From: Schspa Shi <schspa@gmail.com>
To: Luis Chamberlain
Cc: mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, mgorman@suse.de, bristot@redhat.com, vschneid@redhat.com, linux-kernel@vger.kernel.org, syzbot+10d19d528d9755d9af22@syzkaller.appspotmail.com, syzbot+70d5d5d83d03db2c813d@syzkaller.appspotmail.com, syzbot+83cb0411d0fcf0a30fc1@syzkaller.appspotmail.com
Subject: Re: [PATCH] umh: fix UAF when the process is being killed
Date: Thu, 22 Dec 2022 20:09:38 +0800
References: <20221115140233.21981-1-schspa@gmail.com>
Attaching the full test program in case anyone wants to add some comments.

/*
 * complete-uaf.c --- UAF test for complete
 *
 * Copyright (C) 2022, Schspa Shi, all rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

#define pr_fmt(fmt) "complete-uaf-test:" fmt

/*
 * The header names were stripped from the archived copy of this mail; the
 * includes below are the ones this module needs to build.
 */
#include <linux/atomic.h>
#include <linux/completion.h>
#include <linux/delay.h>
#include <linux/jiffies.h>
#include <linux/kernel.h>
#include <linux/kthread.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/pid.h>
#include <linux/proc_fs.h>
#include <linux/random.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>
#include <linux/seq_file.h>
#include <linux/slab.h>

struct test_work {
	struct completion *complete;	/* points at the reader's on-stack `done` */
	struct pid *caller_pid;		/* the task reading the proc file */
	unsigned long delay_time;	/* ms to busy-yield before killing it */
	int id;
};

#define MAX_WAIT_TIMEOUT (50)

static atomic_t test_instance_count;

static bool use_fix = false;
module_param(use_fix, bool, 0444);
MODULE_PARM_DESC(use_fix, "Use fix");

static void mdelay_with_yield(unsigned long timeout_ms)
{
	unsigned long start = jiffies;

	do {
		yield();
	} while (jiffies_to_msecs(jiffies - start) < timeout_ms);
}

static void test_work_complete(struct test_work *workdata)
{
	struct completion *comp = xchg(&workdata->complete, NULL);

	/* Sleep for 100 milliseconds to simulate preemption */
	msleep(100);
	if (comp)
		complete(comp);
	/* Drop the reference taken with get_pid() in the proc handler */
	put_pid(workdata->caller_pid);
	kfree(workdata);
}

static int completion_thread(void *data)
{
	struct test_work *workdata = data;

	mdelay_with_yield(workdata->delay_time);
	/* Simulate an external kill signal */
	kill_pid(workdata->caller_pid, SIGKILL, 1);
	test_work_complete(workdata);

	return 0;
}

static int complete_uaf_test_proc_show(struct seq_file *m, void *v)
{
	struct task_struct *thread;
	DECLARE_COMPLETION_ONSTACK(done);
	struct test_work *workdata;
	int retval;
	int id;

	workdata = kzalloc(sizeof(*workdata), GFP_KERNEL);
	if (!workdata)
		return -ENOMEM;

	id = atomic_inc_return(&test_instance_count);
	workdata->complete = &done;
	workdata->id = id;
	workdata->delay_time = get_random_u32() % (MAX_WAIT_TIMEOUT);
	workdata->caller_pid = get_pid(task_tgid(current));

	thread = kthread_run(completion_thread, workdata,
			     "complete_uaf_test_kthread-%d", workdata->id);
	if (IS_ERR(thread)) {
		seq_printf(m, "kthread create failed with status %ld",
			   PTR_ERR(thread));
		put_pid(workdata->caller_pid);
		kfree(workdata);
		return PTR_ERR(thread);
	}

	retval = wait_for_completion_killable(&done);
	if (retval) {
		/*
		 * Killed before the thread completed us. Race the thread for
		 * the completion pointer: if we win, the thread will never
		 * touch `done` and we can return. If the thread already took
		 * it, it is about to call complete() on our stack; with the
		 * fix we wait for that, without it we return and the thread's
		 * complete() lands on a dead stack frame (the UAF).
		 */
		if (xchg(&workdata->complete, NULL))
			goto exit;
		if (use_fix)
			wait_for_completion(&done);
	}
	seq_printf(m, "test %d success\n", id);

exit:
	return 0;
}

static int __init complete_uaf_test_init(void)
{
	if (!proc_create_single("complete_uaf_test", 0, NULL,
				complete_uaf_test_proc_show))
		return -ENOMEM;
	return 0;
}
module_init(complete_uaf_test_init);

static void __exit complete_uaf_test_exit(void)
{
	remove_proc_entry("complete_uaf_test", NULL);
}
module_exit(complete_uaf_test_exit);

MODULE_AUTHOR("Schspa <schspa@gmail.com>");
MODULE_LICENSE("GPL v2");

-- 
BRs
Schspa Shi
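The race the module above reproduces (reader killed while a kthread still holds a pointer to the reader's on-stack completion) can be studied without loading a kernel module. The following is an added example, not code from the mail or from the kernel: a user-space pthreads model of the same hand-off. A mutex and condition variable stand in for the kernel completion, a timed wait that gives up stands in for SIGKILL, and an `alive` flag models the lifetime of the on-stack `done`. Nothing is really freed, so a `complete()` that arrives after the waiter's frame is gone is counted rather than corrupting memory. All names, delays and the `run_round()` / `use_fix` plumbing are this example's own assumptions; the delays are chosen so the waiter always loses the `xchg` race, which is the case the fix in the module exists for.

```c
#define _DEFAULT_SOURCE 1
/* Added example (not the mail's code): user-space pthreads model of the hand-off
 * the kernel test exercises; see the lead-in for what stands in for what. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Timings (example's own): signaller claims the pointer at 10 ms, the waiter is
 * killed at 100 ms, complete() fires at ~210 ms, so the waiter always loses. */
#define SIGNAL_DELAY_US  10000
#define PREEMPT_DELAY_US 200000		/* the msleep(100) of the kernel test */
#define KILL_AFTER_MS    100

struct completion {
	pthread_mutex_t lock;
	pthread_cond_t cv;
	bool done;
	bool alive;		/* false once the frame owning `done` has returned */
};

struct test_work { _Atomic(struct completion *) complete; };

static atomic_int late_completes;	/* complete() calls that hit a dead frame */

static void complete(struct completion *c)
{
	pthread_mutex_lock(&c->lock);
	if (!c->alive)			/* in the kernel: a write into freed stack */
		atomic_fetch_add(&late_completes, 1);
	c->done = true;
	pthread_cond_broadcast(&c->cv);
	pthread_mutex_unlock(&c->lock);
}

/* ms > 0: wait_for_completion_killable() stand-in, 0 if completed, -1 if "killed"
 * by the deadline. ms == 0: plain wait_for_completion(). */
static int wait_for_completion_sim(struct completion *c, unsigned ms)
{
	struct timespec dl;
	int rc = 0, done;

	clock_gettime(CLOCK_REALTIME, &dl);
	dl.tv_sec += ms / 1000;
	dl.tv_nsec += (long)(ms % 1000) * 1000000L;
	if (dl.tv_nsec >= 1000000000L) { dl.tv_sec++; dl.tv_nsec -= 1000000000L; }
	pthread_mutex_lock(&c->lock);
	while (!c->done && rc == 0)
		rc = ms ? pthread_cond_timedwait(&c->cv, &c->lock, &dl)
			: pthread_cond_wait(&c->cv, &c->lock);
	done = c->done;
	pthread_mutex_unlock(&c->lock);
	return done ? 0 : -1;
}

/* The kthread side: claim the pointer, get "preempted", then signal. */
static void *signaller(void *arg)
{
	struct test_work *w = arg;
	struct completion *c;

	usleep(SIGNAL_DELAY_US);
	c = atomic_exchange(&w->complete, (struct completion *)NULL);
	usleep(PREEMPT_DELAY_US);
	if (c)
		complete(c);
	return NULL;
}

/* The proc_show side. Returns how many complete() calls landed after the waiter's
 * frame was gone: 1 reproduces the UAF, 0 means the hand-off was safe. */
static int run_round(bool use_fix)
{
	struct completion done = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER,
				   false, true };
	struct test_work w = { &done };
	pthread_t thr;

	atomic_store(&late_completes, 0);
	pthread_create(&thr, NULL, signaller, &w);
	if (wait_for_completion_sim(&done, KILL_AFTER_MS)) {
		/* Killed: race the signaller for the pointer, whoever gets it owns `done`.
		 * Lost it with use_fix: wait out the complete() it is about to issue.
		 * Lost it without: return while it still holds &done (the UAF). */
		if (!atomic_exchange(&w.complete, (struct completion *)NULL) && use_fix)
			wait_for_completion_sim(&done, 0);
	}
	pthread_mutex_lock(&done.lock);
	done.alive = false;		/* the kernel frame is torn down here */
	pthread_mutex_unlock(&done.lock);
	pthread_join(thr, NULL);	/* let the model finish before reporting */
	return atomic_load(&late_completes);
}

int main(void)
{
	printf("use_fix=0: %d late complete()\n", run_round(false));
	printf("use_fix=1: %d late complete()\n", run_round(true));
	return 0;
}
```

Build with `cc -pthread` and run: with `use_fix` off the signaller's `complete()` arrives after the waiter has "returned" and is counted once; with it on the waiter that lost the `xchg` race sits in the second wait until the signaller is done, so nothing lands on the dead frame. The essential point is the same as in the module: after `wait_for_completion_killable()` fails, `xchg()` decides who owns the stack completion, and the loser of that race is the one that must block.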