[PATCH v3] kernel/watch_queue: Make pipe NULL while clearing watch_queue
Siddh Raman Pant
code at siddh.me
Wed Aug 3 03:56:04 UTC 2022
On Wed, 03 Aug 2022 06:38:36 +0530 Eric Biggers <ebiggers at kernel.org> wrote:
> On Thu, Jul 28, 2022 at 09:21:21PM +0530, Siddh Raman Pant wrote:
> > If not done, a reference to a freed pipe remains in the watch_queue,
> > as this function is called before freeing a pipe in free_pipe_info()
> > (see line 834 of fs/pipe.c).
> >
> > This causes a UAF when post_one_notification() tries to access the pipe
> > on a key update, which is reported by syzbot.
> >
> > We also need to use READ_ONCE() in post_one_notification() to prevent the
> > compiler from optimising and loading a non-NULL value from wqueue->pipe.
>
> Didn't this already get fixed by the following commit?
>
> commit 353f7988dd8413c47718f7ca79c030b6fb62cfe5
> Author: Linus Torvalds <torvalds at linux-foundation.org>
> Date: Tue Jul 19 11:09:01 2022 -0700
>
> watchqueue: make sure to serialize 'wqueue->defunct' properly
>
> With that, post_one_notification() only runs while the watch_queue is locked and
> not "defunct". So it's guaranteed that the pipe still exists. Any concurrent
> free_pipe_info() waits for the watch_queue to be unlocked in watch_queue_clear()
> before proceeding to free the pipe. So where is there still a bug?
It doesn't fix the dangling pointer to the freed pipe in the watch_queue, which
had caused this crash.
> >
> > Bug report: https://syzkaller.appspot.com/bug?id=1870dd7791ba05f2ea7f47f7cbdde701173973fc
> > Reported-and-tested-by: syzbot+c70d87ac1d001f29a058 at syzkaller.appspotmail.com
>
> If this actually does fix something, then it's mixing Fixes and Cc stable tags.
Noted.
> > diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
> > index bb9962b33f95..617425e34252 100644
> > --- a/kernel/watch_queue.c
> > +++ b/kernel/watch_queue.c
> > @@ -99,7 +99,7 @@ static bool post_one_notification(struct watch_queue *wqueue,
> > struct watch_notification *n)
> > {
> > void *p;
> > - struct pipe_inode_info *pipe = wqueue->pipe;
> > + struct pipe_inode_info *pipe = READ_ONCE(wqueue->pipe);
> > struct pipe_buffer *buf;
> > struct page *page;
> > unsigned int head, tail, mask, note, offset, len;
> > @@ -637,6 +637,12 @@ void watch_queue_clear(struct watch_queue *wqueue)
> > spin_lock_bh(&wqueue->lock);
> > }
> >
> > + /* Clearing the watch queue, so we should clean the associated pipe. */
> > + if (wqueue->pipe) {
> > + wqueue->pipe->watch_queue = NULL;
> > + wqueue->pipe = NULL;
> > + }
> > +
> > spin_unlock_bh(&wqueue->lock);
> > rcu_read_unlock();
> > }
>
> And this is clearly the wrong fix anyway, since it makes the call to
> put_watch_queue() in free_pipe_info() never be executed. So AFAICT, this patch
> introduces a memory leak, and doesn't actually fix anything...
>
> - Eric
>
Sorry for overlooking that. wqueue->pipe->watch_queue = NULL; is unnecessary,
but wqueue->pipe = NULL; is needed.
I will send a final v4 once all issues are resolved in this thread.
Thanks,
Siddh
More information about the Linux-security-module-archive
mailing list