From patchwork Tue Aug 28 20:13:13 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 145358
From: Amit Pundir
To: Greg KH
Cc: Stable, Vegard Nossum, Peter Zijlstra, Andy Lutomirski, Frederic Weisbecker, Jamie Iles, Thomas Gleixner
Subject: [PATCH for-4.9.y 02/14] kthread: Fix use-after-free if kthread fork fails
Date: Wed, 29 Aug 2018 01:43:13 +0530
Message-Id: <1535487205-26280-3-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1535487205-26280-1-git-send-email-amit.pundir@linaro.org>
References: <1535487205-26280-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org
From: Vegard Nossum

commit 4d6501dce079c1eb6bf0b1d8f528a5e81770109e upstream.

If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but
fails in copy_process() between calling dup_task_struct() and setting
p->set_child_tid, then the value of p->set_child_tid will be inherited
from the parent and get prematurely freed by free_kthread_struct().

    kthread()
     - worker_thread()
        - process_one_work()
        |  - call_usermodehelper_exec_work()
        |     - kernel_thread()
        |        - _do_fork()
        |           - copy_process()
        |              - dup_task_struct()
        |                 - arch_dup_task_struct()
        |                    - tsk->set_child_tid = current->set_child_tid // implied
        |              - ...
        |              - goto bad_fork_*
        |              - ...
        |              - free_task(tsk)
        |                 - free_kthread_struct(tsk)
        |                    - kfree(tsk->set_child_tid)
        - ...
        - schedule()
           - __schedule()
              - wq_worker_sleeping()
                 - kthread_data(task)->flags // UAF

The problem started showing up with commit 1da5c46fa965 since it reused
->set_child_tid for the kthread worker data.

A better long-term solution might be to get rid of the ->set_child_tid
abuse. The comment in set_kthread_struct() also looks slightly wrong.

Debugged-by: Jamie Iles
Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed")
Signed-off-by: Vegard Nossum
Acked-by: Oleg Nesterov
Cc: Peter Zijlstra
Cc: Greg Kroah-Hartman
Cc: Andy Lutomirski
Cc: Frederic Weisbecker
Cc: Jamie Iles
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com
Signed-off-by: Thomas Gleixner
Signed-off-by: Amit Pundir
---
To be applied on 4.4.y and 3.18.y as well.
Build tested on v4.4.153 and v3.18.120.

 kernel/fork.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

-- 
2.7.4

diff --git a/kernel/fork.c b/kernel/fork.c
index 2c98b987808d..46a6b0311ca3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1530,6 +1530,18 @@ static __latent_entropy struct task_struct *copy_process( if (!p) goto fork_out; + /* + * This _must_ happen before we call free_task(), i.e. before we jump + * to any of the bad_fork_* labels. This is to avoid freeing + * p->set_child_tid which is (ab)used as a kthread's data pointer for + * kernel threads (PF_KTHREAD). + */ + p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; + /* + * Clear TID on mm_release()? + */ + p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL; + ftrace_graph_init_task(p); rt_mutex_init_task(p); @@ -1691,11 +1703,6 @@ static __latent_entropy struct task_struct *copy_process( } } - p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL; - /* - * Clear TID on mm_release()? - */ - p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL; #ifdef CONFIG_BLOCK p->plug = NULL; #endif
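Review bot: the new comment in the first hunk says what must not happen (freeing p->set_child_tid on a bad_fork_* path) but not why moving the assignment here makes it safe; one sentence noting that from this point on every bad_fork_* label reaches free_task() with set_child_tid already overwritten, so free_kthread_struct() sees NULL instead of the parent kthread's data block, would spare the next reader a trip through the commit message. The hunk also quietly relies on kernel threads never being forked with CLONE_CHILD_SETTID: for a PF_KTHREAD child that flag would put child_tidptr into set_child_tid, and the error path in the call chain above would hand that pointer to kfree(); stating that assumption next to the assignment is cheap. Finally, since the cover note targets 4.4.y and 3.18.y as well as 4.9.y, confirm that the Fixes: commit 1da5c46fa965 (the one the message says reused ->set_child_tid for kthread data) is present in each target tree; where it is not, this hunk only moves an initialisation and fixes nothing.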
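Review bot: the second hunk's header `@@ -1691,11 +1703,6 @@ static __latent_entropy struct task_struct *copy_process(` carries 4.9.y line numbers and function context, so for the 4.4.y and 3.18.y trees the cover note mentions, check that the removal still applies (older trees may lack the `__latent_entropy` annotation, which affects only the header's context string, not the hunk body, so at worst it needs fuzz or regeneration per tree). The removed lines are exactly the two assignments re-added in the first hunk, the `Clear TID on mm_release()?` comment moves with them, and the blank line before `#ifdef CONFIG_BLOCK` is kept, so the code side of this hunk needs no change.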
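The mechanism the commit message describes (a pointer inherited by whole-struct copy in dup_task_struct(), then freed by free_kthread_struct() on the error path while the parent still uses it) is easy to reproduce outside the kernel. The following user-space model is an added example written for this page; it is not kernel code and not part of the patch. The struct names, PF_KTHREAD and CLONE_CHILD_SETTID values, and the tiny allocation registry standing in for the slab allocator are all constructed here. It runs copy_process() once with the assignment in its original (late) position and once in the patched (early) position, failing the fork between the two, and reports whether the parent's data block survives:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model (not kernel code). Names mirror the kernel
 * functions in the commit message so the control flow can be followed. */
#define PF_KTHREAD          0x00200000u
#define CLONE_CHILD_SETTID  0x01000000u

struct kthread { unsigned int flags; };   /* the per-kthread data block */

struct task_struct {
    unsigned int flags;        /* PF_KTHREAD for kernel threads */
    void *set_child_tid;       /* (ab)used as the struct kthread pointer */
};

/* Allocation registry standing in for the slab allocator, so a premature
 * free is observable without ever touching freed memory. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];

static void *kmalloc_model(size_t n) {
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}
static bool is_live(const void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i] == p) return true;
    return false;
}
static void kfree_model(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i] == p) { live[i] = NULL; free(p); return; }
    /* kfree(NULL) is a no-op; an unknown pointer would be a double free,
     * which the model ignores rather than corrupting the real heap. */
}

/* free_kthread_struct(): for a kernel thread, free the block hanging off
 * set_child_tid. free_task() calls this on every bad_fork_* path. */
static void free_kthread_struct(struct task_struct *t) {
    if (t->flags & PF_KTHREAD)
        kfree_model(t->set_child_tid);
}

/* dup_task_struct(): whole-struct copy, so the parent's set_child_tid
 * (its struct kthread pointer) is inherited by the child. */
static struct task_struct *dup_task_struct(const struct task_struct *parent) {
    struct task_struct *p = malloc(sizeof *p);
    if (p) *p = *parent;
    return p;
}

/* copy_process(): `fixed` selects where set_child_tid is initialised
 * (right after dup_task_struct(), as in the patch) and `fail_early`
 * injects an error between the two positions. */
static int copy_process(const struct task_struct *parent, unsigned long clone_flags,
                        void *child_tidptr, bool fixed, bool fail_early,
                        struct task_struct **out)
{
    struct task_struct *p = dup_task_struct(parent);
    if (!p)
        return -ENOMEM;
    if (fixed)   /* patched position: before any bad_fork_* label is reachable */
        p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
    if (fail_early)
        goto bad_fork_free;
    if (!fixed)  /* original position: too late for the error path above */
        p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
    *out = p;
    return 0;
bad_fork_free:
    free_kthread_struct(p);   /* what free_task() does for PF_KTHREAD tasks */
    free(p);
    return -EAGAIN;
}

/* Returns true if the parent kthread's data block is still live after a
 * child fork fails between dup_task_struct() and the old assignment. */
static bool parent_data_survives_failed_fork(bool fixed) {
    for (int i = 0; i < MAX_LIVE; i++) { free(live[i]); live[i] = NULL; }
    struct task_struct parent = { .flags = PF_KTHREAD,
                                  .set_child_tid = kmalloc_model(sizeof(struct kthread)) };
    struct task_struct *child = NULL;
    /* kernel_thread() never passes CLONE_CHILD_SETTID, so clone_flags is 0 here */
    int rc = copy_process(&parent, 0, NULL, fixed, true, &child);
    bool survives = rc < 0 && is_live(parent.set_child_tid);
    kfree_model(parent.set_child_tid);   /* cleanup; no-op if already freed */
    return survives;
}

int main(void) {
    printf("unpatched: parent data live after failed fork? %s\n",
           parent_data_survives_failed_fork(false) ? "yes" : "no (use-after-free)");
    printf("patched:   parent data live after failed fork? %s\n",
           parent_data_survives_failed_fork(true) ? "yes" : "no");
    return 0;
}
```

The registry is what makes the bug visible safely: the real kernel only notices when wq_worker_sleeping() later dereferences the freed struct kthread, which is exactly the kind of access KASAN flags; here the same condition is reported as "the parent's pointer is no longer a live allocation" without any dereference.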