lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <elixwhbyatkcaw7djpzfa6nodhxh4b4hg263ito5o5ibzewamx@nuux3sfh2g4h>
Date: Tue, 5 Aug 2025 18:03:05 -0400
From: Seyediman Seyedarab <imandevel@...il.com>
To: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: minchan@...nel.org, axboe@...nel.dk, linux-kernel@...r.kernel.org, 
	linux-block@...r.kernel.org, syzbot+1a281a451fd8c0945d07@...kaller.appspotmail.com
Subject: Re: [PATCH] zram: fix NULL pointer dereference in
 zcomp_available_show()

On 25/08/05 10:43AM, Seyediman Seyedarab wrote:
> On 25/08/05 09:38AM, Seyediman Seyedarab wrote:
> > On 25/08/05 07:22PM, Sergey Senozhatsky wrote:
> > > On (25/08/03 02:25), Seyediman Seyedarab wrote:
> > > > Temporarily add a NULL check in zcomp_available_show() to prevent the
> > > > crash. The use-after-free issue requires a more comprehensive fix using
> > > > proper reference counting to ensure the zram structure isn't freed while
> > > > still in use.
> > > 
> > > Not without a reproducer, sorry.  Per my limited experience, attempts
> > > to fix syzkaller reports w/o reproducers often lead to regressions or
> > > just more problems.
> > 
> > It can be reproduced with the following code:
> > #include <stdlib.h>
> > #include <stdio.h>
> > #include <fcntl.h>
> > #include <unistd.h>
> > 
> > int main()
> > {
> >     int hot_remove_fd, comp_alg_fd, disksize_fd;
> >     char buf[256];
> >     
> >     system("modprobe -r zram");
> >     system("modprobe zram");
> >     
> >     disksize_fd = open("/sys/block/zram0/disksize", O_WRONLY);
> >     if (disksize_fd >= 0) {
> >         write(disksize_fd, "1073741824", 10);
> >         close(disksize_fd);
> >     }
> > 
> >     hot_remove_fd = open("/sys/class/zram-control/hot_remove", O_WRONLY);
> >     comp_alg_fd = open("/sys/block/zram0/comp_algorithm", O_RDONLY);
> >     
> >     write(hot_remove_fd, "0", 1);
> >     
> >     for (int i = 0; i < 1000000; i++) {
> >         lseek(comp_alg_fd, 0, SEEK_SET);
> >         read(comp_alg_fd, buf, sizeof(buf));
> >         printf("comp_algorithm: %s", buf);
> >     }
> > }
> > 
> > Which produces corrupted output sometimes. (it's a race condition, so it
> > doesn't happen all the time...)
> 
> To clarify: the reproducer I provided shows only the use-after-free 
> issue where zram structure is freed while sysfs reads are ongoing.
> 
> The NULL dereference (which syzbot reported) has a much tighter race 
> window: it requires catching the brief moment during zram_reset_device() 
> where comp_algs[prio] is NULL between zram_destroy_comps() and 
> comp_algorithm_set(). This 'can' be triggered by racing concurrent:
> - writes to /sys/block/zram0/reset 
> - reads from /sys/block/zram0/comp_algorithm
> The window is only a few instructions wide under write lock, so it is 
> significantly harder to reproduce than the use-after-free.
> 
> Your patch [1] should fixes the NULL deref, but the use-after-free remains.
> 
> [1] https://lore.kernel.org/r/20250805101946.1774112-1-senozhatsky@chromium.org

I need to correct my previous statement about the use-after-free issue.

My reproducer was wrong. The garbage output I reported was actually from
an uninitialized buffer in  my test code, not from reading freed memory! 
When the device is removed, the kernel correctly returns -ENODEV
rather than accessing freed memory:

#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main()
{
	int hot_remove_fd, comp_alg_fd, disksize_fd;
	ssize_t nBytes = 0;
	char buf[256] = {0};

	system("modprobe -r zram");
	system("modprobe zram");

	disksize_fd = open("/sys/block/zram0/disksize", O_WRONLY);
	if (disksize_fd >= 0) {
		write(disksize_fd, "1G", 2);
		close(disksize_fd);
	}

	hot_remove_fd = open("/sys/class/zram-control/hot_remove", O_WRONLY);
	comp_alg_fd = open("/sys/block/zram0/comp_algorithm", O_RDONLY);

	write(hot_remove_fd, "0", 1);

	for (int i = 0; i < 1000000; i++) {
		lseek(comp_alg_fd, 0, SEEK_SET);
		nBytes = read(comp_alg_fd, buf, sizeof(buf));
		if (nBytes <= 0) {
			perror("read");
			break;
		}
		printf("comp_alg: %s", buf);
	}
}

Output:
read: No such device

The kernel properly protects against use-after-free in this path. I 
apologize for the confusion.

Kindest Regards,
Seyediman


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ