lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 14 Jul 2020 07:15:46 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     qiang.zhang@...driver.com, jmaloy@...hat.com, davem@...emloft.net,
        kuba@...nel.org, tuong.t.lien@...tech.com.au,
        eric.dumazet@...il.com, ying.xue@...driver.com
Cc:     netdev@...r.kernel.org, tipc-discussion@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] tipc: Don't using smp_processor_id() in preemptible
 code



On 7/14/20 1:05 AM, qiang.zhang@...driver.com wrote:
> From: Zhang Qiang <qiang.zhang@...driver.com>
> 
> CPU: 0 PID: 6801 Comm: syz-executor201 Not tainted 5.8.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine,
> BIOS Google 01/01/2011
> 
> Fixes: fc1b6d6de2208 ("tipc: introduce TIPC encryption & authentication")
> Reported-by: syzbot+263f8c0d007dc09b2dda@...kaller.appspotmail.com
> Signed-off-by: Zhang Qiang <qiang.zhang@...driver.com>
> ---
>  v1->v2:
>  add fixes tags.
> 
>  net/tipc/crypto.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
> index 8c47ded2edb6..520af0afe1b3 100644
> --- a/net/tipc/crypto.c
> +++ b/net/tipc/crypto.c
> @@ -399,9 +399,10 @@ static void tipc_aead_users_set(struct tipc_aead __rcu *aead, int val)
>   */
>  static struct crypto_aead *tipc_aead_tfm_next(struct tipc_aead *aead)
>  {
> -	struct tipc_tfm **tfm_entry = this_cpu_ptr(aead->tfm_entry);
> +	struct tipc_tfm **tfm_entry = get_cpu_ptr(aead->tfm_entry);
>  
>  	*tfm_entry = list_next_entry(*tfm_entry, list);
> +	put_cpu_ptr(tfm_entry);
>  	return (*tfm_entry)->tfm;
>  }
>  
> 

You have not explained why this was safe.

This seems to hide a real bug.

Presumably callers of this function should have disable preemption, and maybe interrupts as well.

Right after put_cpu_ptr(tfm_entry), this thread could migrate to another cpu, and still access
data owned by the old cpu.


Powered by blists - more mailing lists