Message-ID: <CAJuCfpGG9zwbvfH5UZkt6cG=woeO0RGE7QxjEpXn=gFhiaDdmQ@mail.gmail.com>
Date: Tue, 15 Feb 2022 15:02:54 -0800
From: Suren Baghdasaryan <surenb@...gle.com>
To: Michal Hocko <mhocko@...e.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Colin Cross <ccross@...gle.com>,
Sumit Semwal <sumit.semwal@...aro.org>,
Dave Hansen <dave.hansen@...el.com>,
Kees Cook <keescook@...omium.org>,
Matthew Wilcox <willy@...radead.org>,
"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
Vlastimil Babka <vbabka@...e.cz>,
Johannes Weiner <hannes@...xchg.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Christian Brauner <brauner@...nel.org>, legion@...nel.org,
ran.xiaokai@....com.cn, sashal@...nel.org,
Chris Hyser <chris.hyser@...cle.com>,
Davidlohr Bueso <dave@...olabs.net>,
Peter Collingbourne <pcc@...gle.com>, caoxiaofeng@...ong.com,
David Hildenbrand <david@...hat.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
linux-mm <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
kernel-team <kernel-team@...roid.com>,
syzbot+aa7b3d4b35f9dc46a366@...kaller.appspotmail.com
Subject: Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used
after vma is freed
On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko <mhocko@...e.com> wrote:
>
> One thing I was considering is to check against ref counter overflow (a
> deep process chain with many vmas could grow really high). The refcount
> interface doesn't provide any easy way to check for overflows as far as
> I could see from a quick glance, so I gave up there, but the logic would
> be really straightforward. We just create a new anon_vma_name with the same
> content and use it when duplicating if the usage grows really
> (arbitrarily) high.
I went over the proposed changes. I see a couple of small required fixes
(resetting the name to NULL seems to be missing and I think
dup_vma_anon_name needs some tweaking) but overall it is quite
straightforward. I'll post a separate patch to do this refactoring.
The original patch is fixing the UAF issue, so I don't want to mix it
with refactoring. Please let me know if you see an issue with
separating it that way.
Thanks,
Suren.
> --
> Michal Hocko
> SUSE Labs
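The "create a new anon_vma_name with the same content when the usage grows high" idea quoted above, as an added user-space model that is not part of this thread or of the kernel's mm code. The `struct anon_vma_name`, `ANON_NAME_MAX_REFS`, `anon_vma_name_dup` and `max_refcount_after_dup_chain` below are constructed for illustration with a plain counter instead of the kernel's `refcount_t`; the threshold value is an arbitrary assumption chosen to keep the trace short.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an anon_vma_name-like object: a reference-counted string
 * that several vmas can share. Constructed for this example; not the
 * kernel's definition. */
struct anon_vma_name {
	unsigned long refcount;
	char name[32];
};

/* Hypothetical cap: once a name object is shared this many times, a
 * duplicating caller gets its own fresh copy instead of bumping the
 * shared count, so no single counter can climb towards its type limit. */
#define ANON_NAME_MAX_REFS 4UL

struct anon_vma_name *anon_vma_name_alloc(const char *name)
{
	struct anon_vma_name *n = malloc(sizeof(*n));

	if (!n)
		return NULL;
	n->refcount = 1;
	strncpy(n->name, name, sizeof(n->name) - 1);
	n->name[sizeof(n->name) - 1] = '\0';
	return n;
}

/* Drop one reference; free the object when the last holder lets go. */
void anon_vma_name_put(struct anon_vma_name *n)
{
	if (!n)
		return;
	if (--n->refcount == 0)
		free(n);
}

/* Return the object a newly duplicated vma should point at: the same
 * object with one more reference, or a fresh copy with identical content
 * once the shared count has grown "arbitrarily high". */
struct anon_vma_name *anon_vma_name_dup(struct anon_vma_name *orig)
{
	if (!orig)
		return NULL;
	if (orig->refcount < ANON_NAME_MAX_REFS) {
		orig->refcount++;
		return orig;
	}
	return anon_vma_name_alloc(orig->name);
}

/* Simulate a chain of `depth` forks that each inherit one named vma from
 * the previous process, then report the highest refcount any single name
 * object reached before everything is released again. */
unsigned long max_refcount_after_dup_chain(unsigned long depth)
{
	struct anon_vma_name **held = calloc(depth + 1, sizeof(*held));
	unsigned long i, max = 0;

	if (!held)
		return 0;
	held[0] = anon_vma_name_alloc("heap"); /* constructed sample name */
	for (i = 1; i <= depth; i++)
		held[i] = anon_vma_name_dup(held[i - 1]);
	for (i = 0; i <= depth; i++)
		if (held[i] && held[i]->refcount > max)
			max = held[i]->refcount;
	for (i = 0; i <= depth; i++)
		anon_vma_name_put(held[i]);
	free(held);
	return max;
}

int main(void)
{
	printf("max shared refcount after 100 duplications: %lu\n",
	       max_refcount_after_dup_chain(100));
	return 0;
}
```

With the cap at 4, a chain of 100 duplications never lets any one object's counter exceed 4; the cost is one extra allocation every four inheritances, which is the trade-off the quoted message alludes to. In the kernel the counter would be a `refcount_t`, so the threshold check would have to read the count through that interface rather than a bare field.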