x86/ioperm: Prevent a memory leak when fork fails

jaytlang · KAGA-KOKO · commit 4bfe6cce133c · 2020-05-28T21:36:20.000+02:00
In the copy_process() routine called by _do_fork(), failure to allocate a PID (or further along in the function) will trigger an invocation to exit_thread(). This is done to clean up from an earlier call to copy_thread_tls(). Naturally, the child task is passed into exit_thread(), however during the process, io_bitmap_exit() nullifies the parent's io_bitmap rather than the child's. As copy_thread_tls() has been called ahead of the failure, the reference count on the calling thread's io_bitmap is incremented as we would expect. However, io_bitmap_exit() doesn't accept any arguments, and thus assumes it should trash the current thread's io_bitmap reference rather than the child's. This is pretty sneaky in practice, because in all instances but this one, exit_thread() is called with respect to the current task and everything works out. A determined attacker can issue an appropriate ioctl (i.e. KDENABIO) to get a bitmap allocated, and force a clone3() syscall to fail by passing in a zeroed clone_args structure. The kernel handles the erroneous struct and the buggy code path is followed, and even though the parent's reference to the io_bitmap is trashed, the child still holds a reference and thus the structure will never be freed. Fix this by tweaking io_bitmap_exit() and its subroutines to accept a task_struct argument which to operate on. Fixes: ea5f1cd ("x86/ioperm: Remove bitmap if all permissions dropped") Signed-off-by: Jay Lang <jaytlang@mit.edu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable#@vger.kernel.org Link: https://lkml.kernel.org/r/20200524162742.253727-1-jaytlang@mit.edu
diff --git a/arch/x86/include/asm/io_bitmap.h b/arch/x86/include/asm/io_bitmap.h
@@ -17,7 +17,7 @@ struct task_struct;
 
 #ifdef CONFIG_X86_IOPL_IOPERM
 void io_bitmap_share(struct task_struct *tsk);
-void io_bitmap_exit(void);
+void io_bitmap_exit(struct task_struct *tsk);
 
 void native_tss_update_io_bitmap(void);
 
@@ -29,7 +29,7 @@ void native_tss_update_io_bitmap(void);
 
 #else
 static inline void io_bitmap_share(struct task_struct *tsk) { }
-static inline void io_bitmap_exit(void) { }
+static inline void io_bitmap_exit(struct task_struct *tsk) { }
 static inline void tss_update_io_bitmap(void) { }
 #endif
 
diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
@@ -33,28 +33,28 @@ void io_bitmap_share(struct task_struct *tsk)
 	set_tsk_thread_flag(tsk, TIF_IO_BITMAP);
 }
 
-static void task_update_io_bitmap(void)
+static void task_update_io_bitmap(struct task_struct *tsk)
 {
-	struct thread_struct *t = &current->thread;
+	struct thread_struct *t = &tsk->thread;
 
 	if (t->iopl_emul == 3 || t->io_bitmap) {
 		/* TSS update is handled on exit to user space */
-		set_thread_flag(TIF_IO_BITMAP);
+		set_tsk_thread_flag(tsk, TIF_IO_BITMAP);
 	} else {
-		clear_thread_flag(TIF_IO_BITMAP);
+		clear_tsk_thread_flag(tsk, TIF_IO_BITMAP);
 		/* Invalidate TSS */
 		preempt_disable();
 		tss_update_io_bitmap();
 		preempt_enable();
 	}
 }
 
-void io_bitmap_exit(void)
+void io_bitmap_exit(struct task_struct *tsk)
 {
-	struct io_bitmap *iobm = current->thread.io_bitmap;
+	struct io_bitmap *iobm = tsk->thread.io_bitmap;
 
-	current->thread.io_bitmap = NULL;
-	task_update_io_bitmap();
+	tsk->thread.io_bitmap = NULL;
+	task_update_io_bitmap(tsk);
 	if (iobm && refcount_dec_and_test(&iobm->refcnt))
 		kfree(iobm);
 }
@@ -102,7 +102,7 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
 		if (!iobm)
 			return -ENOMEM;
 		refcount_set(&iobm->refcnt, 1);
-		io_bitmap_exit();
+		io_bitmap_exit(current);
 	}
 
 	/*
@@ -134,7 +134,7 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
 	}
 	/* All permissions dropped? */
 	if (max_long == UINT_MAX) {
-		io_bitmap_exit();
+		io_bitmap_exit(current);
 		return 0;
 	}
 
@@ -192,7 +192,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
 	}
 
 	t->iopl_emul = level;
-	task_update_io_bitmap();
+	task_update_io_bitmap(current);
 
 	return 0;
 }
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
@@ -96,15 +96,15 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
 }
 
 /*
- * Free current thread data structures etc..
+ * Free thread data structures etc..
  */
 void exit_thread(struct task_struct *tsk)
 {
 	struct thread_struct *t = &tsk->thread;
 	struct fpu *fpu = &t->fpu;
 
 	if (test_thread_flag(TIF_IO_BITMAP))
-		io_bitmap_exit();
+		io_bitmap_exit(tsk);
 
 	free_vm86(t);
 

Original file line number	Diff line number	Diff line change
`@@ -33,28 +33,28 @@ void io_bitmap_share(struct task_struct *tsk)`
`33`	`33`	`set_tsk_thread_flag(tsk, TIF_IO_BITMAP);`
`34`	`34`	`}`
`35`	`35`
`36`		`-static void task_update_io_bitmap(void)`
	`36`	`+static void task_update_io_bitmap(struct task_struct *tsk)`
`37`	`37`	`{`
`38`		`- struct thread_struct *t = &current->thread;`
	`38`	`+ struct thread_struct *t = &tsk->thread;`
`39`	`39`
`40`	`40`	`if (t->iopl_emul == 3 \|\| t->io_bitmap) {`
`41`	`41`	`/* TSS update is handled on exit to user space */`
`42`		`- set_thread_flag(TIF_IO_BITMAP);`
	`42`	`+ set_tsk_thread_flag(tsk, TIF_IO_BITMAP);`
`43`	`43`	`} else {`
`44`		`- clear_thread_flag(TIF_IO_BITMAP);`
	`44`	`+ clear_tsk_thread_flag(tsk, TIF_IO_BITMAP);`
`45`	`45`	`/* Invalidate TSS */`
`46`	`46`	`preempt_disable();`
`47`	`47`	`tss_update_io_bitmap();`
`48`	`48`	`preempt_enable();`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`
`52`		`-void io_bitmap_exit(void)`
	`52`	`+void io_bitmap_exit(struct task_struct *tsk)`
`53`	`53`	`{`
`54`		`- struct io_bitmap *iobm = current->thread.io_bitmap;`
	`54`	`+ struct io_bitmap *iobm = tsk->thread.io_bitmap;`
`55`	`55`
`56`		`- current->thread.io_bitmap = NULL;`
`57`		`- task_update_io_bitmap();`
	`56`	`+ tsk->thread.io_bitmap = NULL;`
	`57`	`+ task_update_io_bitmap(tsk);`
`58`	`58`	`if (iobm && refcount_dec_and_test(&iobm->refcnt))`
`59`	`59`	`kfree(iobm);`
`60`	`60`	`}`
`@@ -102,7 +102,7 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)`
`102`	`102`	`if (!iobm)`
`103`	`103`	`return -ENOMEM;`
`104`	`104`	`refcount_set(&iobm->refcnt, 1);`
`105`		`- io_bitmap_exit();`
	`105`	`+ io_bitmap_exit(current);`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`/*`
`@@ -134,7 +134,7 @@ long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)`
`134`	`134`	`}`
`135`	`135`	`/* All permissions dropped? */`
`136`	`136`	`if (max_long == UINT_MAX) {`
`137`		`- io_bitmap_exit();`
	`137`	`+ io_bitmap_exit(current);`
`138`	`138`	`return 0;`
`139`	`139`	`}`
`140`	`140`
`@@ -192,7 +192,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`t->iopl_emul = level;`
`195`		`- task_update_io_bitmap();`
	`195`	`+ task_update_io_bitmap(current);`
`196`	`196`
`197`	`197`	`return 0;`
`198`	`198`	`}`
Original file line number	Diff line number	Diff line change
`@@ -96,15 +96,15 @@ int arch_dup_task_struct(struct task_struct dst, struct task_struct src)`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`/*`
`99`		`- * Free current thread data structures etc..`
	`99`	`+ * Free thread data structures etc..`
`100`	`100`	`*/`
`101`	`101`	`void exit_thread(struct task_struct *tsk)`
`102`	`102`	`{`
`103`	`103`	`struct thread_struct *t = &tsk->thread;`
`104`	`104`	`struct fpu *fpu = &t->fpu;`
`105`	`105`
`106`	`106`	`if (test_thread_flag(TIF_IO_BITMAP))`
`107`		`- io_bitmap_exit();`
	`107`	`+ io_bitmap_exit(tsk);`
`108`	`108`
`109`	`109`	`free_vm86(t);`
`110`	`110`