| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHk-=wgd=MdzRHO=bV=g0G0mMV+7ek-q2WnQ8P5sxwJdau-t=g@mail.gmail.com>
Date: Wed, 18 Jun 2025 19:33:37 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Dave Airlie <airlied@...il.com>
Cc: LKML <linux-kernel@...r.kernel.org>, Ingo Molnar <mingo@...nel.org>,
Peter Zijlstra <peterz@...radead.org>, nik.borisov@...e.com,
Mike Rapoport <rppt@...nel.org>
Subject: Re: double free in alternatives/retpoline
[ Adding Mike Rapoport ]
On Wed, 18 Jun 2025 at 19:08, Dave Airlie <airlied@...il.com> wrote:
>
> I've just tried to boot Linux master with KASAN enabled on a laptop here, and it showing a slab UAF for apply_retpolines.
>
> I haven't had a chance to bisect yet, and unfortunately I only have a photo of the oops.
Hmm.
I think it's due to commit a82b26451de1 ("x86/its: explicitly manage
permissions for ITS pages").
Maybe I'm mis-reading it entirely, but I think that "its_fini_core()"
thing is entirely bogus. It does that
kfree(its_pages.pages);
but as far as I can tell, that thing is happily used later by module
initialization.
Freeing the pages that have been used and marked ROX sounds like it
should be fine, but I think it should also do
its_pages.pages = NULL;
its_pages->num = 0;
so that any subsequent user that comes along due to modules or
whatever and does __its_alloc() will DTRT wrt the realloc().
But I might be completely barking up the wrong tree and mis-reading
things entirely. PeterZ? Mike?
Linus
Powered by blists - more mailing lists