lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 21 Feb 2022 21:48:00 -0800
From:   Suren Baghdasaryan <surenb@...gle.com>
To:     Michal Hocko <mhocko@...e.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Colin Cross <ccross@...gle.com>,
        Sumit Semwal <sumit.semwal@...aro.org>,
        Dave Hansen <dave.hansen@...el.com>,
        Kees Cook <keescook@...omium.org>,
        Matthew Wilcox <willy@...radead.org>,
        "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Johannes Weiner <hannes@...xchg.org>,
        "Eric W. Biederman" <ebiederm@...ssion.com>,
        Christian Brauner <brauner@...nel.org>, legion@...nel.org,
        ran.xiaokai@....com.cn, sashal@...nel.org,
        Chris Hyser <chris.hyser@...cle.com>,
        Davidlohr Bueso <dave@...olabs.net>,
        Peter Collingbourne <pcc@...gle.com>, caoxiaofeng@...ong.com,
        David Hildenbrand <david@...hat.com>,
        Cyrill Gorcunov <gorcunov@...il.com>,
        linux-mm <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>,
        kernel-team <kernel-team@...roid.com>,
        syzbot+aa7b3d4b35f9dc46a366@...kaller.appspotmail.com
Subject: Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used
 after vma is freed

On Thu, Feb 17, 2022 at 11:54 AM Suren Baghdasaryan <surenb@...gle.com> wrote:
>
> On Wed, Feb 16, 2022 at 12:06 AM Michal Hocko <mhocko@...e.com> wrote:
> >
> > On Tue 15-02-22 15:02:54, Suren Baghdasaryan wrote:
> > > On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko <mhocko@...e.com> wrote:
> > > >
> > > > One thing I was considering is to check agains ref counte overflo (a
> > > > deep process chain with many vmas could grow really high. ref_count
> > > > interface doesn't provide any easy way to check for overflows as far as
> > > > I could see from a quick glance so I gave up there but the logic would
> > > > be really straightforward. We just create a new anon_vma_name with the same
> > > > content and use it when duplicating if the usage grow really
> > > > (arbitrarily) high.
> > >
> > > I went over proposed changes. I see a couple small required fixes
> > > (resetting the name to NULL seems to be missing and I think
> > > dup_vma_anon_name needs some tweaking) but overall quite
> > > straight-forward.
> >
> > OK, great that this makes sense to you. As I've said I didn't really go
> > into details, not even dared to boot that to test. So it will very
> > likely need some more work but I do not expect this to grow much.
> >
> > > I'll post a separate patch to do this refactoring.
> > > The original patch is fixing the UAF issue, so I don't want to mix it
> > > with refactoring. Please let me know if you see an issue with
> > > separating it that way.
> >
> > Well, I am not sure TBH. Look at diffstats. Your fix
> > 2 files changed, 63 insertions(+), 17 deletions(-)
> > the refactoring which should fix this and potentially others that might
> > be still lurking there (because mixing shared pointers and their internal
> > objects just begs for problems) is
> > 7 files changed, 63 insertions(+), 86 deletions(-)
> >
> > more files touched for sure but the net result is much more clear and a
> > much more code removed.
> > The overflow logic would make it bigger but I guess the existing scheme
> > needs it as well.
>
> Ok, I'll see how to slice it after it's complete and tested.
> Thanks for the input!

I posted the new patchset that includes:
1. refactoring of the code suggested by Michal:
https://lore.kernel.org/all/20220222054025.3412898-1-surenb@google.com
2. refcount overflow protection suggested by Michal:
https://lore.kernel.org/all/20220222054025.3412898-2-surenb@google.com
3. UAF fix (originally implemented by this patch) reimplemented after
the first two changes:
https://lore.kernel.org/all/20220222054025.3412898-3-surenb@google.com
Hopefully this sequence makes sense.
Thanks,
Suren.

>
> >
> > I would also claim that both approaches are really painful to review
> > because the existing model spreads into several areas and it is not
> > really clear you caught them all just by staring into the diff so both
> > will be rather painful to backport to older kernels. Fortunately this
> > would be only 5.17.
> > --
> > Michal Hocko
> > SUSE Labs

Powered by blists - more mailing lists