Date: Tue, 25 Jun 2024 20:32:23 GMT
Message-Id: <202406252032.45PKWNbS026609@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kyle Evans
Subject: git: 3da568710fde - main - stand: module: unlink the entire tail when dependencies fail to load
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3da568710fde08251996c117b87bedb326dedb57

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=3da568710fde08251996c117b87bedb326dedb57

commit 3da568710fde08251996c117b87bedb326dedb57
Author:     Kyle Evans
AuthorDate: 2024-06-25 20:31:50 +0000
Commit:     Kyle Evans
CommitDate: 2024-06-25 20:32:08 +0000

    stand: module: unlink the entire tail when dependencies fail to load

    Assume you have loader configured to load linux64, which has a dependency
    on both linux_common and mqueuefs but neither the kernel nor kernel config
    in question have the mqueuefs module included. When the load command for
    linux64 fails to find mqueuefs, it will free both linux64 and linux_common
    as they were loaded first, but only linux64 gets removed from the module
    list. As a result, future traversals hit an easy use-after-free with
    linux_common.

    Fix it so that we unlink the entire tail of the list. Anything after the
    initially loaded module is, by definition, a dependency on the loaded
    module while we're still in the load command, so we can just discard the
    entire tail. If linux_common were loaded before linux64, it should not
    move to a position during this load where it would suddenly be missing
    from the view presented to the kernel.
Reported by: philip Reviewed by: imp, philip, tsoome MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D45731 --- stand/common/module.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/stand/common/module.c b/stand/common/module.c index 832a8eb4988d..29228f0de22a 100644 --- a/stand/common/module.c +++ b/stand/common/module.c @@ -64,6 +64,7 @@ static char *mod_searchmodule(char *name, struct mod_depend *verinfo); static char * mod_searchmodule_pnpinfo(const char *bus, const char *pnpinfo); static void file_insert_tail(struct preloaded_file *mp); static void file_remove(struct preloaded_file *fp); +static void file_remove_tail(struct preloaded_file *fp); struct file_metadata* metadata_next(struct file_metadata *base_mp, int type); static void moduledir_readhints(struct moduledir *mdp); static void moduledir_rebuild(void); @@ -876,7 +877,7 @@ mod_loadkld(const char *kldname, int argc, char *argv[]) file_insert_tail(fp); /* Add to the list of loaded files */ if (file_load_dependencies(fp) != 0) { err = ENOENT; - file_remove(fp); + file_remove_tail(fp); loadaddr = loadaddr_saved; fp = NULL; break; 
@@ -1637,25 +1638,45 @@ file_insert_tail(struct preloaded_file *fp) * Remove module from the chain */ static void -file_remove(struct preloaded_file *fp) +file_remove_impl(struct preloaded_file *fp, bool keep_tail) { - struct preloaded_file *cm; + struct preloaded_file *cm, *next; if (preloaded_files == NULL) return; + if (keep_tail) + next = fp->f_next; + else + next = NULL; + if (preloaded_files == fp) { - preloaded_files = fp->f_next; + preloaded_files = next; return; } + for (cm = preloaded_files; cm->f_next != NULL; cm = cm->f_next) { if (cm->f_next == fp) { - cm->f_next = fp->f_next; + cm->f_next = next; return; } } } +static void +file_remove(struct preloaded_file *fp) +{ + + file_remove_impl(fp, true); +} + +static void +file_remove_tail(struct preloaded_file *fp) +{ + + file_remove_impl(fp, false); +} + static char * moduledir_fullpath(struct moduledir *mdp, const char *fname) {
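Review bot: in the mod_loadkld hunk, the correctness of `file_remove_tail(fp);` rests on an invariant that only the commit message states: every node after fp in preloaded_files was appended by file_load_dependencies() during this call, and those nodes have already been released by the time the tail is unlinked. Put that in a one-line comment at the call site, since a future change that links a module somewhere other than the tail during dependency loading would silently reintroduce the dangling-pointer case; while there, `err = ENOENT` discards whatever file_load_dependencies() returned, so consider propagating its return value.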
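Review bot: in the file_remove_impl hunk, the function only rewires pointers and never frees the entries it drops, so file_remove_tail() is safe only when the caller has already released fp and its whole tail (or still holds pointers to them); the comment above it still reads "Remove module from the chain" as if a single entry were removed, so extend it with that contract and the keep_tail semantics. The new `bool` parameter also needs <stdbool.h> (directly or through a header module.c already includes); the hunk adds no include, so confirm it is available.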
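To make the failure mode in the commit message concrete, here is an added C model (not code from the FreeBSD commit or stand/common/module.c) of the preloaded_files chain: chain_append, chain_unlink and simulate_failed_load are hypothetical names, and the loader's release of the two loaded modules is represented by recording their addresses rather than by the loader's own discard path. With keep_tail (the old file_remove behaviour) the walk from the head still reaches linux_common after it has been released, which is the use-after-free the commit describes; dropping the whole tail leaves only the kernel entry.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Added model of the loader's preloaded_files chain (names hypothetical). */
struct node { struct node *next; };
struct outcome { int remaining; int dangling; };

/* Append at the end of the chain, like file_insert_tail(). */
static struct node *chain_append(struct node **headp)
{
    struct node *n = calloc(1, sizeof *n), **pp = headp;
    if (n == NULL)
        abort();
    while (*pp != NULL)
        pp = &(*pp)->next;
    *pp = n;
    return n;
}

/* Same effect as file_remove_impl(): with keep_tail the nodes after fp stay
 * linked; without it fp and everything after it are dropped together. */
static void chain_unlink(struct node **headp, struct node *fp, bool keep_tail)
{
    struct node *next = keep_tail ? fp->next : NULL, **pp = headp;
    for (; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == fp) {
            *pp = next;
            return;
        }
    }
}

/* Model "load linux64": linux64 and linux_common get appended, the lookup of
 * mqueuefs fails and the loader releases both. Report how many chain entries
 * would then point at released memory, and how many entries remain. */
static struct outcome simulate_failed_load(bool unlink_whole_tail)
{
    struct outcome out = { 0, 0 };
    struct node *chain = NULL, *all[3], *n;   /* chain: preloaded_files */
    all[0] = chain_append(&chain);   /* kernel, loaded before the command */
    all[1] = chain_append(&chain);   /* linux64, the module being loaded */
    all[2] = chain_append(&chain);   /* linux_common, first dependency */
    chain_unlink(&chain, all[1], !unlink_whole_tail);   /* mqueuefs missing */
    /* Nothing is freed yet, so walking the chain is well-defined here. */
    for (n = chain; n != NULL; n = n->next, out.remaining++)
        out.dangling += (n == all[1] || n == all[2]);
    for (int i = 0; i < 3; i++)
        free(all[i]);
    return out;
}
```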