The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard

CVE-2021-25068

Vertical Privilege Escalation in KONGA 0.14.9 allows attackers to higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/{ID} at ADMIN parameter.

**terça-feira, 16 de novembro de 2021**

  **KONGA 0.14.9 - Privilege Escalation (Exploit)**

**Report Vulnerability**

**_Product: KONGA Model:  0.14.9 Vulnerability: Privilege EscalationImpact: Full admin access (v__ertical privilege escalation__)_****_Authentication: required_ ****_Exploit Author: Fabricio Salomao (__@\_SOl0m0n__) / Paulo Trindade (@paulotrindadec)_**

**PoC**

Bellow has created a normal user called "usernormal" without privilege.

Through of request bellow was changed the flag "FALSE" in the parameter "admin" to "**TRUE**".

![](https://1.bp.blogspot.com/-UvzhCIJXGGM/YZP0iI5s4vI/AAAAAAAAT00/tlLPp9CzvO8yr16cNxsx_TGyLoGUqqDfgCLcBGAsYHQ/w640-h234/p2.png)

  

![](https://lh3.googleusercontent.com/-ZLbg9rps_J0/YZPx5tNmzWI/AAAAAAAAT0s/uU-Hi62G0oogpKzNYu75ZCS22CkrTWogwCLcBGAsYHQ/w640-h250/image.png)

After running the exploit, the privilege escalation was a success!

**Result:**

![](https://1.bp.blogspot.com/-QkIP_UYLdMQ/YZP0_MYbvfI/AAAAAAAAT08/Cdl2tOveJNstnRXWQPf_N9w8CJXQnfOOwCLcBGAsYHQ/w640-h200/p3.jpeg)

  

**Nenhum comentário:**

**Postar um comentário**

CVE-2021-44103: KONGA 0.14.9 - Privilege Escalation (Exploit)

The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.

Press Releases | 8 February 2022

******New address bar vulnerabilities found in DuckDuckGo and Tap Browser, disclosed by Cyber Citadel researchers, could affect millions of iOS and Android users******

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed address bar spoofing vulnerabilities today in the DuckDuckGo browser for iOS, Video Downloader Browser for Android and Tap Browser for iOS mobile web browser applications

These flaws can be exploited, by potentially tricking users into supplying sensitive information to a malicious website. Our discovery found that a malicious attacker could easily lead the unsuspecting users to believe that they are visiting a legitimate website as the address bar points to the correct website. It is pertinent to mention here that, Cyber Citadel, as a part of its responsible disclosure policy gave a time frame of 60 days to all three browsers to fix these vulnerabilities. At the time of publishing this disclosure, the issue was only addressed by DuckDuckGo.

****Address Bar Spoofing Vulnerabili**es**

Mobile web browser address bar spoofing allows an attacker to change the URL of a malicious website to one that represents a legitimate website i.e. google.com, bing.com, facebook.com, or apple.com, for example.

This vulnerability bypasses the security certificates built into most modern mobile address bars. Desktop web browsers designate a website as safe by the lock icon on the far left of an address bar that ‘guarantees’ a website has a valid SSL certificate and is, therefore, secure.

On the other hand, security indicators on mobile devices are harder to find, due to the lack of screen real-estate, and restrict the ability to interrogate security elements. With typical users being unaware of website validation on mobile web browsers, cybercriminals are free to insert fake malicious pages with spoofed URL addresses.

Address bar spoofing traditionally scores approximately 4.3 out of 10 on the Common Vulnerability Scoring System (CVSS), technically assigning address bar spoofing with a moderate impact.

However, given the substantial 667% rise in spear-phishing attacks experienced during the COVID-19 pandemic, mobile address bar spoofing should arguably be held in higher regard. In a survey conducted by Mimecast, 2.1 million domains were tied to phishing attacks, with 47% of successful attacks making use of fraudulent websites. The disclosed DuckDuckGo and Tap Browser vulnerabilities directly tie into these figures by allowing cybercriminals to make fraudulent websites more believable and, therefore, more successful in harvesting sensitive information.

**DuckDuckGo**

‘Hatched’ in 2008, DuckDuckGo has become a popular web browsing tool downloaded 5 million times per month as a mobile application or desktop extension. It gives users the ability to browse the web privately, while protecting users from internet trackers.

The recent address bar spoofing CVE-2021-44683 disclosed by Baloch and Samak considerably weakens DuckDuckGo’s promised privacy protections for iOS users.

In the proof of concept (POC), Baloch and Samak revealed that version 7.64.4 of DuckDuckGo’s iOS application was prone to address bar spoofing due to a mishandling of JavaScript’s window.open function used to open a secondary window.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-POC-copy-1.jpg)

DuckDuckGo address bar spoofing POC

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-Evidence.jpg)

DuckDuckGo address bar spoofing evidence

When exploited by a bad actor, an address bar in a secondary window opened in DuckDuckGo would display a legitimate URL despite being hosted by an attacker. This fraudulent page could be designed to trick users into supplying sensitive PII such as usernames and passwords.

**Tap Browser**

Built exclusively for iOS, Tap Browser is used for its additional web browsing functionalities such as easy navigation icons, in-app media players and an in-built VPN service.

Although a relatively low user base (7,000 downloads), the Tap Browser address bar spoofing vulnerability part of the CVE-2021-44683 disclosed by Baloch and Samak was open to secondary window exploitation.

In the POC, Baloch and Samak demonstrated how a secondary window could be spoofed by a bad actor to replicate Facebook, Gmail, Apple and Bing browsers.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-1.jpg)

1\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS1.png)

1\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-2.jpeg)

2\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS2.png)

2\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-3.jpeg)

3\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS3.png)

3\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-4.jpg)

4\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS4.png)

4\. Evidence of address bar spoofing in Tap Browser

**Response from Vendors**

**Vendor**

**Service**

**Version**

**Platform**

**Reported Date**

**Fixed**

**CVE**

DuckDuckGo

DuckDuckGo

7.64.4

iOS

26/09/21

7.64.18

CVE-2021-44683

Tap Browser

Tap Browser

1.2

iOS

26/09/21

Unfixed

N/A

**HexCon Talk on Address Bar Spoofing Flaws**

This is not the first time, Rafay Baloch has found flaws in browsers. In October 2021 at the Hexcon Security conference, Rafay Baloch presented his findings across various mobile browsers titled “What you see, is not always what you get”. Various categories of address bar spoofing vulnerabilities were discussed along with how these vulnerabilities can be used to abuse security mechanisms in browsers.

**Previous CVEs Disclosed by Cyber Citadel Researchers**

This disclosure by Cyber Citadel security researchers comes a year after Rafay Baloch teamed up with Rapid7’s Director of Research Tod Beardsley to disclose a similar address bar vulnerability across seven mobile web browsers including Apple Safari and Opera Touch.

Baloch reported multiple vulnerabilities on Chrome and Firefox browsers in 2016, Google Inc’s Android browser in 2014, and was paid a total of US$10,000 for reporting a Code Execution/Command Execution vulnerability on PayPal’s sub-domain in 2012. He is considered one of the world’s top ethical hackers and listed in the Google, Facebook, PayPal and Microsoft Hall of Fame.

CVE-2021-44683: Multiple Address Bar Spoofing Flaws in Mobile Browsers - Cyber Citadel

A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information.

\* **\[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses**
**@ 2021-09-29 22:57 Eric Dumazet**
  2021-09-30 13:30 \` patchwork-bot+netdevbpf
  2022-03-24  8:03 \` wanghai (M)
  0 siblings, 2 replies; 5+ messages in thread
From: Eric Dumazet @ 2021-09-29 22:57 UTC (permalink / raw)
  To: David S . Miller, Jakub Kicinski
  Cc: netdev, Eric Dumazet, Eric Dumazet, Jann Horn,
	Eric W . Biederman, Luiz Augusto von Dentz, Marcel Holtmann

From: Eric Dumazet <edumazet@google.com>

Jann Horn reported that SO\_PEERCRED and SO\_PEERGROUPS implementations
are racy, as af\_unix can concurrently change sk\_peer\_pid and sk\_peer\_cred.

In order to fix this issue, this patch adds a new spinlock that needs
to be used whenever these fields are read or written.

Jann also pointed out that l2cap\_sock\_get\_peer\_pid\_cb() is currently
reading sk->sk\_peer\_pid which makes no sense, as this field
is only possibly set by AF\_UNIX sockets.
We will have to clean this in a separate patch.
This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get\_peer\_pid callback"
or implementing what was truly expected.

Fixes: 109f6e39fa07 ("af\_unix: Allow SO\_PEERCRED to work across namespaces.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
---
 include/net/sock.h |  2 ++
 net/core/sock.c    | 32 ++++++++++++++++++++++++++------
 net/unix/af\_unix.c | 34 ++++++++++++++++++++++++++++------
 3 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index c005c3c750e89b6d4d36d36ccfad392a7e733603..f471cd0a6f98cb5b2b961f01c2de62870d61521e 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -488,8 +488,10 @@ struct sock {
 	u8			sk\_prefer\_busy\_poll;
 	u16			sk\_busy\_poll\_budget;
 #endif
+	spinlock\_t		sk\_peer\_lock;
 	struct pid		\*sk\_peer\_pid;
 	const struct cred	\*sk\_peer\_cred;
+
 	long			sk\_rcvtimeo;
 	ktime\_t			sk\_stamp;
 #if BITS\_PER\_LONG==32
diff --git a/net/core/sock.c b/net/core/sock.c
index 512e629f97803f3216db8f054e97fd1b7a6e6c63..c70cbce69a66181c3688862ea51aa781b3ce4f97 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1376,6 +1376,16 @@ int sock\_setsockopt(struct socket \*sock, int level, int optname,
 }
 EXPORT\_SYMBOL(sock\_setsockopt);
 
+static const struct cred \*sk\_get\_peer\_cred(struct sock \*sk)
+{
+	const struct cred \*cred;
+
+	spin\_lock(&sk->sk\_peer\_lock);
+	cred = get\_cred(sk->sk\_peer\_cred);
+	spin\_unlock(&sk->sk\_peer\_lock);
+
+	return cred;
+}
 
 static void cred\_to\_ucred(struct pid \*pid, const struct cred \*cred,
 			  struct ucred \*ucred)
@@ -1552,7 +1562,11 @@ int sock\_getsockopt(struct socket \*sock, int level, int optname,
 		struct ucred peercred;
 		if (len > sizeof(peercred))
 			len = sizeof(peercred);
+
+		spin\_lock(&sk->sk\_peer\_lock);
 		cred\_to\_ucred(sk->sk\_peer\_pid, sk->sk\_peer\_cred, &peercred);
+		spin\_unlock(&sk->sk\_peer\_lock);
+
 		if (copy\_to\_user(optval, &peercred, len))
 			return -EFAULT;
 		goto lenout;
@@ -1560,20 +1574,23 @@ int sock\_getsockopt(struct socket \*sock, int level, int optname,
 
 	case SO\_PEERGROUPS:
 	{
+		const struct cred \*cred;
 		int ret, n;
 
\-		if (!sk->sk\_peer\_cred)
+		cred = sk\_get\_peer\_cred(sk);
+		if (!cred)
 			return -ENODATA;
 
\-		n = sk->sk\_peer\_cred->group\_info->ngroups;
+		n = cred->group\_info->ngroups;
 		if (len < n \* sizeof(gid\_t)) {
 			len = n \* sizeof(gid\_t);
+			put\_cred(cred);
 			return put\_user(len, optlen) ? -EFAULT : -ERANGE;
 		}
 		len = n \* sizeof(gid\_t);
 
\-		ret = groups\_to\_user((gid\_t \_\_user \*)optval,
-				     sk->sk\_peer\_cred->group\_info);
+		ret = groups\_to\_user((gid\_t \_\_user \*)optval, cred->group\_info);
+		put\_cred(cred);
 		if (ret)
 			return ret;
 		goto lenout;
@@ -1935,9 +1952,10 @@ static void \_\_sk\_destruct(struct rcu\_head \*head)
 		sk->sk\_frag.page = NULL;
 	}
 
\-	if (sk->sk\_peer\_cred)
-		put\_cred(sk->sk\_peer\_cred);
+	/\* We do not need to acquire sk->sk\_peer\_lock, we are the last user. \*/
+	put\_cred(sk->sk\_peer\_cred);
 	put\_pid(sk->sk\_peer\_pid);
+
 	if (likely(sk->sk\_net\_refcnt))
 		put\_net(sock\_net(sk));
 	sk\_prot\_free(sk->sk\_prot\_creator, sk);
@@ -3145,6 +3163,8 @@ void sock\_init\_data(struct socket \*sock, struct sock \*sk)
 
 	sk->sk\_peer\_pid 	=	NULL;
 	sk->sk\_peer\_cred	=	NULL;
+	spin\_lock\_init(&sk->sk\_peer\_lock);
+
 	sk->sk\_write\_pending	=	0;
 	sk->sk\_rcvlowat		=	1;
 	sk->sk\_rcvtimeo		=	MAX\_SCHEDULE\_TIMEOUT;
diff --git a/net/unix/af\_unix.c b/net/unix/af\_unix.c
index f505b89bda6adefe973806f842001d428fc6c5ca..efac5989edb5d37881139bb1ad2fb9cf63bd7342 100644
--- a/net/unix/af\_unix.c
+++ b/net/unix/af\_unix.c
@@ -608,20 +608,42 @@ static void unix\_release\_sock(struct sock \*sk, int embrion)
 
 static void init\_peercred(struct sock \*sk)
 {
\-	put\_pid(sk->sk\_peer\_pid);
-	if (sk->sk\_peer\_cred)
-		put\_cred(sk->sk\_peer\_cred);
+	const struct cred \*old\_cred;
+	struct pid \*old\_pid;
+
+	spin\_lock(&sk->sk\_peer\_lock);
+	old\_pid = sk->sk\_peer\_pid;
+	old\_cred = sk->sk\_peer\_cred;
 	sk->sk\_peer\_pid  = get\_pid(task\_tgid(current));
 	sk->sk\_peer\_cred = get\_current\_cred();
+	spin\_unlock(&sk->sk\_peer\_lock);
+
+	put\_pid(old\_pid);
+	put\_cred(old\_cred);
 }
 
 static void copy\_peercred(struct sock \*sk, struct sock \*peersk)
 {
\-	put\_pid(sk->sk\_peer\_pid);
-	if (sk->sk\_peer\_cred)
-		put\_cred(sk->sk\_peer\_cred);
+	const struct cred \*old\_cred;
+	struct pid \*old\_pid;
+
+	if (sk < peersk) {
+		spin\_lock(&sk->sk\_peer\_lock);
+		spin\_lock\_nested(&peersk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
+	} else {
+		spin\_lock(&peersk->sk\_peer\_lock);
+		spin\_lock\_nested(&sk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
+	}
+	old\_pid = sk->sk\_peer\_pid;
+	old\_cred = sk->sk\_peer\_cred;
 	sk->sk\_peer\_pid  = get\_pid(peersk->sk\_peer\_pid);
 	sk->sk\_peer\_cred = get\_cred(peersk->sk\_peer\_cred);
+
+	spin\_unlock(&sk->sk\_peer\_lock);
+	spin\_unlock(&peersk->sk\_peer\_lock);
+
+	put\_pid(old\_pid);
+	put\_cred(old\_cred);
 }
 
 static int unix\_listen(struct socket \*sock, int backlog)
-- 
2.33.0.800.g4c38ced690-goog

^ permalink raw reply	\[**flat**|nested\] 5+ messages in thread

\* **Re: \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses**
  2021-09-29 22:57 \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses Eric Dumazet
**@ 2021-09-30 13:30 \` patchwork-bot+netdevbpf**
  2022-03-24  8:03 \` wanghai (M)
  1 sibling, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-09-30 13:30 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: davem, kuba, netdev, edumazet, jannh, ebiederm, luiz.von.dentz, marcel

Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed, 29 Sep 2021 15:57:50 -0700 you wrote:
\> From: Eric Dumazet <edumazet@google.com>
> 
> Jann Horn reported that SO\_PEERCRED and SO\_PEERGROUPS implementations
> are racy, as af\_unix can concurrently change sk\_peer\_pid and sk\_peer\_cred.
> 
> In order to fix this issue, this patch adds a new spinlock that needs
> to be used whenever these fields are read or written.
> 
> \[...\]
Here is the summary with links:
  - \[net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses
    https://git.kernel.org/netdev/net/c/35306eb23814

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

^ permalink raw reply	\[**flat**|nested\] 5+ messages in thread

\* **Re: \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses**
  2021-09-29 22:57 \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses Eric Dumazet
  2021-09-30 13:30 \` patchwork-bot+netdevbpf
**@ 2022-03-24  8:03 \` wanghai (M)**
  2022-03-24  9:04   \` Kuniyuki Iwashima
  1 sibling, 1 reply; 5+ messages in thread
From: wanghai (M) @ 2022-03-24  8:03 UTC (permalink / raw)
  To: Eric Dumazet, David S . Miller, Jakub Kicinski
  Cc: netdev, Eric Dumazet, Jann Horn, Eric W . Biederman,
	Luiz Augusto von Dentz, Marcel Holtmann


在 2021/9/30 6:57, Eric Dumazet 写道:
\> From: Eric Dumazet <edumazet@google.com>
>
> Jann Horn reported that SO\_PEERCRED and SO\_PEERGROUPS implementations
> are racy, as af\_unix can concurrently change sk\_peer\_pid and sk\_peer\_cred.
>
> In order to fix this issue, this patch adds a new spinlock that needs
> to be used whenever these fields are read or written.
>
> Jann also pointed out that l2cap\_sock\_get\_peer\_pid\_cb() is currently
> reading sk->sk\_peer\_pid which makes no sense, as this field
> is only possibly set by AF\_UNIX sockets.
> We will have to clean this in a separate patch.
> This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get\_peer\_pid callback"
> or implementing what was truly expected.
>
> Fixes: 109f6e39fa07 ("af\_unix: Allow SO\_PEERCRED to work across namespaces.")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Jann Horn <jannh@google.com>
> Cc: Eric W. Biederman <ebiederm@xmission.com>
> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Cc: Marcel Holtmann <marcel@holtmann.org>
> ---
...
\>   static void copy\_peercred(struct sock \*sk, struct sock \*peersk)
>   {
> -	put\_pid(sk->sk\_peer\_pid);
> -	if (sk->sk\_peer\_cred)
> -		put\_cred(sk->sk\_peer\_cred);
> +	const struct cred \*old\_cred;
> +	struct pid \*old\_pid;
> +
> +	if (sk < peersk) {
> +		spin\_lock(&sk->sk\_peer\_lock);
> +		spin\_lock\_nested(&peersk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
> +	} else {
> +		spin\_lock(&peersk->sk\_peer\_lock);
> +		spin\_lock\_nested(&sk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
> +	}
Hi, ALL.
I'm sorry to bother you.

This patch adds sk\_peer\_lock to solve the problem that af\_unix may
concurrently change sk\_peer\_pid and sk\_peer\_cred.

I am confused as to why the order of locks is needed here based on
the address size of sk and peersk.

Any feedback would be appreciated, thanks.
\> +	old\_pid = sk->sk\_peer\_pid;
> +	old\_cred = sk->sk\_peer\_cred;
>   	sk->sk\_peer\_pid  = get\_pid(peersk->sk\_peer\_pid);
>   	sk->sk\_peer\_cred = get\_cred(peersk->sk\_peer\_cred);
> +
> +	spin\_unlock(&sk->sk\_peer\_lock);
> +	spin\_unlock(&peersk->sk\_peer\_lock);
> +
> +	put\_pid(old\_pid);
> +	put\_cred(old\_cred);
>   }
>   
>   static int unix\_listen(struct socket \*sock, int backlog)
-- 
Wang Hai

^ permalink raw reply	\[**flat**|nested\] 5+ messages in thread

\* **Re: \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses**
  2022-03-24  8:03 \` wanghai (M)
**@ 2022-03-24  9:04   \` Kuniyuki Iwashima**
  2022-03-24 11:15     \` wanghai (M)
  0 siblings, 1 reply; 5+ messages in thread
From: Kuniyuki Iwashima @ 2022-03-24  9:04 UTC (permalink / raw)
  To: wanghai38
  Cc: davem, ebiederm, edumazet, eric.dumazet, jannh, kuba,
	luiz.von.dentz, marcel, netdev

From:   "wanghai (M)" <wanghai38@huawei.com>
Date:   Thu, 24 Mar 2022 16:03:31 +0800
\> 在 2021/9/30 6:57, Eric Dumazet 写道:
>> From: Eric Dumazet <edumazet@google.com>
>>
>> Jann Horn reported that SO\_PEERCRED and SO\_PEERGROUPS implementations
>> are racy, as af\_unix can concurrently change sk\_peer\_pid and sk\_peer\_cred.
>>
>> In order to fix this issue, this patch adds a new spinlock that needs
>> to be used whenever these fields are read or written.
>>
>> Jann also pointed out that l2cap\_sock\_get\_peer\_pid\_cb() is currently
>> reading sk->sk\_peer\_pid which makes no sense, as this field
>> is only possibly set by AF\_UNIX sockets.
>> We will have to clean this in a separate patch.
>> This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get\_peer\_pid callback"
>> or implementing what was truly expected.
>>
>> Fixes: 109f6e39fa07 ("af\_unix: Allow SO\_PEERCRED to work across namespaces.")
>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>> Reported-by: Jann Horn <jannh@google.com>
>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>> Cc: Marcel Holtmann <marcel@holtmann.org>
>> ---
> ...
>>   static void copy\_peercred(struct sock \*sk, struct sock \*peersk)
>>   {
>> -	put\_pid(sk->sk\_peer\_pid);
>> -	if (sk->sk\_peer\_cred)
>> -		put\_cred(sk->sk\_peer\_cred);
>> +	const struct cred \*old\_cred;
>> +	struct pid \*old\_pid;
>> +
>> +	if (sk < peersk) {
>> +		spin\_lock(&sk->sk\_peer\_lock);
>> +		spin\_lock\_nested(&peersk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
>> +	} else {
>> +		spin\_lock(&peersk->sk\_peer\_lock);
>> +		spin\_lock\_nested(&sk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
>> +	}
> Hi, ALL.
> I'm sorry to bother you.
> 
> This patch adds sk\_peer\_lock to solve the problem that af\_unix may
> concurrently change sk\_peer\_pid and sk\_peer\_cred.
> 
> I am confused as to why the order of locks is needed here based on
> the address size of sk and peersk.
To simply avoid dead lock.  These locks must be acquired in the same
order.  The smaller address lock is acquired first, then larger one.

  e.g.) CPU-A calls copy\_peercred(sk-A, sk-B), and
        CPU-B calls copy\_peercred(sk-B, sk-A).

There are some implementations like this:

  $ grep -rn double\_lock

\> 
> Any feedback would be appreciated, thanks.
>> +	old\_pid = sk->sk\_peer\_pid;
>> +	old\_cred = sk->sk\_peer\_cred;
>>   	sk->sk\_peer\_pid  = get\_pid(peersk->sk\_peer\_pid);
>>   	sk->sk\_peer\_cred = get\_cred(peersk->sk\_peer\_cred);
>> +
>> +	spin\_unlock(&sk->sk\_peer\_lock);
>> +	spin\_unlock(&peersk->sk\_peer\_lock);
>> +
>> +	put\_pid(old\_pid);
>> +	put\_cred(old\_cred);
>>   }
>>   
>>   static int unix\_listen(struct socket \*sock, int backlog)
> 
> -- 
> Wang Hai
^ permalink raw reply	\[**flat**|nested\] 5+ messages in thread

\* **Re: \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses**
  2022-03-24  9:04   \` Kuniyuki Iwashima
**@ 2022-03-24 11:15     \` wanghai (M)**
  0 siblings, 0 replies; 5+ messages in thread
From: wanghai (M) @ 2022-03-24 11:15 UTC (permalink / raw)
  To: Kuniyuki Iwashima
  Cc: davem, ebiederm, edumazet, eric.dumazet, jannh, kuba,
	luiz.von.dentz, marcel, netdev


在 2022/3/24 17:04, Kuniyuki Iwashima 写道:
\> From:   "wanghai (M)" <wanghai38@huawei.com>
> Date:   Thu, 24 Mar 2022 16:03:31 +0800
>> 在 2021/9/30 6:57, Eric Dumazet 写道:
>>> From: Eric Dumazet <edumazet@google.com>
>>>
>>> Jann Horn reported that SO\_PEERCRED and SO\_PEERGROUPS implementations
>>> are racy, as af\_unix can concurrently change sk\_peer\_pid and sk\_peer\_cred.
>>>
>>> In order to fix this issue, this patch adds a new spinlock that needs
>>> to be used whenever these fields are read or written.
>>>
>>> Jann also pointed out that l2cap\_sock\_get\_peer\_pid\_cb() is currently
>>> reading sk->sk\_peer\_pid which makes no sense, as this field
>>> is only possibly set by AF\_UNIX sockets.
>>> We will have to clean this in a separate patch.
>>> This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get\_peer\_pid callback"
>>> or implementing what was truly expected.
>>>
>>> Fixes: 109f6e39fa07 ("af\_unix: Allow SO\_PEERCRED to work across namespaces.")
>>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>>> Reported-by: Jann Horn <jannh@google.com>
>>> Cc: Eric W. Biederman <ebiederm@xmission.com>
>>> Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>> Cc: Marcel Holtmann <marcel@holtmann.org>
>>> ---
>> ...
>>>    static void copy\_peercred(struct sock \*sk, struct sock \*peersk)
>>>    {
>>> -	put\_pid(sk->sk\_peer\_pid);
>>> -	if (sk->sk\_peer\_cred)
>>> -		put\_cred(sk->sk\_peer\_cred);
>>> +	const struct cred \*old\_cred;
>>> +	struct pid \*old\_pid;
>>> +
>>> +	if (sk < peersk) {
>>> +		spin\_lock(&sk->sk\_peer\_lock);
>>> +		spin\_lock\_nested(&peersk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
>>> +	} else {
>>> +		spin\_lock(&peersk->sk\_peer\_lock);
>>> +		spin\_lock\_nested(&sk->sk\_peer\_lock, SINGLE\_DEPTH\_NESTING);
>>> +	}
>> Hi, ALL.
>> I'm sorry to bother you.
>>
>> This patch adds sk\_peer\_lock to solve the problem that af\_unix may
>> concurrently change sk\_peer\_pid and sk\_peer\_cred.
>>
>> I am confused as to why the order of locks is needed here based on
>> the address size of sk and peersk.
> To simply avoid dead lock.  These locks must be acquired in the same
> order.  The smaller address lock is acquired first, then larger one.
>
>    e.g.) CPU-A calls copy\_peercred(sk-A, sk-B), and
>          CPU-B calls copy\_peercred(sk-B, sk-A).
>
> There are some implementations like this:
>
>    $ grep -rn double\_lock
I got it, thank you for your patient explanation.
\>
>
>> Any feedback would be appreciated, thanks.
>>> +	old\_pid = sk->sk\_peer\_pid;
>>> +	old\_cred = sk->sk\_peer\_cred;
>>>    	sk->sk\_peer\_pid  = get\_pid(peersk->sk\_peer\_pid);
>>>    	sk->sk\_peer\_cred = get\_cred(peersk->sk\_peer\_cred);
>>> +
>>> +	spin\_unlock(&sk->sk\_peer\_lock);
>>> +	spin\_unlock(&peersk->sk\_peer\_lock);
>>> +
>>> +	put\_pid(old\_pid);
>>> +	put\_cred(old\_cred);
>>>    }
>>>    
>>>    static int unix\_listen(struct socket \*sock, int backlog)
>> -- 
>> Wang Hai
> .
>
\-- 
Wang Hai

^ permalink raw reply	\[**flat**|nested\] 5+ messages in thread

end of thread, other threads:\[~2022-03-24 11:15 UTC | newest\]

**Thread overview:** 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-29 22:57 \[PATCH net\] af\_unix: fix races in sk\_peer\_pid and sk\_peer\_cred accesses Eric Dumazet
2021-09-30 13:30 \` patchwork-bot+netdevbpf
2022-03-24  8:03 \` wanghai (M)
2022-03-24  9:04   \` Kuniyuki Iwashima
2022-03-24 11:15     \` wanghai (M)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2021-4203: fix races in sk_peer_pid and sk_peer_cred accesses

A flaw was found in unrestricted eBPF usage by the BPF_BTF_LOAD, leading to a possible out-of-bounds memory write in the Linux kernel’s BPF subsystem due to the way a user loads BTF. This flaw allows a local user to crash or escalate their privileges on the system.

bpf: Make per\_cpu\_ptr return rdonly PTR\_TO\_MEM.

Tag the return type of {per, this}\_cpu\_ptr with RDONLY\_MEM. The returned value of this pair of helpers is kernel object, which can not be updated by bpf programs. Previously these two helpers return PTR\_OT\_MEM for kernel objects of scalar type, which allows one to directly modify the memory. Now with RDONLY\_MEM tagging, the verifier will reject programs that write into RDONLY\_MEM. Fixes: 63d9b80dcf2c ("bpf: Introducte bpf\_this\_cpu\_ptr()") Fixes: eaa6bcb71ef6 ("bpf: Introduce bpf\_per\_cpu\_ptr()") Fixes: 4976b718c355 ("bpf: Introduce pseudo\_btf\_id") Signed-off-by: Hao Luo <haoluo@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20211217003152.48334-8-haoluo@google.com

@@ -682,7 +682,7 @@ BPF\_CALL\_2(bpf\_per\_cpu\_ptr, const void \*, ptr, u32, cpu)

const struct bpf\_func\_proto bpf\_per\_cpu\_ptr\_proto = {

.func = bpf\_per\_cpu\_ptr,

.gpl\_only = false,

\- .ret\_type = RET\_PTR\_TO\_MEM\_OR\_BTF\_ID | PTR\_MAYBE\_NULL,

\+ .ret\_type = RET\_PTR\_TO\_MEM\_OR\_BTF\_ID | PTR\_MAYBE\_NULL | MEM\_RDONLY,

.arg1\_type = ARG\_PTR\_TO\_PERCPU\_BTF\_ID,

.arg2\_type = ARG\_ANYTHING,

};

@@ -695,7 +695,7 @@ BPF\_CALL\_1(bpf\_this\_cpu\_ptr, const void \*, percpu\_ptr)

const struct bpf\_func\_proto bpf\_this\_cpu\_ptr\_proto = {

.func = bpf\_this\_cpu\_ptr,

.gpl\_only = false,

\- .ret\_type = RET\_PTR\_TO\_MEM\_OR\_BTF\_ID,

\+ .ret\_type = RET\_PTR\_TO\_MEM\_OR\_BTF\_ID | MEM\_RDONLY,

.arg1\_type = ARG\_PTR\_TO\_PERCPU\_BTF\_ID,

};

@@ -4399,15 +4399,30 @@ static int check\_mem\_access(struct bpf\_verifier\_env \*env, int insn\_idx, u32 regn

mark\_reg\_unknown(env, regs, value\_regno);

}

}

\- } else if (reg->type == PTR\_TO\_MEM) {

\+ } else if (base\_type(reg->type) == PTR\_TO\_MEM) {

\+ bool rdonly\_mem = type\_is\_rdonly\_mem(reg->type);

+

\+ if (type\_may\_be\_null(reg->type)) {

\+ verbose(env, "R%d invalid mem access '%s'\\n", regno,

\+ reg\_type\_str(env, reg->type));

\+ return -EACCES;

\+ }

+

\+ if (t == BPF\_WRITE && rdonly\_mem) {

\+ verbose(env, "R%d cannot write into %s\\n",

\+ regno, reg\_type\_str(env, reg->type));

\+ return -EACCES;

\+ }

+

if (t == BPF\_WRITE && value\_regno >= 0 &&

is\_pointer\_value(env, value\_regno)) {

verbose(env, "R%d leaks addr into mem\\n", value\_regno);

return -EACCES;

}

+

err = check\_mem\_region\_access(env, regno, off, size,

reg->mem\_size, false);

\- if (!err && t == BPF\_READ && value\_regno >= 0)

\+ if (!err && value\_regno >= 0 && (t == BPF\_READ || rdonly\_mem))

mark\_reg\_unknown(env, regs, value\_regno);

} else if (reg->type == PTR\_TO\_CTX) {

enum bpf\_reg\_type reg\_type = SCALAR\_VALUE;

@@ -6654,6 +6669,13 @@ static int check\_helper\_call(struct bpf\_verifier\_env \*env, struct bpf\_insn \*insn

regs\[BPF\_REG\_0\].type = PTR\_TO\_MEM | ret\_flag;

regs\[BPF\_REG\_0\].mem\_size = tsize;

} else {

\+ /\* MEM\_RDONLY may be carried from ret\_flag, but it

\+ \* doesn't apply on PTR\_TO\_BTF\_ID. Fold it, otherwise

\+ \* it will confuse the check of PTR\_TO\_BTF\_ID in

\+ \* check\_mem\_access().

\+ \*/

\+ ret\_flag &= ~MEM\_RDONLY;

+

regs\[BPF\_REG\_0\].type = PTR\_TO\_BTF\_ID | ret\_flag;

regs\[BPF\_REG\_0\].btf = meta.ret\_btf;

regs\[BPF\_REG\_0\].btf\_id = meta.ret\_btf\_id;

@@ -9455,7 +9477,7 @@ static int check\_ld\_imm(struct bpf\_verifier\_env \*env, struct bpf\_insn \*insn)

mark\_reg\_known\_zero(env, regs, insn->dst\_reg);

dst\_reg->type = aux->btf\_var.reg\_type;

\- switch (dst\_reg->type) {

\+ switch (base\_type(dst\_reg->type)) {

case PTR\_TO\_MEM:

dst\_reg->mem\_size = aux->btf\_var.mem\_size;

break;

@@ -11678,7 +11700,7 @@ static int check\_pseudo\_btf\_id(struct bpf\_verifier\_env \*env,

err = -EINVAL;

goto err\_put;

}

\- aux->btf\_var.reg\_type = PTR\_TO\_MEM;

\+ aux->btf\_var.reg\_type = PTR\_TO\_MEM | MEM\_RDONLY;

aux->btf\_var.mem\_size = tsize;

} else {

aux->btf\_var.reg\_type = PTR\_TO\_BTF\_ID;

CVE-2022-0500: git/torvalds/linux.git - Linux kernel source tree

Unauthenticated Stored Cross-Site Scripting (XSS) in Simple Ajax Chat <= 20220115 allows an attacker to store the malicious code. However, the attack requires specific conditions, making it hard to exploit.

CVE-2022-25610: Simple Ajax Chat

wpsupdater.exe in Kingsoft WPS Office through 11.2.0.10382 allows remote code execution by modifying HKEY_CURRENT_USER in the registry.

**All in One, One for All**

![WPS Writer](https://website-prod.cache.wpscdn.com/img/writer_palette.42f3d2a.svg) ![WPS Writer](https://website-prod.cache.wpscdn.com/img/writer_tubularis.534bd31.svg)

![](https://website-prod.cache.wpscdn.com/img/writer_annotate.6af4b11.svg)

**All in One, One for All**

As an industry-leading office software provider, WPS Office brings convenience and professional support for people in business, education, and home scenarios.

Our office suite is also fully compatible with common products, such as Microsoft Office and Google Docs. The four components of WPS Office are Writer, Spreadsheet, Presentation, and PDF, which can meet your daily work and study requirements. You can use WPS Office exactly the same way you would use Microsoft Word, Excel, and PowerPoint.

![WPS Writer user reviews](https://website-prod.cache.wpscdn.com/img/p1.7d1a212.png)

Patricia Pavel

WPS meets my needs, because I use my mobile phone and iPad when I'm out and use a computer when I'm working. With WPS, I don't need to spend a lot of time transferring files between the computer and the mobile phone. Anyway, it is a free and amazing alternative to Microsoft Office, giving me better experience than MS Office. I like it very much.

CVE-2022-24934: WPS Office - Free Office Download for PC & Mobile, Alternative to MS Office

A vulnerability was found in btrfs_alloc_tree_b in fs/btrfs/extent-tree.c in the Linux kernel due to an improper lock operation in btrfs. In this flaw, a user with a local privilege may cause a denial of service (DOS) due to a deadlock problem.

From

Date

Tue, 14 Sep 2021 10:28:09 +0800

Subject

WARNING: lock held when returning to user space in \_\_btrfs\_tree\_lock

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 6880fa6c5660 Linux 5.15-rc1  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1BfaOcSWIkWUpQAgEj9p2zYVWsQxxacVl/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1rUzyMbe5vcs6khA3tL9EHTLJvsUdWcgB/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1HOZwnXJ42eEmVFS7n85zRcpXCFRHTFxi/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1-OULR4sFWY4qF4KvdLpehrlsZn9mMO7V/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

loop0: detected capacity change from 0 to 32768  
BTRFS info (device loop0): disk space caching is enabled  
BTRFS info (device loop0): has skinny extents  
BTRFS info (device loop0): enabling ssd optimizations  
FAULT\_INJECTION: forcing a failure.  
name failslab, interval 1, probability 0, space 0, times 0  
CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
Call Trace:  
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]  
 dump\_stack\_lvl+0x8d/0xcf lib/dump\_stack.c:106  
 fail\_dump lib/fault-inject.c:52 \[inline\]  
 should\_fail+0x13c/0x160 lib/fault-inject.c:146  
 should\_failslab+0x5/0x10 mm/slab\_common.c:1328  
 slab\_pre\_alloc\_hook.constprop.99+0x4e/0xc0 mm/slab.h:494  
 slab\_alloc\_node mm/slub.c:3120 \[inline\]  
 slab\_alloc mm/slub.c:3214 \[inline\]  
 kmem\_cache\_alloc+0x44/0x280 mm/slub.c:3219  
 btrfs\_alloc\_delayed\_extent\_op fs/btrfs/delayed-ref.h:299 \[inline\]  
 btrfs\_alloc\_tree\_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833  
 \_\_btrfs\_cow\_block+0x16f/0x7d0 fs/btrfs/ctree.c:415  
 btrfs\_cow\_block+0x12a/0x300 fs/btrfs/ctree.c:570  
 btrfs\_search\_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768  
 btrfs\_insert\_empty\_items+0x80/0xf0 fs/btrfs/ctree.c:3905  
 btrfs\_new\_inode+0x311/0xa60 fs/btrfs/inode.c:6530  
 btrfs\_create+0x12b/0x270 fs/btrfs/inode.c:6783  
 lookup\_open+0x660/0x780 fs/namei.c:3282  
 open\_last\_lookups fs/namei.c:3352 \[inline\]  
 path\_openat+0x465/0xe20 fs/namei.c:3557  
 do\_filp\_open+0xe3/0x170 fs/namei.c:3588  
 do\_sys\_openat2+0x357/0x4a0 fs/open.c:1200  
 do\_sys\_open+0x87/0xd0 fs/open.c:1216  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46ae99  
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG\_RAX: 0000000000000055  
RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99  
RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800  
RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017  
R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0

\================================================  
WARNING: lock held when returning to user space!  
5.15.0-rc1 #16 Not tainted  
\------------------------------------------------  
syz-executor/7579 is leaving the kernel with locks still held!  
1 lock held by syz-executor/7579:  
 #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:  
\_\_btrfs\_tree\_lock+0x2e/0x1a0 fs/btrfs/locking.c:112

CVE-2021-4149: lock held when returning to user space in __btrfs_tree_lock

A use-after-free flaw was found in the add_partition in block/partitions/core.c in the Linux kernel. A local attacker with user privileges could cause a denial of service on the system. The issue results from the lack of code cleanup when device_add call fails when adding a partition to the disk.

Messages in this thread

*   First message in thread
*   Hao Sun
    *   Hao Sun
        *   Zqiang
            *   Christoph Hellwig
                *   Zqiang

From

Date

Tue, 7 Sep 2021 09:22:03 +0800

Subject

WARNING in \_\_init\_work

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash  
was triggered.

HEAD commit: 27151f177827 Merge tag 'perf-tools-for-v5.15-2021-09-04'  
git tree: upstream  
console output:  
https://drive.google.com/file/d/1M5oyA\_IcWSDB2XpnoX8SDmKJA3JhKltz/view?usp=sharing  
kernel config: https://drive.google.com/file/d/1ZMVJ2vNe0EiIEeWNVyrGb7hBdOG5Uj3e/view?usp=sharing  
C reproducer: https://drive.google.com/file/d/1AtDNXl8XEBfglKXsKsAH2NuXBcrp8Zp9/view?usp=sharing  
Syzlang reproducer:  
https://drive.google.com/file/d/1R\_XD\_cyMNS0Q\_SGSqomRy\_LIClOrd-gI/view?usp=sharing

If you fix this issue, please add the following tag to the commit:  
Reported-by: Hao Sun <sunhao.th@gmail.com>

ODEBUG: object ffffc9000073cda0 is NOT on stack ffffc90005f34000, but annotated.  
\------------\[ cut here \]------------  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
WARNING: CPU: 2 PID: 27648 at lib/debugobjects.c:548  
\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Modules linked in:  
CPU: 2 PID: 27648 Comm: syz-executor Not tainted 5.14.0+ #13  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014  
RIP: 0010:debug\_object\_is\_on\_stack lib/debugobjects.c:545 \[inline\]  
RIP: 0010:\_\_debug\_object\_init+0x224/0x520 lib/debugobjects.c:607  
Code: 84 ca fe ff ff 83 c0 01 4c 89 f6 48 c7 c7 f8 b0 3c 85 89 05 7e  
c2 56 06 65 48 8b 04 25 40 70 01 00 48 8b 50 20 e8 05 9b f5 01 <0f> 0b  
e9 9e fe ff ff 89 05 87 4d e3 03 e9 c4 fe ff ff 48 c7 c7 e0  
RSP: 0018:ffffc9000073ccf0 EFLAGS: 00010282  
RAX: 0000000000000050 RBX: ffff88810cf2f398 RCX: 0000000000000100  
RDX: 0000000000000000 RSI: ffffffff812cf85c RDI: 00000000ffffffff  
RBP: ffffffff88868538 R08: 0000000000000000 R09: 0000000000000001  
R10: ffffc9000073cc80 R11: 0000000000000005 R12: 0000000000000203  
R13: 0000000000054450 R14: ffffc9000073cda0 R15: ffff88807dd264f0  
FS:  0000000002ad0940(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000  
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033  
CR2: 00000000005061ec CR3: 0000000100da5000 CR4: 0000000000750ee0  
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000  
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400  
PKRU: 55555554  
Call Trace:  
 <IRQ>  
 \_\_init\_work+0x3f/0x50 kernel/workqueue.c:519  
 synchronize\_rcu\_expedited+0x26a/0x460 kernel/rcu/tree\_exp.h:847  
 bdi\_remove\_from\_list mm/backing-dev.c:938 \[inline\]  
 bdi\_unregister+0x97/0x270 mm/backing-dev.c:946  
 release\_bdi+0x4a/0x70 mm/backing-dev.c:968  
 kref\_put include/linux/kref.h:65 \[inline\]  
 bdi\_put+0x47/0x70 mm/backing-dev.c:976  
 bdev\_free\_inode+0x59/0xc0 fs/block\_dev.c:819  
 i\_callback+0x24/0x50 fs/inode.c:224  
 rcu\_do\_batch kernel/rcu/tree.c:2508 \[inline\]  
 rcu\_core+0x2d6/0x9f0 kernel/rcu/tree.c:2743  
 \_\_do\_softirq+0xe9/0x561 kernel/softirq.c:558  
 invoke\_softirq kernel/softirq.c:432 \[inline\]  
 \_\_irq\_exit\_rcu kernel/softirq.c:636 \[inline\]  
 irq\_exit\_rcu+0xe2/0x100 kernel/softirq.c:648  
 sysvec\_apic\_timer\_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1097  
 </IRQ>  
 asm\_sysvec\_apic\_timer\_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638  
RIP: 0010:\_\_sanitizer\_cov\_trace\_pc+0x37/0x60 kernel/kcov.c:197  
Code: 65 48 8b 14 25 40 70 01 00 81 e1 00 01 00 00 a9 00 01 ff 00 74  
0e 85 c9 74 35 8b 82 34 15 00 00 85 c0 74 2b 8b 82 10 15 00 00 <83> f8  
02 75 20 48 8b 8a 18 15 00 00 8b 92 14 15 00 00 48 8b 01 48  
RSP: 0018:ffffc90005f37b78 EFLAGS: 00000246  
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000  
RDX: ffff888109448000 RSI: ffffffff8212a28c RDI: ffffc90005f37d30  
RBP: 0000000000000006 R08: 0000000000000d40 R09: ffff8880165fc5e0  
R10: ffffc90005f37cd0 R11: 0000000000000003 R12: 0000000000000375  
R13: ffff888107597b40 R14: ffffc90005f37d30 R15: ffff8880174b0ea0  
 tomoyo\_domain\_quota\_is\_ok+0xac/0x150 security/tomoyo/util.c:1092  
 tomoyo\_supervisor+0x228/0x7f0 security/tomoyo/common.c:2089  
 tomoyo\_audit\_path\_log security/tomoyo/file.c:168 \[inline\]  
 tomoyo\_path\_permission+0xa0/0xf0 security/tomoyo/file.c:587  
 tomoyo\_path\_perm+0x22f/0x2d0 security/tomoyo/file.c:838  
 tomoyo\_path\_symlink+0x43/0x70 security/tomoyo/tomoyo.c:199  
 security\_path\_symlink+0x48/0x80 security/security.c:1164  
 do\_symlinkat+0x75/0x120 fs/namei.c:4274  
 \_\_do\_sys\_symlink fs/namei.c:4301 \[inline\]  
 \_\_se\_sys\_symlink fs/namei.c:4299 \[inline\]  
 \_\_x64\_sys\_symlink+0x3a/0x40 fs/namei.c:4299  
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]  
 do\_syscall\_64+0x34/0xb0 arch/x86/entry/common.c:80  
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae  
RIP: 0033:0x46a597  
Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66  
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 58 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffd09085778 EFLAGS: 00000206 ORIG\_RAX: 0000000000000058  
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000046a597  
RDX: 0000000000000000 RSI: 00000000004e40f9 RDI: 00007ffd09085810  
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000  
R13: 0000000000000000 R14: 00007ffd09085810 R15: 00007ffd090857cc  
\----------------  
Code disassembly (best guess):  
   0: 65 48 8b 14 25 40 70 mov    %gs:0x17040,%rdx  
   7: 01 00  
   9: 81 e1 00 01 00 00    and    $0x100,%ecx  
   f: a9 00 01 ff 00        test   $0xff0100,%eax  
  14: 74 0e                je     0x24  
  16: 85 c9                test   %ecx,%ecx  
  18: 74 35                je     0x4f  
  1a: 8b 82 34 15 00 00    mov    0x1534(%rdx),%eax  
  20: 85 c0                test   %eax,%eax  
  22: 74 2b                je     0x4f  
  24: 8b 82 10 15 00 00    mov    0x1510(%rdx),%eax  
\* 2a: 83 f8 02              cmp    $0x2,%eax <-- trapping instruction  
  2d: 75 20                jne    0x4f  
  2f: 48 8b 8a 18 15 00 00 mov    0x1518(%rdx),%rcx  
  36: 8b 92 14 15 00 00    mov    0x1514(%rdx),%edx  
  3c: 48 8b 01              mov    (%rcx),%rax  
  3f: 48                    rex.W%

Tag

#google