Message-ID: <CAP145pgsaAN7uvj29Di6Qwtgrr54WvGL6X4rqU-fre8z_zJh4Q@mail.gmail.com>
Date: Tue, 24 Apr 2012 00:44:15 +0200
From: Robert Święcki <robert@...ecki.net>
To: linux-kernel@...r.kernel.org
Subject: NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (probably missing mm==NULL check)
mm/mempolicy.c
1362         mm = get_task_mm(task);
1363         put_task_struct(task);
1364         if (mm)
1365                 err = do_migrate_pages(mm, old, new,
1366                         capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL
                                                  : MPOL_MF_MOVE);
1367         else
1368                 err = -EINVAL;
1369
1370         mmput(mm);
Where mmput doesn't check for mm
kernel/fork.c
567 void mmput(struct mm_struct *mm)
568 {
569         might_sleep();
570
571         if (atomic_dec_and_test(&mm->mm_users)) {
causes NULL-ptr deref
(gdb) target remote /dev/ttyS0
Remote debugging using /dev/ttyS0
mmput (mm=0x0) at kernel/fork.c:571
571 if (atomic_dec_and_test(&mm->mm_users)) {
(gdb) bt
#0 mmput (mm=0x0) at kernel/fork.c:571
#1 0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
maxnode=<optimized out>, old_nodes=<optimized out>,
new_nodes=<optimized out>) at mm/mempolicy.c:1370
#2 0xffffffff820726c9 in ?? () at arch/x86/ia32/ia32entry.S:425
(gdb) up
#1 0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
maxnode=<optimized out>, old_nodes=<optimized out>,
new_nodes=<optimized out>) at mm/mempolicy.c:1370
1370 mmput(mm);
(gdb) p mm
$1 = (struct mm_struct *) 0x0
(gdb) p task->mm
$2 = (struct mm_struct *) 0x0
--
Robert Święcki
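The control flow in the report, modelled in userspace as an added example (this is not kernel code and not a quote of any upstream patch): get_task_mm_model() and mmput_model() keep the kernel contracts described above (NULL for a task without an address space; mmput must only ever see a live mm), migrate_pages_reported() has the exact shape of the quoted mm/mempolicy.c lines, and migrate_pages_guarded() is one assumed way to arrange the same path so the release is only reached when a reference was taken. The NULL counter inside mmput_model() exists only so the buggy path can be run without faulting; the real mmput() at kernel/fork.c:571 has no such check, which is the oops in the backtrace.

```c
#include <stdlib.h>
#include <stddef.h>
#include <errno.h>

/* Times mmput_model() was handed a NULL mm.  The real kernel has no
 * such counter: the dereference at fork.c:571 oopses instead. */
static int mmput_null_calls = 0;

struct mm_struct {
    int mm_users;               /* stands in for atomic_t mm_users */
};

struct task_struct {
    struct mm_struct *mm;       /* NULL for kernel threads and exited tasks */
};

/* Same contract as get_task_mm(): NULL when the task has no address
 * space, otherwise one extra reference on the returned mm. */
static struct mm_struct *get_task_mm_model(struct task_struct *task)
{
    if (task->mm)
        task->mm->mm_users++;
    return task->mm;
}

/* Same contract as mmput(): the argument must be a live mm.  The NULL
 * check only records the misuse so the reported path can be exercised;
 * it is a modelling aid, not something the kernel does. */
static void mmput_model(struct mm_struct *mm)
{
    if (!mm) {
        mmput_null_calls++;
        return;
    }
    if (--mm->mm_users == 0)
        free(mm);
}

/* Stand-in for do_migrate_pages(); the model only needs it to succeed. */
static int do_migrate_pages_model(struct mm_struct *mm)
{
    return mm ? 0 : -EINVAL;
}

/* Control flow of sys_migrate_pages() as quoted in the report: mmput()
 * sits after the if/else, so the no-mm branch releases a NULL pointer. */
static int migrate_pages_reported(struct task_struct *task)
{
    struct mm_struct *mm = get_task_mm_model(task);
    int err;

    if (mm)
        err = do_migrate_pages_model(mm);
    else
        err = -EINVAL;

    mmput_model(mm);            /* mm/mempolicy.c:1370 */
    return err;
}

/* Assumed fix shape: bail out before any release when no reference was
 * taken, so mmput only ever balances a successful get_task_mm. */
static int migrate_pages_guarded(struct task_struct *task)
{
    struct mm_struct *mm = get_task_mm_model(task);
    int err;

    if (!mm)
        return -EINVAL;

    err = do_migrate_pages_model(mm);
    mmput_model(mm);            /* drops the reference from get_task_mm */
    return err;
}

/* A user task's mm, holding the owning task's own reference. */
static struct mm_struct *new_mm(void)
{
    struct mm_struct *mm = calloc(1, sizeof *mm);
    if (mm)
        mm->mm_users = 1;
    return mm;
}

int main(void)
{
    struct mm_struct *mm = new_mm();
    struct task_struct user_task = { .mm = mm };
    struct task_struct kthread  = { .mm = NULL };

    migrate_pages_reported(&kthread);   /* the NULL release from the report */
    migrate_pages_guarded(&kthread);    /* clean -EINVAL, nothing released */
    migrate_pages_guarded(&user_task);  /* mm_users is back to 1 afterwards */

    mmput_model(mm);                    /* drop the owning reference */
    return mmput_null_calls == 1 ? 0 : 1;
}
```

Running it shows the two properties a reviewer would check on the real patch: the task-without-mm path never reaches the release, and the task-with-mm path leaves mm_users exactly where it started.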