Fixed
Created: Dec 10, 2025
Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.5
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

seccomp: Move copy_seccomp() to no failure path.

Our syzbot instance reported memory leaks in do_seccomp() [0], similar
to the report [1]. It shows that we miss freeing struct seccomp_filter
and some objects included in it.

We can reproduce the issue with the program below [2] which calls one
seccomp() and two clone() syscalls.

The first clone()d child exits earlier than its parent and sends a
signal to kill it during the second clone(), more precisely before the
fatal_signal_pending() test in copy_process(). When the parent receives
the signal, it has to destroy the embryonic process and return -EINTR to
user space. In the failure path, we have to call seccomp_filter_release()
to decrement the filter's refcount.

Initially, we called it in free_task() called from the failure path, but
the commit 3a15fb6ed92c ("seccomp: release filter after task is fully
dead") moved it to release_task() to notify user space as early as possible
that the filter is no longer used.

To keep the change and current seccomp refcount semantics, let's move
copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in
free_task() for future debugging.

[0]:
unreferenced object 0xffff8880063add00 (size 256):
  comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
  backtrace:
    do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffffc90000035000 (size 4096):
  comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    __vmalloc_node_range (mm/vmalloc.c:3226)
    __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))
    bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)
    bpf_prog_alloc (kernel/bpf/core.c:129)
    bpf_prog_create_from_user (net/core/filter.c:1414)
    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888003fa1000 (size 1024):
  comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)
    bpf_prog_alloc (kernel/bpf/core.c:129)
    bpf_prog_create_from_user (net/core/filter.c:1414)
    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888006360240 (size 16):
  comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
  hex dump (first 16 bytes):
    01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff  ..7.verl........
  backtrace:
    bpf_prog_store_orig_filter (net/core/filter.c:1137)
    bpf_prog_create_from_user (net/core/filter.c:1428)
    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888
---truncated---
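
The ordering problem the commit message describes, as an added user-space model (not kernel code and not part of the original advisory): taking the filter reference before the fatal-signal check leaves the count one too high when the fork is interrupted, while taking it after the check keeps it balanced. Every `model_*` name and both structs are hypothetical stand-ins for the kernel functions named above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; struct and function names are hypothetical. */
struct filter { int refs; };
struct task   { struct filter *filter; };

/* Models copy_seccomp(): the child inherits the parent's filter (+1 ref). */
static void model_copy_seccomp(struct task *child, const struct task *parent) {
    child->filter = parent->filter;
    if (child->filter)
        child->filter->refs++;
}

/* Models free_task() after commit 3a15fb6ed92c: the release moved to
 * release_task(), which this failure path does not call. Returns true where
 * the added WARN_ON_ONCE() would fire (task freed while holding a filter). */
static bool model_free_task(const struct task *child) {
    return child->filter != NULL;
}

/* Models the relevant slice of copy_process() for one clone() call. */
static int model_fork(const struct task *parent, bool fatal_signal,
                      bool fixed_order, bool *warned) {
    struct task child = { NULL };
    if (!fixed_order)
        model_copy_seccomp(&child, parent);   /* old: before signal check */
    if (fatal_signal) {                       /* fatal_signal_pending() */
        *warned = model_free_task(&child);    /* destroy embryonic task */
        return -EINTR;
    }
    if (fixed_order)
        model_copy_seccomp(&child, parent);   /* new: no failure path left */
    return 0;
}

/* Filter refcount left behind after one interrupted fork. */
int refs_after_interrupted_fork(bool fixed_order, bool *warned) {
    struct filter f = { 1 };                  /* parent's own reference */
    struct task parent = { &f };
    *warned = false;
    model_fork(&parent, true, fixed_order, warned);
    return f.refs;
}

int main(void) {
    bool w;
    printf("old order:   refs=%d\n", refs_after_interrupted_fork(false, &w));
    printf("fixed order: refs=%d\n", refs_after_interrupted_fork(true, &w));
    return 0;
}
```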