Message-ID: <20250628094947.6d5d88cc@batman.local.home>
Date: Sat, 28 Jun 2025 09:49:47 -0400
From: Steven Rostedt <rostedt@...dmis.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Masami Hiramatsu
 <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
 Edward Adam Davis <eadavis@...com>
Subject: [GIT PULL] tracing: Fixes for v6.16


Linus,

tracing fixes for v6.16:

- Fix possible UAF on error path in filter_free_subsystem_filters()

  When freeing a subsystem filter, the filter for the subsystem is passed in
  to be freed and all the events within the subsystem will have their filter
  freed too. In order to free without waiting for RCU synchronization, list
  items are allocated to hold what is going to be freed to free it via a
  call_rcu(). If the allocation of these items fails, it will call the
  synchronization directly and free after that (causing a bit of delay for
  the user).

  The subsystem filter is first added to this list and then the filters for
  all the events under the subsystem. The bug is if one of the allocations
  of the list items for the event filters fails to allocate, it jumps to the
  "free_now" label which will free the subsystem filter, then all the items
  on the allocated list, and then the event filters that were not added to
  the list yet. But because the subsystem filter was added first, it gets
  freed twice.

  The solution is to add the subsystem filter after the events, and then if
  any of the allocations fail it will not try to free any of them twice.


Please pull the latest trace-v6.16-rc3 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.16-rc3

Tag SHA1: 361daeb581d92db7327cbdb0b00bce50057101f8
Head SHA1: 6921d1e07cb5eddec830801087b419194fde0803


Edward Adam Davis (1):
      tracing: Fix filter logic error

----
 kernel/trace/trace_events_filter.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
---------------------------
commit 6921d1e07cb5eddec830801087b419194fde0803
Author: Edward Adam Davis <eadavis@...com>
Date:   Tue Jun 24 14:38:46 2025 +0800

    tracing: Fix filter logic error
    
    If the processing of the tr->events loop fails, the filter that has been
    added to filter_head will be released twice in free_filter_list(&head->rcu)
    and __free_filter(filter).
    
    After adding the filter of tr->events, add the filter to the filter_head
    process to avoid triggering uaf.
    
    Link: https://lore.kernel.org/tencent_4EF87A626D702F816CD0951CE956EC32CD0A@qq.com
    Fixes: a9d0aab5eb33 ("tracing: Fix regression of filter waiting a long time on RCU synchronization")
    Reported-by: syzbot+daba72c4af9915e9c894@...kaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=daba72c4af9915e9c894
    Tested-by: syzbot+daba72c4af9915e9c894@...kaller.appspotmail.com
    Acked-by: Masami Hiramatsu (Google) <mhiramat@...nel.org>
    Signed-off-by: Edward Adam Davis <eadavis@...com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@...dmis.org>

diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index 08141f105c95..3885aadc434d 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -1436,13 +1436,6 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir,
 
 	INIT_LIST_HEAD(&head->list);
 
-	item = kmalloc(sizeof(*item), GFP_KERNEL);
-	if (!item)
-		goto free_now;
-
-	item->filter = filter;
-	list_add_tail(&item->list, &head->list);
-
 	list_for_each_entry(file, &tr->events, list) {
 		if (file->system != dir)
 			continue;
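Review bot: Dropping the early queueing of `filter` before the loop is what actually closes the double free: the subsystem filter can no longer sit on head->list (released by free_filter_list()) at the moment a failed item allocation inside the loop jumps to free_now, where __free_filter(filter) releases it directly. Because the order is now load-bearing, a short comment above the `list_for_each_entry(file, &tr->events, list)` loop saying that the subsystem filter must be queued last would keep a future cleanup from reintroducing the bug.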
@@ -1454,6 +1447,13 @@ static void filter_free_subsystem_filters(struct trace_subsystem_dir *dir,
 		event_clear_filter(file);
 	}
 
+	item = kmalloc(sizeof(*item), GFP_KERNEL);
+	if (!item)
+		goto free_now;
+
+	item->filter = filter;
+	list_add_tail(&item->list, &head->list);
+
 	delay_free_filter(head);
 	return;
  free_now:
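Review bot: Now that this kmalloc() is the last allocation, its `goto free_now` runs with every event filter already on head->list and `filter` on none of them, which is exactly the invariant the direct __free_filter(filter) on the free_now path depends on; stating that next to the label (or in the commit message) would make the contract explicit. Note also that a failure here discards the delayed-free benefit for all of the event items that were successfully queued, since free_now falls back to synchronous RCU synchronization for the whole set; that matches the behaviour the pull description asks for, so it only needs acknowledging rather than changing.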

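The ordering bug the pull description explains, modelled as an added example (constructed for this page, not kernel code and not part of the message above): `queue_filter`, `release` and `simulate` are stand-ins for the item kmalloc(), filter_free_subsystem_filters() and a harness, and the allocation `budget` is an assumed knob that makes the n-th list item allocation fail so both the buggy and the fixed queueing order can be exercised.

```c
#include <stdlib.h>
/* Constructed model of filter_free_subsystem_filters(): filters are queued on a list
 * to be released later (call_rcu() in the kernel); if a list item cannot be allocated,
 * "free_now" releases everything at once. A filter here is just a release counter,
 * so a double free shows up as a count of 2 instead of a crash. */
struct item { int *freed; struct item *next; };

/* Stand-in for kmalloc() of a list item: fails once the allocation budget is spent. */
static int queue_filter(struct item **head, int *freed, int *budget)
{
	struct item *it = (*budget)-- > 0 ? malloc(sizeof(*it)) : NULL;
	if (!it)
		return -1;
	it->freed = freed;
	it->next = *head;
	*head = it;
	return 0;
}

/* Queue the subsystem filter before (sub_first=1, the buggy order) or after
 * (the fixed order) the n event filters, then release them all. */
static void release(int *sub, int *ev, int n, int budget, int sub_first)
{
	struct item *head = NULL, *next;
	int i = 0;
	if (sub_first && queue_filter(&head, sub, &budget))
		goto free_now;
	for (i = 0; i < n; i++)
		if (queue_filter(&head, &ev[i], &budget))
			goto free_now;
	if (!sub_first && queue_filter(&head, sub, &budget))
		goto free_now;
	goto free_list;		/* deferred path: every filter is on the list */
free_now:
	(*sub)++;		/* __free_filter(filter) */
	for (; i < n; i++)	/* event filters that were never queued */
		ev[i]++;
free_list:			/* free_filter_list(): hits sub again if it was queued first */
	for (; head; head = next) {
		next = head->next;
		(*head->freed)++;
		free(head);
	}
}

/* Returns how many of the n+1 (n <= 8) filters were released more than once. */
int simulate(int sub_first, int budget, int n)
{
	int sub = 0, ev[8] = {0}, i, doubles;
	release(&sub, ev, n, budget, sub_first);
	for (doubles = sub > 1, i = 0; i < n; i++)
		doubles += ev[i] > 1;
	return doubles;
}
```

With the subsystem filter queued first, any later item allocation failure releases it twice; queued last, every failure point leaves each filter released exactly once.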