lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 02 Feb 2022 08:46:22 -0600
From:   "Eric W. Biederman" <ebiederm@...ssion.com>
To:     Jann Horn <jannh@...gle.com>
Cc:     Matthew Wilcox <willy@...radead.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Denys Vlasenko <vda.linux@...glemail.com>,
        Kees Cook <keescook@...omium.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        "Liam R . Howlett" <liam.howlett@...cle.com>
Subject: Re: [PATCH 5/5] coredump: Use the vma snapshot in fill_files_note

Jann Horn <jannh@...gle.com> writes:

> On Mon, Jan 31, 2022 at 7:47 PM Eric W. Biederman <ebiederm@...ssion.com> wrote:
>> Matthew Wilcox reported that there is a missing mmap_lock in
>> file_files_note that could possibly lead to a user after free.
>>
>> Solve this by using the existing vma snapshot for consistency
>> and to avoid the need to take the mmap_lock anywhere in the
>> coredump code except for dump_vma_snapshot.
>>
>> Update the dump_vma_snapshot to capture vm_pgoff and vm_file
>> that are neeeded by fill_files_note.
>>
>> Add free_vma_snapshot to free the captured values of vm_file.
>>
>> Reported-by: Matthew Wilcox <willy@...radead.org>
>> Link: https://lkml.kernel.org/r/20220131153740.2396974-1-willy@infradead.org
>> Cc: stable@...r.kernel.org
>> Fixes: a07279c9a8cd ("binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot")
>> Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files")
>> Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
> [...]
>> +static int fill_files_note(struct memelfnote *note, struct coredump_params *cprm)
>>  {
>>         struct mm_struct *mm = current->mm;
>> -       struct vm_area_struct *vma;
>>         unsigned count, size, names_ofs, remaining, n;
>>         user_long_t *data;
>>         user_long_t *start_end_ofs;
>>         char *name_base, *name_curpos;
>> +       int i;
>>
>>         /* *Estimated* file count and total data size needed */
>>         count = mm->map_count;
>
> This function is still looking at mm->map_count in two spots, please
> change those spots to also look at cprm->vma_count. In particular the
> second one looks like it can cause memory corruption if the map_count
> changed since we created the snapshot.

Could catch I will fix that.  Correcting it not to use mm->map_count
looks like a fundamental part of the fix, and I missed it.  Oops!

> [...]
>> +static void free_vma_snapshot(struct coredump_params *cprm)
>> +{
>> +       if (cprm->vma_meta) {
>> +               int i;
>> +               for (i = 0; i < cprm->vma_count; i++) {
>> +                       struct file *file = cprm->vma_meta[i].file;
>> +                       if (file)
>> +                               fput(file);
>> +               }
>> +               kvfree(cprm->vma_meta);
>> +               cprm->vma_meta = NULL;
>
> (this NULL write is superfluous, but it also doesn't hurt)

Agreed.  It just makes the possible failure modes nicer.

Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ