Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp529952pxk; Wed, 2 Sep 2020 08:05:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyC7em8oAMcbnk+urcHQzwZAExIi/PrCoZKoL5bYNa3l8EOJRQyx8YAIqMWhkH4bPHqQNi0 X-Received: by 2002:aa7:d043:: with SMTP id n3mr448171edo.243.1599059130141; Wed, 02 Sep 2020 08:05:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599059130; cv=none; d=google.com; s=arc-20160816; b=dw725MIqabA9+apu5oTDf1NMmwKeDXRfyqtltsFfU6oDM8cteU/pdtOZ9iX2WTuyAT 6G+6MFUTRtk6caZuM72ewF4WEPqC8MuMclVAouphWyEF0s9VDr7fho793Y6INROIIA3q /8yeb7MDHnA0+KCtuAWyPTO0wHUxFpofW+Fc8b6nVM9UUcV4Nv+tRNcEdmtUGZEWiotJ manolaXVCJktvSFWD99AMDvla/ru4ph8gf2PxLmhbP+hMZmLfFoyuAsMfoFE5qFUBLw7 vqL4K3AIv6bQU6ZI0gPy2k9LGH36H0OfiJl3rtqmmc4bqGXi7VQor66PXlLDlQYeTmWQ uVxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature:dkim-signature; bh=2yjs51SuYlYSUilMgak7DQa/qGyKL3VPzrK0/NXEgZ4=; b=DM6YIaG0lpxovnvKdByrESMXzxYO18IXiXBrYD8PxAIAHPsDgtM7YTdyQBAkhbjzla 91VYkw4O/M1pDj+2ALoxJIGIP8j3YikMN8WXVwUSHB3I3qzWz7MoWoco5SexfV4nZxcW ywDUDJBGvy7Epka9usL+B+UIAUiQo0YsWyJliHkQFhbmrr96y0O35Pk6N3v1OyfH6Kib bZ02aZBmOhI22oRGGDPRlFDOmmJEiKIA1GIh7GrWwqL+4EINEVtRtx4DlzObDxs37g8b FqmkJclWyhJJVYEHTDq438/PoGuXnaKKx9anGTivRjG5Z2wsRHZ3G5IMiL4bBWyMPEKZ kzvA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm1 header.b=Ob4KSGs+; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=G5760nFN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k3si2807462eds.225.2020.09.02.08.05.04; Wed, 02 Sep 2020 08:05:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho.pizza header.s=fm1 header.b=Ob4KSGs+; dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=G5760nFN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726567AbgIBPDD (ORCPT + 99 others); Wed, 2 Sep 2020 11:03:03 -0400 Received: from new2-smtp.messagingengine.com ([66.111.4.224]:40851 "EHLO new2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727001AbgIBNvx (ORCPT ); Wed, 2 Sep 2020 09:51:53 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailnew.nyi.internal (Postfix) with ESMTP id C4C125804AD; Wed, 2 Sep 2020 09:40:10 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Wed, 02 Sep 2020 09:40:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho.pizza; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm1; bh=2yjs51SuYlYSUilMgak7DQa/qGy KL3VPzrK0/NXEgZ4=; b=Ob4KSGs+ScX2RMUcN1Qibmw5cQESFwSC0pFbE8wqKZc m5nkQb5Y2tBPaY2Hz9hTFztGlMtfc5PBr4edZG7ArA19QeES6fI8f4tV+vcoWRKb m2g7HYoUnxZrR+0C3Ki6vvw94NOPDmcXnkqDCaysVH4qu/Pi2+AJwho7v6XAT4OZ SRnLcNr7R7UtNDsyRi0caPt0apEOiJvxJSow/EQIq5otI0xryNh2cBOrJDDrteFk ibs0GanyXN0aqwQ+GYaP0zRg9x+zU3pLNDpjMgTUG2ahnoZxOkRago6wszquLQIv IrdvvxgI2W+DFnqG6nhQkblqKEG27OkbyvBHweS18nQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=2yjs51 SuYlYSUilMgak7DQa/qGyKL3VPzrK0/NXEgZ4=; b=G5760nFNMyXQWhN5KyukMM udReu9QsqR0W2kjd5/SUQGJVmj9jAnwSbsX3I+DmIQyLCXsNB6liY37QJrpdjlB9 XkDlwGlWTutRdGU3DvxCBFTBxrqJyjSejKL5S+8b+ngaii1nxoUJXUvwfTyccjzF 43JLzQrA4dnl0xY/ahOSjQc+L9oUL00UXWq2lQQjZ9rTlP42sTU9EAmv/7Ae7Ro8 bN+g8udv64RJsoY+YzzlsRdWgECs4ve6TB4VAATFfdhIs8gutmUHQeXQwebTd9qN pZX1z4j0ZUcowakUaKNg3yEH3KmGLEubfHX7hdwr5E+aQV8UB8bFsY+1IxpcgzDA == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudefledgieekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvffukfhfgggtuggjsehttdertddttddvnecuhfhrohhmpefvhigthhho ucetnhguvghrshgvnhcuoehthigthhhosehthigthhhordhpihiiiigrqeenucggtffrrg htthgvrhhnpeegkeefjeegkedtjefgfeduleekueetjeeghffhuefgffefleehgeeifedv gfethfenucfkphepuddvkedruddtjedrvdeguddrudejkeenucfuphgrmhfkphfpvghtfi horhhkpeduvdekrddutdejrddvgedurddujeeknecuvehluhhsthgvrhfuihiivgeptden ucfrrghrrghmpehmrghilhhfrhhomhepthihtghhohesthihtghhohdrphhiiiiirg X-ME-Proxy: Received: from cisco (unknown [128.107.241.178]) by mail.messagingengine.com (Postfix) with ESMTPA id 25B2F30600A6; Wed, 2 Sep 2020 09:40:08 -0400 (EDT) Date: Wed, 2 Sep 2020 07:39:56 -0600 From: Tycho Andersen To: Christian Brauner Cc: Kees Cook , linux-kernel@vger.kernel.org, "Tobin C . Harding" , Christian Brauner , syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com Subject: Re: [PATCH 1/2] seccomp: don't leak memory when filter install races Message-ID: <20200902133956.GB1136703@cisco> References: <20200902014017.934315-1-tycho@tycho.pizza> <20200902090849.bvevcuhtae73pplm@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200902090849.bvevcuhtae73pplm@wittgenstein> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 02, 2020 at 11:08:49AM +0200, Christian Brauner wrote: > On Tue, Sep 01, 2020 at 07:40:16PM -0600, Tycho Andersen wrote: > > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize > > the listener fd, then check to see if we can actually use it later in > > seccomp_may_assign_mode(), which can fail if anyone else in our thread > > group has installed a filter and caused some divergence. If we can't, we > > partially clean up the newly allocated file: we put the fd, put the file, > > but don't actually clean up the *memory* that was allocated at > > filter->notif. Let's clean that up too. > > > > To accomplish this, let's hoist the actual "detach a notifier from a > > filter" code to its own helper out of seccomp_notify_release(), so that in > > case anyone adds stuff to init_listener(), they only have to add the > > cleanup code in one spot. This does a bit of extra locking and such on the > > failure path when the filter is not attached, but it's a slow failure path > > anyway. > > > > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together") > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com > > Signed-off-by: Tycho Andersen > > --- > > This looks sane to me! > Acked-by: Christian Brauner > > One thing I noticed when checking the failure paths. In init_listener we > allocate the notifier by directly storing it into filter->notif and if > anon_inode_getfile() fails we simply kfree(filter->notif) but don't NULL > it and leave filter->notif pointing to freed memory. > Since we have a few places where we check filter->notif whether it is > initialized or not maybe we should NULL filter->notif if init_listener() > fails or alloc the notifier into a tmp variable and only assign it to > filter->notif after we can't fail anymore in init_listener(). > > Just a thought since the error path in seccomp_set_mode_filter() is a > little more complex. :) Yeah it seems like we definitely should, and maybe this is what Kees was talking about and I missed it. I'll send a patch on top of this shortly. Tycho