Message-ID: <43a47dfd-d0c8-3d1d-d9f9-0332434a84f2@huaweicloud.com>
Date: Tue, 10 Jun 2025 14:12:14 +0800
From: Yu Kuai <yukuai1@...weicloud.com>
To: Wang Jinchao <wangjinchao600@...il.com>, Yu Kuai
<yukuai1@...weicloud.com>, Song Liu <song@...nel.org>
Cc: linux-raid@...r.kernel.org, linux-kernel@...r.kernel.org,
"yukuai (C)" <yukuai3@...wei.com>
Subject: Re: [PATCH] md/raid1: Fix use-after-free in reshape pool wait queue
Hi,
On 2025/06/10 12:51, Wang Jinchao wrote:
> [ 921.784898] [ C2] BUG: kernel NULL pointer dereference, address: 0000000000000002
> [ 921.784907] [ C2] #PF: supervisor instruction fetch in kernel mode
> [ 921.784910] [ C2] #PF: error_code(0x0010) - not-present page
> [ 921.784912] [ C2] PGD 0 P4D 0
> [ 921.784915] [ C2] Oops: 0010 [#1] PREEMPT SMP NOPTI
> [ 921.784919] [ C2] CPU: 2 PID: 1659 Comm: zds Kdump: loaded Tainted: G U W E 6.8.1-debug-0519 #49
> [ 921.784922] [ C2] Hardware name: Default string Default string/Default string, BIOS DNS9V011 12/24/2024
> [ 921.784923] [ C2] RIP: 0010:0x2
> [ 921.784929] [ C2] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
> [ 921.784931] [ C2] RSP: 0000:ffffa3fac0220c70 EFLAGS: 00010087
> [ 921.784933] [ C2] RAX: 0000000000000002 RBX: ffff8890539070d8 RCX: 0000000000000000
> [ 921.784935] [ C2] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffa3fac07dfc90
> [ 921.784936] [ C2] RBP: ffffa3fac0220ca8 R08: 2557c7cc905cff00 R09: 0000000000000000
> [ 921.784938] [ C2] R10: 0000000000000000 R11: 0000000000000000 R12: 000000008fa158a0
> [ 921.784939] [ C2] R13: 2557c7cc905cfee8 R14: 0000000000000000 R15: 0000000000000000
> [ 921.784941] [ C2] FS: 00007d8b034006c0(0000) GS:ffff8891bf900000(0000) knlGS:0000000000000000
> [ 921.784943] [ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 921.784945] [ C2] CR2: ffffffffffffffd8 CR3: 00000001097be000 CR4: 0000000000f50ef0
> [ 921.784946] [ C2] PKRU: 55555554
> [ 921.784948] [ C2] Call Trace:
> [ 921.784949] [ C2] <IRQ>
> [ 921.784950] [ C2] ? show_regs+0x6d/0x80
> [ 921.784957] [ C2] ? __die+0x24/0x80
> [ 921.784960] [ C2] ? page_fault_oops+0x156/0x4b0
> [ 921.784964] [ C2] ? mempool_free_slab+0x17/0x30
> [ 921.784968] [ C2] ? __slab_free+0x15d/0x2e0
> [ 921.784971] [ C2] ? do_user_addr_fault+0x2ee/0x6b0
> [ 921.784975] [ C2] ? exc_page_fault+0x83/0x1b0
> [ 921.784979] [ C2] ? asm_exc_page_fault+0x27/0x30
> [ 921.784984] [ C2] ? __wake_up_common+0x76/0xb0
> [ 921.784987] [ C2] __wake_up+0x37/0x70
> [ 921.784990] [ C2] mempool_free+0xaa/0xc0
> [ 921.784993] [ C2] raid_end_bio_io+0x97/0x130 [raid1]
This is a NULL pointer dereference, not the same as a UAF; please attach the
log in the next version (and probably remove the useless info like the
timestamps and the stack entries starting with ?).
(...)
> This fix is simple enough.
> Alternatively, we could initialize conf->r1bio_pool directly, but that
> would also require handling rollback in case the initialization fails.
> What would you suggest?
I'd suggest using mempool_resize() and getting rid of the weird assignment.
Thanks,
Kuai