All of lore.kernel.org
 help / color / mirror / Atom feed
* [dm-devel] [bug report] dm crypt: conditionally enable code needed for tasklet usecases
@ 2023-03-09 14:35 Dan Carpenter
  2023-03-09 14:42 ` Dan Carpenter
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2023-03-09 14:35 UTC (permalink / raw)
  To: snitzer; +Cc: dm-devel

Hello Mike Snitzer,

The patch ae75a25bd83f: "dm crypt: conditionally enable code needed
for tasklet usecases" from Mar 6, 2023, leads to the following Smatch
static checker warning:

	drivers/md/dm-crypt.c:2758 crypt_dtr()
	warn: 'cc' was already freed.

drivers/md/dm-crypt.c
    2739         if (cc->dev)
    2740                 dm_put_device(ti, cc->dev);
    2741 
    2742         kfree_sensitive(cc->cipher_string);
    2743         kfree_sensitive(cc->key_string);
    2744         kfree_sensitive(cc->cipher_auth);
    2745         kfree_sensitive(cc->authenc_key);
    2746 
    2747         mutex_destroy(&cc->bio_alloc_lock);
    2748 
    2749         /* Must zero key material before freeing */
    2750         kfree_sensitive(cc);
                                 ^^

    2751 
    2752         spin_lock(&dm_crypt_clients_lock);
    2753         WARN_ON(!dm_crypt_clients_n);
    2754         dm_crypt_clients_n--;
    2755         crypt_calculate_pages_per_client();
    2756         spin_unlock(&dm_crypt_clients_lock);
    2757 
--> 2758         if (test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags) ||
                                                           ^^^^^^^^^
    2759             test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags))
                                                            ^^^^^^^^^
UAF.  This wasn't tested, right?  If this passes testing then it means
kfree_sensitive() is broken.  (Normally UAF bugs can only be detected
with KASan, but kfree_sensitive() should poison the data I thought).

    2760                 static_branch_dec(&use_tasklet_enabled);
    2761 
    2762         dm_audit_log_dtr(DM_MSG_PREFIX, ti, 1);
    2763 }

regards,
dan carpenter

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [dm-devel] [bug report] dm crypt: conditionally enable code needed for tasklet usecases
  2023-03-09 14:35 [dm-devel] [bug report] dm crypt: conditionally enable code needed for tasklet usecases Dan Carpenter
@ 2023-03-09 14:42 ` Dan Carpenter
  2023-03-09 15:08   ` Mike Snitzer
  0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2023-03-09 14:42 UTC (permalink / raw)
  To: snitzer; +Cc: dm-devel

On Thu, Mar 09, 2023 at 05:35:20PM +0300, Dan Carpenter wrote:
> --> 2758         if (test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags) ||
>                                                            ^^^^^^^^^
>     2759             test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags))
>                                                             ^^^^^^^^^
> UAF.  This wasn't tested, right?  If this passes testing then it means
> kfree_sensitive() is broken.  (Normally UAF bugs can only be detected
> with KASan, but kfree_sensitive() should poison the data I thought).
> 

Nope.  This is thing where you need KASan to detect the bug.  I'm wrong
and continually demonstrate how even twenty years in to it I still don't
understand pointers.

regards,
dan carpenter

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [dm-devel] [bug report] dm crypt: conditionally enable code needed for tasklet usecases
  2023-03-09 14:42 ` Dan Carpenter
@ 2023-03-09 15:08   ` Mike Snitzer
  0 siblings, 0 replies; 3+ messages in thread
From: Mike Snitzer @ 2023-03-09 15:08 UTC (permalink / raw)
  To: Dan Carpenter; +Cc: dm-devel

On Thu, Mar 09 2023 at  9:42P -0500,
Dan Carpenter <error27@gmail.com> wrote:

> On Thu, Mar 09, 2023 at 05:35:20PM +0300, Dan Carpenter wrote:
> > --> 2758         if (test_bit(DM_CRYPT_NO_READ_WORKQUEUE, &cc->flags) ||
> >                                                            ^^^^^^^^^
> >     2759             test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags))
> >                                                             ^^^^^^^^^
> > UAF.  This wasn't tested, right?  If this passes testing then it means
> > kfree_sensitive() is broken.  (Normally UAF bugs can only be detected
> > with KASan, but kfree_sensitive() should poison the data I thought).
> > 
> 
> Nope.  This is thing where you need KASan to detect the bug.  I'm wrong
> and continually demonstrate how even twenty years in to it I still don't
> understand pointers.

Thanks for the report, really appreciate it. Sorry for the oversight
(and lack of testing). But we decided to fix a different way and
linux-next was updated accordingly, I just tweaked it but here is the
final:

https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git/commit/?h=for-next&id=d9a02e016aaf5a57fb44e9a5e6da8ccd3b9e2e70

Mike

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-03-09 15:08 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-03-09 14:35 [dm-devel] [bug report] dm crypt: conditionally enable code needed for tasklet usecases Dan Carpenter
2023-03-09 14:42 ` Dan Carpenter
2023-03-09 15:08   ` Mike Snitzer

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.