Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2558334pxb; Tue, 24 Aug 2021 01:52:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxY3XaE6sZqG+hUTVfUnQeHPtYVxtgD0x7MJRFYq5Ds2+t+v8SJDUA3d5qP/jkQmjSsLd6P X-Received: by 2002:a05:6e02:1d1a:: with SMTP id i26mr25684219ila.96.1629795161447; Tue, 24 Aug 2021 01:52:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629795161; cv=none; d=google.com; s=arc-20160816; b=O6zrpaABj8r2qEO+7SXUTAExSC4NkmG+GiDMOlrWT/npE98lky9KaIoMfUYG1LPyLa 7RN1WIw9dc0b/yhFIPRsIIdsfEQTTrHyDu3a5B8ZDqIqAfu+VfOgO9zb2hShBsOlKhMb +ASzRwQibGNyGpSuI4qhaFC0xBG+GJT6UwRmLBdI0MO8tzOlJiIf9/jIq/lBanKxzTGz l8UVK5dHHwogX48HtzRVo4C5MfAr/8+XxCkJraJ5sHgQBAv3gmrGGxP+WhT1U5Mml+wy B701BzuHVvajBxHJnvMcoQzgyfQEH+AMdxW+4QykUP+OEYOutMUNgGRD6yRrWoDoHXhI OVmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature:dkim-signature; bh=9SUm9DZ7VT6OGAhj+B8v8x/YoYhvTLFIbpXVrBIm1SM=; b=SKD1NYuT/K/UDCB7tfReH7G1g7Ml7VcSteSlG2drOELISCPRHiK6YCzbXF3d81Wqgj Tl/QFvSfT2OvuzD3JjCz5qLJPN0uTg/RTNJIJ2yXi6fJu2Ct8KR95zqQxLsscgZqOE2O vzuob+FEWQikuYhIsDsc4ViuNf/nFBuymz2u3/5cgnf2affttG6nZecMSYtG0UatNtdx hhDfhoq7EsSY+gCVxc/A8A4E29XRXRV/Vnjp5BqGDAQw/vq763vkhwmkE2M4nPwifqCT G7X5SZYeQE5vgFf/YpCJrU+VsFTnKz2/EM8h8iBifEtFfyIuyO37kPxKB1GDn7EZpEwh 5PvA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=uyEIwPaZ; dkim=neutral (no key) header.i=@suse.cz header.b=8MFFSxEG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y9si3110675jan.84.2021.08.24.01.52.30; Tue, 24 Aug 2021 01:52:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=uyEIwPaZ; dkim=neutral (no key) header.i=@suse.cz header.b=8MFFSxEG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235418AbhHXIwY (ORCPT + 99 others); Tue, 24 Aug 2021 04:52:24 -0400 Received: from smtp-out1.suse.de ([195.135.220.28]:57694 "EHLO smtp-out1.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234214AbhHXIwS (ORCPT ); Tue, 24 Aug 2021 04:52:18 -0400 Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id D0CE922000; Tue, 24 Aug 2021 08:51:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1629795092; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=9SUm9DZ7VT6OGAhj+B8v8x/YoYhvTLFIbpXVrBIm1SM=; b=uyEIwPaZpo+FJT5NMF6ke8bf/DEOluwvxBF7e4/9Om/U1H3agGUSgas98SKrQSR+tLXhNu 8GscnomaMAcFAyjFzXbT/yQN2L8O9GVzVIgoZm1XXnRuIWtenLk3+IQIpd6EjCFX0b7J5s MAPkRkrAB3uMXnov2eRmx8fae/izDsE= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1629795092; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=9SUm9DZ7VT6OGAhj+B8v8x/YoYhvTLFIbpXVrBIm1SM=; b=8MFFSxEGOm1HQRRt0CxSsCYO5MprgKVTVAB54CGQyP3mXGXGEVCqJBS65k/XeM9PeYAWgs CbCu//LK4tgjK6DQ== Received: from quack2.suse.cz (unknown [10.100.224.230]) by relay2.suse.de (Postfix) with ESMTP id 8612AA3BBA; Tue, 24 Aug 2021 08:51:32 +0000 (UTC) Received: by quack2.suse.cz (Postfix, from userid 1000) id 5DCCF1E0BD5; Tue, 24 Aug 2021 10:51:32 +0200 (CEST) Date: Tue, 24 Aug 2021 10:51:32 +0200 From: Jan Kara To: Richard Guy Briggs Cc: Linux-Audit Mailing List , LKML , Paul Moore , Eric Paris , Steve Grubb , Jan Kara , Will Deacon , Alexander Viro , Seiji Nishikawa Subject: Re: [ghak-trim PATCH v1] audit: move put_tree() to avoid trim_trees refcount underflow and UAF Message-ID: <20210824085132.GA12376@quack2.suse.cz> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon 23-08-21 22:04:09, Richard Guy Briggs wrote: > AUDIT_TRIM is expected to be idempotent, but multiple executions resulted in a > refcount underflow and use-after-free. > > git bisect fingered commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca (2019-11) > ("locking/refcount: Consolidate implementations of refcount_t") > but this patch with its more thorough checking that wasn't in the x86 assembly > code merely exposed a previously existing tree refcount imbalance in the case > of tree trimming code that was refactored with prune_one() to remove a tree > introduced in commit 8432c70062978d9a57bde6715496d585ec520c3e (2018-11) > ("audit: Simplify locking around untag_chunk()") > > Move the put_tree() to cover only the prune_one() case. > > Passes audit-testsuite and 3 passes of "auditctl -t" with at least one > directory watch. > > Fixes: 8432c7006297 ("audit: Simplify locking around untag_chunk()") > Signed-off-by: Richard Guy Briggs > Cc: Jan Kara > Cc: Will Deacon > Cc: Alexander Viro > Cc: Seiji Nishikawa Ah, that was indeed a stupid mistake. Thanks for debugging this! The patch looks good to me. You can add: Reviewed-by: Jan Kara Honza > --- > kernel/audit_tree.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c > index b2be4e978ba3..2cd7b5694422 100644 > --- a/kernel/audit_tree.c > +++ b/kernel/audit_tree.c > @@ -593,7 +593,6 @@ static void prune_tree_chunks(struct audit_tree *victim, bool tagged) > spin_lock(&hash_lock); > } > spin_unlock(&hash_lock); > - put_tree(victim); > } > > /* > @@ -602,6 +601,7 @@ static void prune_tree_chunks(struct audit_tree *victim, bool tagged) > static void prune_one(struct audit_tree *victim) > { > prune_tree_chunks(victim, false); > + put_tree(victim); > } > > /* trim the uncommitted chunks from tree */ > -- > 2.27.0 > -- Jan Kara SUSE Labs, CR