lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJuCfpFOy_oRp=WWqtzE7bJR7p51FzzBPtbKhWeTGOKC-n41Cg@mail.gmail.com>
Date:   Thu, 17 Feb 2022 11:54:00 -0800
From:   Suren Baghdasaryan <surenb@...gle.com>
To:     Michal Hocko <mhocko@...e.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Colin Cross <ccross@...gle.com>,
        Sumit Semwal <sumit.semwal@...aro.org>,
        Dave Hansen <dave.hansen@...el.com>,
        Kees Cook <keescook@...omium.org>,
        Matthew Wilcox <willy@...radead.org>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Johannes Weiner <hannes@...xchg.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Christian Brauner <brauner@...nel.org>, legion@...nel.org,
        ran.xiaokai@....com.cn, sashal@...nel.org,
        Chris Hyser <chris.hyser@...cle.com>,
        Davidlohr Bueso <dave@...olabs.net>,
        Peter Collingbourne <pcc@...gle.com>, caoxiaofeng@...ong.com,
        David Hildenbrand <david@...hat.com>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        linux-mm <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>,
        kernel-team <kernel-team@...roid.com>,
        syzbot+aa7b3d4b35f9dc46a366@...kaller.appspotmail.com
Subject: Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used
 after vma is freed

On Wed, Feb 16, 2022 at 12:06 AM Michal Hocko <mhocko@...e.com> wrote:
>
> On Tue 15-02-22 15:02:54, Suren Baghdasaryan wrote:
> > On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko <mhocko@...e.com> wrote:
> > >
> > > One thing I was considering is to check agains ref counte overflo (a
> > > deep process chain with many vmas could grow really high. ref_count
> > > interface doesn't provide any easy way to check for overflows as far as
> > > I could see from a quick glance so I gave up there but the logic would
> > > be really straightforward. We just create a new anon_vma_name with the same
> > > content and use it when duplicating if the usage grow really
> > > (arbitrarily) high.
> >
> > I went over proposed changes. I see a couple small required fixes
> > (resetting the name to NULL seems to be missing and I think
> > dup_vma_anon_name needs some tweaking) but overall quite
> > straight-forward.
>
> OK, great that this makes sense to you. As I've said I didn't really go
> into details, not even dared to boot that to test. So it will very
> likely need some more work but I do not expect this to grow much.
>
> > I'll post a separate patch to do this refactoring.
> > The original patch is fixing the UAF issue, so I don't want to mix it
> > with refactoring. Please let me know if you see an issue with
> > separating it that way.
>
> Well, I am not sure TBH. Look at diffstats. Your fix
> 2 files changed, 63 insertions(+), 17 deletions(-)
> the refactoring which should fix this and potentially others that might
> be still lurking there (because mixing shared pointers and their internal
> objects just begs for problems) is
> 7 files changed, 63 insertions(+), 86 deletions(-)
>
> more files touched for sure but the net result is much more clear and a
> much more code removed.
> The overflow logic would make it bigger but I guess the existing scheme
> needs it as well.

Ok, I'll see how to slice it after it's complete and tested.
Thanks for the input!

>
> I would also claim that both approaches are really painful to review
> because the existing model spreads into several areas and it is not
> really clear you caught them all just by staring into the diff so both
> will be rather painful to backport to older kernels. Fortunately this
> would be only 5.17.
> --
> Michal Hocko
> SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ