From: Linus Torvalds <torvalds@linux-foundation.org>
To: Hillf Danton <hdanton@sina.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Alexey Gladkov <legion@kernel.org>
Subject: Re: [GIT PULL] ucount fix for v5.14-rc
Date: Sat, 7 Aug 2021 08:10:53 -0700 [thread overview]
Message-ID: <CAHk-=wh+z6ePDWhCX-EfypR-9VyHf8j_cQyOETOHtSzC6LPNAQ@mail.gmail.com> (raw)
In-Reply-To: <20210807091128.1862-1-hdanton@sina.com>
On Sat, Aug 7, 2021 at 2:11 AM Hillf Danton <hdanton@sina.com> wrote:
>
>
> CPU0 CPU1 CPU2
> ---- ---- ----
> given count == 2
> put uc
> put uc
> get uc
> UAF
No.
The thread on CPU0 must have had a reference to the ucount.
So if CPU1 and CPU2 are doing a put at the same time (and they held a
ref to it too), then the starting count must have been at least 3.
In other words, the above would be a bug - and not because of the UAF,
but because somebody had screwed up their reference counts.
You might as well had said "given count = 2, do 99x put_ucounts() ->
UAF". True, but immaterial from the standpoint of "put_ucounts()"
correctness.
Get it? You can't do a "get_ucounts()" on something that you don't
already have a reference to (and similarly, you obviously cannot do a
"put_ucounts()" on something you don't hold a reference to).
You *can* do a "find_ucount()" to find a ucount that you don't yet
have a reference to, but that's why you have to hold the lock (and why
anybody who does that has to increment the reference to it after
finding it before they drop the lock).
Linus
next prev parent reply other threads:[~2021-08-07 15:12 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-05 17:15 [GIT PULL] ucount fix for v5.14-rc Eric W. Biederman
2021-08-05 19:26 ` pr-tracker-bot
[not found] ` <20210806021052.3013-1-hdanton@sina.com>
2021-08-06 3:38 ` Eric W. Biederman
[not found] ` <20210806061458.3075-1-hdanton@sina.com>
2021-08-06 17:37 ` Linus Torvalds
[not found] ` <20210807050314.1807-1-hdanton@sina.com>
2021-08-07 8:23 ` Linus Torvalds
[not found] ` <20210807091128.1862-1-hdanton@sina.com>
2021-08-07 15:10 ` Linus Torvalds [this message]
[not found] ` <20210808004243.2007-1-hdanton@sina.com>
2021-08-08 1:00 ` Linus Torvalds
[not found] ` <20210808012056.2067-1-hdanton@sina.com>
2021-08-08 1:45 ` Linus Torvalds
2021-08-08 2:05 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wh+z6ePDWhCX-EfypR-9VyHf8j_cQyOETOHtSzC6LPNAQ@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hdanton@sina.com \
--cc=legion@kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).