lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 9 Jan 2018 13:59:39 -0800
From:   Eric Biggers <ebiggers3@...il.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     syzbot 
        <bot+998c483ca801a50e3ce5b63a845216588ada5e2a@...kaller.appspotmail.com>,
        linux-fsdevel@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com, Al Viro <viro@...iv.linux.org.uk>,
        Andrea Arcangeli <aarcange@...hat.com>,
        Pavel Emelyanov <xemul@...allels.com>, linux-mm@...ck.org
Subject: Re: KASAN: use-after-free Read in handle_userfault

On Sun, Nov 26, 2017 at 10:15:17PM -0800, Eric Biggers wrote:
> +Cc aarcange@...hat.com, xemul@...allels.com, linux-mm@...ck.org
> 
> On Fri, Oct 27, 2017 at 11:46:13AM +0200, Dmitry Vyukov wrote:
> > On Fri, Oct 27, 2017 at 11:44 AM, syzbot
> > <bot+998c483ca801a50e3ce5b63a845216588ada5e2a@...kaller.appspotmail.com>
> > wrote:
> > > Hello,
> > >
> > > syzkaller hit the following crash on
> > > a31cc455c512f3f1dd5f79cac8e29a7c8a617af8
> > > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> > > compiler: gcc (GCC) 7.1.1 20170620
> > > .config is attached
> > > Raw console output is attached.
> > > C reproducer is attached
> > > syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> > > for information about syzkaller reproducers
> > 
> 
> Andrea or Pavel, can one of you please fix this?  It's another use-after-free
> related to userfaultfd "fork events", and it can easily be triggered by an
> unprivileged user.  It was reported a month ago already; the original report is
> here: https://groups.google.com/forum/#!topic/syzkaller-bugs/sS99S-Z-9No.
> (Please consider adding yourself and/or linux-mm to the MAINTAINERS file for
> fs/userfaultfd.c, so that you are Cc'ed on userfaultfd bug reports.)  In
> userfaultfd_event_wait_completion(), called from dup_fctx(), the kernel is
> freeing the the new userfaultfd_ctx because the old one had all its fd's closed,
> but actually the new one is still in use by the new mm_struct.
> 

Fixed now:

#syz fix: userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ