lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20170825104941.GC3127@leverpostej>
Date:   Fri, 25 Aug 2017 11:49:42 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     Eric Biggers <ebiggers3@...il.com>
Cc:     linux-mm@...ck.org, Andrew Morton <akpm@...ux-foundation.org>,
        linux-kernel@...r.kernel.org, Dmitry Vyukov <dvyukov@...gle.com>,
        Ingo Molnar <mingo@...nel.org>,
        Konstantin Khlebnikov <koct9i@...il.com>,
        Michal Hocko <mhocko@...e.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Vlastimil Babka <vbabka@...e.cz>, stable@...r.kernel.org,
        Eric Biggers <ebiggers@...gle.com>
Subject: Re: [PATCH] fork: fix incorrect fput of ->exe_file causing
 use-after-free

On Thu, Aug 24, 2017 at 04:02:49PM +0100, Mark Rutland wrote:
> On Wed, Aug 23, 2017 at 02:14:08PM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@...gle.com>
> > 
> > Commit 7c051267931a ("mm, fork: make dup_mmap wait for mmap_sem for
> > write killable") made it possible to kill a forking task while it is
> > waiting to acquire its ->mmap_sem for write, in dup_mmap().  However, it
> > was overlooked that this introduced an new error path before a reference
> > is taken on the mm_struct's ->exe_file.  Since the ->exe_file of the new
> > mm_struct was already set to the old ->exe_file by the memcpy() in
> > dup_mm(), it was possible for the mmput() in the error path of dup_mm()
> > to drop a reference to ->exe_file which was never taken.  This caused
> > the struct file to later be freed prematurely.
> > 
> > Fix it by updating mm_init() to NULL out the ->exe_file, in the same
> > place it clears other things like the list of mmaps.
> 
> > diff --git a/kernel/fork.c b/kernel/fork.c
> > index e075b7780421..cbbea277b3fb 100644
> > --- a/kernel/fork.c
> > +++ b/kernel/fork.c
> > @@ -806,6 +806,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> >  	mm_init_cpumask(mm);
> >  	mm_init_aio(mm);
> >  	mm_init_owner(mm, p);
> > +	RCU_INIT_POINTER(mm->exe_file, NULL);
> >  	mmu_notifier_mm_init(mm);
> >  	init_tlb_flush_pending(mm);
> >  #if defined(CONFIG_TRANSPARENT_HUGEPAGE) && !USE_SPLIT_PMD_PTLOCKS
> 
> I've been seeing similar issues on arm64 with use-after-free of a file
> and other memory corruption [1].
> 
> This patch seems to fix that; a test that normally fired in a few
> minutes has been happily running for hours with this applied.

Those haven't triggered after 24 hours, and in 16+ hours of fuzzing with
this applied, I haven't seen new issues. FWIW:

Tested-by: Mark Rutland <mark.rutland@....com>

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ