lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Feb 2022 21:48:00 -0800 From: Suren Baghdasaryan <surenb@...gle.com> To: Michal Hocko <mhocko@...e.com> Cc: Andrew Morton <akpm@...ux-foundation.org>, Colin Cross <ccross@...gle.com>, Sumit Semwal <sumit.semwal@...aro.org>, Dave Hansen <dave.hansen@...el.com>, Kees Cook <keescook@...omium.org>, Matthew Wilcox <willy@...radead.org>, "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>, Vlastimil Babka <vbabka@...e.cz>, Johannes Weiner <hannes@...xchg.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Christian Brauner <brauner@...nel.org>, legion@...nel.org, ran.xiaokai@....com.cn, sashal@...nel.org, Chris Hyser <chris.hyser@...cle.com>, Davidlohr Bueso <dave@...olabs.net>, Peter Collingbourne <pcc@...gle.com>, caoxiaofeng@...ong.com, David Hildenbrand <david@...hat.com>, Cyrill Gorcunov <gorcunov@...il.com>, linux-mm <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>, kernel-team <kernel-team@...roid.com>, syzbot+aa7b3d4b35f9dc46a366@...kaller.appspotmail.com Subject: Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used after vma is freed On Thu, Feb 17, 2022 at 11:54 AM Suren Baghdasaryan <surenb@...gle.com> wrote: > > On Wed, Feb 16, 2022 at 12:06 AM Michal Hocko <mhocko@...e.com> wrote: > > > > On Tue 15-02-22 15:02:54, Suren Baghdasaryan wrote: > > > On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko <mhocko@...e.com> wrote: > > > > > > > > One thing I was considering is to check agains ref counte overflo (a > > > > deep process chain with many vmas could grow really high. ref_count > > > > interface doesn't provide any easy way to check for overflows as far as > > > > I could see from a quick glance so I gave up there but the logic would > > > > be really straightforward. We just create a new anon_vma_name with the same > > > > content and use it when duplicating if the usage grow really > > > > (arbitrarily) high. > > > > > > I went over proposed changes. I see a couple small required fixes > > > (resetting the name to NULL seems to be missing and I think > > > dup_vma_anon_name needs some tweaking) but overall quite > > > straight-forward. > > > > OK, great that this makes sense to you. As I've said I didn't really go > > into details, not even dared to boot that to test. So it will very > > likely need some more work but I do not expect this to grow much. > > > > > I'll post a separate patch to do this refactoring. > > > The original patch is fixing the UAF issue, so I don't want to mix it > > > with refactoring. Please let me know if you see an issue with > > > separating it that way. > > > > Well, I am not sure TBH. Look at diffstats. Your fix > > 2 files changed, 63 insertions(+), 17 deletions(-) > > the refactoring which should fix this and potentially others that might > > be still lurking there (because mixing shared pointers and their internal > > objects just begs for problems) is > > 7 files changed, 63 insertions(+), 86 deletions(-) > > > > more files touched for sure but the net result is much more clear and a > > much more code removed. > > The overflow logic would make it bigger but I guess the existing scheme > > needs it as well. > > Ok, I'll see how to slice it after it's complete and tested. > Thanks for the input! I posted the new patchset that includes: 1. refactoring of the code suggested by Michal: https://lore.kernel.org/all/20220222054025.3412898-1-surenb@google.com 2. refcount overflow protection suggested by Michal: https://lore.kernel.org/all/20220222054025.3412898-2-surenb@google.com 3. UAF fix (originally implemented by this patch) reimplemented after the first two changes: https://lore.kernel.org/all/20220222054025.3412898-3-surenb@google.com Hopefully this sequence makes sense. Thanks, Suren. > > > > > I would also claim that both approaches are really painful to review > > because the existing model spreads into several areas and it is not > > really clear you caught them all just by staring into the diff so both > > will be rather painful to backport to older kernels. Fortunately this > > would be only 5.17. > > -- > > Michal Hocko > > SUSE Labs
Powered by blists - more mailing lists