• Matthew Wilcox's avatar
    idr: fix invalid ptr dereference on item delete · 7a4deea1
    Matthew Wilcox authored
    If the radix tree underlying the IDR happens to be full and we attempt
    to remove an id which is larger than any id in the IDR, we will call
    __radix_tree_delete() with an uninitialised 'slot' pointer, at which
    point anything could happen.  This was easiest to hit with a single
    entry at id 0 and attempting to remove a non-0 id, but it could have
    happened with 64 entries and attempting to remove an id >= 64.
    
    Roman said:
    
      The syzcaller test boils down to opening /dev/kvm, creating an
      eventfd, and calling a couple of KVM ioctls. None of this requires
      superuser. And the result is dereferencing an uninitialized pointer
      which is likely a crash. The specific path caught by syzbot is via
      KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are
      other user-triggerable paths, so cc:stable is probably justified.
    
    Matthew added:
    
      We have around 250 calls to idr_remove() in the kernel today. Many of
      them pass an ID which is embedded in the object they're removing, so
      they're safe. Picking a few likely candidates:
    
      drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl.
      drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar
      drivers/atm/nicstar.c could be taken down by a handcrafted packet
    
    Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org
    Fixes: 0a835c4f ("Reimplement IDR and IDA using the radix tree")
    Reported-by: <syzbot+35666cba7f0a337e2e79@syzkaller.appspotmail.com>
    Debugged-by: default avatarRoman Kagan <rkagan@virtuozzo.com>
    Signed-off-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    7a4deea1
idr-test.c 13.2 KB