From: Eric Biggers <ebiggers3@gmail.com>
To: Davidlohr Bueso <dave@stgolabs.net>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Manfred Spraul <manfred@colorfullife.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] ipc/shm: fix use-after-free of shm file via remap_file_pages()
Date: Mon, 9 Apr 2018 13:36:35 -0700 [thread overview]
Message-ID: <20180409203635.GD203367@gmail.com> (raw)
In-Reply-To: <20180409201232.3rweldbjtvxjj5ql@linux-n805>
On Mon, Apr 09, 2018 at 01:12:32PM -0700, Davidlohr Bueso wrote:
> On Mon, 09 Apr 2018, Eric Biggers wrote:
>
> > It's necessary because if we don't hold a reference to sfd->file, then it can be
> > a stale pointer when we compare it in __shm_open(). In particular, if the new
> > struct file happened to be allocated at the same address as the old one, then
> > 'sfd->file == shp->shm_file' so the mmap would be allowed. But, it will be a
> > different shm segment than was intended. The caller may not even have
> > permissions to map it normally, yet it would be done anyway.
> >
> > In the end it's just broken to have a pointer to something that can be freed out
> > from under you...
>
> So this is actually handled by shm_nattch, serialized by the ipc perm->lock.
> shm_destroy() is called when 0, which in turn does the fput(shm_file). Note
> that shm_file is given a count of 1 when a new segment is created (deep in
> get_empty_filp()). So I don't think the pointer is going anywhere, or am I missing
> something?
>
> Thanks,
> Davidlohr
In the remap_file_pages() case, a reference is taken to the ->vm_file, then the
segment is unmapped. If that brings ->shm_nattch to 0, then the underlying shm
segment and ID can be removed, which (currently) causes the real shm file to be
freed. But, the outer file still exists and will have ->mmap() called on it.
That's why the outer file needs to hold a reference to the real shm file.
Eric
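As an added illustration of the sequence Eric describes (this is a constructed userspace model written for this page, not kernel code and not part of the thread), the following C program models a refcounted "real" shm file, a segment that owns one reference to it, and an outer file (shm_file_data) that either keeps a bare pointer to the real file or takes its own reference. A tiny fixed pool stands in for the slab cache so that reuse of a freed slot at the same address is deterministic. The names mirror the thread's (shm_file, shm_nattch, shm_destroy, the pointer comparison in __shm_open) but the structures and the pool allocator are assumptions of the model:

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: a refcounted "real" shm file. */
struct shm_file { int refcount; int segment_id; };

/* A segment owns one reference to its real file (refcount starts at 1). */
struct shm_segment { int id; int nattch; struct shm_file *shm_file; };

/* The outer file's private data: a pointer to the real shm file. */
struct shm_file_data { struct shm_file *file; };

/* Tiny fixed pool standing in for a slab cache: the lowest free slot is
 * handed out first, so a freed object's address is reused immediately. */
#define POOL_SIZE 4
static struct shm_file pool[POOL_SIZE];
static int pool_used[POOL_SIZE];

static struct shm_file *alloc_file(int segment_id)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool_used[i]) {
            pool_used[i] = 1;
            pool[i].refcount = 1;      /* the creator's reference */
            pool[i].segment_id = segment_id;
            return &pool[i];
        }
    }
    return NULL;
}

static void free_file(struct shm_file *f)
{
    pool_used[f - pool] = 0;
    memset(f, 0, sizeof *f);
}

static void get_file(struct shm_file *f) { f->refcount++; }
static void fput(struct shm_file *f) { if (--f->refcount == 0) free_file(f); }

/* shm_destroy(): runs when nattch drops to 0 and drops the segment's
 * reference, which frees the real file if nobody else holds one. */
static void shm_destroy(struct shm_segment *shp)
{
    fput(shp->shm_file);
    shp->shm_file = NULL;
}

/* The check modelled on __shm_open(): the outer file's pointer must match
 * the segment's current real file, otherwise the mmap is refused. */
static int shm_mmap_allowed(const struct shm_file_data *sfd,
                            const struct shm_segment *shp)
{
    return shp->shm_file != NULL && sfd->file == shp->shm_file;
}

/* Replays the remap_file_pages() ordering from the thread: the segment is
 * unmapped (nattch -> 0, segment destroyed), an unrelated segment is created,
 * then ->mmap() runs on the still-existing outer file. hold_ref selects
 * whether the outer file took its own reference (the fix) or kept a bare
 * pointer (the bug). Returns 1 if the stale check lets the mmap through. */
static int run_sequence(int hold_ref)
{
    memset(pool_used, 0, sizeof pool_used);

    struct shm_segment seg_a = { .id = 1, .nattch = 0, .shm_file = alloc_file(1) };
    struct shm_file_data sfd = { .file = seg_a.shm_file };
    if (hold_ref)
        get_file(sfd.file);

    seg_a.nattch++;                 /* segment mapped */
    seg_a.nattch--;                 /* unmapped by remap_file_pages() */
    if (seg_a.nattch == 0)
        shm_destroy(&seg_a);        /* real file freed unless sfd holds a ref */

    /* A different segment is created; without the extra reference it reuses
     * the slot the first real file occupied, i.e. the same address. */
    struct shm_segment seg_b = { .id = 2, .nattch = 0, .shm_file = alloc_file(2) };

    /* The outer file's ->mmap() now runs its pointer comparison. */
    int allowed = shm_mmap_allowed(&sfd, &seg_b);

    if (hold_ref)
        fput(sfd.file);
    fput(seg_b.shm_file);
    return allowed;
}

int main(void)
{
    printf("bare pointer: mmap of the wrong segment allowed = %d\n", run_sequence(0));
    printf("with get_file(): mmap of the wrong segment allowed = %d\n", run_sequence(1));
    return 0;
}
```

With a bare pointer, run_sequence(0) returns 1: the comparison matches because the second segment's file landed at the recycled address, exactly the "different shm segment than was intended" case. With the reference held, run_sequence(1) returns 0: the first real file stays allocated until the outer file drops it, the new segment gets a different address, and the check correctly refuses the mapping.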
Thread overview:
[not found] <94eb2c06f65e5e2467055d036889@google.com>
2018-04-09 4:30 ` Eric Biggers
2018-04-09 9:48 ` Kirill A. Shutemov
2018-04-09 18:50 ` Eric Biggers
2018-04-09 20:12 ` Davidlohr Bueso
2018-04-09 20:26 ` Davidlohr Bueso
2018-04-09 20:36 ` Eric Biggers [this message]
2018-04-10 7:58 ` Kirill A. Shutemov
2018-04-10 19:14 ` Eric Biggers
2018-04-10 19:28 ` [PATCH v2] " Eric Biggers
2018-04-10 16:05 ` [PATCH] " Davidlohr Bueso