From: Suren Baghdasaryan
Date: Thu, 10 Feb 2022 07:18:24 -0800
Subject: Re: [PATCH v2 1/1] mm: fix use-after-free when anon vma name is used after vma is freed
To: Michal Hocko
Cc: Andrew Morton, Colin Cross, Sumit Semwal, Dave Hansen, Kees Cook, Matthew Wilcox, "Kirill A . Shutemov", Vlastimil Babka, Johannes Weiner, "Eric W. Biederman", brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com

On Thu, Feb 10, 2022 at 4:40 AM 'Michal Hocko' via kernel-team wrote:
>
> On Wed 09-02-22 20:32:15, Suren Baghdasaryan wrote:
> > When adjacent vmas are being merged it can result in the vma that was
> > originally passed to madvise_update_vma being destroyed. In the current
> > implementation, the name parameter passed to madvise_update_vma points
> > directly to vma->anon_name->name and it is used after the call to
> > vma_merge. In the cases when vma_merge merges the original vma and
> > destroys it, this will result in a use-after-free bug as shown below:
> >
> > madvise_vma_behavior  << passes vma->anon_name->name as name param
> >   madvise_update_vma(name)
> >     vma_merge
> >       __vma_adjust
> >         vm_area_free  <-- frees the vma
> >     replace_vma_anon_name(name) <-- UAF
> >
> > Fix this by raising the name refcount and stabilizing it. Introduce
> > vma_anon_name_{get/put} API for this purpose.
>
> What is the reason that madvise_update_vma uses the naked name rather
> than the encapsulated anon_vma_name? This really just begs for problems.

The reason for that is the second place it's being used from the prctl syscall:

prctl_set_vma
  madvise_set_anon_name
    madvise_vma_anon_name
      madvise_update_vma

In that case the name parameter is not part of any anon_vma_name struct and therefore is stable. I can add a comment to madvise_update_vma indicating that the name parameter has to be stable if that helps.

> --
> Michal Hocko
> SUSE Labs
>
> --
> To unsubscribe from this group and stop receiving emails from it, send an email to kernel-team+unsubscribe@android.com.
>
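The refcount-stabilization pattern the patch describes, as an added userspace model that is not kernel code and not part of this thread: the vma, the name object, `vma_merge`, `madvise_update_vma` and the `vma_anon_name_get`/`vma_anon_name_put` helpers are all simplified stand-ins (a plain integer replaces the kernel's kref, and `names_freed` is a constructed counter used only to verify the release). The caller pins the name with `get` before the merge that may free the vma owning it, uses the name afterwards, and drops the pin with `put`, so the string outlives its former owner without leaking.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the kernel's anon_vma_name: a refcount followed by the string.
 * The integer refcount replaces the kernel's kref (assumption for this model). */
struct anon_vma_name {
    int refcount;
    char name[];
};

/* Minimal vma: only the field this scenario needs. */
struct vm_area {
    struct anon_vma_name *anon_name;
};

/* Constructed counter: lets the caller verify the name was released exactly once. */
static int names_freed;

static struct anon_vma_name *anon_vma_name_alloc(const char *name)
{
    size_t len = strlen(name) + 1;
    struct anon_vma_name *n = malloc(sizeof(*n) + len);
    if (!n)
        return NULL;
    n->refcount = 1;          /* owned by the vma that will hold it */
    memcpy(n->name, name, len);
    return n;
}

/* Take a reference: the caller may now use the name until the matching put. */
static struct anon_vma_name *vma_anon_name_get(struct anon_vma_name *n)
{
    if (n)
        n->refcount++;
    return n;
}

/* Drop a reference; the object is freed only when the last holder lets go. */
static void vma_anon_name_put(struct anon_vma_name *n)
{
    if (n && --n->refcount == 0) {
        names_freed++;
        free(n);
    }
}

/* Models the hazard in the thread: merging destroys the original vma and
 * drops the vma's own reference to its name. */
static void vma_merge(struct vm_area **vma)
{
    vma_anon_name_put((*vma)->anon_name);
    free(*vma);
    *vma = NULL;
}

/* Fixed shape: the name is pinned across vma_merge, so using it afterwards is
 * safe even when the vma that owned it has just been freed. */
static void madvise_update_vma(struct vm_area **vma, struct anon_vma_name *name,
                               char *out, size_t outlen)
{
    vma_anon_name_get(name);
    vma_merge(vma);                        /* may free the vma owning 'name' */
    snprintf(out, outlen, "%s", name->name); /* still valid: we hold a reference */
    vma_anon_name_put(name);
}

/* Runs the scenario with a constructed name. Returns 1 when the name was
 * readable after the merge and released exactly once, 0 otherwise. */
int stable_name_scenario(void)
{
    char out[32] = {0};
    struct vm_area *vma = malloc(sizeof(*vma));
    if (!vma)
        return 0;
    names_freed = 0;
    vma->anon_name = anon_vma_name_alloc("heap_arena");
    if (!vma->anon_name) {
        free(vma);
        return 0;
    }
    /* Pass the pointer the vma itself owns, exactly the situation the patch fixes. */
    madvise_update_vma(&vma, vma->anon_name, out, sizeof(out));
    return vma == NULL && strcmp(out, "heap_arena") == 0 && names_freed == 1;
}

int main(void)
{
    printf("name stable across merge: %s\n", stable_name_scenario() ? "yes" : "no");
    return 0;
}
```

Without the `get`/`put` pair, the `vma_merge` call would drop the last reference and the `snprintf` would read freed memory, which is the use-after-free in the quoted call chain; the model keeps only the corrected ordering.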