Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-12-29 17:25:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
826cc42adf
linux-stable/drivers/block
History
Yang Erkun 826cc42adf brd: defer automatic disk creation until module initialization succeeds 
My colleague Wupeng found the following problems during fault injection:

BUG: unable to handle page fault for address: fffffbfff809d073
PGD 6e648067 P4D 123ec8067 PUD 123ec4067 PMD 100e38067 PTE 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 5 UID: 0 PID: 755 Comm: modprobe Not tainted 6.12.0-rc3+ #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.16.1-2.fc37 04/01/2014
RIP: 0010:__asan_load8+0x4c/0xa0
...
Call Trace:
 <TASK>
 blkdev_put_whole+0x41/0x70
 bdev_release+0x1a3/0x250
 blkdev_release+0x11/0x20
 __fput+0x1d7/0x4a0
 task_work_run+0xfc/0x180
 syscall_exit_to_user_mode+0x1de/0x1f0
 do_syscall_64+0x6b/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

loop_init() is calling loop_add() after __register_blkdev() succeeds and
is ignoring disk_add() failure from loop_add(), for loop_add() failure
is not fatal and successfully created disks are already visible to
bdev_open().

brd_init() is currently calling brd_alloc() before __register_blkdev()
succeeds and is releasing successfully created disks when brd_init()
returns an error. This can cause UAF for the latter two case:

case 1:
    T1:
modprobe brd
  brd_init
    brd_alloc(0) // success
      add_disk
        disk_scan_partitions
          bdev_file_open_by_dev // alloc file
          fput // won't free until back to userspace
    brd_alloc(1) // failed since mem alloc error inject
  // error path for modprobe will release code segment
  // back to userspace
  __fput
    blkdev_release
      bdev_release
        blkdev_put_whole
          bdev->bd_disk->fops->release // fops is freed now, UAF!

case 2:
    T1:                            T2:
modprobe brd
  brd_init
    brd_alloc(0) // success
                                   open(/dev/ram0)
    brd_alloc(1) // fail
  // error path for modprobe

                                   close(/dev/ram0)
                                   ...
                                   /* UAF! */
                                   bdev->bd_disk->fops->release

Fix this problem by following what loop_init() does. Besides,
reintroduce brd_devices_mutex to help serialize modifications to
brd_list.

Fixes: 7f9b348cb5 ("brd: convert to blk_alloc_disk/blk_cleanup_disk")
Reported-by: Wupeng Ma <mawupeng1@huawei.com>
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20241030034914.907829-1-yangerkun@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-10-30 07:31:07 -06:00
..
aoe block-6.12-20241004 2024-10-04 10:43:44 -07:00
drbd block-6.12-20241018 2024-10-18 15:53:00 -07:00
mtip32xx [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
null_blk null_blk: Don't bother validating blocksize 2024-07-09 00:00:17 -06:00
rnbd block/rnbd-srv: Add sanity check and remove redundant assignment 2024-08-28 08:50:35 -06:00
xen-blkback xen/blkback: add missing MODULE_DESCRIPTION() macro 2024-07-10 00:21:18 -06:00
zram zram: don't free statically defined names 2024-09-26 14:01:44 -07:00
amiflop.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-19 08:14:49 -06:00
ataflop.c Merge branch 'for-6.11/block-limits' into for-6.11/block 2024-06-19 08:14:49 -06:00
brd.c brd: defer automatic disk creation until module initialization succeeds 2024-10-30 07:31:07 -06:00
floppy.c floppy: add missing MODULE_DESCRIPTION() macro 2024-07-10 00:22:03 -06:00
Kconfig rust: block: add rnull, Rust null_blk implementation 2024-06-14 07:45:04 -06:00
loop.c loop: Use bdev limit helpers for configuring discard 2024-10-30 07:23:57 -06:00
Makefile rust: block: add rnull, Rust null_blk implementation 2024-06-14 07:45:04 -06:00
n64cart.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
nbd.c nbd: correct the maximum value for discard sectors 2024-09-06 08:31:40 -06:00
pktcdvd.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ps3disk.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
ps3vram.c block: pass a queue_limits argument to blk_alloc_disk 2024-02-19 16:58:23 -07:00
rbd_types.h libceph, rbd: replace zero-length array with flexible-array 2020-06-01 13:22:53 +02:00
rbd.c A small patchset to address bogus I/O errors and ultimately an 2024-07-26 10:34:42 -07:00
rnull.rs rust: block: add rnull, Rust null_blk implementation 2024-06-14 07:45:04 -06:00
sunvdc.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
swim3.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
swim_asm.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
ublk_drv.c ublk: support device recovery without I/O queueing 2024-10-22 08:16:37 -06:00
virtio_blk.c virtio: features, fixes, cleanups 2024-07-19 11:57:55 -07:00
xen-blkfront.c xen-blkfront: fix sector_size propagation to the block layer 2024-07-02 08:58:12 -06:00
z2ram.c z2ram: add missing MODULE_DESCRIPTION() macro 2024-06-19 07:54:00 -06:00