mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-28 07:13:34 +00:00
Code Issues Releases Wiki Activity
No description
1268065 commits 105 branches 5124 tags 5.7 GiB
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%
Find a file
Baokun Li 1d902d9a3a cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() 
[ Upstream commit de3e26f9e5 ]

We got the following issue in a fuzz test of randomly issuing the restore
command:

==================================================================
BUG: KASAN: slab-use-after-free in cachefiles_ondemand_daemon_read+0x609/0xab0
Write of size 4 at addr ffff888109164a80 by task ondemand-04-dae/4962

CPU: 11 PID: 4962 Comm: ondemand-04-dae Not tainted 6.8.0-rc7-dirty #542
Call Trace:
 kasan_report+0x94/0xc0
 cachefiles_ondemand_daemon_read+0x609/0xab0
 vfs_read+0x169/0xb50
 ksys_read+0xf5/0x1e0

Allocated by task 626:
 __kmalloc+0x1df/0x4b0
 cachefiles_ondemand_send_req+0x24d/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]

Freed by task 626:
 kfree+0xf1/0x2c0
 cachefiles_ondemand_send_req+0x568/0x690
 cachefiles_create_tmpfile+0x249/0xb30
 cachefiles_create_file+0x6f/0x140
 cachefiles_look_up_object+0x29c/0xa60
 cachefiles_lookup_cookie+0x37d/0xca0
 fscache_cookie_state_machine+0x43c/0x1230
 [...]
==================================================================

Following is the process that triggers the issue:

     mount  |   daemon_thread1    |    daemon_thread2
------------------------------------------------------------
 cachefiles_ondemand_init_object
  cachefiles_ondemand_send_req
   REQ_A = kzalloc(sizeof(*req) + data_len)
   wait_for_completion(&REQ_A->done)

            cachefiles_daemon_read
             cachefiles_ondemand_daemon_read
              REQ_A = cachefiles_ondemand_select_req
              cachefiles_ondemand_get_fd
              copy_to_user(_buffer, msg, n)
            process_open_req(REQ_A)
                                  ------ restore ------
                                  cachefiles_ondemand_restore
                                  xas_for_each(&xas, req, ULONG_MAX)
                                   xas_set_mark(&xas, CACHEFILES_REQ_NEW);

                                  cachefiles_daemon_read
                                   cachefiles_ondemand_daemon_read
                                    REQ_A = cachefiles_ondemand_select_req

             write(devfd, ("copen %u,%llu", msg->msg_id, size));
             cachefiles_ondemand_copen
              xa_erase(&cache->reqs, id)
              complete(&REQ_A->done)
   kfree(REQ_A)
                                    cachefiles_ondemand_get_fd(REQ_A)
                                     fd = get_unused_fd_flags
                                     file = anon_inode_getfile
                                     fd_install(fd, file)
                                     load = (void *)REQ_A->msg.data;
                                     load->fd = fd;
                                     // load UAF !!!

This issue is caused by issuing a restore command when the daemon is still
alive, which results in a request being processed multiple times thus
triggering a UAF. So to avoid this problem, add an additional reference
count to cachefiles_req, which is held while waiting and reading, and then
released when the waiting and reading is over.

Note that since there is only one reference count for waiting, we need to
avoid the same request being completed multiple times, so we can only
complete the request if it is successfully removed from the xarray.

Fixes: e73fa11a35 ("cachefiles: add restore command to recover inflight ondemand read requests")
Suggested-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240522114308.2402121-4-libaokun@huaweicloud.com
Acked-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-06-21 14:40:15 +02:00
arch powerpc/uaccess: Fix build errors seen with GCC 13/14 2024-06-21 14:40:15 +02:00
block block: stack max_user_sectors 2024-06-12 11:39:52 +02:00
certs This update includes the following changes: 2023-11-02 16:15:30 -10:00
crypto crypto: ecrdsa - Fix module auto-load on add_key 2024-06-16 13:51:03 +02:00
Documentation Revert "xsk: Document ability to redirect to any socket bound to the same umem" 2024-06-16 13:51:10 +02:00
drivers cxl/region: Fix memregion leaks in devm_cxl_add_region() 2024-06-21 14:40:15 +02:00
fs cachefiles: fix slab-use-after-free in cachefiles_ondemand_get_fd() 2024-06-21 14:40:15 +02:00
include cachefiles: add output string to cachefiles_obj_[get|put]_ondemand_fd 2024-06-21 14:40:15 +02:00
init printk: Fix LOG_CPU_MAX_BUF_SHIFT when BASE_SMALL is enabled 2024-06-12 11:39:35 +02:00
io_uring io_uring: fix cancellation overwriting req->flags 2024-06-21 14:40:11 +02:00
ipc sysctl changes for v6.9-rc1 2024-03-18 14:59:13 -07:00
kernel bpf: Fix a potential use-after-free in bpf_link_free() 2024-06-21 14:40:04 +02:00
lib ubsan: Restore dependency on ARCH_HAS_UBSAN 2024-06-12 11:39:38 +02:00
LICENSES LICENSES: Add the copyleft-next-0.3.1 license 2022-11-08 15:44:01 +01:00
mm mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL 2024-06-16 13:51:08 +02:00
net net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() 2024-06-21 14:40:10 +02:00
rust rust: remove params from module macro example 2024-04-25 17:34:33 +02:00
samples samples/landlock: Fix incorrect free in populate_ruleset_net 2024-05-30 09:45:01 +02:00
scripts kconfig: fix comparison to constant symbols, 'm', 'n' 2024-06-12 11:39:54 +02:00
security landlock: Fix d_parent walk 2024-06-21 14:40:12 +02:00
sound ALSA: seq: Fix incorrect UMP type for system messages 2024-06-16 13:51:15 +02:00
tools cxl/test: Add missing vmalloc.h for tools/testing/cxl/test/mem.c 2024-06-21 14:40:15 +02:00
usr Kbuild updates for v6.8 2024-01-18 17:57:07 -08:00
virt KVM: Drop unused @may_block param from gfn_to_pfn_cache_invalidate_start() 2024-04-11 12:58:53 -07:00
.clang-format clang-format: Update with v6.7-rc4's for_each macro list 2023-12-08 23:54:38 +01:00
.cocciconfig
.editorconfig .editorconfig: remove trim_trailing_whitespace option 2024-06-21 14:40:11 +02:00
.get_maintainer.ignore Add Jeff Kirsher to .get_maintainer.ignore 2024-03-08 11:36:54 +00:00
.gitattributes .gitattributes: set diff driver for Rust source code files 2023-05-31 17:48:25 +02:00
.gitignore kbuild: create a list of all built DTB files 2024-02-19 18:20:39 +09:00
.mailmap 18 hotfixes, 7 of which are cc:stable. 2024-05-10 14:16:03 -07:00
.rustfmt.toml rust: add .rustfmt.toml 2022-09-28 09:02:20 +02:00
COPYING
CREDITS MAINTAINERS: Drop Gustavo Pimentel as PCI DWC Maintainer 2024-03-27 13:41:02 -05:00
Kbuild Kbuild updates for v6.1 2022-10-10 12:00:45 -07:00
Kconfig
MAINTAINERS cpufreq: amd-pstate: remove global header file 2024-06-21 14:40:00 +02:00
Makefile Linux 6.9.5 2024-06-16 13:51:16 +02:00
README README: Fix spelling 2024-03-18 03:36:32 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.