lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 6 Jun 2014 13:56:20 +0200
From:	Peter Zijlstra <peterz@...radead.org>
To:	Andrey Ryabinin <a.ryabinin@...sung.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-mm@...ck.org, linux-kernel@...r.kernel.org,
	dvyukov@...gle.com, koct9i@...il.com, v3.0+@...sung.com
Subject: Re: [PATCH] mm: rmap: fix use-after-free in __put_anon_vma

On Fri, Jun 06, 2014 at 03:30:55PM +0400, Andrey Ryabinin wrote:
> While working address sanitizer for kernel I've discovered use-after-free
> bug in __put_anon_vma.
> For the last anon_vma, anon_vma->root freed before child anon_vma.
> Later in anon_vma_free(anon_vma) we are referencing to already freed anon_vma->root
> to check rwsem.
> This patch puts freeing of child anon_vma before freeing of anon_vma->root.

Yes, I think that is right indeed.

Very hard to hit, but valid since not all callers hold rcu_read_lock().

> 
> Cc: stable@...r.kernel.org # v3.0+
> Signed-off-by: Andrey Ryabinin <a.ryabinin@...sung.com>
> ---
>  mm/rmap.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/mm/rmap.c b/mm/rmap.c
> index 9c3e773..161bffc7 100644
> --- a/mm/rmap.c
> +++ b/mm/rmap.c
> @@ -1564,10 +1564,11 @@ void __put_anon_vma(struct anon_vma *anon_vma)
>  {
>  	struct anon_vma *root = anon_vma->root;
>  
> -	if (root != anon_vma && atomic_dec_and_test(&root->refcount))
> +	if (root != anon_vma && atomic_dec_and_test(&root->refcount)) {
> +		anon_vma_free(anon_vma);
>  		anon_vma_free(root);
> -
> -	anon_vma_free(anon_vma);
> +	} else
> +		anon_vma_free(anon_vma);
>  }

Why not simply move the freeing of anon_vma before the root, like:

	anon_vma_free(anon_vma);
	if (root != anon_vma && atomic_dec_and_test(&root->refcount))
		anon_vma_free(root);

?

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ