Date: Sun, 21 Jul 2024 05:25:28 GMT
Message-Id: <202407210525.46L5PSVF017481@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: f29a2ea5b44d - stable/14 - stand: module: unlink the entire tail when dependencies fail to load
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: f29a2ea5b44d79957c2568fa0181877c7556c7f3

The branch stable/14 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=f29a2ea5b44d79957c2568fa0181877c7556c7f3

commit f29a2ea5b44d79957c2568fa0181877c7556c7f3
Author:     Kyle Evans
AuthorDate: 2024-06-25 20:31:50 +0000
Commit:     Kyle Evans
CommitDate: 2024-07-21 05:24:50 +0000

    stand: module: unlink the entire tail when dependencies fail to load

    Assume you have loader configured to load linux64, which has a dependency
    on both linux_common and mqueuefs but neither the kernel nor kernel config
    in question have the mqueuefs module included. When the load command for
    linux64 fails to find mqueuefs, it will free both linux64 and linux_common
    as they were loaded first, but only linux64 gets removed from the module
    list. As a result, future traversals hit an easy use-after-free with
    linux_common.

    Fix it so that we unlink the entire tail of the list. Anything after the
    initially loaded module is, by definition, a dependency on the loaded
    module while we're still in the load command, so we can just discard the
    entire tail. If linux_common were loaded before linux64, it should not
    move to a position during this load where it would suddenly be missing
    from the view presented to the kernel.
Reported by: philip Reviewed by: imp, philip, tsoome (cherry picked from commit 3da568710fde08251996c117b87bedb326dedb57) --- stand/common/module.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/stand/common/module.c b/stand/common/module.c index 832a8eb4988d..29228f0de22a 100644 --- a/stand/common/module.c +++ b/stand/common/module.c @@ -64,6 +64,7 @@ static char *mod_searchmodule(char *name, struct mod_depend *verinfo); static char * mod_searchmodule_pnpinfo(const char *bus, const char *pnpinfo); static void file_insert_tail(struct preloaded_file *mp); static void file_remove(struct preloaded_file *fp); +static void file_remove_tail(struct preloaded_file *fp); struct file_metadata* metadata_next(struct file_metadata *base_mp, int type); static void moduledir_readhints(struct moduledir *mdp); static void moduledir_rebuild(void); @@ -876,7 +877,7 @@ mod_loadkld(const char *kldname, int argc, char *argv[]) file_insert_tail(fp); /* Add to the list of loaded files */ if (file_load_dependencies(fp) != 0) { err = ENOENT; - file_remove(fp); + file_remove_tail(fp); loadaddr = loadaddr_saved; fp = NULL; break; 
@@ -1637,25 +1638,45 @@ file_insert_tail(struct preloaded_file *fp) * Remove module from the chain */ static void -file_remove(struct preloaded_file *fp) +file_remove_impl(struct preloaded_file *fp, bool keep_tail) { - struct preloaded_file *cm; + struct preloaded_file *cm, *next; if (preloaded_files == NULL) return; + if (keep_tail) + next = fp->f_next; + else + next = NULL; + if (preloaded_files == fp) { - preloaded_files = fp->f_next; + preloaded_files = next; return; } + for (cm = preloaded_files; cm->f_next != NULL; cm = cm->f_next) { if (cm->f_next == fp) { - cm->f_next = fp->f_next; + cm->f_next = next; return; } } } +static void +file_remove(struct preloaded_file *fp) +{ + + file_remove_impl(fp, true); +} + +static void +file_remove_tail(struct preloaded_file *fp) +{ + + file_remove_impl(fp, false); +} + static char * moduledir_fullpath(struct moduledir *mdp, const char *fname) {
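Review bot: the switch from file_remove(fp) to file_remove_tail(fp) in the mod_loadkld hunk leaves its precondition implicit: it is only safe because file_load_dependencies() has already discarded fp and every entry appended after it on failure, which is what the commit message describes. A one-line comment at the call site stating that invariant (for example "/* file_load_dependencies discarded fp and everything after it */") would stop a future reader from "simplifying" it back to file_remove(fp) and reintroducing the dangling linux_common entry.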
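Review bot: the comment block "Remove module from the chain" now sits above file_remove_impl(), which has two modes, but it still describes only the old single-node unlink. Update it to say that with keep_tail false every entry after fp is dropped from the chain as well, and that file_remove_impl() frees nothing itself, so the caller must already have discarded (or must go on to discard) the entries it unlinks. Also note that in the keep_tail path fp->f_next is read, so file_remove() must not be called on an fp that has already been freed; file_remove_tail() avoids that read entirely, which is why it is the right call after a failed dependency load.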
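The failure the commit message describes is easy to reproduce in a model of the chain. The following is an added example written for this page, not code from the FreeBSD loader: the file_* functions mirror the shape of the patched module.c, but struct pfile, the discard-tracking array and simulate() are constructed stand-ins, and "discarding" a node records it instead of freeing it so that a later traversal can count dangling entries deterministically rather than relying on undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for loader's struct preloaded_file: name and link only. */
struct pfile {
	const char *f_name;
	struct pfile *f_next;
};

static struct pfile *preloaded_files;	/* head of the singly linked chain */

/* Discarded nodes are recorded here instead of freed, so dangling entries
 * can be detected reliably (a real use-after-free need not crash). */
#define MAX_DISCARDED 16
static struct pfile *discarded[MAX_DISCARDED];
static int ndiscarded;

static void discard(struct pfile *fp)
{
	if (ndiscarded < MAX_DISCARDED)
		discarded[ndiscarded++] = fp;
}

static bool is_discarded(const struct pfile *fp)
{
	for (int i = 0; i < ndiscarded; i++)
		if (discarded[i] == fp)
			return (true);
	return (false);
}

static void file_insert_tail(struct pfile *fp)
{
	struct pfile *cm;

	fp->f_next = NULL;
	if (preloaded_files == NULL) {
		preloaded_files = fp;
		return;
	}
	for (cm = preloaded_files; cm->f_next != NULL; cm = cm->f_next)
		;
	cm->f_next = fp;
}

/* Same shape as the patched file_remove_impl(): unlink fp, keep or drop its tail. */
static void file_remove_impl(struct pfile *fp, bool keep_tail)
{
	struct pfile *cm, *next;

	if (preloaded_files == NULL)
		return;
	next = keep_tail ? fp->f_next : NULL;	/* keep_tail reads fp, so fp must be live */
	if (preloaded_files == fp) {
		preloaded_files = next;
		return;
	}
	for (cm = preloaded_files; cm->f_next != NULL; cm = cm->f_next) {
		if (cm->f_next == fp) {
			cm->f_next = next;
			return;
		}
	}
}

static void file_remove(struct pfile *fp)      { file_remove_impl(fp, true); }
static void file_remove_tail(struct pfile *fp) { file_remove_impl(fp, false); }

/* Models file_load_dependencies() failing after it appended the dependencies it
 * could load: base and everything after it are discarded, nonzero is returned. */
static int load_dependencies_fail(struct pfile *base)
{
	struct pfile *p, *n;

	for (p = base; p != NULL; p = n) {
		n = p->f_next;
		discard(p);
	}
	return (1);
}

/* Entries a later traversal (e.g. building the kernel's view) would find
 * pointing at discarded nodes. Memory stays valid here, so walking is safe. */
static int count_dangling(void)
{
	int n = 0;

	for (struct pfile *p = preloaded_files; p != NULL; p = p->f_next)
		if (is_discarded(p))
			n++;
	return (n);
}

/* Scenario from the commit message: linux64 loads, linux_common is pulled in
 * as a dependency, mqueuefs is missing. Returns dangling entries left behind. */
int simulate(bool use_tail_fix)
{
	static struct pfile kernel = { "kernel" }, linux64 = { "linux64" },
	    linux_common = { "linux_common" };

	preloaded_files = NULL;
	ndiscarded = 0;
	file_insert_tail(&kernel);
	file_insert_tail(&linux64);
	file_insert_tail(&linux_common);	/* appended while resolving linux64's deps */

	if (load_dependencies_fail(&linux64) != 0) {
		if (use_tail_fix)
			file_remove_tail(&linux64);	/* patched behaviour */
		else
			file_remove(&linux64);		/* pre-patch behaviour */
	}
	return (count_dangling());
}

int main(void)
{
	printf("file_remove:      %d dangling entries\n", simulate(false));
	printf("file_remove_tail: %d dangling entries\n", simulate(true));
	return (0);
}
```

With the pre-patch unlink the chain still reaches the discarded linux_common node through kernel->f_next, which is the use-after-free the report describes; with file_remove_tail the kernel entry's link is cut and the chain holds only live nodes. The model also makes visible that file_remove() itself dereferences fp to fetch f_next, which is why the tail-dropping variant, not a freed-node read, is the right call after a failed dependency load.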