From: Paul Moore
Date: Tue, 24 Aug 2021 18:58:31 -0400
Subject: Re: [ghak-trim PATCH v1] audit: move put_tree() to avoid trim_trees refcount underflow and UAF
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, Eric Paris, Steve Grubb, Jan Kara, Will Deacon, Alexander Viro, Seiji Nishikawa
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 23, 2021 at 10:05 PM Richard Guy Briggs wrote:
>
> AUDIT_TRIM is expected to be idempotent, but multiple executions resulted in a
> refcount underflow and use-after-free.
>
> git bisect fingered commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca (2019-11)
> ("locking/refcount: Consolidate implementations of refcount_t")
> but this patch with its more thorough checking that wasn't in the x86 assembly
> code merely exposed a previously existing tree refcount imbalance in the case
> of tree trimming code that was refactored with prune_one() to remove a tree
> introduced in commit 8432c70062978d9a57bde6715496d585ec520c3e (2018-11)
> ("audit: Simplify locking around untag_chunk()")
>
> Move the put_tree() to cover only the prune_one() case.
>
> Passes audit-testsuite and 3 passes of "auditctl -t" with at least one
> directory watch.
>
> Fixes: 8432c7006297 ("audit: Simplify locking around untag_chunk()")
> Signed-off-by: Richard Guy Briggs
> Cc: Jan Kara
> Cc: Will Deacon
> Cc: Alexander Viro
> Cc: Seiji Nishikawa
> ---
>  kernel/audit_tree.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

First a quick comment about the commit description: when referencing specific
commits in the description please use the same format that you used in the
"Fixes:" tag; it makes the description easier to read. No need to resend, I
fixed it when I merged your patch, but something to keep in mind for the
future.

As for the patch itself, thanks for finding this and sending a fix. Normally
this is something I would send up to Linus at the end of the week during the
-rcX phase, but since we are currently at -rc7 I'm going to simply add the
-stable marking and merge it into audit/next to get pushed up to Linus early
next week, assuming we see v5.14 released this Sunday. If for some reason we
see a v5.14-rc8 next week I'll adjust things and send it to Linus as a -stable
patch.

--
paul moore
www.paul-moore.com
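The imbalance the commit message describes, as an added toy model in C that is not the kernel's code and not part of this thread: a helper shared by the trim path and the prune_one() path drops a tree reference on behalf of every caller, so the trim path, which never took that reference, underflows the count; moving the put to the prune_one() caller balances it. The helper name prune_tree_chunks and the exact ownership of references are assumptions made for the model.

```c
#include <stdbool.h>

/* Toy model only: names mirror audit_tree.c (put_tree, prune_one) but the
 * bodies keep nothing except the reference-counting behaviour. */
struct audit_tree {
    int count;        /* the real kernel uses refcount_t */
    int underflows;   /* puts that went below zero (a UAF in real life) */
};

static void get_tree(struct audit_tree *t) { t->count++; }

static void put_tree(struct audit_tree *t)
{
    if (t->count <= 0) {   /* refcount_t would WARN and saturate here */
        t->underflows++;
        return;
    }
    t->count--;
}

/* Assumed shared helper; before the fix it dropped a ref for every caller. */
static void prune_tree_chunks(struct audit_tree *t, bool tagged, bool buggy)
{
    (void)tagged;          /* chunk bookkeeping elided in the model */
    if (buggy)
        put_tree(t);
}

/* This caller owns a reference (the tree sat on the prune list). */
static void prune_one(struct audit_tree *t, bool buggy)
{
    prune_tree_chunks(t, false, buggy);
    if (!buggy)
        put_tree(t);       /* after the fix only this path drops it */
}

/* AUDIT_TRIM path: holds no extra reference of its own. */
static void trim_tree(struct audit_tree *t, bool buggy)
{
    prune_tree_chunks(t, true, buggy);
}

/* Run `trims` trims, then one prune, then release the creator's ref.
 * Returns how many underflows were observed (0 means balanced). */
int run_scenario(bool buggy, int trims)
{
    struct audit_tree t = { .count = 1, .underflows = 0 }; /* creator ref */
    get_tree(&t);          /* ref held by the prune list */
    for (int i = 0; i < trims; i++)
        trim_tree(&t, buggy);
    prune_one(&t, buggy);
    put_tree(&t);          /* creator drops its ref */
    return t.underflows;
}
```

Even a single trim is one put too many in the buggy version; repeating "auditctl -t" just makes the underflow reproduce sooner.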