
condvar: Fix a use-after-free in _cv_wait() when ktrace is enabled
Closed, Public

Authored by markj on Jan 13 2024, 9:11 PM.
Details

Summary

When a thread wakes up after sleeping on a CV, it must not dereference
the CV structure, as it may already have been freed. At least ZFS
relies on this invariant; see commit
c636f94bd2ff15be5b904939872b4bce31456c18 for example.

Thus, when logging context-switch events, copy the wmesg into a stack
buffer while it is still safe to do so, and log that after waking up.

Reported by: syzkaller
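
A user-space model of the pattern the summary describes, added here as an illustration; it is not FreeBSD's kern_condvar.c and nothing in it is the project's code. The names cv_sim, ktrcsw_sim, sleep_fn, sched_stopped_sim and the WMESG_LEN value are hypothetical stand-ins for struct cv, ktrcsw(), the sleep itself, the kernel's early-return checks and its wait-message length. The sleep is a callback so the test can play a waker that frees the CV before the sleeper runs again, which is exactly the window where logging from *cvp after wakeup would read freed memory; the fixed shape copies the wmesg to the stack first and logs only from the copy, and it also shows the early return moved ahead of the first trace call.

```c
/*
 * Added example, not FreeBSD's kern_condvar.c: a user-space model of
 * "copy wmesg before sleeping, log from the copy after waking".
 * cv_sim, ktrcsw_sim, sleep_fn, sched_stopped_sim and WMESG_LEN are
 * hypothetical names chosen for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WMESG_LEN 8		/* assumed bound on a logged wait message */

struct cv_sim {
	const char *cv_description;	/* the wmesg, as in struct cv */
};

/* Hypothetical "scheduler stopped" special case: return before logging. */
static int sched_stopped_sim;

/* Records captured by the stand-in for ktrcsw():
 * [0] = going to sleep, [1] = woke up. */
static char trace_wmesg[2][WMESG_LEN + 1];
static int trace_count;

static void
ktrcsw_sim(int out, const char *wmesg)
{
	snprintf(trace_wmesg[out ? 0 : 1], sizeof(trace_wmesg[0]), "%s", wmesg);
	trace_count++;
}

/* The sleep is a callback so a test can free the CV "while asleep". */
typedef void (*sleep_fn)(struct cv_sim *);

/*
 * Fixed pattern.  The buggy shape this replaces (not compiled here)
 * called ktrcsw(0, 0, cvp->cv_description) after the sleep, reading
 * through a pointer the waker may already have freed.
 */
static void
cv_wait_sim(struct cv_sim *cvp, sleep_fn sleep_hook)
{
	char wmesg[WMESG_LEN + 1];

	if (sched_stopped_sim)
		return;			/* special case: no sleep, no record */

	snprintf(wmesg, sizeof(wmesg), "%s", cvp->cv_description);
	ktrcsw_sim(1, wmesg);		/* cvp is still safe to read here */

	sleep_hook(cvp);		/* after this returns, cvp may be gone */

	ktrcsw_sim(0, wmesg);		/* log from the stack copy, never *cvp */
}

/* Waker that signals and immediately destroys the CV's owner. */
static void
free_on_wake(struct cv_sim *cvp)
{
	free((void *)cvp->cv_description);
	free(cvp);
}

static void
noop_sleep(struct cv_sim *cvp)
{
	(void)cvp;
}

/* Returns 1 if both records still carry the original wmesg even though
 * the CV was freed while the waiter was asleep. */
int
demo_cv_wait_freed(void)
{
	struct cv_sim *cvp = malloc(sizeof(*cvp));
	char *desc = malloc(WMESG_LEN + 1);

	if (cvp == NULL || desc == NULL) {
		free(cvp);
		free(desc);
		return 0;
	}
	snprintf(desc, WMESG_LEN + 1, "%s", "zfsvfs");	/* constructed sample */
	cvp->cv_description = desc;

	trace_count = 0;
	cv_wait_sim(cvp, free_on_wake);
	return trace_count == 2 &&
	    strcmp(trace_wmesg[0], "zfsvfs") == 0 &&
	    strcmp(trace_wmesg[1], "zfsvfs") == 0;
}

/* Returns 1 if the special-case early return produces no records. */
int
demo_cv_wait_stopped(void)
{
	struct cv_sim cv = { "stopped" };
	int ok;

	sched_stopped_sim = 1;
	trace_count = 0;
	cv_wait_sim(&cv, noop_sleep);
	ok = (trace_count == 0);
	sched_stopped_sim = 0;
	return ok;
}

int
main(void)
{
	printf("freed while asleep: %s\n", demo_cv_wait_freed() ? "ok" : "FAIL");
	printf("early return:       %s\n", demo_cv_wait_stopped() ? "ok" : "FAIL");
	return 0;
}
```

Run under a memory checker (for example, a sanitizer build) to see the difference the copy makes: with the stack buffer, the post-wakeup record never touches the freed allocation, whereas the commented-out buggy shape would be flagged at the second log call.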

Diff Detail

Repository: rG FreeBSD src repository
Lint: Skipped
Unit: Tests Skipped
Build Status: Buildable 55427, Build 52316: arc lint + arc unit

Event Timeline

sys/kern/kern_condvar.c:207

This code has the same issue?

sys/kern/kern_condvar.c:262

And this and several other functions below

markj marked 2 inline comments as done.

Update all of the _cv_wait* variants.

Move the initial ktrcsw() call later, after assertions and special cases are
checked.

kib added inline comments.
sys/kern/kern_condvar.c:143

This revision is now accepted and ready to land. Jan 13 2024, 9:47 PM