From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Cc: syzkaller <syzkaller-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Jan Kara <jack-AlSwsSmVLrQ@public.gmane.org>,
JongHwan Kim <zzoru007-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: ucount: use-after-free read in inc_ucount & dec_ucount
Date: Sun, 05 Mar 2017 12:41:16 -0600 [thread overview]
Message-ID: <87y3wjlg6r.fsf@xmission.com> (raw)
In-Reply-To: <CACT4Y+bYAbsxsRWA2o+c7x25f1JPSqZKX-8a8NJq4nab-PyYig-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Dmitry Vyukov's message of "Sun, 5 Mar 2017 11:53:14 +0100")
Dmitry Vyukov <dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org> writes:
>
> Nice. I think it should work.
>
> I would also do:
>
> diff --git a/kernel/ucount.c b/kernel/ucount.c
> index 8a11fc0cb459..233c8e46acd5 100644
> --- a/kernel/ucount.c
> +++ b/kernel/ucount.c
> @@ -143,19 +143,18 @@ static struct ucounts *get_ucounts(struct
> user_namespace *ns, kuid_t uid)
>
> new->ns = ns;
> new->uid = uid;
> - atomic_set(&new->count, 0);
> + atomic_set(&new->count, 1);
>
> spin_lock_irq(&ucounts_lock);
> ucounts = find_ucounts(ns, uid, hashent);
> if (ucounts) {
> + atomic_inc(&ucounts->count);
> kfree(new);
> } else {
> hlist_add_head(&new->node, hashent);
> ucounts = new;
> }
> }
> - if (!atomic_add_unless(&ucounts->count, 1, INT_MAX))
> - ucounts = NULL;
> spin_unlock_irq(&ucounts_lock);
> return ucounts;
> }
No. As that allows ucounts->count to be incremented to the point
it goes negative. Counter wrap-around is just as bad as imperfect
locking if you can trigger it, and has been a cause of use-after-free
errors etc.
So it is a feature that if the count is maxed out for a given kuid that
get_ucounts will fail.
Eric
next prev parent reply other threads:[~2017-03-05 18:41 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <C4CB953C-4712-43F3-9E75-1A12C14B8A4B@gmail.com>
[not found] ` <C4CB953C-4712-43F3-9E75-1A12C14B8A4B-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-03-03 15:37 ` ucount: use-after-free read in inc_ucount & dec_ucount Nikolay Borisov
[not found] ` <180fb7dc-790e-8e82-0cc1-c6e15ddcd20b-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-03-03 16:30 ` Eric W. Biederman
[not found] ` <87pohy1fx6.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-03-03 16:45 ` Nikolay Borisov
[not found] ` <d0a23a9c-65a6-063f-748b-e399bed6dacd-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-03-03 16:46 ` Eric W. Biederman
2017-03-04 10:58 ` Nikolay Borisov
[not found] ` <1aafd5e9-d9de-e5d9-a77d-cf245c5a5c6a-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-03-04 11:44 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+a043_qFN=2uzvYhDFwF4JS9_p3jnOykpMk=RcpqQfKGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-04 11:50 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+Yev63VXYm+kZdii5kheV_ACBn2cehFcFdz6LBVam3Q2g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-04 11:57 ` Dmitry Vyukov via Containers
2017-03-04 12:01 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+b7YXnoOkdYTjp6D6XH-zuYRx063hMayOVMyJVc735dtQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-04 12:10 ` Nikolay Borisov
[not found] ` <c69f8f03-4324-f934-eed2-643c91d703c0-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-03-04 12:15 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+avCy8Susvb09DLHkGym0K_15+EeZ8yBH7tcgjvnb3Yhw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-04 12:35 ` 쪼르
[not found] ` <CALRZ7Ut=bAgX+XwS3h8-V-zGqiUFkuSCi_C=j6uN_=OptU-+RQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-05 21:00 ` Eric W. Biederman
[not found] ` <87efybfnh2.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-03-06 9:13 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+aZmSY3rmV7+iC7i6Ov2Of4N5YTpjz5Tk8XCki-CyAY5w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-06 16:33 ` Eric W. Biederman
[not found] ` <87a88y4b78.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-03-06 18:43 ` Dmitry Vyukov via Containers
2017-03-04 12:38 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+YWEq66QXbTMR4yGtgc0ULN+TurAnRzcDASaja1z5XNjA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-04 23:58 ` Eric W. Biederman
[not found] ` <87shmsoar7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-03-05 10:53 ` Dmitry Vyukov via Containers
[not found] ` <CACT4Y+bYAbsxsRWA2o+c7x25f1JPSqZKX-8a8NJq4nab-PyYig-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-03-05 18:41 ` Eric W. Biederman [this message]
[not found] ` <87y3wjlg6r.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-03-05 21:41 ` [REVIEW][PATCH] ucount: Remove the atomicity from ucount->count Eric W. Biederman
[not found] ` <87tw77csgd.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2017-03-06 20:39 ` Andrei Vagin
[not found] ` <20170306203919.GA17874-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2017-03-06 21:26 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y3wjlg6r.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=dvyukov-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=jack-AlSwsSmVLrQ@public.gmane.org \
--cc=syzkaller-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org \
--cc=zzoru007-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.