Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp970300pxk; Thu, 10 Sep 2020 03:43:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxqRmtVfgsIO2Ig6G9wvOO4bJoVMmWTVo4XClmyX+TjUdwYNB/3grEb5ySKM0SYi/v2D6bE X-Received: by 2002:a17:906:2962:: with SMTP id x2mr7913855ejd.188.1599734613868; Thu, 10 Sep 2020 03:43:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599734613; cv=none; d=google.com; s=arc-20160816; b=aq9R+iikqxOMzANefAhO7rsbBUzfpinbw47jLfMy2+0MQ22fR/cBq8mkNU1uTfjrsh xTVozVGDCUkT1USYdNSCG7+2fdZjJffUYxzk46ohk+EyCnHvUKbNInhmyzpriQWDzyl9 5bIBlSZ7cVQAG73GNP14slgCdBCqmOYb6Kdv9hXoTMRyX7XcNdB1jHyA8yq72ILzsOTP BjFqtBYSu81fLSmNlSbmG5LMA98DRxIzpJQqQEr19BFgvAWZM1sSg6m0FFfG1FHRV7KE q/ovjjAJzy369JjD8j6/PSkJpZCnfLhXkYWkScraeRPSnbpkvd6bImO81SRkZKWuq5GO ux/A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=ILN40/XT4Rfv4O1mpAvP1DEQYMxFBRd2TZUVtzcawNA=; b=b9VHkp5wUg4dFxbaLIt1zXx2K7t04j17UsQ8v7HS/asIIENfoyXQFDLzRyNPU/Nvfp cXJh2LAI+u0gYyyJ7DpIE9ocV+fbjZrHgliL6wmGjLyroITgmkEUEFH3zYe9fj11mS// p5OS4tCT8BbMUWb3s3cfyQZpkSJ3x8+fFUOOIylz6uWkmzstqV6PGwbdZoOm2ZKOJtRo FVNizAPSFr/jP6szI85LMmqwO1Ur1CgcMJWUEHc/+JyEuNWnET/YtJpxVHGhiDIFmkyk coz77ofSds3xmMpPeB8pjsTWc7yMzyU1+Z+eMWxhcM7C81c8pq0YvJbp8yo0I52d5ZPv D4rw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y11si3505318edm.191.2020.09.10.03.43.08; Thu, 10 Sep 2020 03:43:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726345AbgIJKme convert rfc822-to-8bit (ORCPT + 99 others); Thu, 10 Sep 2020 06:42:34 -0400 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:36780 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726057AbgIJKmD (ORCPT ); Thu, 10 Sep 2020 06:42:03 -0400 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-409-cK_L9dlCO6qXUkXUIk9AhQ-1; Thu, 10 Sep 2020 06:41:58 -0400 X-MC-Unique: cK_L9dlCO6qXUkXUIk9AhQ-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EC3998030DD; Thu, 10 Sep 2020 10:41:56 +0000 (UTC) Received: from krava.redhat.com (unknown [10.40.192.38]) by smtp.corp.redhat.com (Postfix) with ESMTP id D4E845D9E8; Thu, 10 Sep 2020 10:41:54 +0000 (UTC) From: Jiri Olsa To: Peter Zijlstra , Arnaldo Carvalho de Melo Cc: lkml , Ingo Molnar , Namhyung Kim , Alexander Shishkin , Michael Petlan , Wade Mealing Subject: [PATCH] perf: Fix race in perf_mmap_close function Date: Thu, 10 Sep 2020 12:41:53 +0200 Message-Id: <20200910104153.1672460-1-jolsa@kernel.org> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=jolsa@kernel.org X-Mimecast-Spam-Score: 0.001 X-Mimecast-Originator: kernel.org Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There's a possible race in perf_mmap_close when checking ring buffer's mmap_count refcount value. The problem is that the mmap_count check is not atomic because we call atomic_dec and atomic_read separately. perf_mmap_close: ... atomic_dec(&rb->mmap_count); ... if (atomic_read(&rb->mmap_count)) goto out_put; free_uid out_put: ring_buffer_put(rb); /* could be last */ The race can happen when we have two (or more) events sharing same ring buffer and they go through atomic_dec and then they both see 0 as refcount value later in atomic_read. Then both will go on and execute code which is meant to be run just once. The code that detaches ring buffer is probably fine to be executed more than once, but the problem is in calling free_uid, which will later on demonstrate in related crashes and refcount warnings, like: refcount_t: addition on 0; use-after-free. ... RIP: 0010:refcount_warn_saturate+0x6d/0xf ... Call Trace: prepare_creds+0x190/0x1e0 copy_creds+0x35/0x172 copy_process+0x471/0x1a80 _do_fork+0x83/0x3a0 __do_sys_wait4+0x83/0x90 __do_sys_clone+0x85/0xa0 do_syscall_64+0x5b/0x1e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Using atomic decrease and check instead of separated calls. This fixes CVE-2020-14351. Signed-off-by: Jiri Olsa --- kernel/events/core.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c index 7ed5248f0445..29313cc54d9e 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5903,8 +5903,6 @@ static void perf_mmap_close(struct vm_area_struct *vma) mutex_unlock(&event->mmap_mutex); } - atomic_dec(&rb->mmap_count); - if (!atomic_dec_and_mutex_lock(&event->mmap_count, &event->mmap_mutex)) goto out_put; @@ -5912,7 +5910,7 @@ static void perf_mmap_close(struct vm_area_struct *vma) mutex_unlock(&event->mmap_mutex); /* If there's still other mmap()s of this buffer, we're done. */ - if (atomic_read(&rb->mmap_count)) + if (!atomic_dec_and_test(&rb->mmap_count)) goto out_put; /* -- 2.26.2