From: Kefeng Wang
To: Tu Jinjiang
Date: Thu, 25 May 2023 14:13:49 +0800
Subject: Re: [PATCH] mm: shmem: Fix UAF bug in shmem_show_options()
In-Reply-To: <20230525031640.593733-1-tujinjiang@huawei.com>
References: <20230525031640.593733-1-tujinjiang@huawei.com>
Sender: owner-linux-mm@kvack.org

On 2023/5/25 11:16, Tu Jinjiang wrote:
> shmem_show_options() uses sbinfo->mpol without adding its refcnt. This
> may lead to race with replacement of the mpol by remount. The execution
> sequence is as follows.
>
> CPU0                                    CPU1
> shmem_show_options()                    shmem_reconfigure()
>   shmem_show_mpol(seq, sbinfo->mpol)      mpol = sbinfo->mpol
>                                           mpol_put(mpol)
>     mpol->mode
>
> The KASAN report is as follows.
>
> BUG: KASAN: slab-use-after-free in shmem_show_options+0x21b/0x340
> Read of size 2 at addr ffff888124324004 by task mount/2388
>
> CPU: 2 PID: 2388 Comm: mount Not tainted 6.4.0-rc3-00017-g9d646009f65d-dirty #8
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
>
> dump_stack_lvl+0x37/0x50
> print_report+0xd0/0x620
> ? shmem_show_options+0x21b/0x340
> ? __virt_addr_valid+0xf4/0x180
> ? shmem_show_options+0x21b/0x340
> kasan_report+0xb8/0xe0
> ? shmem_show_options+0x21b/0x340
> shmem_show_options+0x21b/0x340
> ? __pfx_shmem_show_options+0x10/0x10
> ? strchr+0x2c/0x50
> ? strlen+0x23/0x40
> ?
seq_puts+0x7d/0x90 > show_vfsmnt+0x1e6/0x260 > ? __pfx_show_vfsmnt+0x10/0x10 > ? __kasan_kmalloc+0x7f/0x90 > seq_read_iter+0x57a/0x740 > vfs_read+0x2e2/0x4a0 > ? __pfx_vfs_read+0x10/0x10 > ? down_write_killable+0xb8/0x140 > ? __pfx_down_write_killable+0x10/0x10 > ? __fget_light+0xa9/0x1e0 > ? up_write+0x3f/0x80 > ksys_read+0xb8/0x150 > ? __pfx_ksys_read+0x10/0x10 > ? fpregs_assert_state_consistent+0x55/0x60 > ? exit_to_user_mode_prepare+0x2d/0x120 > do_syscall_64+0x3c/0x90 > entry_SYSCALL_64_after_hwframe+0x72/0xdc > > > Maybe drop the unreliable stack, not mandatory, the patch is look good to me, [snip] > > To fix the bug, shmem_get_sbmpol() / mpol_put() needs to be called > before / after shmem_show_mpol() call. > > Signed-off-by: Tu Jinjiang Reviewed-by: Kefeng Wang > --- > mm/shmem.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/mm/shmem.c b/mm/shmem.c > index e40a08c5c6d7..5e54ab5f61f2 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -3726,6 +3726,7 @@ static int shmem_reconfigure(struct fs_context *fc) > static int shmem_show_options(struct seq_file *seq, struct dentry *root) > { > struct shmem_sb_info *sbinfo = SHMEM_SB(root->d_sb); > + struct mempolicy *mpol; > > if (sbinfo->max_blocks != shmem_default_max_blocks()) > seq_printf(seq, ",size=%luk", > @@ -3768,7 +3769,9 @@ static int shmem_show_options(struct seq_file *seq, struct dentry *root) > if (sbinfo->huge) > seq_printf(seq, ",huge=%s", shmem_format_huge(sbinfo->huge)); > #endif > - shmem_show_mpol(seq, sbinfo->mpol); > + mpol = shmem_get_sbmpol(sbinfo); > + shmem_show_mpol(seq, mpol); > + mpol_put(mpol); > if (sbinfo->noswap) > seq_printf(seq, ",noswap"); > return 0;
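Review bot: in the second hunk the lifetime fix matches the changelog, but the commit message has no Fixes: tag (and no Cc: stable); a slab use-after-free that a plain read of the mounts file (show_vfsmnt() via seq_read_iter() in the trace) can hit while another task remounts should be marked for backport. One sentence in the changelog would also help future readers: `mpol = shmem_get_sbmpol(sbinfo);` may hand back NULL when no policy is configured, so the new `shmem_show_mpol(seq, mpol);` / `mpol_put(mpol);` sequence depends on both callees tolerating a NULL mpol.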
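The race in the changelog's CPU0/CPU1 diagram and the fix in the hunk, replayed as an added user-space model (not kernel code and not part of this thread): the mempolicy, shmem_sb_info, shmem_get_sbmpol(), shmem_reconfigure() and mpol_put() names are stand-ins for the kernel's, and a poison flag replaces free() so the stale read is observable and deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed user-space model of the objects in the report; not kernel code. */
struct mempolicy { int refcnt; int mode; bool freed; };  /* freed: poison flag, set instead of free() */
struct shmem_sb_info { atomic_flag stat_lock; struct mempolicy *mpol; };
static void lock(struct shmem_sb_info *sb)   { while (atomic_flag_test_and_set(&sb->stat_lock)) ; }
static void unlock(struct shmem_sb_info *sb) { atomic_flag_clear(&sb->stat_lock); }
static struct mempolicy *mpol_new(int mode)
{
    struct mempolicy *p = calloc(1, sizeof *p);
    p->refcnt = 1;
    p->mode = mode;
    return p;
}

/* Drop one reference; the last one "frees" the object (poison instead of free()). */
static void mpol_put(struct mempolicy *p) { if (p && --p->refcnt == 0) p->freed = true; }

/* The fix's helper: take a reference while the lock guarding the pointer is held. */
static struct mempolicy *shmem_get_sbmpol(struct shmem_sb_info *sb)
{
    lock(sb);
    struct mempolicy *p = sb->mpol;
    if (p)
        p->refcnt++;
    unlock(sb);
    return p;
}

/* Remount path: publish the new policy, then drop the superblock's reference on the old one. */
static void shmem_reconfigure(struct shmem_sb_info *sb, struct mempolicy *newpol)
{
    lock(sb);
    struct mempolicy *old = sb->mpol;
    sb->mpol = newpol;
    unlock(sb);
    mpol_put(old);
}

/* Replay the CPU0/CPU1 interleaving from the report in one thread. */
static bool show_options_reads_live_mpol(bool take_ref)
{
    struct shmem_sb_info sb = { ATOMIC_FLAG_INIT, mpol_new(1) };
    struct mempolicy *mpol = take_ref ? shmem_get_sbmpol(&sb) : sb.mpol; /* CPU0 */
    shmem_reconfigure(&sb, mpol_new(2));                                  /* CPU1 */
    bool live = !mpol->freed && mpol->mode == 1;                          /* CPU0: mpol->mode */
    if (take_ref) mpol_put(mpol);
    return live;
}
```

With take_ref=false the reader dereferences the poisoned object exactly as the KASAN report describes; with take_ref=true the extra reference keeps it alive across the remount.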