www.infradead.org Git - users/dwmw2/linux.git/commit

author	David Howells <dhowells@redhat.com>
	Thu, 26 May 2022 06:34:52 +0000 (07:34 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 6 Jun 2022 06:48:53 +0000 (08:48 +0200)
commit	71c603806614c6715165eed06099e24c2e41ad58
tree	73ef010629f074bd98f1bfcdbe42438a6eeee01f	tree
parent	05e0caaf5133a5924636aaa7d69694f889ab58b6	commit \| diff

pipe: Fix missing lock in pipe_resize_ring()

commit 189b0ddc245139af81198d1a3637cac74f96e13a upstream.

pipe_resize_ring() needs to take the pipe->rd_wait.lock spinlock to
prevent post_one_notification() from trying to insert into the ring
whilst the ring is being replaced.

The occupancy check must be done after the lock is taken, and the lock
must be taken after the new ring is allocated.

The bug can lead to an oops looking something like:

BUG: KASAN: use-after-free in post_one_notification.isra.0+0x62e/0x840
Read of size 4 at addr ffff88801cc72a70 by task poc/27196
...
Call Trace:
  post_one_notification.isra.0+0x62e/0x840
  __post_watch_notification+0x3b7/0x650
  key_create_or_update+0xb8b/0xd20
  __do_sys_add_key+0x175/0x340
  __x64_sys_add_key+0xbe/0x140
  do_syscall_64+0x5c/0xc0
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Selim Enes Karaduman @Enesdex working with Trend Micro Zero
Day Initiative.

Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17291
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>