lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z9xQP0uhBEr3B890@kernel.org>
Date: Thu, 20 Mar 2025 19:28:31 +0200
From: Jarkko Sakkinen <jarkko@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: Kees Cook <kees@...nel.org>, Oleg Nesterov <oleg@...hat.com>,
	Greg KH <gregkh@...uxfoundation.org>,
	Josh Drake <josh@...phoslabs.com>,
	Suraj Sonawane <surajsonawane0215@...il.com>,
	keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
	security@...nel.org, stable@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] keys: Fix UAF in key_put()

On Thu, Mar 20, 2025 at 04:39:11PM +0000, David Howells wrote:
> Jarkko Sakkinen <jarkko@...nel.org> wrote:
> 
> > > +		if (test_bit(KEY_FLAG_FINAL_PUT, &key->flags)) {
> > > +			smp_mb(); /* Clobber key->user after FINAL_PUT seen. */
> > 
> > test_bit() is already atomic.
> 
> Atomiticity doesn't apply to test_bit() - it only matters when it does two (or
> more) accesses that must be perceptually indivisible (e.g. set_bit doing RMW).
> 
> But atomiticity isn't the issue here, hence the barrier.  You need to be
> looking at memory-barriers.txt, not atomic_bitops.txt.
> 
> We have two things to correctly order and set_bit() does not imply sufficient
> barriering; test_and_set_bit() does, but not set_bit(), hence Linus's comment
> about really wanting a set_bit_release().

Oops, I was hallucinating here. And yeah, test_and_set_bit() does
imply full mb as you said.

I was somehow remembering what I did in SGX driver incorrectly and
that led me into misconclusions, sorry.

if (test_and_set_bit(SGX_ENCL_IOCTL, &encl->flags))
	return -EBUSY;

> 
> > > +			smp_mb(); /* key->user before FINAL_PUT set. */
> > > +			set_bit(KEY_FLAG_FINAL_PUT, &key->flags);
> > 
> > Ditto.
> 
> Ditto. ;-)

Duh, no need poke with the stick further (or deeper) ;-)

> 
> > Nit: I'm just thinking should the name imply more like that "now
> > key_put() is actually done". E.g., even something like KEY_FLAG_PUT_DONE
> > would be more self-descriptive.
> 
> KEY_FLAG_PUT_DONE isn't right.  There can be lots of puts on a single key -
> only the one that reduces it to 0 matters for this.  You could call it
> KEY_FLAG_CAN_NOW_GC or KEY_FLAG_GC_ABLE.

Well all alternatives are fine but my thinking was that one that finally
zeros the refcount, "finalizes put" (pick whatever you want anyway).

> 
> David

BR, Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ