Message-ID: <20250316131827.4d989e91@batman.local.home>
Date: Sun, 16 Mar 2025 13:18:27 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Masami Hiramatsu
 <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
 Tengda Wu <wutengda@...weicloud.com>
Subject: [GIT PULL] tracing: Fix for v6.14


Linus,

Fix ref count of trace_array in error path of histogram file open

Tracing instances have a ref count to keep them around while files within
their directories are open. This prevents them from being deleted while
they are used. The histogram code had some files that needed to take the
ref count and that was added, but the error paths did not decrement the
ref counts. This prevented the instances from ever being removed if a
histogram file failed to open due to some error.


Please pull the latest trace-v6.14-rc5 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.14-rc5

Tag SHA1: 81862092868cd7b5ee12ffe7cc52fcc97978d891
Head SHA1: 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04


Tengda Wu (1):
      tracing: Correct the refcount if the hist/hist_debug file fails to open

----
 kernel/trace/trace_events_hist.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
---------------------------
commit 0b4ffbe4888a2c71185eaf5c1a02dd3586a9bc04
Author: Tengda Wu <wutengda@...weicloud.com>
Date:   Fri Mar 14 06:53:35 2025 +0000

    tracing: Correct the refcount if the hist/hist_debug file fails to open
    
    The function event_{hist,hist_debug}_open() maintains the refcount of
    'file->tr' and 'file' through tracing_open_file_tr(). However, it does
    not roll back these counts on subsequent failure paths, resulting in a
    refcount leak.
    
    A very obvious case is that if the hist/hist_debug file belongs to a
    specific instance, the refcount leak will prevent the deletion of that
    instance, as it relies on the condition 'tr->ref == 1' within
    __remove_instance().
    
    Fix this by calling tracing_release_file_tr() on all failure paths in
    event_{hist,hist_debug}_open() to correct the refcount.
    
    Cc: stable@...r.kernel.org
    Cc: Masami Hiramatsu <mhiramat@...nel.org>
    Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
    Cc: Zheng Yejian <zhengyejian1@...wei.com>
    Link: https://lore.kernel.org/20250314065335.1202817-1-wutengda@huaweicloud.com
    Fixes: 1cc111b9cddc ("tracing: Fix uaf issue when open the hist or hist_debug file")
    Signed-off-by: Tengda Wu <wutengda@...weicloud.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@...dmis.org>

diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index ad7419e24055..53dc6719181e 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -5689,12 +5689,16 @@ static int event_hist_open(struct inode *inode, struct file *file)
 	guard(mutex)(&event_mutex);
 
 	event_file = event_file_data(file);
-	if (!event_file)
-		return -ENODEV;
+	if (!event_file) {
+		ret = -ENODEV;
+		goto err;
+	}
 
 	hist_file = kzalloc(sizeof(*hist_file), GFP_KERNEL);
-	if (!hist_file)
-		return -ENOMEM;
+	if (!hist_file) {
+		ret = -ENOMEM;
+		goto err;
+	}
 
 	hist_file->file = file;
 	hist_file->last_act = get_hist_hit_count(event_file);
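Review bot: the two new `goto err` jumps in event_hist_open() sit in a function that also uses guard(mutex)(&event_mutex), and include/linux/cleanup.h asks that goto-based unwinding and scope-based cleanup helpers not be mixed in one function. Both jumps come after the guard, so nothing is skipped today, but it would be worth either making the release scope-based as well or stating in the commit message why the label was chosen, so a later edit does not add a goto above the guard.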
@@ -5702,9 +5706,14 @@ static int event_hist_open(struct inode *inode, struct file *file)
 	/* Clear private_data to avoid warning in single_open() */
 	file->private_data = NULL;
 	ret = single_open(file, hist_show, hist_file);
-	if (ret)
+	if (ret) {
 		kfree(hist_file);
+		goto err;
+	}
 
+	return 0;
+err:
+	tracing_release_file_tr(inode, file);
 	return ret;
 }
 
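Review bot: at the `err:` label, tracing_release_file_tr(inode, file) runs while event_mutex is still held, because guard(mutex)(&event_mutex) at the top of the function only drops the lock when the function returns. The commit message does not say whether the release helper is safe to call under event_mutex; a sentence confirming the lock order would help, as would a one-line comment above `err:` saying that it undoes tracing_open_file_tr(), since the acquire is outside the hunk.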
@@ -5979,7 +5988,10 @@ static int event_hist_debug_open(struct inode *inode, struct file *file)
 
 	/* Clear private_data to avoid warning in single_open() */
 	file->private_data = NULL;
-	return single_open(file, hist_debug_show, file);
+	ret = single_open(file, hist_debug_show, file);
+	if (ret)
+		tracing_release_file_tr(inode, file);
+	return ret;
 }
 
 const struct file_operations event_hist_debug_fops = {
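Review bot: the failure handling after single_open() in event_hist_debug_open() is written inline (`if (ret) tracing_release_file_tr(inode, file);`), while event_hist_open() in the same patch routes every failure through an err label. The inline form is reasonable for the single failure path visible here, but the hunk assigns `ret` without adding a declaration, so it depends on an `int ret` already present earlier in the function; a short note in the commit message that this function has only the one failure path after tracing_open_file_tr() would make the "all failure paths" claim easy to verify.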
