condvar: Fix a use-after-free in _cv_wait() when ktrace is enabled
ClosedPublic

Authored by markj on Jan 13 2024, 9:11 PM.
Referenced Files
F107101948: D43450.diff
Details

Summary

When a thread wakes up after sleeping on a CV, it must not dereference
the CV structure, as it may already have been freed. At least ZFS
relies on this invariant, see commit
c636f94bd2ff15be5b904939872b4bce31456c18 for example.

Thus, when logging context-switch events, copy the wmesg into a stack
buffer while it is still safe to do so, and log that after waking up.

Reported by: syzkaller
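The ordering problem the summary describes, as an added illustration rather than code from the review or from the FreeBSD tree: the waker is allowed to destroy the condvar while the sleeper is blocked, so anything the sleeper wants to log after waking (here the wmesg) has to be copied out before it sleeps. All names below are stand-ins: struct cv holds only the wait message, log_csw replaces ktrcsw(), a callback replaces the real sleep/wakeup, and the "free" is simulated by reusing the memory so the stale read is deterministic instead of undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the condvar wait path. struct cv keeps only the
 * field that matters here; the kernel's real structure is larger.
 */
struct cv {
    const char *cv_description;     /* wmesg shown in ktrace output */
};

/* Assumed bound for the stack copy; the kernel would use its own limit. */
#define WMESG_MAX 32

/* Stand-in for "is KTR_CSW tracing enabled for this thread". */
static bool ktrace_csw_enabled = true;

/* Last wait message recorded on wakeup; stands in for the ktrace record. */
static char last_logged[WMESG_MAX];

/* Stand-in for ktrcsw(): out=1 means going to sleep, out=0 means woke up. */
static void log_csw(int out, const char *wmesg)
{
    if (!ktrace_csw_enabled)
        return;
    if (out == 0)
        snprintf(last_logged, sizeof(last_logged), "%s", wmesg);
}

/*
 * The sleep is modelled by a callback that runs while the thread is blocked.
 * The waker may destroy the cv, which is the invariant ZFS relies on.
 */
typedef void (*waker_fn)(struct cv *);

/* Simulated free: the memory is reused, so the old pointer is now stale. */
static void cv_destroy_and_reuse(struct cv *cvp)
{
    cvp->cv_description = "<reused memory>";
}

/* Before the fix: the cv is dereferenced again after the wakeup. */
static const char *cv_wait_before(struct cv *cvp, waker_fn waker)
{
    log_csw(1, cvp->cv_description);
    waker(cvp);                          /* cv may be gone when this returns */
    log_csw(0, cvp->cv_description);     /* stale read through cvp */
    return last_logged;
}

/* After the fix: copy wmesg while the cv is known to be alive, log the copy. */
static const char *cv_wait_after(struct cv *cvp, waker_fn waker)
{
    char wmesg[WMESG_MAX];

    if (ktrace_csw_enabled) {
        snprintf(wmesg, sizeof(wmesg), "%s", cvp->cv_description);
        log_csw(1, wmesg);
    }
    waker(cvp);                          /* cv may be gone when this returns */
    if (ktrace_csw_enabled)
        log_csw(0, wmesg);               /* only the stack copy is touched */
    return last_logged;
}

int main(void)
{
    struct cv a = { "zfs_cv" }, b = { "zfs_cv" };

    printf("before fix, wakeup log reads: %s\n",
        cv_wait_before(&a, cv_destroy_and_reuse));
    printf("after fix, wakeup log reads:  %s\n",
        cv_wait_after(&b, cv_destroy_and_reuse));
    return 0;
}
```

The copy is taken only when tracing is enabled, which is also why the review asked for the initial ktrcsw() call to sit after the assertions and special-case checks: nothing should be copied or logged on paths that never actually sleep.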

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 55427
Build 52316: arc lint + arc unit

Event Timeline

sys/kern/kern_condvar.c
207

This code has the same issue?

262

And this and several other functions below

markj marked 2 inline comments as done.

Update all of the _cv_wait* variants.

Move the initial ktrcsw() call later, after assertions and special cases are
checked.

kib added inline comments.
sys/kern/kern_condvar.c
143
This revision is now accepted and ready to land. Jan 13 2024, 9:47 PM