| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Dec 2019 19:49:07 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Vladis Dronov <vdronov@...hat.com>
Cc: Richard Cochran <richardcochran@...il.com>,
linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs: fix use-after-free in __fput() when a chardev is
removed but a file is still open
On Mon, Nov 25, 2019 at 01:53:42PM +0100, Vladis Dronov wrote:
> In a case when a chardev file (like /dev/ptp0) is open but an underlying
> device is removed, closing this file leads to a use-after-free. This
> reproduces easily in a KVM virtual machine:
>
> # cat openptp0.c
> int main() { ... fp = fopen("/dev/ptp0", "r"); ... sleep(10); }
> static void __fput(struct file *file)
> { ...
> if (file->f_op->release)
> file->f_op->release(inode, file); <<< cdev is kfree'd here
> if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL &&
> !(mode & FMODE_PATH))) {
> cdev_put(inode->i_cdev); <<< cdev fields are accessed here
>
> because of:
>
> __fput()
> posix_clock_release()
> kref_put(&clk->kref, delete_clock) <<< the last reference
> delete_clock()
> delete_ptp_clock()
> kfree(ptp) <<< cdev is embedded in ptp
> cdev_put
> module_put(p->owner) <<< *p is kfree'd
>
> The fix is to call cdev_put() before file->f_op->release(). This fix the
> class of bugs when a chardev device is removed when its file is open, for
> example:
And what's to prevent rmmod coming and freeing ->release code right as you
are executing it?
Powered by blists - more mailing lists