From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@kernel.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
Jamie Iles <jamie.iles@oracle.com>,
Thomas Gleixner <tglx@linutronix.de>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 4.9 06/70] kthread: Fix use-after-free if kthread fork fails
Date: Tue, 18 Sep 2018 00:41:39 +0200 [thread overview]
Message-ID: <20180917211649.718199590@linuxfoundation.org> (raw)
In-Reply-To: <20180917211649.099135838@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream.
If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but
fails in copy_process() between calling dup_task_struct() and setting
p->set_child_tid, then the value of p->set_child_tid will be inherited
from the parent and get prematurely freed by free_kthread_struct().
kthread()
- worker_thread()
- process_one_work()
| - call_usermodehelper_exec_work()
| - kernel_thread()
| - _do_fork()
| - copy_process()
| - dup_task_struct()
| - arch_dup_task_struct()
| - tsk->set_child_tid = current->set_child_tid // implied
| - ...
| - goto bad_fork_*
| - ...
| - free_task(tsk)
| - free_kthread_struct(tsk)
| - kfree(tsk->set_child_tid)
- ...
- schedule()
- __schedule()
- wq_worker_sleeping()
- kthread_data(task)->flags // UAF
The problem started showing up with commit 1da5c46fa965 since it reused
->set_child_tid for the kthread worker data.
A better long-term solution might be to get rid of the ->set_child_tid
abuse. The comment in set_kthread_struct() also looks slightly wrong.
Debugged-by: Jamie Iles <jamie.iles@oracle.com>
Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed")
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jamie Iles <jamie.iles@oracle.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/fork.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1532,6 +1532,18 @@ static __latent_entropy struct task_stru
if (!p)
goto fork_out;
+ /*
+ * This _must_ happen before we call free_task(), i.e. before we jump
+ * to any of the bad_fork_* labels. This is to avoid freeing
+ * p->set_child_tid which is (ab)used as a kthread's data pointer for
+ * kernel threads (PF_KTHREAD).
+ */
+ p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
+ /*
+ * Clear TID on mm_release()?
+ */
+ p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
+
ftrace_graph_init_task(p);
rt_mutex_init_task(p);
@@ -1693,11 +1705,6 @@ static __latent_entropy struct task_stru
}
}
- p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
- /*
- * Clear TID on mm_release()?
- */
- p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
#ifdef CONFIG_BLOCK
p->plug = NULL;
#endif
next prev parent reply other threads:[~2018-09-17 22:58 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-17 22:41 [PATCH 4.9 00/70] 4.9.128-stable review Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 01/70] i2c: xiic: Make the start and the byte count write atomic Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 02/70] i2c: i801: fix DNVs SMBCTRL register offset Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 03/70] KVM: s390: vsie: copy wrapping keys to right place Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 04/70] ALSA: hda - Fix cancel_work_sync() stall from jackpoll work Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 05/70] cfq: Give a chance for arming slice idle timer in case of group_idle Greg Kroah-Hartman
2018-09-17 22:41 ` Greg Kroah-Hartman [this message]
2018-09-17 22:41 ` [PATCH 4.9 07/70] kthread: fix boot hang (regression) on MIPS/OpenRISC Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 08/70] staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 09/70] staging/rts5208: Fix read overflow in memcpy Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 10/70] IB/rxe: do not copy extra stack memory to skb Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 11/70] block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 12/70] nl80211: fix null-ptr dereference on invalid mesh configuration Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 13/70] locking/rwsem-xadd: Fix missed wakeup due to reordering of load Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 14/70] selinux: use GFP_NOWAIT in the AVC kmem_caches Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 15/70] locking/osq_lock: Fix osq_lock queue corruption Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 16/70] mm, vmscan: clear PGDAT_WRITEBACK when zone is balanced Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 17/70] mm: remove seemingly spurious reclaimability check from laptop_mode gating Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 18/70] ARC: [plat-axs*]: Enable SWAP Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 19/70] misc: mic: SCIF Fix scif_get_new_port() error handling Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 20/70] ethtool: Remove trailing semicolon for static inline Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 21/70] Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 22/70] gpio: tegra: Move driver registration to subsys_init level Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 23/70] net: phy: Fix the register offsets in Broadcom iProc mdio mux driver Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 24/70] scsi: target: fix __transport_register_session locking Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 25/70] md/raid5: fix data corruption of replacements after originals dropped Greg Kroah-Hartman
2018-09-17 22:41 ` [PATCH 4.9 26/70] timers: Clear timer_base::must_forward_clk with timer_base::lock held Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 27/70] misc: ti-st: Fix memory leak in the error path of probe() Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 28/70] uio: potential double frees if __uio_register_device() fails Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 29/70] tty: rocket: Fix possible buffer overwrite on register_PCI Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 30/70] f2fs: do not set free of current section Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 31/70] perf tools: Allow overriding MAX_NR_CPUS at compile time Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 32/70] NFSv4.0 fix client reference leak in callback Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 33/70] macintosh/via-pmu: Add missing mmio accessors Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 34/70] ath9k: report tx status on EOSP Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 35/70] ath9k_hw: fix channel maximum power level test Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 36/70] ath10k: prevent active scans on potential unusable channels Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 37/70] wlcore: Set rx_status boottime_ns field on rx Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 38/70] MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 39/70] ata: libahci: Correct setting of DEVSLP register Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 40/70] scsi: 3ware: fix return 0 on the error path of probe Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 41/70] ath10k: disable bundle mgmt tx completion event support Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 42/70] Bluetooth: hidp: Fix handling of strncpy for hid->name information Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 43/70] x86/mm: Remove in_nmi() warning from vmalloc_fault() Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 44/70] gpio: ml-ioh: Fix buffer underwrite on probe error path Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 45/70] net: mvneta: fix mtu change on port without link Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 46/70] f2fs: try grabbing node page lock aggressively in sync scenario Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 47/70] f2fs: fix to skip GC if type in SSA and SIT is inconsistent Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 48/70] tpm_tis_spi: Pass the SPI IRQ down to the driver Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 49/70] tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 50/70] f2fs: fix to do sanity check with reserved blkaddr of inline inode Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 51/70] MIPS: Octeon: add missing of_node_put() Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 52/70] MIPS: generic: fix " Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 53/70] net: dcb: For wild-card lookups, use priority -1, not 0 Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 54/70] Input: atmel_mxt_ts - only use first T9 instance Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 55/70] media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 56/70] partitions/aix: append null character to print data from disk Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 57/70] partitions/aix: fix usage of uninitialized lv_info and lvname structures Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 58/70] media: helene: fix xtal frequency setting at power on Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 59/70] f2fs: Fix uninitialized return in f2fs_ioc_shutdown() Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 60/70] iommu/ipmmu-vmsa: Fix allocation in atomic context Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 61/70] mfd: ti_am335x_tscadc: Fix struct clk memory leak Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 62/70] f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 63/70] NFSv4.1: Fix a potential layoutget/layoutrecall deadlock Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 64/70] MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 65/70] RDMA/cma: Do not ignore net namespace for unbound cm_id Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 66/70] xhci: Fix use-after-free in xhci_free_virt_device Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 67/70] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 68/70] mtd: ubi: wl: Fix error return code in ubi_wl_init() Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 69/70] autofs: fix autofs_sbi() does not check super block type Greg Kroah-Hartman
2018-09-17 22:42 ` [PATCH 4.9 70/70] mm: get rid of vmacache_flush_all() entirely Greg Kroah-Hartman
2018-09-17 23:59 ` [PATCH 4.9 00/70] 4.9.128-stable review Nathan Chancellor
2018-09-18 16:20 ` Guenter Roeck
2018-09-18 16:54 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180917211649.718199590@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amit.pundir@linaro.org \
--cc=fweisbec@gmail.com \
--cc=jamie.iles@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).