From: Benjamin LaHaise <ben@communityfibre.ca>
To: Bart Van Assche <bvanassche@acm.org>
Cc: Edward Adam Davis <eadavis@qq.com>,
syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com,
brauner@kernel.org, jack@suse.cz, linux-aio@kvack.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [PATCH] fs/aio: fix uaf in sys_io_cancel
Date: Mon, 4 Mar 2024 12:03:43 -0500 [thread overview]
Message-ID: <20240304170343.GO20455@kvack.org> (raw)
In-Reply-To: <14f85d0c-8303-4710-b8b1-248ce27a6e1f@acm.org>
On Mon, Mar 04, 2024 at 08:15:15AM -0800, Bart Van Assche wrote:
> On 3/3/24 04:21, Edward Adam Davis wrote:
> >The aio poll work aio_poll_complete_work() need to be synchronized with
> >syscall
> >io_cancel(). Otherwise, when poll work executes first, syscall may access
> >the
> >released aio_kiocb object.
> >
> >Fixes: 54cbc058d86b ("fs/aio: Make io_cancel() generate completions again")
> >Reported-and-tested-by:
> >syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com
> >Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> >---
> > fs/aio.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> >diff --git a/fs/aio.c b/fs/aio.c
> >index 28223f511931..0fed22ed9eb8 100644
> >--- a/fs/aio.c
> >+++ b/fs/aio.c
> >@@ -1762,9 +1762,8 @@ static void aio_poll_complete_work(struct
> >work_struct *work)
> > } /* else, POLLFREE has freed the waitqueue, so we must complete */
> > list_del_init(&iocb->ki_list);
> > iocb->ki_res.res = mangle_poll(mask);
> >- spin_unlock_irq(&ctx->ctx_lock);
> >-
> > iocb_put(iocb);
> >+ spin_unlock_irq(&ctx->ctx_lock);
> > }
> >
> > /* assumes we are called with irqs disabled */
> >@@ -2198,7 +2197,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id,
> >struct iocb __user *, iocb,
> > break;
> > }
> > }
> >- spin_unlock_irq(&ctx->ctx_lock);
> >
> > /*
> > * The result argument is no longer used - the io_event is always
> >@@ -2206,6 +2204,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id,
> >struct iocb __user *, iocb,
> > */
> > if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
> > aio_complete_rw(&kiocb->rw, -EINTR);
> >+ spin_unlock_irq(&ctx->ctx_lock);
> >
> > percpu_ref_put(&ctx->users);
This is just so wrong there aren't even words to describe it. I
recommending reverting all of Bart's patches since they were not reviewed
by anyone with a sufficient level of familiarity with fs/aio.c to get it
right.
-ben
> I'm not enthusiast about the above patch because it increases the amount
> of code executed with the ctx_lock held. Wouldn't something like the
> untested patch below be a better solution?
>
> Thanks,
>
> Bart.
>
>
> diff --git a/fs/aio.c b/fs/aio.c
> index 28223f511931..c6fb10321e48 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -2177,6 +2177,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id,
> struct iocb __user *, iocb,
> struct kioctx *ctx;
> struct aio_kiocb *kiocb;
> int ret = -EINVAL;
> + bool is_cancelled_rw = false;
> u32 key;
> u64 obj = (u64)(unsigned long)iocb;
>
> @@ -2193,6 +2194,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id,
> struct iocb __user *, iocb,
> /* TODO: use a hash or array, this sucks. */
> list_for_each_entry(kiocb, &ctx->active_reqs, ki_list) {
> if (kiocb->ki_res.obj == obj) {
> + is_cancelled_rw = kiocb->rw.ki_flags & IOCB_AIO_RW;
> ret = kiocb->ki_cancel(&kiocb->rw);
> list_del_init(&kiocb->ki_list);
> break;
> @@ -2204,7 +2206,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id,
> struct iocb __user *, iocb,
> * The result argument is no longer used - the io_event is always
> * delivered via the ring buffer.
> */
> - if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
> + if (ret == 0 && is_cancelled_rw)
> aio_complete_rw(&kiocb->rw, -EINTR);
>
> percpu_ref_put(&ctx->users);
>
>
--
"Thought is the essence of where you are now."
next prev parent reply other threads:[~2024-03-04 17:05 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-03 7:29 [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel syzbot
2024-03-03 9:53 ` Edward Adam Davis
2024-03-03 10:22 ` syzbot
2024-03-03 11:33 ` Edward Adam Davis
2024-03-03 11:50 ` syzbot
2024-03-03 12:21 ` [PATCH] fs/aio: fix uaf " Edward Adam Davis
2024-03-04 16:15 ` Bart Van Assche
2024-03-04 17:03 ` Benjamin LaHaise [this message]
2024-03-04 17:15 ` Bart Van Assche
2024-03-04 17:31 ` Benjamin LaHaise
2024-03-04 17:40 ` Bart Van Assche
2024-03-04 17:47 ` Benjamin LaHaise
2024-03-04 17:58 ` Bart Van Assche
2024-03-04 18:02 ` Benjamin LaHaise
2024-03-04 10:44 ` [syzbot] [fs?] KASAN: slab-use-after-free Read " Hillf Danton
2024-03-04 13:33 ` syzbot
2024-03-04 14:07 ` Hillf Danton
2024-03-04 14:57 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240304170343.GO20455@kvack.org \
--to=ben@communityfibre.ca \
--cc=brauner@kernel.org \
--cc=bvanassche@acm.org \
--cc=eadavis@qq.com \
--cc=jack@suse.cz \
--cc=linux-aio@kvack.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.