| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <89416a2d-8a9b-f225-3c2a-16210df25e61@gmail.com>
Date: Thu, 5 Nov 2020 13:49:03 +0100
From: Eric Dumazet <eric.dumazet@...il.com>
To: Jamie Iles <jamie@...iainc.com>, netdev@...r.kernel.org
Cc: Qiushi Wu <wu000273@....edu>, Jay Vosburgh <j.vosburgh@...il.com>,
Veaceslav Falico <vfalico@...il.com>,
Andy Gospodarek <andy@...yhouse.net>
Subject: Re: [RESEND PATCH] bonding: wait for sysfs kobject destruction before
freeing struct slave
On 11/5/20 9:41 AM, Jamie Iles wrote:
> syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, releasing a
> struct slave device could result in the following splat:
>
>
> This is a potential use-after-free if the sysfs nodes are being accessed
> whilst removing the struct slave, so wait for the object destruction to
> complete before freeing the struct slave itself.
>
> Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.")
> Fixes: a068aab42258 ("bonding: Fix reference count leak in bond_sysfs_slave_add.")
> Cc: Qiushi Wu <wu000273@....edu>
> Cc: Jay Vosburgh <j.vosburgh@...il.com>
> Cc: Veaceslav Falico <vfalico@...il.com>
> Cc: Andy Gospodarek <andy@...yhouse.net>
> Signed-off-by: Jamie Iles <jamie@...iainc.com>
> ---
> drivers/net/bonding/bond_sysfs_slave.c | 12 ++++++++++++
> include/net/bonding.h | 2 ++
> 2 files changed, 14 insertions(+)
>
> diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c
> index 9b8346638f69..2fdbcf9692c5 100644
> --- a/drivers/net/bonding/bond_sysfs_slave.c
> +++ b/drivers/net/bonding/bond_sysfs_slave.c
> @@ -136,7 +136,15 @@ static const struct sysfs_ops slave_sysfs_ops = {
> .show = slave_show,
> };
>
> +static void slave_release(struct kobject *kobj)
> +{
> + struct slave *slave = to_slave(kobj);
> +
> + complete(&slave->kobj_unregister_done);
> +}
> +
> static struct kobj_type slave_ktype = {
> + .release = slave_release,
> #ifdef CONFIG_SYSFS
> .sysfs_ops = &slave_sysfs_ops,
> #endif
> @@ -147,10 +155,12 @@ int bond_sysfs_slave_add(struct slave *slave)
> const struct slave_attribute **a;
> int err;
>
> + init_completion(&slave->kobj_unregister_done);
> err = kobject_init_and_add(&slave->kobj, &slave_ktype,
> &(slave->dev->dev.kobj), "bonding_slave");
> if (err) {
> kobject_put(&slave->kobj);
> + wait_for_completion(&slave->kobj_unregister_done);
> return err;
> }
>
> @@ -158,6 +168,7 @@ int bond_sysfs_slave_add(struct slave *slave)
> err = sysfs_create_file(&slave->kobj, &((*a)->attr));
> if (err) {
> kobject_put(&slave->kobj);
> + wait_for_completion(&slave->kobj_unregister_done);
> return err;
> }
> }
> @@ -173,4 +184,5 @@ void bond_sysfs_slave_del(struct slave *slave)
> sysfs_remove_file(&slave->kobj, &((*a)->attr));
>
> kobject_put(&slave->kobj);
> + wait_for_completion(&slave->kobj_unregister_done);
> }
> diff --git a/include/net/bonding.h b/include/net/bonding.h
> index 7d132cc1e584..78d771d2ffd3 100644
> --- a/include/net/bonding.h
> +++ b/include/net/bonding.h
> @@ -25,6 +25,7 @@
> #include <linux/etherdevice.h>
> #include <linux/reciprocal_div.h>
> #include <linux/if_link.h>
> +#include <linux/completion.h>
>
> #include <net/bond_3ad.h>
> #include <net/bond_alb.h>
> @@ -182,6 +183,7 @@ struct slave {
> #endif
> struct delayed_work notify_work;
> struct kobject kobj;
> + struct completion kobj_unregister_done;
> struct rtnl_link_stats64 slave_stats;
> };
This seems weird, are we going to wait for a completion while RTNL is held ?
I am pretty sure this could be exploited by malicious user/syzbot.
The .release() handler could instead perform a refcounted
bond_free_slave() action.
Powered by blists - more mailing lists