[PATCH 4.4 13/41] blktrace: Fix uaf in blk_trace access after removing by sysfs

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Zhihao Cheng <chengzhihao1@huawei.com>,
	Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 13/41] blktrace: Fix uaf in blk_trace access after removing by sysfs
Date: Mon,  4 Oct 2021 14:52:04 +0200	[thread overview]
Message-ID: <20211004125027.010673526@linuxfoundation.org> (raw)
In-Reply-To: <20211004125026.597501645@linuxfoundation.org>

From: Zhihao Cheng <chengzhihao1@huawei.com>

[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]

There is an use-after-free problem triggered by following process:

      P1(sda)				P2(sdb)
			echo 0 > /sys/block/sdb/trace/enable
			  blk_trace_remove_queue
			    synchronize_rcu
			    blk_trace_free
			      relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
			        relay_close_buf
				  relay_destroy_buf
				    kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr deference (use-after-free) !!!
rcu_read_unlock

[  502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[  502.715260] #PF: supervisor read access in kernel mode
[  502.715903] #PF: error_code(0x0000) - not-present page
[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[  502.717252] Oops: 0000 [#1] SMP
[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[  502.732872] Call Trace:
[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
[  502.733734]  blk_add_trace_rq+0x7b/0xd0
[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[  502.734755]  blk_mq_start_request+0xde/0x1b0
[  502.735287]  scsi_queue_rq+0x528/0x1140
...
[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[  502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.

Fixes: c71a896154119f ("blktrace: add ftrace plugin")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/blktrace.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 8ac3663e0012..c142e100840e 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1581,6 +1581,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
 	if (bt == NULL)
 		return -EINVAL;
 
+	if (bt->trace_state == Blktrace_running) {
+		bt->trace_state = Blktrace_stopped;
+		spin_lock_irq(&running_trace_lock);
+		list_del_init(&bt->running_list);
+		spin_unlock_irq(&running_trace_lock);
+		relay_flush(bt->rchan);
+	}
+
 	put_probe_ref();
 	synchronize_rcu();
 	blk_trace_free(bt);
-- 
2.33.0

next prev parent reply	other threads:[~2021-10-04 12:54 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-04 12:51 [PATCH 4.4 00/41] 4.4.286-rc1 review Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 01/41] usb: gadget: r8a66597: fix a loop in set_feature() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 02/41] usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 03/41] cifs: fix incorrect check for null pointer in header_assemble Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 04/41] xen/x86: fix PV trap handling on secondary processors Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 05/41] USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 06/41] USB: serial: mos7840: remove duplicated 0xac24 device ID Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 07/41] USB: serial: option: add Telit LN920 compositions Greg Kroah-Hartman
2021-10-04 12:51 ` [PATCH 4.4 08/41] USB: serial: option: remove duplicate USB device ID Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 09/41] USB: serial: option: add device id for Foxconn T99W265 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 10/41] net: hso: fix muxed tty registration Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 11/41] net/mlx4_en: Dont allow aRFS for encapsulated packets Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 12/41] scsi: iscsi: Adjust iface sysfs attr detection Greg Kroah-Hartman
2021-10-04 12:52 ` Greg Kroah-Hartman [this message]
2021-10-04 12:52 ` [PATCH 4.4 14/41] m68k: Double cast io functions to unsigned long Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 15/41] compiler.h: Introduce absolute_pointer macro Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 16/41] net: i825xx: Use absolute_pointer for memcpy from fixed memory location Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 17/41] sparc: avoid stringop-overread errors Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 18/41] qnx4: " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 19/41] parisc: Use absolute_pointer() to define PAGE0 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 20/41] arm64: Mark __stack_chk_guard as __ro_after_init Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 21/41] alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 22/41] net: 6pack: Fix tx timeout and slot time Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 23/41] spi: Fix tegra20 build with CONFIG_PM=n Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 24/41] qnx4: work around gcc false positive warning bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 25/41] tty: Fix out-of-bound vmalloc access in imageblit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 26/41] mac80211: fix use-after-free in CCMP/GCMP RX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 27/41] ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 28/41] e100: fix length calculation in e100_get_regs_len Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 29/41] e100: fix buffer overrun in e100_get_regs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 30/41] ipack: ipoctal: fix stack information leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 31/41] ipack: ipoctal: fix tty registration race Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 32/41] ipack: ipoctal: fix tty-registration error handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 33/41] ipack: ipoctal: fix missing allocation-failure check Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 34/41] ipack: ipoctal: fix module reference leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 35/41] ext4: fix potential infinite loop in ext4_dx_readdir() Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 36/41] EDAC/synopsys: Fix wrong value type assignment for edac_mode Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 37/41] arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 38/41] HID: betop: fix slab-out-of-bounds Write in betop_probe Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 39/41] netfilter: ipset: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 40/41] HID: usbhid: free raw_report buffers in usbhid_stop Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 4.4 41/41] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-04 18:06 ` [PATCH 4.4 00/41] 4.4.286-rc1 review Pavel Machek
2021-10-04 19:50 ` Shuah Khan
2021-10-05  2:13 ` Guenter Roeck

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8ac3663e001 dfblob:c142e100840 )
 OR (
bs:"[PATCH 4.4 13/41] blktrace: Fix uaf in blk_trace access after removing by sysfs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211004125027.010673526@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=axboe@kernel.dk \
    --cc=chengzhihao1@huawei.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox