| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Dec 2020 18:22:00 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Oscar Salvador <osalvador@...e.de>
Cc: n-horiguchi@...jp.nec.com, vbabka@...e.cz,
dan.j.williams@...el.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm,memory_failure: Always pin the page in
madvise_inject_error
On Mon, 7 Dec 2020 10:48:18 +0100 Oscar Salvador <osalvador@...e.de> wrote:
> madvise_inject_error() uses get_user_pages_fast to translate the
> address we specified to a page.
> After [1], we drop the extra reference count for memory_failure() path.
> That commit says that memory_failure wanted to keep the pin in order
> to take the page out of circulation.
>
> The truth is that we need to keep the page pinned, otherwise the
> page might be re-used after the put_page() and we can end up messing
> with someone else's memory.
>
> E.g:
>
> CPU0
> process X CPU1
> madvise_inject_error
> get_user_pages
> put_page
> page gets reclaimed
> process Y allocates the page
> memory_failure
> // We mess with process Y memory
>
> madvise() is meant to operate on a self address space, so messing with
> pages that do not belong to us seems the wrong thing to do.
> To avoid that, let us keep the page pinned for memory_failure as well.
>
> Pages for DAX mappings will release this extra refcount in
> memory_failure_dev_pagemap.
Does the bug have any known user-visible effects? Is a deliberate
exploit conceivable?
IOW, cc:stable and if so, why?
Powered by blists - more mailing lists