Page MenuHomeFreeBSD
Differential D43450

condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled
ClosedPublic
Actions

Authored by markj on Jan 13 2024, 9:11 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Aug 2, 10:31 AM
Unknown Object (File)
Tue, Jul 29, 2:36 AM
Unknown Object (File)
Mon, Jul 28, 6:04 PM
Unknown Object (File)
Mon, Jul 28, 2:25 PM
Unknown Object (File)
Tue, Jul 22, 3:56 PM
Unknown Object (File)
Tue, Jul 22, 7:18 AM
Unknown Object (File)
Jun 25 2025, 7:54 AM
Unknown Object (File)
Jun 23 2025, 3:23 PM
View All 53 Files
Subscribers
imp

Details

Reviewers
kib
Commits
rG11cf350c3893: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled
rGdcaf7895039d: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled
rGa5ef95cd228e: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled
Summary

When a thread wakes up after sleeping on a CV, it must not dereference
the CV structure, as it may already have been freed. At least ZFS
relies on this invariant, see commit
c636f94bd2ff15be5b904939872b4bce31456c18 for example.

Thus, when logging context-switch events, copy the wmesg into a stack
buffer while it is still safe to do so, and log that after waking up.

Reported by: syzkaller

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jan 13 2024, 9:11 PM
Herald added a subscriber: imp. · View Herald TranscriptJan 13 2024, 9:11 PM
markj requested review of this revision.Jan 13 2024, 9:11 PM
markj added a parent revision: D43449: condvar: Clean up condvar.h a bit.
Harbormaster completed remote builds in B55427: Diff 132739.Jan 13 2024, 9:11 PM
kib added inline comments.Jan 13 2024, 9:20 PM
sys/kern/kern_condvar.c
216

This code has the same issue?

279

And this and several other functions below

markj updated this revision to Diff 132741.Jan 13 2024, 9:40 PM
markj marked 2 inline comments as done.

Update all of the _cv_wait* variants.

Move the initial ktrcsw() call later, after assertions and special cases are
checked.

Harbormaster completed remote builds in B55429: Diff 132741.Jan 13 2024, 9:40 PM
kib accepted this revision.Jan 13 2024, 9:47 PM
kib added inline comments.
sys/kern/kern_condvar.c
144
This revision is now accepted and ready to land.Jan 13 2024, 9:47 PM
Closed by commit rGa5ef95cd228e: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled (authored by markj). · Explain WhyJan 15 2024, 6:08 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGa5ef95cd228e: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled.
markj added a commit: rGdcaf7895039d: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled.Jan 29 2024, 2:29 PM
markj added a commit: rG11cf350c3893: condvar: Fix a user-after-free in _cv_wait() when ktrace is enabled.

Revision Contents
Changeset List

PathSize
sys/
kern/
109 lines

Diff 132788

View Options

sys/kern/kern_condvar.c

Loading...