From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, CAI Qian <caiqian@redhat.com>,
Yang Shukui <yangshukui@huawei.com>,
Zhou Chengming <zhouchengming1@huawei.com>,
Al Viro <viro@ZenIV.linux.org.uk>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 4.9 072/120] sysctl: Drop reference added by grab_header in proc_sys_readdir
Date: Wed, 18 Jan 2017 11:46:30 +0100 [thread overview]
Message-ID: <20170118104651.053186379@linuxfoundation.org> (raw)
In-Reply-To: <20170118104648.120216880@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhou Chengming <zhouchengming1@huawei.com>
commit 93362fa47fe98b62e4a34ab408c4a418432e7939 upstream.
Fixes CVE-2016-9191, proc_sys_readdir doesn't drop reference
added by grab_header when return from !dir_emit_dots path.
It can cause any path called unregister_sysctl_table will
wait forever.
The calltrace of CVE-2016-9191:
[ 5535.960522] Call Trace:
[ 5535.963265] [<ffffffff817cdaaf>] schedule+0x3f/0xa0
[ 5535.968817] [<ffffffff817d33fb>] schedule_timeout+0x3db/0x6f0
[ 5535.975346] [<ffffffff817cf055>] ? wait_for_completion+0x45/0x130
[ 5535.982256] [<ffffffff817cf0d3>] wait_for_completion+0xc3/0x130
[ 5535.988972] [<ffffffff810d1fd0>] ? wake_up_q+0x80/0x80
[ 5535.994804] [<ffffffff8130de64>] drop_sysctl_table+0xc4/0xe0
[ 5536.001227] [<ffffffff8130de17>] drop_sysctl_table+0x77/0xe0
[ 5536.007648] [<ffffffff8130decd>] unregister_sysctl_table+0x4d/0xa0
[ 5536.014654] [<ffffffff8130deff>] unregister_sysctl_table+0x7f/0xa0
[ 5536.021657] [<ffffffff810f57f5>] unregister_sched_domain_sysctl+0x15/0x40
[ 5536.029344] [<ffffffff810d7704>] partition_sched_domains+0x44/0x450
[ 5536.036447] [<ffffffff817d0761>] ? __mutex_unlock_slowpath+0x111/0x1f0
[ 5536.043844] [<ffffffff81167684>] rebuild_sched_domains_locked+0x64/0xb0
[ 5536.051336] [<ffffffff8116789d>] update_flag+0x11d/0x210
[ 5536.057373] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
[ 5536.064186] [<ffffffff81167acb>] ? cpuset_css_offline+0x1b/0x60
[ 5536.070899] [<ffffffff810fce3d>] ? trace_hardirqs_on+0xd/0x10
[ 5536.077420] [<ffffffff817cf61f>] ? mutex_lock_nested+0x2df/0x450
[ 5536.084234] [<ffffffff8115a9f5>] ? css_killed_work_fn+0x25/0x220
[ 5536.091049] [<ffffffff81167ae5>] cpuset_css_offline+0x35/0x60
[ 5536.097571] [<ffffffff8115aa2c>] css_killed_work_fn+0x5c/0x220
[ 5536.104207] [<ffffffff810bc83f>] process_one_work+0x1df/0x710
[ 5536.110736] [<ffffffff810bc7c0>] ? process_one_work+0x160/0x710
[ 5536.117461] [<ffffffff810bce9b>] worker_thread+0x12b/0x4a0
[ 5536.123697] [<ffffffff810bcd70>] ? process_one_work+0x710/0x710
[ 5536.130426] [<ffffffff810c3f7e>] kthread+0xfe/0x120
[ 5536.135991] [<ffffffff817d4baf>] ret_from_fork+0x1f/0x40
[ 5536.142041] [<ffffffff810c3e80>] ? kthread_create_on_node+0x230/0x230
One cgroup maintainer mentioned that "cgroup is trying to offline
a cpuset css, which takes place under cgroup_mutex. The offlining
ends up trying to drain active usages of a sysctl table which apprently
is not happening."
The real reason is that proc_sys_readdir doesn't drop reference added
by grab_header when return from !dir_emit_dots path. So this cpuset
offline path will wait here forever.
See here for details: http://www.openwall.com/lists/oss-security/2016/11/04/13
Fixes: f0c3b5093add ("[readdir] convert procfs")
Reported-by: CAI Qian <caiqian@redhat.com>
Tested-by: Yang Shukui <yangshukui@huawei.com>
Signed-off-by: Zhou Chengming <zhouchengming1@huawei.com>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/proc/proc_sysctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -709,7 +709,7 @@ static int proc_sys_readdir(struct file
ctl_dir = container_of(head, struct ctl_dir, header);
if (!dir_emit_dots(file, ctx))
- return 0;
+ goto out;
pos = 2;
@@ -719,6 +719,7 @@ static int proc_sys_readdir(struct file
break;
}
}
+out:
sysctl_head_finish(head);
return 0;
}
next prev parent reply other threads:[~2017-01-18 10:54 UTC|newest]
Thread overview: 124+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20170118105210epcas1p4840f421605eedf74bbde441d7e96f084@epcas1p4.samsung.com>
2017-01-18 10:45 ` [PATCH 4.9 000/120] 4.9.5-stable review Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 001/120] Input: xpad - use correct product id for x360w controllers Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 002/120] Input: i8042 - add Pegatron touchpad to noloop table Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 003/120] pinctrl: imx: fix imx_pinctrl_desc initialization Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 006/120] regulator: tps65086: Fix 25mV ranges for BUCK regulators Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 007/120] regulator: axp20x: Fix axp809 ldo_io registration error on cold boot Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 008/120] drm/tegra: dpaux: Fix error handling Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 009/120] drm/vc4: Fix a couple error codes in vc4_cl_lookup_bos() Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 010/120] drm/savage: dereferencing an error pointer Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 011/120] selftests: do not require bash to run netsocktests testcase Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 012/120] selftests: do not require bash for the generated test Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 013/120] zram: revalidate disk under init_lock Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 014/120] zram: support BDI_CAP_STABLE_WRITES Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 015/120] dax: fix deadlock with DAX 4k holes Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 016/120] mm: pmd dirty emulation in page fault handler Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 017/120] mm: fix devm_memremap_pages crash, use mem_hotplug_{begin, done} Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 018/120] ocfs2: fix crash caused by stale lvb with fsdlm plugin Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 019/120] mm, memcg: fix the active list aging for lowmem requests when memcg is enabled Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 020/120] mm: support anonymous stable page Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 021/120] mm/slab.c: fix SLAB freelist randomization duplicate entries Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 022/120] mm/hugetlb.c: fix reservation race when freeing surplus pages Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 023/120] KVM: x86: fix emulation of "MOV SS, null selector" Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 025/120] jump_labels: API for flushing deferred jump label updates Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 026/120] KVM: x86: flush pending lapic jump label updates on module unload Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 031/120] KVM: x86: Introduce segmented_write_std Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 032/120] efi/libstub/arm*: Pass latest memory map to the kernel Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 033/120] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code Greg Kroah-Hartman
2017-01-18 14:38 ` Prarit Bhargava
2017-01-18 16:33 ` Greg Kroah-Hartman
2017-01-18 16:55 ` Prarit Bhargava
2017-01-18 17:20 ` Greg Kroah-Hartman
2017-01-19 12:18 ` Prarit Bhargava
2017-01-18 22:25 ` Ingo Molnar
2017-01-19 10:32 ` Prarit Bhargava
2017-01-19 11:49 ` Greg Kroah-Hartman
2017-01-19 12:05 ` Prarit Bhargava
2017-01-19 13:49 ` Greg Kroah-Hartman
2017-01-19 13:21 ` Ingo Molnar
2017-01-19 13:49 ` Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 034/120] efi/x86: Prune invalid memory map entries and fix boot regression Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 036/120] nl80211: fix sched scan netlink socket owner destruction Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 037/120] gpio: Move freeing of GPIO hogs before numbing of the device Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 039/120] bridge: netfilter: Fix dropping packets that moving through bridge interface Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 040/120] x86/cpu/AMD: Clean up cpu_llc_id assignment per topology feature Greg Kroah-Hartman
2017-01-18 10:45 ` [PATCH 4.9 041/120] x86/bugs: Separate AMD E400 erratum and C1E bug Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 042/120] x86/CPU/AMD: Fix Bulldozer topology Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 043/120] wusbcore: Fix one more crypto-on-the-stack bug Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 044/120] usb: musb: fix runtime PM in debugfs Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 045/120] USB: serial: kl5kusb105: fix line-state error handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 046/120] USB: serial: ch341: fix initial modem-control state Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 047/120] USB: serial: ch341: fix resume after reset Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 048/120] USB: serial: ch341: fix open error handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 049/120] USB: serial: ch341: fix control-message " Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 050/120] USB: serial: ch341: fix open and resume after B0 Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 051/120] Input: elants_i2c - avoid divide by 0 errors on bad touchscreen data Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 052/120] i2c: print correct device invalid address Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 053/120] i2c: fix kernel memory disclosure in dev interface Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 054/120] fix a fencepost error in pipe_advance() Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 055/120] xhci: fix deadlock at host remove by running watchdog correctly Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 056/120] btrfs: fix crash when tracepoint arguments are freed by wq callbacks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 057/120] ASoC: hdmi-codec: use unsigned type to structure members with bit-field Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 058/120] Revert "tty: serial: 8250: add CON_CONSDEV to flags" Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 060/120] pid: fix lockdep deadlock warning due to ucount_lock Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 061/120] mnt: Protect the mountpoint hashtable with mount_lock Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 062/120] drivers: char: mem: Fix thinkos in kmem address checks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 063/120] dmaengine: omap-dma: Fix dynamic lch_map allocation Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 064/120] virtio_blk: avoid DMA to stack for the sense buffer Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 065/120] tty/serial: atmel: RS485 half duplex w/DMA: enable RX after TX is done Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 066/120] tty/serial: atmel_serial: BUG: stop DMA from transmitting in stop_tx Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 067/120] ibmvscsis: Fix srp_transfer_data fail return code Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 068/120] orinoco: Use shash instead of ahash for MIC calculations Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 069/120] sysrq: attach sysrq handler correctly for 32-bit kernel Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 070/120] extcon: return error code on failure Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 071/120] Clearing FIFOs in RS485 emulation mode causes subsequent transmits to break Greg Kroah-Hartman
2017-01-18 10:46 ` Greg Kroah-Hartman [this message]
2017-01-18 10:46 ` [PATCH 4.9 073/120] net/af_iucv: dont use paged skbs for TX on HiperSockets Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 074/120] drm/i915/gen9: Fix PCODE polling timeout in stable backport Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 075/120] drm: Clean up planes in atomic commit helper failure path Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 076/120] drm/radeon: update smc firmware selection for SI Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 077/120] drm/radeon: drop verde dpm quirks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 078/120] drm/amdgpu: update si kicker smc firmware Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 079/120] drm/amdgpu: drop verde dpm quirks Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 080/120] USB: serial: ch341: fix modem-control and B0 handling Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 081/120] net/mlx5: Only cancel recovery work when cleaning up device Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 082/120] i2c: piix4: Avoid race conditions with IMC Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 083/120] x86/cpu: Fix bootup crashes by sanitizing the argument of the clearcpuid= command-line option Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 084/120] nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 085/120] btrfs: fix locking when we put back a delayed ref thats too new Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 086/120] btrfs: fix error handling when run_delayed_extent_op fails Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 087/120] pinctrl: meson: fix gpio request disabling other modes Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 088/120] NFS: fix typo in parameter description Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 089/120] pNFS: Fix race in pnfs_wait_on_layoutreturn Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 090/120] NFS: Fix a performance regression in readdir Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 091/120] NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 092/120] i2c: mux: pca954x: fix i2c mux selection caching Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 094/120] drm: avoid uninitialized timestamp use in wait_vblank Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 095/120] drm/panel: simple: Check against num_timings when setting preferred for timing Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 097/120] drm: Initialise drm_mm.head_node.allocated Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 099/120] remoteproc: st: Fix error return code in st_rproc_probe() Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 100/120] powerpc/64: Simplify adaptation to new ISA v3.00 HPTE format Greg Kroah-Hartman
2017-01-18 10:46 ` [PATCH 4.9 101/120] cpufreq: powernv: Disable preemption while checking CPU throttling state Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 102/120] regulators: helpers: Fix handling of bypass_val_on in get_bypass_regmap Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 103/120] ACPI / CPPC: set an error code on probe error path Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 104/120] block: Change extern inline to static inline Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 105/120] block: cfq_cpd_alloc() should use @gfp Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 106/120] ACPI / APEI: Fix NMI notification handling Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 107/120] powercap/intel_rapl: fix and tidy up error handling Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 108/120] iw_cxgb4: Fix error return code in c4iw_rdev_open() Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 109/120] bq24190_charger: Fix PM runtime use for bq24190_battery_set_property Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 110/120] power: supply: bq27xxx_battery: Fix register map for BQ27510 and BQ27520 Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 111/120] blk-mq: Always schedule hctx->next_cpu Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 112/120] bus: vexpress-config: fix device reference leak Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 113/120] powerpc/mm: Correct process and partition table max size Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 114/120] powerpc/ibmebus: Fix further device reference leaks Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 115/120] powerpc/ibmebus: Fix device reference leaks in sysfs interface Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 116/120] powerpc/powernv: Dont warn on PE init if unfreeze is unsupported Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 117/120] arm64: hugetlb: fix the wrong address for several functions Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 118/120] arm64: hugetlb: remove the wrong pmd check in find_num_contig() Greg Kroah-Hartman
2017-01-18 10:47 ` [PATCH 4.9 119/120] arm64: hugetlb: fix the wrong return value for huge_ptep_set_access_flags Greg Kroah-Hartman
2017-01-18 18:44 ` [PATCH 4.9 000/120] 4.9.5-stable review Guenter Roeck
2017-01-18 20:22 ` Greg Kroah-Hartman
2017-01-19 18:07 ` Shuah Khan
2017-01-19 18:17 ` Greg Kroah-Hartman
[not found] ` <58802cd1.c3161c0a.43eb6.d94b@mx.google.com>
[not found] ` <m2tw8t2u08.fsf@baylibre.com>
2017-01-21 8:57 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170118104651.053186379@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=caiqian@redhat.com \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
--cc=yangshukui@huawei.com \
--cc=zhouchengming1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).