setting up the root for cgroup v1
> is cached. This could lead to a Use-After-Free (UAF) if it is
> subsequently freed. The descendant cgroups of cgroup v1 can only be
> freed after the css is released. However, the css of the root will never
> be released, yet the cgroup_root should be freed when it is unmounted.
> This means that obtaining a reference to the css of the root does
> not guarantee that css.cgrp->root will not be freed.
> 
> Fix this problem by using rcu_read_lock in proc_cpuset_show().
> As cgroup_root is kfree_rcu after commit d23b5c577715
> ("cgroup: Make operations on the cgroup root_list RCU safe"),
> css->cgroup won't be freed during the critical section.
> To call cgroup_path_ns_locked, css_set_lock is needed, so it is safe to
> replace task_get_css with task_css.
> 
> [1] https://syzkaller.appspot.com/bug?extid=9b1ff7be974a403aa4cd
> 
> Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
> Signed-off-by: Chen Ridong <chenridong@...wei.com>
> Signed-off-by: Tejun Heo <tj@...nel.org>
> Signed-off-by: Sasha Levin <sashal@...nel.org>
> Signed-off-by: Shivani Agarwal <shivani.agarwal@...adcom.com>
> ---
>  kernel/cgroup/cpuset.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)

Now queued up, thanks.

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ