| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9b0ff6b4-560f-ae7c-25e8-de349a089761@163.com>
Date: Wed, 4 Sep 2024 10:02:09 +0800
From: Chi Zhiling <chizhiling@....com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: mhiramat@...nel.org, mathieu.desnoyers@...icios.com,
linux-trace-kernel@...r.kernel.org, linux-kernel@...r.kernel.org,
Chi Zhiling <chizhiling@...inos.cn>
Subject: Re: [PATCH] eventfs: fix a null pointer access in eventfs_iterate
On 2024/9/4 03:51, Steven Rostedt wrote:
> On Thu, 29 Aug 2024 11:24:36 +0800
> Chi Zhiling <chizhiling@....com> wrote:
>
>> From: Chi Zhiling <chizhiling@...inos.cn>
>>
>> We found a null pointer accessing in tracefs[1], the reason is that
>> the variable 'ei_child' is set to LIST_POISON1, that means the list
>> was removed in eventfs_remove_rec. so when access the ei_child->is_freed,
>> the panic triggered.
>>
>> the linked list is protected by eventfs_mutex in eventfs_remove_rec,
> Only writes of the link list is protected by the mutex. Reads are not.
>
>> so when we access the list of ei_child in eventfs_iterate, we also need
>> a mutex_lock in there to avoid eventfs_remove_rec modify the list.
> Yes you hit a bug, but no this is *not* the solution!
>
>
>> Signed-off-by: Chi Zhiling <chizhiling@...inos.cn>
>> ---
>> fs/tracefs/event_inode.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
>> index 01e99e98457d..4895ed07376b 100644
>> --- a/fs/tracefs/event_inode.c
>> +++ b/fs/tracefs/event_inode.c
>> @@ -642,6 +642,7 @@ static int eventfs_iterate(struct file *file, struct dir_context *ctx)
>> /* Subtract the skipped entries above */
>> c -= min((unsigned int)c, (unsigned int)ei->nr_entries);
>>
>> + mutex_unlock(&eventfs_mutex);
> This list is protected by SRCU (hence the name of the iterator), if you
> need to add a mutex around it, something else is broken.
>
>> list_for_each_entry_srcu(ei_child, &ei->children, list,
>> srcu_read_lock_held(&eventfs_srcu)) {
>>
>> @@ -659,9 +660,12 @@ static int eventfs_iterate(struct file *file, struct dir_context *ctx)
>>
>> ino = eventfs_dir_ino(ei_child);
>>
>> - if (!dir_emit(ctx, name, strlen(name), ino, DT_DIR))
>> + if (!dir_emit(ctx, name, strlen(name), ino, DT_DIR)) {
>> + mutex_unlock(&eventfs_mutex);
>> goto out_dec;
>> + }
>> }
>> + mutex_unlock(&eventfs_mutex);
>> ret = 1;
>> out:
>> srcu_read_unlock(&eventfs_srcu, idx);
> The real fix is:
>
> diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
> index 01e99e98457d..8705c77a9e75 100644
> --- a/fs/tracefs/event_inode.c
> +++ b/fs/tracefs/event_inode.c
> @@ -862,7 +862,7 @@ static void eventfs_remove_rec(struct eventfs_inode *ei, int level)
> list_for_each_entry(ei_child, &ei->children, list)
> eventfs_remove_rec(ei_child, level + 1);
>
> - list_del(&ei->list);
> + list_del_rcu(&ei->list);
> free_ei(ei);
> }
>
> Can you test that and let me know if it fixes your issue. I'll just go
> ahead and apply it as it is an obvious bug.
>
Okay, I've tested it and I haven't seen any errors.
Powered by blists - more mailing lists