From patchwork Mon Sep 25 07:35:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wang Jinchao X-Patchwork-Id: 726761 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 95674CE7A8C for ; Mon, 25 Sep 2023 07:36:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229475AbjIYHgU (ORCPT ); Mon, 25 Sep 2023 03:36:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41786 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229709AbjIYHgT (ORCPT ); Mon, 25 Sep 2023 03:36:19 -0400 Received: from wxsgout04.xfusion.com (wxsgout03.xfusion.com [36.139.52.80]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34B42DA; Mon, 25 Sep 2023 00:36:10 -0700 (PDT) Received: from wuxshcsitd00600.xfusion.com (unknown [10.32.133.213]) by wxsgout04.xfusion.com (SkyGuard) with ESMTPS id 4RvF492VnMz9xk16; Mon, 25 Sep 2023 15:34:01 +0800 (CST) Received: from localhost (10.82.147.3) by wuxshcsitd00600.xfusion.com (10.32.133.213) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Mon, 25 Sep 2023 15:35:59 +0800 Date: Mon, 25 Sep 2023 15:35:58 +0800 From: Wang Jinchao To: Steffen Klassert , Daniel Jordan , , CC: Subject: [PATCH] padata: Fix the UAF issue related to parallel_data Message-ID: MIME-Version: 1.0 Content-Disposition: inline X-Originating-IP: [10.82.147.3] X-ClientProxiedBy: wuxshcsitd00601.xfusion.com (10.32.135.241) To wuxshcsitd00600.xfusion.com (10.32.133.213) Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead to system UAF (Use-After-Free) issues. Due to the lengthy analysis of the pcrypt_aead01 function call, I'll describe the problem scenario using a simplified model: Suppose there's a user of padata named `user_function` that adheres to the padata requirement of calling `padata_free_shell` after `serial()` has been invoked, as demonstrated in the following code: ```c struct request { struct padata_priv padata; struct completion *done; }; void parallel(struct padata_priv *padata) { do_something(); } void serial(struct padata_priv *padata) { struct request *request = container_of(padata, struct request, padata); complete(request->done); } void user_function() { DECLARE_COMPLETION(done) padata->parallel = parallel() padata_do_parallel(); wait_for_completion(&done); padata_free_shell(); } ``` In the corresponding padata.c file, there's the following code: ```c static void padata_serial_worker(struct work_struct *serial_work) { ... cnt = 0; while (!list_empty(&local_list)) { ... padata->serial(padata); cnt++; } local_bh_enable(); if (refcount_sub_and_test(cnt, &pd->refcnt)) padata_free_pd(pd); } ``` Because of the high system load and the accumulation of unexecuted softirq at this moment, `local_bh_enable()` in padata takes longer to execute than usual. Subsequently, when accessing `pd->refcnt`, `pd` has already been released by `padata_free_shell()`, resulting in a UAF issue with `pd->refcnt`. The fix is straightforward: add `refcount_dec_and_test` before calling `padata_free_pd` in `padata_free_shell`. Signed-off-by: Wang Jinchao --- kernel/padata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/padata.c b/kernel/padata.c index 222d60195de6..15dbcf7ce623 100644 --- a/kernel/padata.c +++ b/kernel/padata.c @@ -1107,7 +1107,8 @@ void padata_free_shell(struct padata_shell *ps) mutex_lock(&ps->pinst->lock); list_del(&ps->list); - padata_free_pd(rcu_dereference_protected(ps->pd, 1)); + if (refcount_dec_and_test(&ps->pd->refcnt)) + padata_free_pd(rcu_dereference_protected(ps->pd, 1)); mutex_unlock(&ps->pinst->lock); kfree(ps);