[PATCH v3] kernel/watch_queue: Make pipe NULL while clearing watch_queue

Siddh Raman Pant code at siddh.me
Wed Aug 3 03:56:04 UTC 2022


On Wed, 03 Aug 2022 06:38:36 +0530  Eric Biggers <ebiggers at kernel.org> wrote:
> On Thu, Jul 28, 2022 at 09:21:21PM +0530, Siddh Raman Pant wrote:
> > If not done, a reference to a freed pipe remains in the watch_queue,
> > as this function is called before freeing a pipe in free_pipe_info()
> > (see line 834 of fs/pipe.c).
> > 
> > This causes a UAF when post_one_notification() tries to access the pipe
> > on a key update, which is reported by syzbot.
> > 
> > We also need to use READ_ONCE() in post_one_notification() to prevent the
> > compiler from optimising and loading a non-NULL value from wqueue->pipe.
> 
> Didn't this already get fixed by the following commit?
> 
>     commit 353f7988dd8413c47718f7ca79c030b6fb62cfe5
>     Author: Linus Torvalds <torvalds at linux-foundation.org>
>     Date:   Tue Jul 19 11:09:01 2022 -0700
> 
>         watchqueue: make sure to serialize 'wqueue->defunct' properly
> 
> With that, post_one_notification() only runs while the watch_queue is locked and
> not "defunct".  So it's guaranteed that the pipe still exists.  Any concurrent
> free_pipe_info() waits for the watch_queue to be unlocked in watch_queue_clear()
> before proceeding to free the pipe.  So where is there still a bug?

It doesn't fix the dangling pointer to the freed pipe in the watch_queue, which
had caused this crash.

> > 
> > Bug report: https://syzkaller.appspot.com/bug?id=1870dd7791ba05f2ea7f47f7cbdde701173973fc
> > Reported-and-tested-by: syzbot+c70d87ac1d001f29a058 at syzkaller.appspotmail.com
> 
> If this actually does fix something, then it's mixing Fixes and Cc stable tags.

Noted.

> > diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
> > index bb9962b33f95..617425e34252 100644
> > --- a/kernel/watch_queue.c
> > +++ b/kernel/watch_queue.c
> > @@ -99,7 +99,7 @@ static bool post_one_notification(struct watch_queue *wqueue,
> >                    struct watch_notification *n)
> >  {
> >      void *p;
> > -    struct pipe_inode_info *pipe = wqueue->pipe;
> > +    struct pipe_inode_info *pipe = READ_ONCE(wqueue->pipe);
> >      struct pipe_buffer *buf;
> >      struct page *page;
> >      unsigned int head, tail, mask, note, offset, len;
> > @@ -637,6 +637,12 @@ void watch_queue_clear(struct watch_queue *wqueue)
> >          spin_lock_bh(&wqueue->lock);
> >      }
> >  
> > +    /* Clearing the watch queue, so we should clean the associated pipe. */
> > +    if (wqueue->pipe) {
> > +        wqueue->pipe->watch_queue = NULL;
> > +        wqueue->pipe = NULL;
> > +    }
> > +
> >      spin_unlock_bh(&wqueue->lock);
> >      rcu_read_unlock();
> >  }
> 
> And this is clearly the wrong fix anyway, since it makes the call to
> put_watch_queue() in free_pipe_info() never be executed.  So AFAICT, this patch
> introduces a memory leak, and doesn't actually fix anything...
> 
> - Eric
> 

Sorry for overlooking that. wqueue->pipe->watch_queue = NULL; is unnecessary,
but wqueue->pipe = NULL; is needed.

I will send a final v4 once all issues are resolved in this thread.

Thanks,
Siddh



More information about the Linux-security-module-archive mailing list