Date: Sun, 21 Jul 2024 05:25:22 GMT
Message-Id: <202407210525.46L5PMH2017258@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kyle Evans
Subject: git: 2e57144df7e1 - stable/13 - stand: module: unlink the entire tail when dependencies fail to load
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 2e57144df7e1f8d9ed91a75f96ff2b8affc1c601

The branch stable/13 has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=2e57144df7e1f8d9ed91a75f96ff2b8affc1c601

commit 2e57144df7e1f8d9ed91a75f96ff2b8affc1c601
Author:     Kyle Evans
AuthorDate: 2024-06-25 20:31:50 +0000
Commit:     Kyle Evans
CommitDate: 2024-07-21 05:25:07 +0000

    stand: module: unlink the entire tail when dependencies fail to load

    Assume you have loader configured to load linux64, which has a
    dependency on both linux_common and mqueuefs but neither the kernel nor
    kernel config in question have the mqueuefs module included. When the
    load command for linux64 fails to find mqueuefs, it will free both
    linux64 and linux_common as they were loaded first, but only linux64
    gets removed from the module list. As a result, future traversals hit
    an easy use-after-free with linux_common.

    Fix it so that we unlink the entire tail of the list. Anything after
    the initially loaded module is, by definition, a dependency on the
    loaded module while we're still in the load command, so we can just
    discard the entire tail. If linux_common were loaded before linux64,
    it should not move to a position during this load where it would
    suddenly be missing from the view presented to the kernel.
Reported by: philip Reviewed by: imp, philip, tsoome (cherry picked from commit 3da568710fde08251996c117b87bedb326dedb57) --- stand/common/module.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/stand/common/module.c b/stand/common/module.c index b4a53701ffba..699be7bf4feb 100644 --- a/stand/common/module.c +++ b/stand/common/module.c @@ -65,6 +65,7 @@ static char *mod_searchmodule(char *name, struct mod_depend *verinfo); static char * mod_searchmodule_pnpinfo(const char *bus, const char *pnpinfo); static void file_insert_tail(struct preloaded_file *mp); static void file_remove(struct preloaded_file *fp); +static void file_remove_tail(struct preloaded_file *fp); struct file_metadata* metadata_next(struct file_metadata *base_mp, int type); static void moduledir_readhints(struct moduledir *mdp); static void moduledir_rebuild(void); @@ -958,7 +959,7 @@ mod_loadkld(const char *kldname, int argc, char *argv[]) file_insert_tail(fp); /* Add to the list of loaded files */ if (file_load_dependencies(fp) != 0) { err = ENOENT; - file_remove(fp); + file_remove_tail(fp); loadaddr = loadaddr_saved; fp = NULL; break; 
@@ -1719,25 +1720,45 @@ file_insert_tail(struct preloaded_file *fp) * Remove module from the chain */ static void -file_remove(struct preloaded_file *fp) +file_remove_impl(struct preloaded_file *fp, bool keep_tail) { - struct preloaded_file *cm; + struct preloaded_file *cm, *next; if (preloaded_files == NULL) return; + if (keep_tail) + next = fp->f_next; + else + next = NULL; + if (preloaded_files == fp) { - preloaded_files = fp->f_next; + preloaded_files = next; return; } + for (cm = preloaded_files; cm->f_next != NULL; cm = cm->f_next) { if (cm->f_next == fp) { - cm->f_next = fp->f_next; + cm->f_next = next; return; } } } +static void +file_remove(struct preloaded_file *fp) +{ + + file_remove_impl(fp, true); +} + +static void +file_remove_tail(struct preloaded_file *fp) +{ + + file_remove_impl(fp, false); +} + static char * moduledir_fullpath(struct moduledir *mdp, const char *fname) {
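Review bot: the switch from file_remove(fp) to file_remove_tail(fp) in the mod_loadkld() hunk is correct only because of an invariant the code does not state: file_insert_tail(fp) makes fp the last element, so everything file_load_dependencies() appends after it is a dependency of fp, and dropping the whole tail unlinks exactly fp plus its dependencies and nothing else. A one-line comment at the call site, e.g. `/* fp and every module loaded for it sit at the tail; unlink them all */`, would stop a later reader from "simplifying" this back to file_remove(fp) and reintroducing the use-after-free the commit message describes.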
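Review bot: the comment `* Remove module from the chain` above the renamed file_remove_impl() no longer describes what the function does: with keep_tail false it also unlinks every module after fp, and in the preloaded_files == fp case it empties the list entirely. Suggest updating it to state both the keep_tail semantics and that the unlinked nodes are only detached here, not freed, e.g. `* Unlink fp from the chain; with keep_tail false, drop fp and everything after it. Nodes are not freed.` The hunk also introduces a `bool` parameter without adding an include, so confirm <stdbool.h> (or a header that pulls it in) is already included by module.c.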