On 4/1/20 7:00 PM, Luis Chamberlain wrote: > On commit 6ac93117ab00 ("blktrace: use existing disk debugfs directory") > Omar fixed the original blktrace code for multiqueue use. This however > left in place a possible crash, if you happen to abuse blktrace in a way > it was not intended. > > Namely, if you loop adding a device, setup the blktrace with BLKTRACESETUP, > forget to BLKTRACETEARDOWN, and then just remove the device you end up > with a panic: Weird, I swear I tested that and didn't hit it, but ... > This issue can be reproduced with break-blktrace [2] using: > > break-blktrace -c 10 -d + -s, right? > This patch fixes this issue. Note that there is also another > respective UAF but from the ioctl path [3], this should also fix > that issue. > > This patch then also contends the severity of CVE-2019-19770 as > this issue is only possible using root to shoot yourself in the > foot by also misuing blktrace. > > [0] https://bugzilla.kernel.org/show_bug.cgi?id=205713 > [1] https://nvd.nist.gov/vuln/detail/CVE-2019-19770 > [2] https://github.com/mcgrof/break-blktrace I verified that this does reproduce the exact same KASAN splat on kernel 4.19.83 as reported in the original bug, thanks! -Eric