From: Luis Chamberlain <mcgrof@kernel.org>
To: Eric Sandeen <sandeen@sandeen.net>
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk,
gregkh@linuxfoundation.org, rostedt@goodmis.org,
mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com,
nstange@suse.de, mhocko@suse.com, linux-block@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Bart Van Assche <bvanassche@acm.org>,
Omar Sandoval <osandov@fb.com>, Hannes Reinecke <hare@suse.com>,
Michal Hocko <mhocko@kernel.org>,
syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com
Subject: Re: [RFC 2/3] blktrace: fix debugfs use after free
Date: Thu, 2 Apr 2020 16:14:04 +0000 [thread overview]
Message-ID: <20200402161404.GD11244@42.do-not-panic.com> (raw)
In-Reply-To: <9a6576cf-b89d-d1af-2d74-652878cb78c8@sandeen.net>
On Wed, Apr 01, 2020 at 08:57:42PM -0500, Eric Sandeen wrote:
> On 4/1/20 7:00 PM, Luis Chamberlain wrote:
> > On commit 6ac93117ab00 ("blktrace: use existing disk debugfs directory")
> > Omar fixed the original blktrace code for multiqueue use. This however
> > left in place a possible crash, if you happen to abuse blktrace in a way
> > it was not intended.
> >
> > Namely, if you loop adding a device, setup the blktrace with BLKTRACESETUP,
> > forget to BLKTRACETEARDOWN, and then just remove the device you end up
> > with a panic:
>
> Weird, I swear I tested that and didn't hit it, but ...
The real issue was also the dangling block device, a loop device proves
easy to test that. I'll note that another way to test this as well would
be to have a virtual machine with a block devices that goes in and out
via whatever virsh shenanigans to make a block device appear / disappear.
> > This issue can be reproduced with break-blktrace [2] using:
> >
> > break-blktrace -c 10 -d
>
> + -s, right?
Yeap, sorry about that.
> > This patch fixes this issue. Note that there is also another
> > respective UAF but from the ioctl path [3], this should also fix
> > that issue.
> >
> > This patch then also contends the severity of CVE-2019-19770 as
> > this issue is only possible using root to shoot yourself in the
> > foot by also misuing blktrace.
> >
> > [0] https://bugzilla.kernel.org/show_bug.cgi?id=205713
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2019-19770
> > [2] https://github.com/mcgrof/break-blktrace
>
> I verified that this does reproduce the exact same KASAN splat on
> kernel 4.19.83 as reported in the original bug, thanks!
I just codified what Nicolai suspected, we should thank him :)
Luis
next prev parent reply other threads:[~2020-04-02 16:14 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-01 23:59 [RFC 0/3] block: address blktrace use-after-free Luis Chamberlain
2020-04-02 0:00 ` [RFC 1/3] block: move main block debugfs initialization to its own file Luis Chamberlain
2020-04-05 3:12 ` Bart Van Assche
2020-04-06 14:23 ` Luis Chamberlain
2020-04-02 0:00 ` [RFC 2/3] blktrace: fix debugfs use after free Luis Chamberlain
2020-04-02 1:57 ` Eric Sandeen
2020-04-02 16:14 ` Luis Chamberlain [this message]
2020-04-03 14:19 ` kbuild test robot
2020-04-05 3:39 ` Bart Van Assche
2020-04-06 1:27 ` Eric Sandeen
2020-04-06 4:25 ` Bart Van Assche
2020-04-06 9:18 ` Nicolai Stange
2020-04-06 15:19 ` Luis Chamberlain
2020-04-07 8:15 ` Luis Chamberlain
2020-04-06 14:29 ` Eric Sandeen
2020-04-07 8:09 ` Luis Chamberlain
2020-04-06 15:14 ` Luis Chamberlain
2020-04-02 0:00 ` [RFC 3/3] block: avoid deferral of blk_release_queue() work Luis Chamberlain
2020-04-02 3:39 ` Bart Van Assche
2020-04-02 14:49 ` Nicolai Stange
2020-04-06 9:11 ` Nicolai Stange
2020-04-09 18:11 ` Luis Chamberlain
2020-04-02 7:44 ` [RFC 0/3] block: address blktrace use-after-free Greg KH
2020-04-03 8:19 ` Ming Lei
2020-04-03 14:06 ` Luis Chamberlain
2020-04-03 14:13 ` Bart Van Assche
2020-04-03 19:49 ` Luis Chamberlain
2020-04-07 2:47 ` yukuai (C)
2020-04-07 19:00 ` Luis Chamberlain
2020-04-09 20:59 ` Luis Chamberlain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200402161404.GD11244@42.do-not-panic.com \
--to=mcgrof@kernel.org \
--cc=axboe@kernel.dk \
--cc=bvanassche@acm.org \
--cc=gregkh@linuxfoundation.org \
--cc=hare@suse.com \
--cc=jack@suse.cz \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=mhocko@suse.com \
--cc=ming.lei@redhat.com \
--cc=mingo@redhat.com \
--cc=nstange@suse.de \
--cc=osandov@fb.com \
--cc=rostedt@goodmis.org \
--cc=sandeen@sandeen.net \
--cc=syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.