lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 7 Apr 2010 08:46:16 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Peter Zijlstra <peterz@...radead.org>
cc:	Rik van Riel <riel@...hat.com>,
	Minchan Kim <minchan.kim@...il.com>,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	Borislav Petkov <bp@...en8.de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Lee Schermerhorn <Lee.Schermerhorn@...com>,
	Nick Piggin <npiggin@...e.de>,
	Andrea Arcangeli <aarcange@...hat.com>,
	Hugh Dickins <hugh.dickins@...cali.co.uk>
Subject: Re: Ugly rmap NULL ptr deref oopsie on hibernate (was Linux
 2.6.34-rc3)



On Wed, 7 Apr 2010, Peter Zijlstra wrote:

> On Tue, 2010-04-06 at 11:28 -0700, Linus Torvalds wrote:
> > Just as an example of the kind of code that makes me worry:
> > 
> >         void unlink_anon_vmas(struct vm_area_struct *vma)
> >         {
> >                 struct anon_vma_chain *avc, *next;
> >                         
> >                 /* Unlink each anon_vma chained to the VMA. */
> >                 list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) {
> >                         anon_vma_unlink(avc);
> >                         list_del(&avc->same_vma);
> >                         anon_vma_chain_free(avc);
> >                 }
> >         }
> > 
> > Now, think about what happens for the *last* entry in that avc chain. It 
> > will call that "anon_vma_unlink()" thing, which will delete perhaps the 
> > last entry in the "same_anon_vma" one, and then it does
> > 
> >         if (empty)
> >                 anon_vma_free(anon_vma);
> > 
> > *before* unlink_anon_vma's has actually does that
> > 
> >         list_del(&avc->same_vma);
> > 
> > and what we essentially have is a stale anon_vma_chain entry that still 
> > exists on that same_vma list, and points to an anon_vma that already got 
> > deleted.
> > 
> > Does it matter? I really can't see that it does. 
> 
> I think it does, the anon_vma thing has an RCU destroyed slab, but that
> doesn't mean the anon_vma object itself is rcu delayed. The moment we
> free it it can be re-used. So the above use after free is a bug.

Well, it's not really a "use after free" - it's just that a stale pointer 
still exists in a live data structure that is linked into the list. I 
don't think there is a real bug there, simply because I don't think 
anybody will be accessing that list (we should hopefully have all the 
sufficient mutual exclusion in place).

So I just think it is bad form to potentially free something before we get 
rid of all pointers to it. So to me it's a cleanliness issue: good code 
shouldn't do things like that, and it would be much cleaner to remove the 
AVC entry that has a pointer to the anon_vma _before_ we might be freeing 
the anon_vma.

Maybe I'm just anal.

		Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ