CVE-2022-50661

In the Linux kernel, the following vulnerability has been resolved:

seccomp: Move copy_seccomp() to no failure path.

Our syzbot instance reported memory leaks in doseccomp() [0], similar to the report [1]. It shows that we miss freeing struct seccompfilter and some objects included in it.

We can reproduce the issue with the program below [2] which calls one seccomp() and two clone() syscalls.

The first clone()d child exits earlier than its parent and sends a signal to kill it during the second clone(), more precisely before the fatalsignalpending() test in copyprocess(). When the parent receives the signal, it has to destroy the embryonic process and return -EINTR to user space. In the failure path, we have to call seccompfilter_release() to decrement the filter's refcount.

Initially, we called it in freetask() called from the failure path, but the commit 3a15fb6ed92c ("seccomp: release filter after task is fully dead") moved it to releasetask() to notify user space as early as possible that the filter is no longer used.

To keep the change and current seccomp refcount semantics, let's move copyseccomp() just after the signal check and add a WARNONONCE() in freetask() for future debugging.

comm "reproseccomp", pid 230, jiffies 4294687090 (age 9.914s) hex dump (first 32 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ backtrace: doseccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) dosyscall64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:120) unreferenced object 0xffffc90000035000 (size 4096): comm "reproseccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: __vmallocnoderange (mm/vmalloc.c:3226) _vmallocnode (mm/vmalloc.c:3261 (discriminator 4)) bpfprogallocnostats (kernel/bpf/core.c:91) bpfprogalloc (kernel/bpf/core.c:129) bpfprogcreatefromuser (net/core/filter.c:1414) doseccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) dosyscall64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:120) unreferenced object 0xffff888003fa1000 (size 1024): comm "reproseccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: bpfprogallocnostats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95) bpfprogalloc (kernel/bpf/core.c:129) bpfprogcreatefromuser (net/core/filter.c:1414) doseccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) dosyscall64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:120) unreferenced object 0xffff888006360240 (size 16): comm "reproseccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 16 bytes): 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........ backtrace: bpfprogstoreorigfilter (net/core/filter.c:1137) bpfprogcreatefromuser (net/core/filter.c:1428) doseccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) dosyscall64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entrySYSCALL64afterhwframe (arch/x86/entry/entry64.S:120) unreferenced object 0xffff888 ---truncated---