From: Suren Baghdasaryan
Date: Thu, 10 Feb 2022 17:33:00 -0800
Subject: Re: [PATCH v2 1/1] mm: fix use-after-free when anon vma name is used after vma is freed
To: Matthew Wilcox
Cc: Michal Hocko, Andrew Morton, Colin Cross, Sumit Semwal, Dave Hansen, Kees Cook, "Kirill A . Shutemov", Vlastimil Babka, Johannes Weiner, "Eric W. Biederman", brauner@kernel.org, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com
References: <20220210043215.42794-1-surenb@google.com>

On Thu, Feb 10, 2022 at 11:52 AM Suren Baghdasaryan wrote:
>
> On Thu, Feb 10, 2022 at 11:35 AM Matthew Wilcox wrote:
> >
> > On Thu, Feb 10, 2022 at 08:00:15AM -0800, Suren Baghdasaryan wrote:
> > > On Thu, Feb 10, 2022 at 7:27 AM Matthew Wilcox wrote:
> > > >
> > > > On Thu, Feb 10, 2022 at 07:18:24AM -0800, Suren Baghdasaryan wrote:
> > > > > On Thu, Feb 10, 2022 at 4:40 AM 'Michal Hocko' via kernel-team wrote:
> > > > > >
> > > > > > On Wed 09-02-22 20:32:15, Suren Baghdasaryan wrote:
> > > > > > > When adjacent vmas are being merged it can result in the vma that was
> > > > > > > originally passed to madvise_update_vma being destroyed. In the current
> > > > > > > implementation, the name parameter passed to madvise_update_vma points
> > > > > > > directly to vma->anon_name->name and it is used after the call to
> > > > > > > vma_merge. In the cases when vma_merge merges the original vma and
> > > > > > > destroys it, this will result in a use-after-free bug as shown below:
> > > > > > >
> > > > > > > madvise_vma_behavior  << passes vma->anon_name->name as name param
> > > > > > >   madvise_update_vma(name)
> > > > > > >     vma_merge
> > > > > > >       __vma_adjust
> > > > > > >         vm_area_free  <-- frees the vma
> > > > > > >     replace_vma_anon_name(name)  <-- UAF
> > > > > > >
> > > > > > > Fix this by raising the name refcount and stabilizing it. Introduce
> > > > > > > vma_anon_name_{get/put} API for this purpose.
> > > > > >
> > > > > > What is the reason that madvise_update_vma uses the naked name rather
> > > > > > than the encapsulated anon_vma_name? This really just begs for problems.
> > > > >
> > > > > The reason for that is the second place it's being used from the prctl syscall:
> > > > >
> > > > > prctl_set_vma
> > > > >   madvise_set_anon_name
> > > > >     madvise_vma_anon_name
> > > > >       madvise_update_vma
> > > > >
> > > > > In that case the name parameter is not part of any anon_vma_name
> > > > > struct and therefore is stable. I can add a comment to
> > > > > madvise_update_vma indicating that the name parameter has to be stable
> > > > > if that helps.
> > > >
> > > > Seems to me it'd simplify things if replace_vma_anon_name() and
> > > > madvise_vma_anon_name() took a struct anon_vma_name instead of
> > > > a bare char *. You could construct it in madvise_set_anon_name().
> > >
> > > Ok, this can be done. However I don't think changing
> > > replace_vma_anon_name() to accept a struct anon_vma_name would be a
> > > good idea. Reader might think that the object being passed will become
> > > the vma->anon_name of the vma, while in reality that's not the case.
> >
> > Why would we not want that to be the case? It's a refcounted name.
> > I don't see why it shouldn't be shared between multiple VMAs that
> > have the same name?
>
> You are right. After I reworked the code it became apparent that
> replace_vma_anon_name() should use anon_vma_name. I have made that
> change and am testing it now. Hopefully no new surprises pop up.

v3 is posted at https://lore.kernel.org/all/20220211013032.623763-1-surenb@google.com/

> Thanks,
> Suren.
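A small C model of the refcount fix discussed in this thread, added here as an illustration; it is not the posted patch or kernel code, and the struct layouts, the "heap-arena" name and the merge-frees-the-vma scenario are constructed. It shows why pinning the refcounted anon_vma_name object before vma_merge() keeps the later replace step valid, and why the surviving vma can simply share that object.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code) of the refcounted anon VMA name and the
 * madvise_update_vma() -> vma_merge() -> replace_vma_anon_name() path. */
struct anon_vma_name { int refcount; char name[32]; };
struct vm_area { struct anon_vma_name *anon_name; };
/* The vma_anon_name_{get,put} pair the patch introduces, modelled here. */
static struct anon_vma_name *vma_anon_name_get(struct anon_vma_name *n)
{
	if (n) n->refcount++;
	return n;
}
static void vma_anon_name_put(struct anon_vma_name *n)
{
	if (n && --n->refcount == 0) free(n);
}
/* Models the vma_merge() case that destroys the original vma: the vma and the
 * reference its anon_name field held are gone; the neighbour survives. */
static struct vm_area *vma_merge(struct vm_area *vma, struct vm_area *next)
{
	vma_anon_name_put(vma->anon_name);
	free(vma);
	return next;
}
/* Fixed madvise_update_vma() shape. The buggy version passed the bare
 * vma->anon_name->name pointer and read it after vma_merge() had freed the
 * vma. Pinning the object first keeps the replace step valid; returns refcount. */
static int madvise_update_vma_fixed(struct vm_area *vma, struct vm_area *next)
{
	struct anon_vma_name *name = vma_anon_name_get(vma->anon_name);
	struct vm_area *merged = vma_merge(vma, next);  /* vma is freed here */
	vma_anon_name_put(merged->anon_name);            /* replace_vma_anon_name() */
	merged->anon_name = vma_anon_name_get(name);
	vma_anon_name_put(name);                         /* drop our pin */
	return merged->anon_name->refcount;
}
/* Constructed scenario: a vma named "heap-arena" merged into an unnamed
 * neighbour. Returns the surviving name's refcount (expected 1) or -1 on loss. */
static int demo_merge_keeps_name(void)
{
	struct vm_area *vma = calloc(1, sizeof(*vma)), *next = calloc(1, sizeof(*next));
	vma->anon_name = malloc(sizeof(*vma->anon_name));
	*vma->anon_name = (struct anon_vma_name){ .refcount = 1, .name = "heap-arena" };
	int rc = madvise_update_vma_fixed(vma, next);
	if (strcmp(next->anon_name->name, "heap-arena") != 0) rc = -1;
	vma_anon_name_put(next->anon_name);
	free(next);
	return rc;
}
```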