diff options
| author | Waiman Long <[email protected]> | 2022-01-02 21:35:58 -0500 |
|---|---|---|
| committer | Peter Zijlstra <[email protected]> | 2022-01-25 22:30:28 +0100 |
| commit | 61cc4534b6550997c97a03759ab46b29d44c0017 (patch) | |
| tree | 4f7922d52522639795e1716ac63a64c2e064b9de /lib/test_fortify/write_overflow-memcpy.c | |
| parent | e204193b138af347fbbbe026e68cb3385112f387 (diff) | |
locking/lockdep: Avoid potential access of invalid memory in lock_class
It was found that reading /proc/lockdep after a lockdep splat may
potentially cause an access to freed memory if lockdep_unregister_key()
is called after the splat but before access to /proc/lockdep [1]. This
is due to the fact that graph_lock() call in lockdep_unregister_key()
fails after the clearing of debug_locks by the splat process.
After lockdep_unregister_key() is called, the lock_name may be freed
but the corresponding lock_class structure still have a reference to
it. That invalid memory pointer will then be accessed when /proc/lockdep
is read by a user and a use-after-free (UAF) error will be reported if
KASAN is enabled.
To fix this problem, lockdep_unregister_key() is now modified to always
search for a matching key irrespective of the debug_locks state and
zap the corresponding lock class if a matching one is found.
[1] https://lore.kernel.org/lkml/[email protected]/
Fixes: 8b39adbee805 ("locking/lockdep: Make lockdep_unregister_key() honor 'debug_locks' again")
Reported-by: Tetsuo Handa <[email protected]>
Signed-off-by: Waiman Long <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Reviewed-by: Bart Van Assche <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Diffstat (limited to 'lib/test_fortify/write_overflow-memcpy.c')
0 files changed, 0 insertions, 0 deletions