lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <57522051-0376-b746-3969-bd43daff51bf@virtuozzo.com>
Date:   Tue, 20 Sep 2016 16:04:21 +0300
From:   Andrey Ryabinin <aryabinin@...tuozzo.com>
To:     Andrew Morton <akpm@...ux-foundation.org>,
        David Rientjes <rientjes@...gle.com>
CC:     <linux-kernel@...r.kernel.org>, <vegard.nossum@...cle.com>,
        <dvyukov@...gle.com>, <glider@...gle.com>
Subject: Re: + stackdepot-fix-mempolicy-use-after-free.patch added to -mm tree



On 09/19/2016 09:55 PM, Andrew Morton wrote:
> On Wed, 24 Aug 2016 18:08:08 -0700 (PDT) David Rientjes <rientjes@...gle.com> wrote:
> 
>>> diff -puN lib/stackdepot.c~stackdepot-fix-mempolicy-use-after-free lib/stackdepot.c
>>> --- a/lib/stackdepot.c~stackdepot-fix-mempolicy-use-after-free
>>> +++ a/lib/stackdepot.c
>>> @@ -243,6 +243,12 @@ depot_stack_handle_t depot_save_stack(st
>>>  		alloc_flags &= ~GFP_ZONEMASK;
>>>  		alloc_flags &= (GFP_ATOMIC | GFP_KERNEL);
>>>  		alloc_flags |= __GFP_NOWARN;
>>> +		/*
>>> +		 * Avoid using current->mempolicy which may already have
>>> +		 * been freed -- we may be in the process of saving the
>>> +		 * stack for exactly that __mpol_put() call.
>>> +		 */
>>> +		alloc_flags |= __GFP_THISNODE;
>>>  		page = alloc_pages(alloc_flags, STACK_ALLOC_ORDER);
>>>  		if (page)
>>>  			prealloc = page_address(page);
>>
>> This is wrong, it unnecessarily restricts the allocation to a local node 
>> and has a greater chance to fail.  Passing __GFP_THISNODE here is only an 
>> implementation detail of mempolicies to avoid reference to freed policy.  
>> It is easy to fix by using alloc_pages_node(NUMA_NO_NODE, alloc_flags, 
>> STACK_ALLOC_ORDER) instead of alloc_pages() directly.
> 
> Any volunteers to test and send the patch?
> 

This already fixed in c11600e4fed67ae4cd6 ("mm, mempolicy: task->mempolicy must be NULL before dropping final reference")

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ