Return-Path: <linux-kernel-owner+w=401wt.eu-S1752167AbZJPVut@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752167AbZJPVut (ORCPT <rfc822;w@1wt.eu>);
	Fri, 16 Oct 2009 17:50:49 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751879AbZJPVus
	(ORCPT <rfc822;linux-kernel-outgoing>);
	Fri, 16 Oct 2009 17:50:48 -0400
Received: from cantor.suse.de ([195.135.220.2]:53958 "EHLO mx1.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751687AbZJPVus (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 16 Oct 2009 17:50:48 -0400
Date: Fri, 16 Oct 2009 23:50:46 +0200 (CEST)
From: Jiri Kosina <jkosina@suse.cz>
X-X-Sender: jikos@twin.jikos.cz
To: Earl Chew <earl_chew@agilent.com>
Cc: linux-kernel@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>,
       Jens Axboe <jens.axboe@oracle.com>
Subject: Re: [PATCH v1 1/1]: fs: pipe.c null pointer dereference
In-Reply-To: <4AD8852E.2090302@agilent.com>
Message-ID: <alpine.LRH.2.00.0910162349040.20992@twin.jikos.cz>
References: <4AD8852E.2090302@agilent.com>
User-Agent: Alpine 2.00 (LRH 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4407
Lines: 154


[ adding some CCs, so that this userspace-triggerable NULL pointer 
  dereference doesn't get lost in the deep dark waters of LKML ]

On Fri, 16 Oct 2009, Earl Chew wrote:

> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
> 
> 
> > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
> 
> This defect is also described in:
>   http://lkml.org/lkml/2009/10/14/184
>   http://bugzilla.kernel.org/show_bug.cgi?id=14416
> 
> 
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
> 
> =============================================================
> #!/bin/sh
> while : ; do
>    { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
>    PID=$!
>    OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
>         { read PID REST ; echo $PID; } )
>    OUT="${OUT%% *}"
>    DELAY=$((RANDOM * 1000 / 32768))
>    usleep $((DELAY * 1000 + RANDOM % 1000 ))
>    echo n > /proc/$OUT/fd/1                 # Trigger defect
> done
> =============================================================
> 
> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
> 
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
>        msleep(100);
>        mutex_lock(&inode->i_mutex);
> 
> 
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
> 
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
> 
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.
> 
> 
> 
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig	2009-10-15 20:33:53.000000000
> -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c	2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
>  static int
>  pipe_read_open(struct inode *inode, struct file *filp)
>  {
> -	/* We could have perhaps used atomic_t, but this and friends
> -	   below are the only places.  So it doesn't seem worthwhile.  */
> +	int ret = -ENOENT;
> +
>  	mutex_lock(&inode->i_mutex);
> -	inode->i_pipe->readers++;
> +
> +	if (inode->i_pipe) {
> +		ret = 0;
> +		inode->i_pipe->readers++;
> +	}
> +
>  	mutex_unlock(&inode->i_mutex);
> 
> -	return 0;
> +	return ret;
>  }
> 
>  static int
>  pipe_write_open(struct inode *inode, struct file *filp)
>  {
> +	int ret = -ENOENT;
> +
>  	mutex_lock(&inode->i_mutex);
> -	inode->i_pipe->writers++;
> +
> +	if (inode->i_pipe) {
> +		ret = 0;
> +		inode->i_pipe->writers++;
> +	}
> +
>  	mutex_unlock(&inode->i_mutex);
> 
> -	return 0;
> +	return ret;
>  }
> 
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
> +	int ret = -ENOENT;
> +
>  	mutex_lock(&inode->i_mutex);
> -	if (filp->f_mode & FMODE_READ)
> -		inode->i_pipe->readers++;
> -	if (filp->f_mode & FMODE_WRITE)
> -		inode->i_pipe->writers++;
> +
> +	if (inode->i_pipe) {
> +		ret = 0;
> +		if (filp->f_mode & FMODE_READ)
> +			inode->i_pipe->readers++;
> +		if (filp->f_mode & FMODE_WRITE)
> +			inode->i_pipe->writers++;
> +	}
> +
>  	mutex_unlock(&inode->i_mutex);
> 
> -	return 0;
> +	return ret;
>  }
> 
>  /*
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

-- 
Jiri Kosina
SUSE Labs, Novell Inc.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/