From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Vegard Nossum <vegard.nossum@oracle.com>,
Tejun Heo <tj@kernel.org>, Jens Axboe <axboe@fb.com>
Subject: [PATCH 4.6 37/56] block: fix use-after-free in seq file
Date: Sun, 14 Aug 2016 22:37:41 +0200 [thread overview]
Message-ID: <20160814202506.460906214@linuxfoundation.org> (raw)
In-Reply-To: <20160814202504.908694181@linuxfoundation.org>
4.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vegard Nossum <vegard.nossum@oracle.com>
commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/genhd.c | 1 +
1 file changed, 1 insertion(+)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -856,6 +856,7 @@ static void disk_seqf_stop(struct seq_fi
if (iter) {
class_dev_iter_exit(iter);
kfree(iter);
+ seqf->private = NULL;
}
}
next prev parent reply other threads:[~2016-08-14 20:42 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160814203815uscas1p2549802c8af27d2aa233de8bce43fe3ee@uscas1p2.samsung.com>
2016-08-14 20:37 ` [PATCH 4.6 00/56] 4.6.7-stable review Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 01/56] libnvdimm, dax: record the specified alignment of a dax-device instance Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 02/56] libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 03/56] ppp: defer netns reference release for ppp channel Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 04/56] tcp: make challenge acks less predictable Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 05/56] tcp: enable per-socket rate limiting of all challenge acks Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 06/56] bonding: set carrier off for devices created through netlink Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 07/56] net: bgmac: Fix infinite loop in bgmac_dma_tx_add() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 08/56] vlan: use a valid default mtu value for vlan over macsec Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 09/56] bridge: Fix incorrect re-injection of LLDP packets Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 10/56] net: ipv6: Always leave anycast and multicast groups on link down Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 11/56] net/irda: fix NULL pointer dereference on memory allocation failure Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 12/56] qed: Fix setting/clearing bit in completion bitmap Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 13/56] macsec: ensure rx_sa is set when validation is disabled Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 14/56] tcp: consider recv buf for the initial window scale Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 16/56] arm: oabi compat: add missing access checks Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 17/56] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 18/56] IB/hfi1: Correct issues with sc5 computation Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 19/56] IB/hfi1: Fix deadlock with txreq allocation slow path Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 20/56] apparmor: fix ref count leak when profile sha1 hash is read Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 21/56] regulator: qcom_smd: Remove list_voltage callback for rpm_smps_ldo_ops_fixed Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 22/56] random: strengthen input validation for RNDADDTOENTCNT Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 23/56] x86/mm/pat: Add support of non-default PAT MSR setting Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 24/56] x86/mm/pat: Add pat_disable() interface Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 25/56] x86/mm/pat: Replace cpu_has_pat with boot_cpu_has() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 26/56] x86/mtrr: Fix Xorg crashes in Qemu sessions Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 27/56] x86/mtrr: Fix PAT init handling when MTRR is disabled Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 28/56] x86/xen, pat: Remove PAT table init code from Xen Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 29/56] x86/pat: Document the PAT initialization sequence Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 30/56] x86/mm/pat: Fix BUG_ON() in mmap_mem() on QEMU/i386 Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 31/56] udf: Prevent stack overflow on corrupted filesystem mount Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 32/56] powerpc/eeh: Fix invalid cached PE primary bus Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 33/56] powerpc/bpf/jit: Disable classic BPF JIT on ppc64le Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 34/56] mm: memcontrol: fix swap counter leak on swapout from offline cgroup Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 35/56] mm: memcontrol: fix memcg id ref counter on swap charge move Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 36/56] x86/syscalls/64: Add compat_sys_keyctl for 32-bit userspace Greg Kroah-Hartman
2016-08-14 20:37 ` Greg Kroah-Hartman [this message]
2016-08-14 20:37 ` [PATCH 4.6 38/56] sysv, ipc: fix security-layer leaking Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 39/56] radix-tree: account nodes to memcg only if explicitly requested Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 40/56] x86/microcode: Fix suspend to RAM with builtin microcode Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 41/56] x86/power/64: Fix hibernation return address corruption Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 42/56] fuse: fsync() did not return IO errors Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 43/56] fuse: fuse_flush must check mapping->flags for errors Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 44/56] fuse: fix wrong assignment of ->flags in fuse_send_init() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 45/56] Revert "mm, mempool: only set __GFP_NOMEMALLOC if there are free elements" Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 46/56] fs/dcache.c: avoid soft-lockup in dput() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 47/56] Revert "cpufreq: pcc-cpufreq: update default value of cpuinfo_transition_latency" Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 48/56] crypto: gcm - Filter out async ghash if necessary Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 49/56] crypto: scatterwalk - Fix test in scatterwalk_done Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 50/56] serial: mvebu-uart: free the IRQ in ->shutdown() Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 51/56] ext4: check for extents that wrap around Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 52/56] ext4: fix deadlock during page writeback Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 53/56] ext4: dont call ext4_should_journal_data() on the journal inode Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 54/56] ext4: validate s_reserved_gdt_blocks on mount Greg Kroah-Hartman
2016-08-14 20:37 ` [PATCH 4.6 55/56] ext4: short-cut orphan cleanup on error Greg Kroah-Hartman
2016-08-14 20:38 ` [PATCH 4.6 56/56] ext4: fix reference counting bug on block allocation error Greg Kroah-Hartman
2016-08-15 13:07 ` [PATCH 4.6 00/56] 4.6.7-stable review Guenter Roeck
2016-08-16 4:02 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160814202506.460906214@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tj@kernel.org \
--cc=vegard.nossum@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).