From: Jiri Olsa <jolsa@redhat.com>
To: peterz@infradead.org
Cc: Namhyung Kim <namhyung@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
lkml <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Wade Mealing <wmealing@redhat.com>
Subject: Re: [PATCHv2] perf: Fix race in perf_mmap_close function
Date: Wed, 16 Sep 2020 16:38:19 +0200 [thread overview]
Message-ID: <20200916143819.GF2301783@krava> (raw)
In-Reply-To: <20200916135402.GZ1362448@hirez.programming.kicks-ass.net>
On Wed, Sep 16, 2020 at 03:54:02PM +0200, peterz@infradead.org wrote:
> On Wed, Sep 16, 2020 at 01:53:11PM +0200, Jiri Olsa wrote:
> > There's a possible race in perf_mmap_close when checking ring buffer's
> > mmap_count refcount value. The problem is that the mmap_count check is
> > not atomic because we call atomic_dec and atomic_read separately.
> >
> > perf_mmap_close:
> > ...
> > atomic_dec(&rb->mmap_count);
> > ...
> > if (atomic_read(&rb->mmap_count))
> > goto out_put;
> >
> > <ring buffer detach>
> > free_uid
> >
> > out_put:
> > ring_buffer_put(rb); /* could be last */
> >
> > The race can happen when we have two (or more) events sharing same ring
> > buffer and they go through atomic_dec and then they both see 0 as refcount
> > value later in atomic_read. Then both will go on and execute code which
> > is meant to be run just once.
> >
> > The code that detaches ring buffer is probably fine to be executed more
> > than once, but the problem is in calling free_uid, which will later on
> > demonstrate in related crashes and refcount warnings, like:
> >
> > refcount_t: addition on 0; use-after-free.
> > ...
> > RIP: 0010:refcount_warn_saturate+0x6d/0xf
> > ...
> > Call Trace:
> > prepare_creds+0x190/0x1e0
> > copy_creds+0x35/0x172
> > copy_process+0x471/0x1a80
> > _do_fork+0x83/0x3a0
> > __do_sys_wait4+0x83/0x90
> > __do_sys_clone+0x85/0xa0
> > do_syscall_64+0x5b/0x1e0
> > entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >
> > Using atomic decrease and check instead of separated calls.
> > This fixes CVE-2020-14351.
>
> I'm tempted to remove that line; I can never seem to find anything
> useful in a CVE.
I was asked by security guys to add this, Wade?
>
> Fixes: ?
right, sry..
Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole");
thanks,
jirka
>
> > Acked-by: Namhyung Kim <namhyung@kernel.org>
> > Tested-by: Michael Petlan <mpetlan@redhat.com>
> > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
>
next prev parent reply other threads:[~2020-09-16 20:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-10 10:41 [PATCH] perf: Fix race in perf_mmap_close function Jiri Olsa
2020-09-10 13:48 ` Namhyung Kim
2020-09-10 14:47 ` Jiri Olsa
2020-09-11 3:05 ` Namhyung Kim
2020-09-11 7:49 ` Jiri Olsa
2020-09-14 12:48 ` Namhyung Kim
2020-09-14 20:59 ` Jiri Olsa
2020-09-15 15:35 ` Michael Petlan
2020-09-16 11:53 ` [PATCHv2] " Jiri Olsa
2020-09-16 13:54 ` peterz
2020-09-16 14:38 ` Jiri Olsa [this message]
2020-09-16 14:05 ` peterz
2020-10-12 11:45 ` [tip: perf/core] perf/core: Fix race in the perf_mmap_close() function tip-bot2 for Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200916143819.GF2301783@krava \
--to=jolsa@redhat.com \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=jolsa@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=wmealing@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).