References: <20220210001801.15413-1-surenb@google.com> <20220209163324.bbf26e7462b217d453c5a34f@linux-foundation.org>
From: Suren Baghdasaryan
Date: Wed, 9 Feb 2022 20:34:04 -0800
Subject: Re: [PATCH 1/1] mm: Fix UAF when anon vma name is used after vma is freed
To: Andrew Morton
Cc: Colin Cross, Sumit Semwal, Michal Hocko, Dave Hansen, Kees Cook, Matthew Wilcox, "Kirill A . Shutemov", Vlastimil Babka, Johannes Weiner, "Eric W. Biederman", brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com

On Wed, Feb 9, 2022 at 7:48 PM Suren Baghdasaryan wrote:
>
> On Wed, Feb 9, 2022 at 5:02 PM Suren Baghdasaryan wrote:
> >
> > On Wed, Feb 9, 2022 at 4:33 PM Andrew Morton wrote:
> > >
> > > On Wed, 9 Feb 2022 16:18:01 -0800 Suren Baghdasaryan wrote:
> > >
> > > > When adjacent vmas are being merged it can result in the vma that was
> > > > originally passed to madvise_update_vma being destroyed. In the current
> > > > implementation, the name parameter passed to madvise_update_vma points
> > > > directly to vma->anon_name->name and it is used after the call to
> > > > vma_merge.
In the cases when vma_merge merges the original vma and > > > > destroys it, this will result in use-after-free bug as shown below: > > > > > > > > madvise_vma_behavior << passes vma->anon_name->name as name param > > > > madvise_update_vma(name) > > > > vma_merge > > > > __vma_adjust > > > > vm_area_free <-- frees the vma > > > > replace_vma_anon_name(name) <-- UAF > > > > > > > > Fix this by passing madvise_update_vma a copy of the name. > > > > > > > > ... > > > > > > > > --- a/kernel/sys.c > > > > +++ b/kernel/sys.c > > > > @@ -2263,7 +2263,6 @@ int __weak arch_prctl_spec_ctrl_set(struct task_struct *t, unsigned long which, > > > > > > > > #ifdef CONFIG_ANON_VMA_NAME > > > > > > > > -#define ANON_VMA_NAME_MAX_LEN 80 > > > > #define ANON_VMA_NAME_INVALID_CHARS "\\`$[]" > > > > > > > > static inline bool is_valid_name_char(char ch) > > > > diff --git a/mm/madvise.c b/mm/madvise.c > > > > index 5604064df464..f36a5a9942d8 100644 > > > > --- a/mm/madvise.c > > > > +++ b/mm/madvise.c > > > > @@ -976,6 +976,8 @@ static int madvise_vma_behavior(struct vm_area_struct *vma, > > > > { > > > > int error; > > > > unsigned long new_flags = vma->vm_flags; > > > > + char name_buf[ANON_VMA_NAME_MAX_LEN]; > > > > + const char *anon_name; > > > > > > > > switch (behavior) { > > > > case MADV_REMOVE: 
> > > > @@ -1040,8 +1042,18 @@ static int madvise_vma_behavior(struct vm_area_struct *vma, > > > > break; > > > > } > > > > > > > > + anon_name = vma_anon_name(vma); > > > > + if (anon_name) { > > > > + /* > > > > + * Make a copy of the name because vma might be destroyed when > > > > + * merged with another one and the name parameter might be used > > > > + * after that. > > > > + */ > > > > + strcpy(name_buf, anon_name); > > > > + anon_name = name_buf; > > > > + } > > > > error = madvise_update_vma(vma, prev, start, end, new_flags, > > > > - vma_anon_name(vma)); > > > > + anon_name); > > > > > > anon_name is refcounted. Why not use kref_get()/kref_put() instead of > > > taking a copy? > > > > Yes, I considered that. It would require new get/put APIs for > > anon_name and I thought I better keep it simple. This path is used > > only by madvise() syscall, so the copy overhead should not be > > critical. But if you think refcounting is more appropriate here I'll > > happily rework it. It should still be quite simple. Please let me > > know. > > On second thought, we might have more places in the future we need to > stabilize anon_name, so put/get API can be useful. After prototyping > the refcounting approach it looks simple enough to use instead of > copying. Let me test it a bit and I'll post a replacement patch for > this one tomorrow. Had some time to test and the patch seems stable. The refcounting version is posted at: https://lore.kernel.org/all/20220210043215.42794-1-surenb@google.com/ Thanks! > Thanks, > Suren. > > > > > >
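Review bot: the kernel/sys.c hunk removes `#define ANON_VMA_NAME_MAX_LEN 80` while the mm/madvise.c hunk declares `char name_buf[ANON_VMA_NAME_MAX_LEN];`, so the definition has to come from a header both files include; that move sits in the part of the patch elided with "..." above and should be confirmed in the full series, otherwise mm/madvise.c no longer builds.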
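Review bot: in the `@@ -976,6 +976,8 @@` hunk, `char name_buf[ANON_VMA_NAME_MAX_LEN];` puts 80 bytes on the stack of madvise_vma_behavior for every call, including any `switch (behavior)` arms that leave the function before madvise_update_vma is reached; keeping the buffer and the copy in a small helper on the update path would confine that cost to the one path that needs it.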
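Review bot: in the `@@ -1040,8 +1042,18 @@` hunk, `strcpy(name_buf, anon_name);` is unbounded, so it is safe only as long as every stored name is guaranteed to fit in ANON_VMA_NAME_MAX_LEN bytes including its terminator; `strscpy(name_buf, anon_name, sizeof(name_buf))` would make that bound explicit and truncate rather than overrun the stack if the invariant ever changes. Andrew's point in the reply applies as well: holding a reference on the refcounted anon_name across vma_merge, which the follow-up patch linked at the end adopts, removes the copy and the buffer altogether.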
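The ordering in the commit message (madvise_vma_behavior keeps a pointer into vma->anon_name->name, vma_merge frees the vma, the name is used afterwards) and the get/put stabilisation discussed in the replies, as an added user-space model in C that is not the patch's or the kernel's code: anon_vma_name_get/put, vma_merge_model and name_alive_at_use are assumed stand-ins, and the counter and the "heap" name are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#define ANON_VMA_NAME_MAX_LEN 80  /* the bound the patch's name_buf uses */

struct anon_vma_name { int refcount; char name[ANON_VMA_NAME_MAX_LEN]; };
struct vma { struct anon_vma_name *anon_name; };
static int names_freed;  /* names whose last reference has been dropped */

static struct anon_vma_name *anon_vma_name_get(struct anon_vma_name *n)
{
	if (n) n->refcount++;
	return n;
}

static void anon_vma_name_put(struct anon_vma_name *n)
{
	if (n && --n->refcount == 0) { names_freed++; free(n); }
}

/* Stand-in for vma_merge -> __vma_adjust -> vm_area_free: the vma goes away
 * and drops its reference on the name, so a raw pointer into
 * vma->anon_name->name dangles from here on. */
static void vma_merge_model(struct vma *vma)
{
	anon_vma_name_put(vma->anon_name);
	free(vma);
}

/* Plays the thread's ordering once. hold_ref == 0: the caller keeps only a
 * raw pointer across the merge (the reported UAF; never dereferenced here).
 * hold_ref == 1: take a reference first, use the name, then put it.
 * Returns 1 if the name was still allocated where it would be used. */
int name_alive_at_use(int hold_ref)
{
	struct anon_vma_name *n = calloc(1, sizeof(*n));
	struct vma *vma = calloc(1, sizeof(*vma));
	struct anon_vma_name *held;

	n->refcount = 1;  /* the vma's own reference */
	snprintf(n->name, sizeof(n->name), "%s", "heap");  /* constructed name */
	vma->anon_name = n;
	held = hold_ref ? anon_vma_name_get(vma->anon_name) : NULL;
	names_freed = 0;
	vma_merge_model(vma);  /* vma freed; the name survives only if held */
	int alive = (names_freed == 0);
	if (held) {  /* safe to read only while we hold a reference */
		alive = alive && held->name[0] == 'h';
		anon_vma_name_put(held);  /* last reference: freed only now */
	}
	return alive;
}
```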