Message-Id: <20220215201922.1908156-1-surenb@google.com>
Date: Tue, 15 Feb 2022 12:19:22 -0800
From: Suren Baghdasaryan <surenb@...gle.com>
To: akpm@...ux-foundation.org
Cc: mhocko@...nel.org, mhocko@...e.com, shy828301@...il.com,
rientjes@...gle.com, willy@...radead.org, hannes@...xchg.org,
guro@...com, riel@...riel.com, minchan@...nel.org,
kirill@...temov.name, aarcange@...hat.com, brauner@...nel.org,
christian@...uner.io, hch@...radead.org, oleg@...hat.com,
david@...hat.com, jannh@...gle.com, shakeelb@...gle.com,
luto@...nel.org, christian.brauner@...ntu.com, fweimer@...hat.com,
jengelh@...i.de, timmurray@...gle.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, kernel-team@...roid.com,
surenb@...gle.com,
syzbot+2ccf63a4bd07cf39cab0@...kaller.appspotmail.com
Subject: [PATCH 1/1] mm: fix use-after-free bug when mm->mmap is reused after being freed
After exit_mmap frees all vmas in the mm, mm->mmap needs to be reset;
otherwise it points to a vma that was freed and, when reused, leads to
a use-after-free bug.
Reported-by: syzbot+2ccf63a4bd07cf39cab0@...kaller.appspotmail.com
Suggested-by: Michal Hocko <mhocko@...e.com>
Signed-off-by: Suren Baghdasaryan <surenb@...gle.com>
---
mm/mmap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/mmap.c b/mm/mmap.c
index 1e8fdb0b51ed..d445c1b9d606 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -3186,6 +3186,7 @@ void exit_mmap(struct mm_struct *mm)
vma = remove_vma(vma);
cond_resched();
}
+ mm->mmap = NULL;
mmap_write_unlock(mm);
vm_unacct_memory(nr_accounted);
}
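Review bot: the added `mm->mmap = NULL;` carries no comment explaining why the head pointer must be cleared here, and a reader of exit_mmap() alone cannot see that the mm may be reused after this point (that rationale lives only in the commit message). Consider a one-line comment above the reset, e.g. `/* mm can be reused after exit_mmap(); don't leave mm->mmap dangling */`. Placing the reset before mmap_write_unlock(mm) is the right choice, since it keeps the store under the same write lock that covered the remove_vma() loop. One question the hunk cannot answer on its own: if other per-mm references to the freed VMAs exist alongside the list head (the hunk only shows mm->mmap), do they need the same treatment so that a reused mm does not reach a freed vma through a different path?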
--
2.35.1.265.g69c8d7142f-goog
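The failure mode described in the commit message, as an added user-space example that is not part of the patch or of the kernel: a container keeps a head pointer to a linked list of objects, a teardown routine frees every object but leaves the head pointing at the first freed one, and later reuse of the container walks that dangling pointer. The `struct vma`, `struct mm`, `exit_mmap_buggy()`, `exit_mmap_fixed()` and the poisoning "slab" below are hypothetical stand-ins chosen for illustration; the poisoning allocator makes the use-after-free detectable in plain C (the way slab poisoning or KASAN would flag it) instead of relying on undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical simplified stand-ins for the kernel structures (example only). */
struct vma {
    unsigned long start, end;
    struct vma *next;        /* plays the role of vma->vm_next */
    int poisoned;            /* set by vma_free(), like slab poisoning */
};

struct mm {
    struct vma *mmap;        /* head of the VMA list, like mm->mmap */
};

/* A tiny "slab" that never hands memory back to the system, so touching a
 * freed object is detectable rather than undefined behaviour. */
#define SLAB_SIZE 16
static struct vma slab[SLAB_SIZE];
static size_t slab_used;

static void slab_reset(void) { slab_used = 0; }

static struct vma *vma_alloc(unsigned long start, unsigned long end)
{
    if (slab_used >= SLAB_SIZE)
        return NULL;
    struct vma *v = &slab[slab_used++];
    v->start = start;
    v->end = end;
    v->next = NULL;
    v->poisoned = 0;
    return v;
}

/* Like a poisoning kmem_cache_free(): the object's contents become junk. */
static void vma_free(struct vma *v)
{
    v->start = v->end = 0xdeadbeefUL;
    v->next = (struct vma *)0xdeadbeefUL;   /* never dereferenced below */
    v->poisoned = 1;
}

/* Build an mm whose list holds n adjacent VMAs (constructed sample input). */
static void mm_populate(struct mm *mm, int n)
{
    struct vma **tail = &mm->mmap;
    for (int i = 0; i < n; i++) {
        *tail = vma_alloc(0x1000UL * (i + 1), 0x1000UL * (i + 2));
        tail = &(*tail)->next;
    }
}

/* Buggy teardown: frees every VMA but leaves mm->mmap pointing at the
 * first freed object, exactly the situation the patch corrects. */
static void exit_mmap_buggy(struct mm *mm)
{
    struct vma *v = mm->mmap;
    while (v) {
        struct vma *next = v->next;
        vma_free(v);
        v = next;
    }
}

/* Fixed teardown: same loop, plus the one-line reset of the head pointer. */
static void exit_mmap_fixed(struct mm *mm)
{
    exit_mmap_buggy(mm);
    mm->mmap = NULL;
}

/* Models code that reuses the mm afterwards and walks its VMA list.
 * Returns the number of VMAs seen, or -1 if it touched freed memory. */
static int mm_count_vmas_after_reuse(const struct mm *mm)
{
    int n = 0;
    for (const struct vma *v = mm->mmap; v; v = v->next) {
        if (v->poisoned)
            return -1;   /* use-after-free: what syzbot/KASAN would report */
        n++;
    }
    return n;
}

/* Run the whole scenario with the buggy (fixed == 0) or fixed teardown. */
int run_scenario(int fixed)
{
    struct mm mm = { .mmap = NULL };
    slab_reset();
    mm_populate(&mm, 3);
    if (fixed)
        exit_mmap_fixed(&mm);
    else
        exit_mmap_buggy(&mm);
    return mm_count_vmas_after_reuse(&mm);
}

int main(void)
{
    printf("buggy teardown: walker result %d\n", run_scenario(0));
    printf("fixed teardown: walker result %d\n", run_scenario(1));
    return 0;
}
```

The buggy run returns -1 because the walker lands on a poisoned object through the stale head pointer; the fixed run returns 0 because the list is empty when it is reused. The general lesson matches the patch: whenever a teardown path frees the objects a container references, the container's own references must be cleared in the same critical section, or any later reuse of the container becomes a use-after-free.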