Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completing async USB via usbdevio

From: Sergey Vlasov
Date: Tue Sep 27 2005 - 11:01:02 EST

Next message: Badari Pulavarty: "Re: Fw: Re: 2.6.14-rc2-mm1 ide problems on AMD64"
Previous message: Jens Axboe: "Re: [patch 0/4] ide: Break ide_lock to per-hwgroup lock"
In reply to: Linus Torvalds: "Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completingasync USB via usbdevio"
Next in thread: Linus Torvalds: "Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC]Oops while completing async USB via usbdevio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 27, 2005 at 07:53:30AM -0700, Linus Torvalds wrote:
> On Sun, 25 Sep 2005, Harald Welte wrote:
> >
> > async_completed() calls send_sig_info(), which in turn does a
> > spin_lock(&tasklist_lock) to protect itself from task_struct->sighand
> > from going away. However, the call to
> > "spin_lock_irqsave(task_struct->sighand->siglock)" causes an oops,
> > because "sighand" has disappeared.
>
> And the real bug is that you're buggering up the system in the first
> place.
>
> You don't save "current". You save "pid", and then you send a signal using
> that and kill_proc_info(). End of story, bug gone. And it works with
> threaded programs too, which the old thing didn't work at all with.

And then a process calls USBDEVFS_SUBMITURB and immediately exits; its
pid gets reused by a completely different process (maybe even
root-owned), then the urb completes, and kill_proc_info() sends the
signal to the unsuspecting process.

> I refuse to apply this patch - Greg, don't even _try_ to sneak this in
> through a git merge. What a horribly broken thing to do: why would USB
> _ever_ need to know about things like tasklist_lock, and internal signal
> handling functions and rules like "p->sighand"?

Hmm, then probably send_sig_info() should check for non-NULL
p->sighand after taking tasklist_lock? Otherwise all uses of
send_sig_info() for non-current tasks are unsafe.

"git grep -w send_sig_info" shows that most callers call
send_sig_info() for the current task, except these:

arch/sparc/kernel/traps.c: send_sig_info(SIGFPE, &info, fpt);
arch/sparc64/kernel/sys_sunos32.c: send_sig_info(SIGSYS, &info, current);
drivers/char/drm/drm_irq.c: send_sig_info( vbl_sig->info.si_signo, &vbl_sig->info, vbl_sig->task );
drivers/usb/core/devio.c: send_sig_info(as->signr, &sinfo, as->task);
drivers/usb/core/inode.c: send_sig_info(ds->discsignr, &sinfo, ds->disctask);
drivers/usb/gadget/file_storage.c: send_sig_info(SIGUSR1, SEND_SIG_FORCED, thread_task);
kernel/signal.c: return send_sig_info(sig, (void*)(long)(priv != 0), p);

BTW, all other callers of send_sig_info() are under
arch/{alpha,arm,sparc,sparc64}/ - 23 total.

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Badari Pulavarty: "Re: Fw: Re: 2.6.14-rc2-mm1 ide problems on AMD64"
Previous message: Jens Axboe: "Re: [patch 0/4] ide: Break ide_lock to per-hwgroup lock"
In reply to: Linus Torvalds: "Re: [Security] [vendor-sec] [BUG/PATCH/RFC] Oops while completingasync USB via usbdevio"
Next in thread: Linus Torvalds: "Re: [linux-usb-devel] Re: [Security] [vendor-sec] [BUG/PATCH/RFC]Oops while completing async USB via usbdevio"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]