Date:	Tue, 23 Dec 2008 19:38:21 +0900
From:	Akinobu Mita <akinobu.mita@...il.com>
To:	linux-kernel@...r.kernel.org
Cc:	linux-mm@...ck.org, akpm@...ux-foundation.org
Subject: [PATCH] fix unmap_vmas() with NULL vma

unmap_vmas() with NULL vma causes a kernel NULL pointer dereference by
vma->mm.

It happens in the following scenario:

1. dup_mm() duplicates mm_struct and ->mmap is NULL
2. dup_mm() calls dup_mmap() to duplicate vmas
3. If dup_mmap() cannot duplicate any vmas due to not enough memory,
   it returns an error and ->mmap is still NULL
4. dup_mm() calls mmput() with the incompletely duplicated mm_struct to
   deallocate it
5. mmput() calls exit_mmap() with the mm_struct
6. exit_mmap() calls unmap_vmas() with NULL vma

Cc: linux-mm@...ck.org
Signed-off-by: Akinobu Mita <akinobu.mita@...il.com>
---
 mm/memory.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: 2.6-rc/mm/memory.c
===================================================================
--- 2.6-rc.orig/mm/memory.c
+++ 2.6-rc/mm/memory.c
@@ -899,8 +899,12 @@ unsigned long unmap_vmas(struct mmu_gath
 	unsigned long start = start_addr;
 	spinlock_t *i_mmap_lock = details? details->i_mmap_lock: NULL;
 	int fullmm = (*tlbp)->fullmm;
-	struct mm_struct *mm = vma->vm_mm;
+	struct mm_struct *mm;
+
+	if (!vma)
+		return start;
 
+	mm = vma->vm_mm;
 	mmu_notifier_invalidate_range_start(mm, start_addr, end_addr);
 	for ( ; vma && vma->vm_start < end_addr; vma = vma->vm_next) {
 		unsigned long end;
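Review bot: the NULL check sits at the right spot inside unmap_vmas() (the loop's own `vma &&` test on the following line runs only after `mm = vma->vm_mm` would already have faulted), but per the changelog the only caller that can pass a NULL vma is exit_mmap() handed a half-built mm by dup_mm(), so this reads like a fix in the wrong layer: every other caller that reaches unmap_vmas() with a NULL vma would now silently return start_addr instead of exposing a broken mm. Consider bailing out of exit_mmap() when mm->mmap is NULL, so the incompletely duplicated mm never enters the unmapping path at all. If the check is kept here, please add a comment stating when vma can legitimately be NULL (the dup_mmap() OOM case), since an unexplained NULL test on this path is likely to be questioned or removed later. The early return also skips mmu_notifier_invalidate_range_start() on the next line, which is correct as long as the matching range_end further down is skipped too, as a `return` before it guarantees. Nit: the changelog refers to `vma->mm`, while the field dereferenced in this hunk is `vma->vm_mm`.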
--
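As an added illustration (not part of Akinobu's patch or of the kernel source), the following userspace C model mirrors the call chain in the description above, dup_mm() -> dup_mmap() -> mmput() -> exit_mmap() -> unmap_vmas(), with an allocation budget standing in for the OOM of step 3. The struct layouts and the model_*/run_scenario helpers are invented for this example; the input is constructed, two parent vmas covering [0x1000, 0x3000) and [0x5000, 0x6000). It also goes a little beyond the report's case, covering a dup_mmap() that fails after copying some of the vmas, which the same teardown handles.

```c
#include <errno.h>
#include <stdlib.h>

struct mm;

/* Only the fields the scenario touches; the kernel's structs are far larger. */
struct vma {
	struct vma *vm_next;
	struct mm *vm_mm;
	unsigned long vm_start;
	unsigned long vm_end;
};

struct mm {
	struct vma *mmap;        /* list head; stays NULL if no vma was duplicated */
	unsigned long unmapped;  /* bytes torn down, so callers can check the result */
};

/*
 * Mirrors the patched unmap_vmas(): the NULL test must precede the first use
 * of vma, because the for-loop's own "vma &&" condition is evaluated only
 * after "mm = vma->vm_mm" has run.  Returns the address up to which the
 * unmapping got, i.e. start_addr unchanged when there was nothing to do.
 */
static unsigned long model_unmap_vmas(struct vma *vma, unsigned long start_addr,
				      unsigned long end_addr)
{
	unsigned long start = start_addr;
	struct mm *mm;

	if (!vma)
		return start;

	mm = vma->vm_mm;
	for (; vma && vma->vm_start < end_addr; vma = vma->vm_next) {
		unsigned long s = vma->vm_start > start_addr ? vma->vm_start : start_addr;
		unsigned long e = vma->vm_end < end_addr ? vma->vm_end : end_addr;

		if (e > s) {
			mm->unmapped += e - s;
			start = e;
		}
	}
	return start;
}

/* mmput() -> exit_mmap(): unmap everything, free the list, return bytes unmapped. */
static unsigned long model_mmput(struct mm *mm)
{
	struct vma *v, *next;
	unsigned long n;

	model_unmap_vmas(mm->mmap, 0, ~0UL);
	n = mm->unmapped;
	for (v = mm->mmap; v; v = next) {
		next = v->vm_next;
		free(v);
	}
	free(mm);
	return n;
}

/*
 * dup_mmap(): copy src's vma list into dst, "running out of memory" after
 * @budget successful copies.  budget == 0 is step 3 of the description:
 * nothing is copied and dst->mmap stays NULL.
 */
static int model_dup_mmap(struct mm *dst, const struct mm *src, int budget)
{
	struct vma **link = &dst->mmap;
	const struct vma *v;

	for (v = src->mmap; v; v = v->vm_next) {
		struct vma *n;

		if (budget-- <= 0)
			return -ENOMEM;
		n = malloc(sizeof *n);
		if (!n)
			return -ENOMEM;
		*n = *v;
		n->vm_mm = dst;
		n->vm_next = NULL;
		*link = n;
		link = &n->vm_next;
	}
	return 0;
}

/* Build a parent mm from constructed [start, end) pairs. */
static struct mm *model_build_mm(const unsigned long (*ranges)[2], size_t count)
{
	struct mm *mm = calloc(1, sizeof *mm);
	struct vma **link = &mm->mmap;
	size_t i;

	for (i = 0; i < count; i++) {
		struct vma *v = calloc(1, sizeof *v);

		v->vm_mm = mm;
		v->vm_start = ranges[i][0];
		v->vm_end = ranges[i][1];
		*link = v;
		link = &v->vm_next;
	}
	return mm;
}

/*
 * dup_mm() under an allocation budget: duplicate, then hand the child to
 * mmput() as step 4 does on failure (the model also exits the child on
 * success so nothing leaks).  Returns the bytes the child teardown unmapped
 * and reports dup_mmap()'s result through *err.
 */
static unsigned long run_scenario(int budget, int *err)
{
	const unsigned long ranges[2][2] = { { 0x1000, 0x3000 }, { 0x5000, 0x6000 } };
	struct mm *parent = model_build_mm(ranges, 2);
	struct mm *child = calloc(1, sizeof *child);
	unsigned long n;

	*err = model_dup_mmap(child, parent, budget);
	n = model_mmput(child);  /* budget 0: reaches unmap_vmas() with vma == NULL */
	model_mmput(parent);
	return n;
}
```

With budget 0 the child's teardown reaches model_unmap_vmas() with a NULL vma and returns cleanly with nothing unmapped; with budget 1 the partially copied child still tears down its single vma; with budget 2 the full copy is torn down. Dropping the `if (!vma)` test turns the budget-0 run into a NULL dereference, which is the crash the patch addresses.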
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/