首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

kthread: Fix use-after-free if kthread fork fails

If a kthread forks (e.g. usermodehelper since commit 1da5c46fa965) but
fails in copy_process() between calling dup_task_struct() and setting
p->set_child_tid, then the value of p->set_child_tid will be inherited
from the parent and get prematurely freed by free_kthread_struct().

    kthread()
     - worker_thread()
        - process_one_work()
        |  - call_usermodehelper_exec_work()
        |     - kernel_thread()
        |        - _do_fork()
        |           - copy_process()
        |              - dup_task_struct()
        |                 - arch_dup_task_struct()
        |                    - tsk->set_child_tid = current->set_child_tid // implied
        |              - ...
        |              - goto bad_fork_*
        |              - ...
        |              - free_task(tsk)
        |                 - free_kthread_struct(tsk)
        |                    - kfree(tsk->set_child_tid)
        - ...
        - schedule()
           - __schedule()
              - wq_worker_sleeping()
                 - kthread_data(task)->flags // UAF

The problem started showing up with commit 1da5c46fa965 since it reused
->set_child_tid for the kthread worker data.

A better long-term solution might be to get rid of the ->set_child_tid
abuse. The comment in set_kthread_struct() also looks slightly wrong.

Debugged-by: Jamie Iles <jamie.iles@oracle.com>
Fixes: 1da5c46fa965 ("kthread: Make struct kthread kmalloc'ed")
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jamie Iles <jamie.iles@oracle.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20170509073959.17858-1-vegard.nossum@oracle.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Vegard Nossum 8 年之前
父节点
5ea30e4e58
当前提交
4d6501dce0
共有 1 个文件被更改,包括 12 次插入5 次删除
分列视图 显示文件统计
  1. 12 5
      kernel/fork.c

+ 12 - 5
kernel/fork.c
查看文件 

@@ -1553,6 +1553,18 @@ static __latent_entropy struct task_struct *copy_process(
 
 	if (!p)
 
 		goto fork_out;
 
 
+	/*
 
+	 * This _must_ happen before we call free_task(), i.e. before we jump
 
+	 * to any of the bad_fork_* labels. This is to avoid freeing
 
+	 * p->set_child_tid which is (ab)used as a kthread's data pointer for
 
+	 * kernel threads (PF_KTHREAD).
 
+	 */
 
+	p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
 
+	/*
 
+	 * Clear TID on mm_release()?
 
+	 */
 
+	p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
 
+
 
 	ftrace_graph_init_task(p);
 
 
 	rt_mutex_init_task(p);
 
@@ -1716,11 +1728,6 @@ static __latent_entropy struct task_struct *copy_process(
 
 		}
 
 	}
 
 
-	p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
 
-	/*
 
-	 * Clear TID on mm_release()?
 
-	 */
 
-	p->clear_child_tid = (clone_flags & CLONE_CHILD_CLEARTID) ? child_tidptr : NULL;
 
 #ifdef CONFIG_BLOCK
 
 	p->plug = NULL;
 
 #endif