| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Apr 2012 00:44:15 +0200
From: Robert Święcki <robert@...ecki.net>
To: linux-kernel@...r.kernel.org
Subject: NULL-ptr deref in mmput via sys_migrate_pages in 3.4-rc4 (proly
missing mm==NULL check)
mm/mempolicy.c
1362 mm = get_task_mm(task);
1363 put_task_struct(task);
1364 if (mm)
1365 err = do_migrate_pages(mm, old, new,
1366 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL
: MPOL_MF_MOVE);
1367 else
1368 err = -EINVAL;
1369
1370 mmput(mm);
Where mmput doesn't check for mm
kernel/fork.c
567 void mmput(struct mm_struct *mm)
568 {
569 might_sleep();
570
571 if (atomic_dec_and_test(&mm->mm_users)) {
causes NULL-ptr deref
(gdb) target remote /dev/ttyS0
Remote debugging using /dev/ttyS0
mmput (mm=0x0) at kernel/fork.c:571
571 if (atomic_dec_and_test(&mm->mm_users)) {
(gdb) bt
#0 mmput (mm=0x0) at kernel/fork.c:571
#1 0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
maxnode=<optimized out>, old_nodes=<optimized out>,
new_nodes=<optimized out>) at mm/mempolicy.c:1370
#2 0xffffffff820726c9 in ?? () at arch/x86/ia32/ia32entry.S:425
(gdb) up
#1 0xffffffff8116a1e0 in sys_migrate_pages (pid=<optimized out>,
maxnode=<optimized out>, old_nodes=<optimized out>,
new_nodes=<optimized out>) at mm/mempolicy.c:1370
1370 mmput(mm);
(gdb) p mm
$1 = (struct mm_struct *) 0x0
(gdb) p task->mm
$2 = (struct mm_struct *) 0x0
--
Robert Święcki
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists