lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 11 May 2023 17:56:22 +0800
From:   Zhangfei Gao <zhangfei.gao@...aro.org>
To:     Al Viro <viro@...iv.linux.org.uk>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Arnd Bergmann <arnd@...db.de>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        jean-philippe <jean-philippe@...aro.org>,
        Wangzhou <wangzhou1@...ilicon.com>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>,
        linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
        iommu@...ts.linux.dev, acc@...ts.linaro.org,
        Weili Qian <qianweili@...wei.com>
Subject: Re: [PATCH] uacce: use filep->f_mapping to replace inode->i_mapping

On Thu, 11 May 2023 at 12:05, Al Viro <viro@...iv.linux.org.uk> wrote:
>
> On Thu, May 11, 2023 at 10:15:53AM +0800, Zhangfei Gao wrote:
> > The inode can be different in a container, for example, a docker and host
> > both open the same uacce parent device, which uses the same uacce struct
> > but different inode, so uacce->inode is not enough.
> >
> > What's worse, when docker stops, the inode will be destroyed as well,
> > causing use-after-free in uacce_remove.
> >
> > So use q->filep->f_mapping to replace uacce->inode->i_mapping.
>
> > @@ -574,12 +574,6 @@ void uacce_remove(struct uacce_device *uacce)
> >
> >       if (!uacce)
> >               return;
> > -     /*
> > -      * unmap remaining mapping from user space, preventing user still
> > -      * access the mmaped area while parent device is already removed
> > -      */
> > -     if (uacce->inode)
> > -             unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1);
> >
> >       /*
> >        * uacce_fops_open() may be running concurrently, even after we remove
> > @@ -589,6 +583,8 @@ void uacce_remove(struct uacce_device *uacce)
> >       mutex_lock(&uacce->mutex);
> >       /* ensure no open queue remains */
> >       list_for_each_entry_safe(q, next_q, &uacce->queues, list) {
> > +             struct file *filep = q->private_data;
> > +
> >               /*
> >                * Taking q->mutex ensures that fops do not use the defunct
> >                * uacce->ops after the queue is disabled.
> > @@ -597,6 +593,12 @@ void uacce_remove(struct uacce_device *uacce)
> >               uacce_put_queue(q);
> >               mutex_unlock(&q->mutex);
> >               uacce_unbind_queue(q);
> > +
> > +             /*
> > +              * unmap remaining mapping from user space, preventing user still
> > +              * access the mmaped area while parent device is already removed
> > +              */
> > +             unmap_mapping_range(filep->f_mapping, 0, 0, 1);
>
> IDGI.  Going through uacce_queue instead of uacce_device is fine, but why
> bother with file *or* inode?  Just store a reference to struct address_space in
> your uacce_queue and be done with that...

Yes, a struct address_space is enough.

>
> Another problem in that driver is uacce_vma_close(); this
>         if (vma->vm_pgoff < UACCE_MAX_REGION)
>                 qfr = q->qfrs[vma->vm_pgoff];
>
>         kfree(qfr);
> can't be right - you have q->qfrs left pointing to freed object.  If nothing
> else, subsequent mmap() will fail with -EEXIST, won't it?

Good catch, will fix it.

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ