lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3176471.1742488751@warthog.procyon.org.uk>
Date: Thu, 20 Mar 2025 16:39:11 +0000
From: David Howells <dhowells@...hat.com>
To: Jarkko Sakkinen <jarkko@...nel.org>
Cc: dhowells@...hat.com, Kees Cook <kees@...nel.org>,
    Oleg Nesterov <oleg@...hat.com>,
    Greg KH <gregkh@...uxfoundation.org>,
    Josh Drake <josh@...phoslabs.com>,
    Suraj Sonawane <surajsonawane0215@...il.com>,
    keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
    security@...nel.org, stable@...r.kernel.org,
    linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] keys: Fix UAF in key_put()

Jarkko Sakkinen <jarkko@...nel.org> wrote:

> > +		if (test_bit(KEY_FLAG_FINAL_PUT, &key->flags)) {
> > +			smp_mb(); /* Clobber key->user after FINAL_PUT seen. */
> 
> test_bit() is already atomic.

Atomiticity doesn't apply to test_bit() - it only matters when it does two (or
more) accesses that must be perceptually indivisible (e.g. set_bit doing RMW).

But atomiticity isn't the issue here, hence the barrier.  You need to be
looking at memory-barriers.txt, not atomic_bitops.txt.

We have two things to correctly order and set_bit() does not imply sufficient
barriering; test_and_set_bit() does, but not set_bit(), hence Linus's comment
about really wanting a set_bit_release().

> > +			smp_mb(); /* key->user before FINAL_PUT set. */
> > +			set_bit(KEY_FLAG_FINAL_PUT, &key->flags);
> 
> Ditto.

Ditto. ;-)

> Nit: I'm just thinking should the name imply more like that "now
> key_put() is actually done". E.g., even something like KEY_FLAG_PUT_DONE
> would be more self-descriptive.

KEY_FLAG_PUT_DONE isn't right.  There can be lots of puts on a single key -
only the one that reduces it to 0 matters for this.  You could call it
KEY_FLAG_CAN_NOW_GC or KEY_FLAG_GC_ABLE.

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ