Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Date:   Wed, 4 Oct 2023 10:54:29 -0400
From:   Daniel Jordan <daniel.m.jordan@oracle.com>
To:     Wang Jinchao <wangjinchao@xfusion.com>
Cc:     Steffen Klassert <steffen.klassert@secunet.com>,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] padata: Fix the UAF issue related to parallel_data
Message-ID: <rjayevj3rwpj6wt2uq2jc7c3oqbewnobdqhs5bkrjte7fxzkct@k5rpt4g6tnqh>
References: <ZRTLHY5A+VqIKhA2@fedora>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZRTLHY5A+VqIKhA2@fedora>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?QemNEKb0HjhevulqiWBIFpAg3X9O+W/ouJ5YO4pvrE1Dc1ctZfGpEKuSu31L?=
 =?us-ascii?Q?y6qgLo8xhpMdQclNUoW/R0g0JaafiI99zH5EGlRmwMA1TOmx1zjHCWV+JrTG?=
 =?us-ascii?Q?SVAJVhxM/lQWrnvFlTWa30nlUFRKR4zxxjSmyKasT7vx/OhWHznfSxzUPgF8?=
 =?us-ascii?Q?OqVHvIWdgAmQRh+ZpG3+Z8twCGbeZXltzzmkmKnBKsYD17ksnADweOIYip9K?=
 =?us-ascii?Q?NzL/t7tqLBiyY2pKYcHm1lnpqzteJBO4VC4juN7XOhrJkzG8P2GnIaBI8HY9?=
 =?us-ascii?Q?rpjipo5+iBSYDkTxg90ytAtYxVfG/lOax28stS9i+3giujo7DyYS17Dpr3F2?=
 =?us-ascii?Q?9ws+hMgZhl7aSgLhFxX/iYXaUtfiEEVsROxXEFtRqPWf7juX9wEFYRaJRizK?=
 =?us-ascii?Q?tVG16KRxgXttwCyxTnUrUENmhLylp5411wGbTnkrgwEYJLv5EcKWgdja8MkZ?=
 =?us-ascii?Q?LdpDvS74RSnAlHasTgphGcxjrMseXiFsQ2KatkOkdl/YVP1wI9SgHcOYxoJX?=
 =?us-ascii?Q?C8t9V32ZLpQl6lTnSmPG+N1mchysxv/GqBc516dJkh8Bdm4+FDjW+G+qL9t6?=
 =?us-ascii?Q?fIZ1fSwEeobLaXPvJyEYEsy7Eo6JVIVLO6yu33WbW4DoJqjEAFWV6G/2AOEp?=
 =?us-ascii?Q?JoxvfOKpjESdYvCdrUJXbS7xJOUChL9i43ruUWuzB+gsdslcq73ns1y1lzEL?=
 =?us-ascii?Q?lciBkhTTTWlqp1nDdUiqQLsqaZGhnRLfSINeXfIOrCq4qumjxEDseyWNYTx/?=
 =?us-ascii?Q?xiFtk5Tzm19fg9nLpXZ2lchvXLKVn7qSC8A1parCWVWwZUrCNurvbKmppGib?=
 =?us-ascii?Q?m2niL9BHLtCS8/IHFbbJFEp5436SQaC13JIblmY3kj2Cq6nyWxlhGaXkP3Th?=
 =?us-ascii?Q?JmP8UdhdiZA/Eo4Kedg/fk2/+e+a51SvT7KB5ZkS3uJyKj7Cvl3JiW5r/0NJ?=
 =?us-ascii?Q?Ao1GmbugRxlhoRxY1zxlJhu8sQobjW+LxDSFxgZXDDhb9BzJ3aIx+IjQPfgQ?=
 =?us-ascii?Q?mc9g/s5AHR4m5zge/9au7fjwJMy2zkpOBb4+jMNgjt5GuMJ0j2+DshAB3WBq?=
 =?us-ascii?Q?HshSYONNH3osJEUsq4b2OQ7UZG/HC3d8wRWSKTqJiI+RM6/Fi8GXtbPeMhxI?=
 =?us-ascii?Q?QTi9RUGc0r2ECdGvy+d717VCQtM/qPskdsiUZshaMys3joycTa55RG6AlpZs?=
 =?us-ascii?Q?6uzFz7lyvJlbU+n65D0Gf1Rj821sn6oPS7biUoWfW04VouegyuOyBbNyTGRM?=
 =?us-ascii?Q?23nRpQaYkcHXhbJpTzLNlLiRxsSuakmrsQupk1z7GCXHy75rzwrL0gfCoG+C?=
 =?us-ascii?Q?s5QuIqqyNPKeFZgBvfDn80kbSna0qN0jBatIxZXQyk7KLPAvbj6qmfiVt+3F?=
 =?us-ascii?Q?Uqlh4uOU13nOniDf6fO+4td7FZtBRbZ1Q+iQ2AVHPE8m5hNndExJN/VBYt+w?=
 =?us-ascii?Q?YuqyQelwIZa0DGm7EMEHeFuGp2etErhRuXVFSOKfbQ4ZuvpKW6uiondotYOn?=
 =?us-ascii?Q?HjU7HHhIMqdNdFASAUBPTD6ayPX3c8YmtMP578+a9f0bcpTTF/nfgeJW771e?=
 =?us-ascii?Q?CaVgmF0iHjWI1V6BNeD4G1kHpJB+s+9zlekCZEdsU8Iw7wz7qOjbvaiqzuBr?=
 =?us-ascii?Q?WA=3D=3D?=
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 2dXJfYXV5hJ9S+lDsHWv/J09H+WOAsDcVScSMK6E3VEwECbx7sX9YideXagfi7ZmyWeSKp19Vi97DwrdsT0Hk+RnmKltJPMlJ+7C/HneNClkmJs8Ud2H5T+QsHU3mkIHQOfuZ/DeJi5OdD9cye4Y1GpE8X86/LhaKZ3qA+HCVAF39WXQHyccaXPJLEPbQIVfBB5JyWbcpjz1HSCbX292/DP6ZmMEmZNg+kXKanX80Qc5Po+6Ik5WtmJWxd6PUpHRdtie8Dvlz53cH8CU6RBi171Cs/NbrijY4UdzkjUXBzStwShhaPccp6jHx2LaLWJgQBxyW4C4/QygA58qb1+sSg4Iy1cOC3ayCVBbWxFt48vmoEdwhodWlvjOVpURtlH5VIUbZ/PCcilYtQa9Su1jDdkGWObYIliNlBgTEmLRdYjDoa/JryOl8ZWMdGDSeq4/105Z/T4r7X/TB/rZYIkPur/DrRDq9G4T45tI3pJh6w5PFaz9PSphtrk0Q12pXo5tH4H0x+tCCaduBgdDcXBiGY/iKeJNOfaaQ4PI2CNSkjUHGAaRJ73r7FlGcZZ3fiik/HWijcqbyYlWjpxObDfyuc/e7KcwpMXc0UHDLcVmzEMOG5x+QShy9UFVBXyAMyk0IGZaX53fTTTM0e/Suo7f27HxwPT4Wtaex07p68/pXfX9ZGzoUlN+XXBssNdmqlaB/a+R7v3EfD0GYjDJ47bb51ncbFSHwGd87m/nJHO6bzGVyLig+senRrHAVferq8M+3/ychmBYF0FkHTRg3/0ry+jwhWDPVRzQUMnZJ0vS9xULynlRzaDNBTeX7zSIE17atcBYfajC2b7/GFcnAG+lzw==
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e8e61893-308d-4dfe-db70-08dbc4e9d2a8
X-MS-Exchange-CrossTenant-AuthSource: SA1PR10MB5711.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Oct 2023 14:54:34.5650
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: ELOsMHABtovLf7sm9pIi+zLnTKB4TPtt+19Jg5Ml/urprwL78B68CLK6FaAWHGyBYY/87gA0Y5nzy8wyIJtJkoryBfUbTGvCBqH1w+40mlE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR10MB4546
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-10-04_07,2023-10-02_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxlogscore=999
 suspectscore=0 malwarescore=0 spamscore=0 bulkscore=0 mlxscore=0
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2309180000 definitions=main-2310040108
X-Proofpoint-ORIG-GUID: 414ve4Zl8iejylNfU-f54FxIFxdiP_bB
X-Proofpoint-GUID: 414ve4Zl8iejylNfU-f54FxIFxdiP_bB
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Wed, 04 Oct 2023 07:54:43 -0700 (PDT)

On Thu, Sep 28, 2023 at 08:38:53AM +0800, Wang Jinchao wrote:
> In a high-load arm64 environment, the pcrypt_aead01 test in LTP can lead to
> system UAF (Use-After-Free) issues. Due to the lengthy analysis of the
> pcrypt_aead01 function call, I'll describe the problem scenario using a
> simplified model:
> 
> Suppose there's a user of padata named `user_function` that adheres to
> the padata requirement of calling `padata_free_shell` after `serial()`
> has been invoked, as demonstrated in the following code:
> 
> ```c
> struct request {
>     struct padata_priv padata;
>     struct completion *done;
> };
> 
> void parallel(struct padata_priv *padata) {
>     do_something();
> }
> 
> void serial(struct padata_priv *padata) {
>     struct request *request = container_of(padata, struct request, padata);
>     complete(request->done);
> }
> 
> void user_function() {
>     DECLARE_COMPLETION(done)
>     padata->parallel = parallel;
>     padata->serial = serial;
>     padata_do_parallel();
>     wait_for_completion(&done);
>     padata_free_shell();
> }
> ```
> 
> In the corresponding padata.c file, there's the following code:
> 
> ```c
> static void padata_serial_worker(struct work_struct *serial_work) {
>     ...
>     cnt = 0;
> 
>     while (!list_empty(&local_list)) {
>         ...
>         padata->serial(padata);
>         cnt++;
>     }
> 
>     local_bh_enable();
> 
>     if (refcount_sub_and_test(cnt, &pd->refcnt))
>         padata_free_pd(pd);
> }
> ```
> 
> Because of the high system load and the accumulation of unexecuted
> softirq at this moment, `local_bh_enable()` in padata takes longer
> to execute than usual. Subsequently, when accessing `pd->refcnt`,
> `pd` has already been released by `padata_free_shell()`, resulting
> in a UAF issue with `pd->refcnt`.
> 
> The fix is straightforward: add `refcount_dec_and_test` before calling
> `padata_free_pd` in `padata_free_shell`.

This could use a Fixes tag.  From Nicolai's patch[0] we agreed on

Fixes: 07928d9bfc81 ("padata: Remove broken queue flushing")

With that,

Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>

Thanks!

[0] https://lore.kernel.org/all/87educb7rm.fsf@suse.de/

> Signed-off-by: Wang Jinchao <wangjinchao@xfusion.com>
> ---
> V2:
>     To satisfy Sparse, use rcu_dereference_protected.
>     Reported-by: kernel test robot <lkp@intel.com>
>     Closes: https://lore.kernel.org/oe-kbuild-all/202309270829.xHgTOMKw-lkp@intel.com/
> 
> V1: https://lore.kernel.org/all/ZRE4XvOOhz4HSOgR@fedora/
> 
>  kernel/padata.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/padata.c b/kernel/padata.c
> index 222d60195de6..acef1e703a8b 100644
> --- a/kernel/padata.c
> +++ b/kernel/padata.c
> @@ -1107,7 +1107,9 @@ void padata_free_shell(struct padata_shell *ps)
>  
>  	mutex_lock(&ps->pinst->lock);
>  	list_del(&ps->list);
> -	padata_free_pd(rcu_dereference_protected(ps->pd, 1));
> +	struct parallel_data *pd = rcu_dereference_protected(ps->pd, 1);
> +	if (refcount_dec_and_test(&pd->refcnt))
> +		padata_free_pd(pd);
>  	mutex_unlock(&ps->pinst->lock);
>  
>  	kfree(ps);
> -- 
> 2.40.0
>