Commit 73ee5302 authored Feb 22, 2021 by Yang Yingliang

futex: sched: fix UAF when free futex_exit_mutex in free_task()



hulk inclusion
category: bugfix
bugzilla: NA
CVE: NA

-------------------------------------------------

If free_task() is called on error path, it will free
futex_exit_mutex of parent process and cause UAF, so
move free of futex_exit_mutex to __put_task_struct().

Fixes: f9a5a3dea71b ("futex: sched: fix kabi broken in task_struct")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Jian Cheng <cj.chengjian@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>

parent 04d0e96b

kernel/fork.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -458,8 +458,6 @@ void free_task(struct task_struct *tsk)
		arch_release_task_struct(tsk);
		if (tsk->flags & PF_KTHREAD)
		free_kthread_struct(tsk);
		kfree(tsk->futex_exit_mutex);
		tsk->futex_exit_mutex = NULL;
		free_task_struct(tsk);
		}
		EXPORT_SYMBOL(free_task);
		@@ -731,6 +729,8 @@ void __put_task_struct(struct task_struct *tsk)
		exit_creds(tsk);
		delayacct_tsk_free(tsk);
		put_signal_struct(tsk->signal);
		kfree(tsk->futex_exit_mutex);
		tsk->futex_exit_mutex = NULL;

		if (!profile_handoff_task(tsk))
		free_task(tsk);