From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Vegard Nossum <vegard.nossum@oracle.com>,
Jens Axboe <axboe@fb.com>, Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 3.12 060/100] block: fix use-after-free in seq file
Date: Fri, 19 Aug 2016 09:10:59 +0200 [thread overview]
Message-ID: <ae7e2a82540d2c17cde9d7b094de65826deb9d4b.1471589700.git.jslaby@suse.cz> (raw)
In-Reply-To: <bc76af4e1436406a1f53da243e76bd10327691f2.1471589700.git.jslaby@suse.cz>
In-Reply-To: <cover.1471589700.git.jslaby@suse.cz>
From: Vegard Nossum <vegard.nossum@oracle.com>
3.12-stable review patch. If anyone has any objections, please let me know.
===============
commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
block/genhd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/genhd.c b/block/genhd.c
index 9316f5fd416f..38d4ba122a43 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v)
if (iter) {
class_dev_iter_exit(iter);
kfree(iter);
+ seqf->private = NULL;
}
}
--
2.9.3
next prev parent reply other threads:[~2016-08-19 7:22 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-19 7:09 [PATCH 3.12 000/100] 3.12.63-stable review Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 001/100] x86/mm: Add barriers and document switch_mm()-vs-flush synchronization Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 002/100] mm: migrate dirty page without clear_page_dirty_for_io etc Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 003/100] panic: release stale console lock to always get the logbuf printed out Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 004/100] printk: do cond_resched() between lines while outputting to consoles Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 005/100] um: Stop abusing __KERNEL__ Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 006/100] um: Fix out-of-tree build Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 007/100] um: Remove copy&paste code from init.h Jiri Slaby
2016-08-19 7:08 ` [PATCH 3.12 008/100] netfilter: x_tables: validate targets of jumps Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 009/100] libceph: set 'exists' flag for newly up osd Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 010/100] libceph: apply new_state before new_up_client on incrementals Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 011/100] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 012/100] tracing: Handle NULL formats in hold_module_trace_bprintk_format() Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 013/100] drm/radeon: fix asic initialization for virtualized environments Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 014/100] drm/i915/ilk: Don't disable SSC source if it's in use Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 015/100] iio: Fix error handling in iio_trigger_attach_poll_func Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 016/100] staging: iio: accel: fix error check Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 017/100] iio: accel: kxsd9: fix the usage of spi_w8r8() Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 018/100] iio:ad7266: Fix broken regulator error handling Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 019/100] iio:ad7266: Fix support for optional regulators Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 020/100] iio:ad7266: Fix probe deferral for vref Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 021/100] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 022/100] ALSA: dummy: Fix a use-after-free at closing Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 023/100] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 024/100] ALSA: ctl: Stop notification after disconnection Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 025/100] scsi: fix race between simultaneous decrements of ->host_failed Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 026/100] Fix reconnect to not defer smb3 session reconnect long after socket reconnect Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 027/100] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7 Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 028/100] tmpfs: don't undo fallocate past its last page Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 029/100] tmpfs: fix regression hang in fallocate undo Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 030/100] s390/seccomp: fix error return for filtered system calls Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 031/100] fs/nilfs2: fix potential underflow in call to crc32_le Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 032/100] arc: unwind: warn only once if DW2_UNWIND is disabled Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 033/100] xen/pciback: Fix conf_space read/write overlap check Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 034/100] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 035/100] Input: xpad - validate USB endpoint count during probe Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 036/100] ext4: verify extent header depth Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 037/100] qeth: delete napi struct when removing a qeth device Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 038/100] mmc: block: fix packed command header endianness Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 039/100] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 040/100] x86, asmlinkage, lguest: Pass in globals into assembler statement Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 041/100] can: at91_can: RX queue could get stuck at high bus load Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 042/100] can: fix handling of unmodifiable configuration options fix Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 043/100] can: fix oops caused by wrong rtnl dellink usage Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 044/100] ipr: Clear interrupt on croc/crocodile when running with LSI Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 045/100] net: mvneta: set real interrupt per packet for tx_done Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 046/100] random32: add prandom_u32_max and convert open coded users Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 047/100] tcp: make challenge acks less predictable Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 048/100] net/irda: fix NULL pointer dereference on memory allocation failure Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 049/100] tcp: consider recv buf for the initial window scale Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 050/100] MIPS: KVM: Fix mapped fault broken commpage handling Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 051/100] MIPS: KVM: Add missing gfn range check Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 052/100] MIPS: KVM: Fix gfn range check in kseg0 tlb faults Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 053/100] MIPS: KVM: Propagate kseg0/mapped tlb fault errors Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 054/100] HID: i2c-hid: set power sleep before shutdown Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 055/100] HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3 Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 056/100] x86/mm: Improve switch_mm() barrier comments Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 057/100] arm: oabi compat: add missing access checks Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 058/100] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Jiri Slaby
2016-08-19 7:10 ` [PATCH 3.12 059/100] apparmor: fix ref count leak when profile sha1 hash is read Jiri Slaby
2016-08-19 7:10 ` Jiri Slaby [this message]
2016-08-19 7:11 ` [PATCH 3.12 061/100] sysv, ipc: fix security-layer leaking Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 062/100] fuse: fix wrong assignment of ->flags in fuse_send_init() Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 063/100] crypto: gcm - Filter out async ghash if necessary Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 064/100] crypto: scatterwalk - Fix test in scatterwalk_done Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 065/100] ext4: check for extents that wrap around Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 066/100] ext4: fix deadlock during page writeback Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 067/100] ext4: don't call ext4_should_journal_data() on the journal inode Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 068/100] ext4: short-cut orphan cleanup on error Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 069/100] ext4: fix reference counting bug on block allocation error Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 070/100] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 071/100] USB: serial: option: add support for Telit LE910 PID 0x1206 Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 072/100] gpio: pca953x: Fix NBANK calculation for PCA9536 Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 073/100] s5p-mfc: Set device name for reserved memory region devs Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 074/100] s5p-mfc: Add release callback for " Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 075/100] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 076/100] cifs: Check for existing directory when opening file with O_CREAT Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 077/100] cifs: fix crash due to race in hmac(md5) handling Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 078/100] CIFS: Fix a possible invalid memory access in smb2_query_symlink() Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 079/100] random: properly align get_random_int_hash Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 080/100] nfs: don't create zero-length requests Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 081/100] ARM: 8579/1: mm: Fix definition of pmd_mknotpresent Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 082/100] netlabel: add address family checks to netlbl_{sock,req}_delattr() Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 083/100] drm/radeon: add a delay after ATPX dGPU power off Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 084/100] drm/radeon: Poll for both connect/disconnect on analog connectors Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 085/100] drm/radeon: fix firmware info version checks Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 086/100] drm/radeon: support backlight control for UNIPHY3 Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 087/100] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown" Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 088/100] balloon: check the number of available pages in leak balloon Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 089/100] ftrace/recordmcount: Work around for addition of metag magic but not relocations Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 090/100] metag: Fix __cmpxchg_u32 asm constraint for CMP Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 091/100] IB/mlx5: Fix MODIFY_QP command input structure Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 092/100] IB/mlx5: Fix returned values of query QP Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 093/100] IB/mlx5: Fix post send fence logic Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 094/100] IB/IPoIB: Don't update neigh validity for unresolved entries Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 095/100] IB/mlx4: Fix the SQ size of an RC QP Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 096/100] ubi: Make volume resize power cut aware Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 097/100] ubi: Fix race condition between ubi device creation and udev Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 098/100] Input: i8042 - break load dependency between atkbd/psmouse and i8042 Jiri Slaby
2016-08-19 10:06 ` Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 099/100] dm flakey: error READ bios during the down_interval Jiri Slaby
2016-08-19 7:11 ` [PATCH 3.12 100/100] module: Invalidate signatures on force-loaded modules Jiri Slaby
2016-08-19 7:54 ` [PATCH 3.12 009/101] netfilter: x_tables: speed up jump target validation Jiri Slaby
2016-08-19 19:03 ` [PATCH 3.12 000/100] 3.12.63-stable review Guenter Roeck
2016-09-06 13:47 ` Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae7e2a82540d2c17cde9d7b094de65826deb9d4b.1471589700.git.jslaby@suse.cz \
--to=jslaby@suse.cz \
--cc=axboe@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).