Re: [syzbot] KASAN: use-after-free Write in put_ucounts

From: Eric W. Biederman
Date: Tue Jul 20 2021 - 12:33:33 EST

Hillf Danton <hdanton@xxxxxxxx> writes:

> On Mon, 19 Jul 2021 12:24:41 -0500 Eric W. Biederman wrote:
>>> To fix the uaf, add a couple of changes. Now only for thoughts.
>>> 1/ s/atomic_add_negative/atomic_inc_not_zero/ to correct the get
>>> method.
>>I really don't think so. The use of atomic_add_negative is very
>>deliberate. Changing that fundamentally changes the algorithm used
> Given atomic_dec_and_test() in put_ucounts(), what sense are you
> deliberately trying to make by bumping up a zero count?
>>to keep track of things. Definitely not something to lead with.
>>Before it even makes sense to talk about how to change the code,
>>a plausible explanation for how a use after free happens is needed.
> I am trying just to avoid touching zero count. That is it.

Observing a zero-reference count in this case is a result of a
use-after-free. So that is definitely not what needs to be fixed.

>>That explanation should account for the fact this code was in linux-next
>>since the last -rc1 without any kind of issue with the test code.
> The code is no good without surviving syzbot, right? And -rcX does not
> matter.

That was with syzbot running against linux-next for 8ish weeks.

Something changed that syzbot is now reporting an error.

It is definitely worth fixing but we need to track down and understand
what the bug is.