KASAN: use-after-free Read in task_is_descendant
Oleg Nesterov
oleg at redhat.com
Thu Oct 25 12:17:09 UTC 2018
On 10/25, Tetsuo Handa wrote:
>
> On 2018/10/25 20:13, Oleg Nesterov wrote:
> >
> > So again, suppose that "child" is already dead. Its task_struct can't be freed,
> > but child->real_parent can point to the already freed memory.
>
> Yes.
>
> But if child->real_parent is pointing to the already freed memory,
> why does pid_alive(child) == true help?
Hmm. Because pid_alive(child) == true && child->real_parent is freed must not
be possible? As long as we check pid_alive() under rcu_read_lock().
> >> @@ -283,6 +283,11 @@ static int task_is_descendant(struct task_struct *parent,
> >> return 0;
> >>
> >> rcu_read_lock();
> >> + if (!pid_alive(parent) || !pid_alive(walker)) {
> >> + rcu_read_unlock();
> >> + printk("parent or walker is dead.\n");
> >
> > This is what we need to do, except I think we should change yama_ptrace_access_check().
> > And iiuc parent == current, pid_alive(parent) looks unnecessary. Although we need to
> > check ptracer_exception_found(), may be it needs some changes too.
>
> There are two task_is_descendant() callers, and one of them is not passing current.
As I said below, please ignore ptracer_exception_found(), another caller for now,
perhaps it needs some changes too. I even have a vague feeling that I have already
blamed this function some time ago...
> > And yes, task_is_descendant() can hit the dead child, if nothing else it can
> > be killed. This can explain the kasan report.
>
> The kasan is reporting that child->real_parent (or maybe child->real_parent->real_parent
> or child->real_parent->real_parent->real_parent ...) was pointing to already freed memory,
> isn't it?
Yes. and you know, I am all confused. I no longer can understand you :/
> How can we check that that pointer is pointing to already freed memory? As soon as
>
> walker = rcu_dereference(walker->real_parent);
>
> is executed, task_alive(walker) will try to read from already freed memory...
Of course we should not do it this way. The patch I sent doesn't...
Oleg.
More information about the Linux-security-module-archive
mailing list