Re: [PATCH] kernel/kmod: fix use-after-free of the sub_info structure

[Tetsuo Handa]

Martin Schwidefsky wrote:
> Found this in the message log on a s390 system:
> 
> BUG kmalloc-192 (Not tainted): Poison overwritten

The use-after-free location you are suspecting is

----------
        retval = do_execve(getname_kernel(sub_info->path),
                           (const char __user *const __user *)sub_info->argv,
                           (const char __user *const __user *)sub_info->envp);
        if (!retval)
                return 0;

        /* Exec failed? */
fail:
        sub_info->retval = retval;
        do_exit(0);
}
----------

, isn't it?

I could not interpret the

> For UMH_NO_WAIT __call_usermodehelper() frees the sub_info structure
> directly, for UMH_WAIT_EXEC the call to umh_complete() allows
> call_usermodehelper_exec() to continue which then frees sub_info.

lines.

For both UMH_NO_WAIT and UMH_WAIT_EXEC cases,

  kernel_thread(call_helper, sub_info, CLONE_VFORK | SIGCHLD)

in __call_usermodehelper() waits for do_execve() to succeed or do_exit(),
doesn't it? What is wrong with assigning sub_info->retval in
____call_usermodehelper() when do_execve() did not succeed?
Which function/thread can free sub_info before assigning sub_info->retval?

Regards.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/