pipe: Fix missing lock in pipe_resize_ring()
pipe_resize_ring() needs to take the pipe->rd_wait.lock spinlock to prevent
post_one_notification() from trying to insert into the ring whilst the ring is
being replaced.

The occupancy check must be done after the lock is taken, and the lock must be
taken after the new ring is allocated.

The bug can lead to an oops looking something like:

  BUG: KASAN: use-after-free in post_one_notification.isra.0+0x62e/0x840
  Read of size 4 at addr ffff88801cc72a70 by task poc/27196
  ...
  Call Trace:
   post_one_notification.isra.0+0x62e/0x840
   __post_watch_notification+0x3b7/0x650
   key_create_or_update+0xb8b/0xd20
   __do_sys_add_key+0x175/0x340
   __x64_sys_add_key+0xbe/0x140
   do_syscall_64+0x5c/0xc0
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported by Selim Enes Karaduman @Enesdex working with Trend Micro Zero Day
Initiative.

Fixes: c73be61c ("pipe: Add general notification queue support")
Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17291
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
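Added example, not code from the commit or the kernel: a userspace model of the ordering the message describes (allocate the new ring, then take the lock, then check occupancy and swap), with a pthread mutex standing in for pipe->rd_wait.lock; the struct and function names are constructed for illustration.

```c
/* Added example, not kernel code: models the lock ordering pipe_resize_ring()
 * needs; a pthread mutex stands in for pipe->rd_wait.lock. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
struct ring {
    pthread_mutex_t lock;          /* stands in for pipe->rd_wait.lock */
    int *slots;                    /* the ring buffer being replaced */
    unsigned int size, head, tail; /* size is a power of two; head fills, tail drains */
};
static int ring_init(struct ring *r, unsigned int size)
{
    r->slots = calloc(size, sizeof(int));
    if (!r->slots) return -ENOMEM;
    r->size = size, r->head = r->tail = 0;
    return pthread_mutex_init(&r->lock, NULL);
}
/* Producer (the post_one_notification() role): inserts only under the lock, so it
 * can never write into a slots[] array that ring_resize() is freeing. */
static int ring_post(struct ring *r, int v)
{
    int ret = -ENOSPC;
    pthread_mutex_lock(&r->lock);
    if (r->head - r->tail < r->size) {
        r->slots[r->head++ & (r->size - 1)] = v;
        ret = 0;
    }
    pthread_mutex_unlock(&r->lock);
    return ret;
}
/* Resize in the order the fix requires: allocate first (may sleep), then take the
 * lock, then check occupancy and swap the ring while no producer can insert. */
static int ring_resize(struct ring *r, unsigned int new_size)
{
    int *new_slots = calloc(new_size, sizeof(int));
    unsigned int i, n;
    if (!new_slots) return -ENOMEM;
    pthread_mutex_lock(&r->lock);
    n = r->head - r->tail;            /* occupancy, read only under the lock */
    if (n > new_size) {               /* live entries would be lost: refuse */
        pthread_mutex_unlock(&r->lock); free(new_slots);
        return -EBUSY;
    }
    for (i = 0; i < n; i++)           /* copy live entries into the new ring */
        new_slots[i] = r->slots[(r->tail + i) & (r->size - 1)];
    free(r->slots);                   /* safe: no producer holds a pointer to it */
    r->slots = new_slots; r->size = new_size;
    r->tail = 0; r->head = n;
    pthread_mutex_unlock(&r->lock);
    return 0;
}
```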