| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Dec 2022 21:59:21 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: Chengming Zhou <zhouchengming@...edance.com>
Cc: syzbot <syzbot+b8e8c01c8ade4fe6e48f@...kaller.appspotmail.com>,
acme@...nel.org, alexander.shishkin@...ux.intel.com,
bpf@...r.kernel.org, jolsa@...nel.org,
linux-kernel@...r.kernel.org, linux-perf-users@...r.kernel.org,
mark.rutland@....com, mingo@...hat.com, namhyung@...nel.org,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] KASAN: use-after-free Read in put_pmu_ctx
On Wed, Dec 21, 2022 at 10:42:39AM +0800, Chengming Zhou wrote:
> > Does this help?
> >
> > diff --git a/kernel/events/core.c b/kernel/events/core.c
> > index e47914ac8732..bbff551783e1 100644
> > --- a/kernel/events/core.c
> > +++ b/kernel/events/core.c
> > @@ -12689,7 +12689,8 @@ SYSCALL_DEFINE5(perf_event_open,
> > return event_fd;
> >
> > err_context:
> > - /* event->pmu_ctx freed by free_event() */
> > + put_pmu_ctx(event->pmu_ctx);
> > + event->pmu_ctx = NULL; /* _free_event() */
> > err_locked:
> > mutex_unlock(&ctx->mutex);
> > perf_unpin_context(ctx);
>
> Tested-by: Chengming Zhou <zhouchengming@...edance.com>
>
> While reviewing the code, I found perf_event_create_kernel_counter()
> has the similar problem in the "err_pmu_ctx" error handling path:
Right you are, updated the patch, thanks!
> CPU0 CPU1
> perf_event_create_kernel_counter()
> // inc ctx refcnt
> find_get_context(task, event) (1)
>
> // inc pmu_ctx refcnt
> pmu_ctx = find_get_pmu_context()
>
> event->pmu_ctx = pmu_ctx
> ...
> goto err_pmu_ctx:
> // dec pmu_ctx refcnt
> put_pmu_ctx(pmu_ctx) (2)
>
> mutex_unlock(&ctx->mutex)
> // dec ctx refcnt
> put_ctx(ctx)
> perf_event_exit_task_context()
> mutex_lock()
> mutex_unlock()
> // last refcnt put
> put_ctx()
> free_event(event)
> if (event->pmu_ctx) // True
> put_pmu_ctx() (3)
> // will access freed pmu_ctx or ctx
>
> if (event->ctx) // False
> put_ctx()
This doesn't look right; iirc you can hit this without concurrency,
something like so:
// note that when getting here, we've not passed
// perf_install_in_context() and event->ctx == NULL.
err_pmu_ctx:
put_pmu_ctx();
put_ctx(); // last, actually frees ctx
..
err_alloc:
free_event()
_free_event()
if (event->pmu_ctx) // true, because we forgot to clear
put_pmu_ctx() // hits 0 because double put
// goes and touch epc->ctx and UaF
Powered by blists - more mailing lists