KASAN: use-after-free Read in task_is_descendant

Tetsuo Handa penguin-kernel at i-love.sakura.ne.jp
Fri Oct 26 15:04:32 UTC 2018


On 2018/10/26 23:39, Oleg Nesterov wrote:
> On 10/26, Tetsuo Handa wrote:
>> Suppose p1 == p2->real_parent and p2 == p3->real_parent, and p1 exited
>> when someone tried to attach on p2, p2->real_parent was pointing to already
>> (or about to be) freed p1.
> 
> I don't see a difference.
> 
> If p1 exits it will re-parent p2, p2->real_parent will be updated.
> 
>> So, the puzzle part is why p2->real_parent was still pointing to p1 even after
>> p1 was freed...
> 
> I don't understand the question.
> 
> Once again. TASK->real_parent can point to the freed mem only if a) TASK exits,
> and b) _after_ that its parent TASK->real_parent exits too.

Oh, p2 exited and then p1 also exited when someone tried to attach on p2.
Then, p2->real_parent can point to already (or about to be) freed p1.

> 
>>> Again, did you read my previous email?
>>
>> Yes. But I still can't be convinced that pid_alive() test helps.
> 
> Well, I don't understand which part of my explanations is not clear to you.

OK. Checking pid_alive() should help.

(By the way, if p->real_parent were updated to point to init_task when p exits,
could we omit the pid_alive() check?)
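Added example, not part of this mail and not kernel code: a small user-space C model of the sequence Oleg describes (a task exits, and only afterwards its real_parent exits and is freed) and of why a pid_alive() test in the ancestry walk stops before the freed task_struct is read. Two things follow the kernel: pid_alive() is true while the task's pid link (thread_pid) is still set, which is cleared when the task is unhashed on exit, and a task that exits reparents its still-live children to init. Everything else (struct task, task_new, task_exit, task_free, task_is_descendant with its checked flag, run_scenario, the tracer task, the uaf_reads counter standing in for KASAN) is this model's own simplification.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model (not kernel code) of the task_struct fields the
 * thread talks about; pid_alive() tests thread_pid, which is cleared on exit. */
struct task {
	int pid;
	int *thread_pid;          /* NULL once the task has exited */
	struct task *real_parent; /* init points at itself */
	int freed;                /* model: memory returned to the allocator */
};

static struct task *tasks[8]; /* every task created, freed ones included */
static int nr_tasks;
static int uaf_reads;   /* stand-in for the KASAN report: reads of freed memory */
static int scenario_rc; /* result of the last ancestry walk */

static int pid_alive(const struct task *t) { return t->thread_pid != NULL; }

static struct task *task_new(struct task *parent, int pid)
{
	struct task *t = calloc(1, sizeof(*t));
	t->pid = pid;
	t->thread_pid = &t->pid;
	t->real_parent = parent ? parent : t;
	tasks[nr_tasks++] = t;
	return t;
}

/* Exit and release: unhash t and reparent its still-alive children to init.
 * A child that already exited is off the children list and keeps its stale
 * real_parent (Oleg's sequence: child exits, then its parent exits). */
static void task_exit(struct task *t, struct task *init)
{
	t->thread_pid = NULL;
	for (int i = 0; i < nr_tasks; i++)
		if (tasks[i]->real_parent == t && pid_alive(tasks[i]))
			tasks[i]->real_parent = init;
}

/* Final put_task_struct: poison the memory so a walk that reads it ends. */
static void task_free(struct task *t)
{
	t->freed = 1;
	t->pid = -1;
	t->real_parent = NULL;
}

/* Walk real_parent links from child looking for parent. checked == 0 ends only
 * at init; checked == 1 also stops as soon as the walker is not pid_alive(). */
static int task_is_descendant(struct task *parent, struct task *child, int checked)
{
	struct task *w = child;
	while (w) {
		if (w->freed)
			uaf_reads++; /* what KASAN would report in the kernel */
		if (checked && !pid_alive(w))
			return 0;
		if (w == parent)
			return 1;
		if (w->real_parent == w)
			return 0; /* reached init without meeting parent */
		w = w->real_parent;
	}
	return 0;
}

/* The thread's sequence: p1 -> p2 -> p3, p2 exits first, then p1 exits and is
 * freed, then an attach on p2 walks the ancestry from p2. Returns how many
 * freed task_structs the walk read; the walk's result is left in scenario_rc. */
static int run_scenario(int checked)
{
	struct task *init = task_new(NULL, 1);
	struct task *tracer = task_new(init, 100);
	struct task *p1 = task_new(init, 10);
	struct task *p2 = task_new(p1, 20);
	task_new(p2, 30);    /* p3 */
	uaf_reads = 0;
	task_exit(p2, init); /* p3 is reparented to init; p2 stays a zombie */
	task_exit(p1, init); /* p2 is not alive, so p2->real_parent stays == p1 */
	task_free(p1);
	scenario_rc = task_is_descendant(tracer, p2, checked);
	while (nr_tasks > 0)
		free(tasks[--nr_tasks]);
	return uaf_reads;
}

int main(void)
{
	int reads = run_scenario(0);
	printf("unchecked walk: freed reads = %d, rc = %d\n", reads, scenario_rc);
	reads = run_scenario(1);
	printf("pid_alive() walk: freed reads = %d, rc = %d\n", reads, scenario_rc);
	return 0;
}
```

The unchecked walk reads p1 after it has been freed (one freed read in the model, a KASAN use-after-free report in the kernel), while the walk that tests pid_alive() first returns as soon as it sees that p2 has exited and never follows p2->real_parent. The model also shows why p2's pointer goes stale: when p1 exits, only children that are still alive are reparented, and p2 is no longer one of them.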
