[RHEL7,COMMIT] ms/kernel/kmod: fix use-after-free of the sub_info structure

Submitted by Vasily Averin on Aug. 24, 2020, 1:47 p.m.

Details

Message ID 202008241347.07ODlpOL021762@vz7build.vvs.sw.ru
State New
Series "ms/kernel/kmod: fix use-after-free of the sub_info structure"
Headers show

Commit Message

Vasily Averin Aug. 24, 2020, 1:47 p.m.
The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.8
------>
commit b970da536cb20510058d6013b29b0ef34e3228c6
Author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date:   Mon Aug 24 16:47:51 2020 +0300

    ms/kernel/kmod: fix use-after-free of the sub_info structure
    
    Found this in the message log on a s390 system:
    
        BUG kmalloc-192 (Not tainted): Poison overwritten
        Disabling lock debugging due to kernel taint
        INFO: 0x00000000684761f4-0x00000000684761f7. First byte 0xff instead of 0x6b
        INFO: Allocated in call_usermodehelper_setup+0x70/0x128 age=71 cpu=2 pid=648
         __slab_alloc.isra.47.constprop.56+0x5f6/0x658
         kmem_cache_alloc_trace+0x106/0x408
         call_usermodehelper_setup+0x70/0x128
         call_usermodehelper+0x62/0x90
         cgroup_release_agent+0x178/0x1c0
         process_one_work+0x36e/0x680
         worker_thread+0x2f0/0x4f8
         kthread+0x10a/0x120
         kernel_thread_starter+0x6/0xc
         kernel_thread_starter+0x0/0xc
        INFO: Freed in call_usermodehelper_exec+0x110/0x1b8 age=71 cpu=2 pid=648
         __slab_free+0x94/0x560
         kfree+0x364/0x3e0
         call_usermodehelper_exec+0x110/0x1b8
         cgroup_release_agent+0x178/0x1c0
         process_one_work+0x36e/0x680
         worker_thread+0x2f0/0x4f8
         kthread+0x10a/0x120
         kernel_thread_starter+0x6/0xc
         kernel_thread_starter+0x0/0xc
    
    There is a use-after-free bug on the subprocess_info structure allocated
    by the user mode helper.  In case do_execve() returns with an error
    ____call_usermodehelper() stores the error code to sub_info->retval, but
    sub_info can already have been freed.
    
    Regarding UMH_NO_WAIT, the sub_info structure can be freed by
    __call_usermodehelper() before the worker thread returns from
    do_execve(), allowing memory corruption when do_execve() failed after
    exec_mmap() is called.
    
    Regarding UMH_WAIT_EXEC, the call to umh_complete() allows
    call_usermodehelper_exec() to continue which then frees sub_info.
    
    To fix this race the code needs to make sure that the call to
    call_usermodehelper_freeinfo() is always done after the last store to
    sub_info->retval.
    
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    
    https://jira.sw.ru/browse/PSBM-107061
    (cherry-picked from commit 0baf2a4dbf75abb7c186fd6c8d55d27aaa354a29)
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 kernel/kmod.c | 76 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 37 insertions(+), 39 deletions(-)

Patch hide | download patch | download mbox

diff --git a/kernel/kmod.c b/kernel/kmod.c
index 7fc0ba9..de2bcfd 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -585,12 +585,34 @@  int __request_module(bool wait, const char *fmt, ...)
 EXPORT_SYMBOL(__request_module);
 #endif /* CONFIG_MODULES */
 
+static void call_usermodehelper_freeinfo(struct subprocess_info *info)
+{
+	if (info->cleanup)
+		(*info->cleanup)(info);
+	kfree(info);
+}
+
+static void umh_complete(struct subprocess_info *sub_info)
+{
+	struct completion *comp = xchg(&sub_info->complete, NULL);
+	/*
+	 * See call_usermodehelper_exec(). If xchg() returns NULL
+	 * we own sub_info, the UMH_KILLABLE caller has gone away
+	 * or the caller used UMH_NO_WAIT.
+	 */
+	if (comp)
+		complete(comp);
+	else
+		call_usermodehelper_freeinfo(sub_info);
+}
+
 /*
  * This is the task which runs the usermode application
  */
 static int ____call_usermodehelper(void *data)
 {
 	struct subprocess_info *sub_info = data;
+	int wait = sub_info->wait & ~UMH_KILLABLE;
 	struct cred *new;
 	int retval;
 
@@ -607,7 +629,7 @@  static int ____call_usermodehelper(void *data)
 	retval = -ENOMEM;
 	new = prepare_kernel_cred(current);
 	if (!new)
-		goto fail;
+		goto out;
 
 	spin_lock(&umh_sysctl_lock);
 	new->cap_bset = cap_intersect(usermodehelper_bset, new->cap_bset);
@@ -619,7 +641,7 @@  static int ____call_usermodehelper(void *data)
 		retval = sub_info->init(sub_info, new);
 		if (retval) {
 			abort_creds(new);
-			goto fail;
+			goto out;
 		}
 	}
 
@@ -628,12 +650,13 @@  static int ____call_usermodehelper(void *data)
 	retval = do_execve(getname_kernel(sub_info->path),
 			   (const char __user *const __user *)sub_info->argv,
 			   (const char __user *const __user *)sub_info->envp);
+out:
+	sub_info->retval = retval;
+	/* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */
+	if (wait != UMH_WAIT_PROC)
+		umh_complete(sub_info);
 	if (!retval)
 		return 0;
-
-	/* Exec failed? */
-fail:
-	sub_info->retval = retval;
 	do_exit(0);
 }
 
@@ -644,26 +667,6 @@  static int call_helper(void *data)
 	return ____call_usermodehelper(data);
 }
 
-static void call_usermodehelper_freeinfo(struct subprocess_info *info)
-{
-	if (info->cleanup)
-		(*info->cleanup)(info);
-	kfree(info);
-}
-
-static void umh_complete(struct subprocess_info *sub_info)
-{
-	struct completion *comp = xchg(&sub_info->complete, NULL);
-	/*
-	 * See call_usermodehelper_exec(). If xchg() returns NULL
-	 * we own sub_info, the UMH_KILLABLE caller has gone away.
-	 */
-	if (comp)
-		complete(comp);
-	else
-		call_usermodehelper_freeinfo(sub_info);
-}
-
 /* Keventd can't block, but this (a child) can. */
 static int wait_for_helper(void *data)
 {
@@ -725,18 +728,8 @@  static void __call_usermodehelper(struct kthread_work *work)
 		kmod_thread_locker = NULL;
 	}
 
-	switch (wait) {
-	case UMH_NO_WAIT:
-		call_usermodehelper_freeinfo(sub_info);
-		break;
-
-	case UMH_WAIT_PROC:
-		if (pid > 0)
-			break;
-		/* FALLTHROUGH */
-	case UMH_WAIT_EXEC:
-		if (pid < 0)
-			sub_info->retval = pid;
+	if (pid < 0) {
+		sub_info->retval = pid;
 		umh_complete(sub_info);
 	}
 }
@@ -991,7 +984,12 @@  static int __call_usermodehelper_exec(struct subprocess_info *sub_info,
 		goto out;
 	}
 
-	sub_info->complete = &done;
+	/*
+	 * Set the completion pointer only if there is a waiter.
+	 * This makes it possible to use umh_complete to free
+	 * the data structure in case of UMH_NO_WAIT.
+	 */
+	sub_info->complete = (wait == UMH_NO_WAIT) ? NULL : &done;
 	sub_info->wait = wait;
 
 	queue_kthread_work(worker, &sub_info->work);