lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230511040508.GF3390869@ZenIV>
Date:   Thu, 11 May 2023 05:05:08 +0100
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Zhangfei Gao <zhangfei.gao@...aro.org>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Arnd Bergmann <arnd@...db.de>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        jean-philippe <jean-philippe@...aro.org>,
        Wangzhou <wangzhou1@...ilicon.com>,
        Jonathan Cameron <Jonathan.Cameron@...wei.com>,
        linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
        iommu@...ts.linux.dev, acc@...ts.linaro.org,
        Weili Qian <qianweili@...wei.com>
Subject: Re: [PATCH] uacce: use filep->f_mapping to replace inode->i_mapping

On Thu, May 11, 2023 at 10:15:53AM +0800, Zhangfei Gao wrote:
> The inode can be different in a container, for example, a docker and host
> both open the same uacce parent device, which uses the same uacce struct
> but different inode, so uacce->inode is not enough.
> 
> What's worse, when docker stops, the inode will be destroyed as well,
> causing use-after-free in uacce_remove.
> 
> So use q->filep->f_mapping to replace uacce->inode->i_mapping.

> @@ -574,12 +574,6 @@ void uacce_remove(struct uacce_device *uacce)
>  
>  	if (!uacce)
>  		return;
> -	/*
> -	 * unmap remaining mapping from user space, preventing user still
> -	 * access the mmaped area while parent device is already removed
> -	 */
> -	if (uacce->inode)
> -		unmap_mapping_range(uacce->inode->i_mapping, 0, 0, 1);
>  
>  	/*
>  	 * uacce_fops_open() may be running concurrently, even after we remove
> @@ -589,6 +583,8 @@ void uacce_remove(struct uacce_device *uacce)
>  	mutex_lock(&uacce->mutex);
>  	/* ensure no open queue remains */
>  	list_for_each_entry_safe(q, next_q, &uacce->queues, list) {
> +		struct file *filep = q->private_data;
> +
>  		/*
>  		 * Taking q->mutex ensures that fops do not use the defunct
>  		 * uacce->ops after the queue is disabled.
> @@ -597,6 +593,12 @@ void uacce_remove(struct uacce_device *uacce)
>  		uacce_put_queue(q);
>  		mutex_unlock(&q->mutex);
>  		uacce_unbind_queue(q);
> +
> +		/*
> +		 * unmap remaining mapping from user space, preventing user still
> +		 * access the mmaped area while parent device is already removed
> +		 */
> +		unmap_mapping_range(filep->f_mapping, 0, 0, 1);

IDGI.  Going through uacce_queue instead of uacce_device is fine, but why
bother with file *or* inode?  Just store a reference to struct address_space in
your uacce_queue and be done with that...

Another problem in that driver is uacce_vma_close(); this
        if (vma->vm_pgoff < UACCE_MAX_REGION)
                qfr = q->qfrs[vma->vm_pgoff];

        kfree(qfr);
can't be right - you have q->qfrs left pointing to freed object.  If nothing
else, subsequent mmap() will fail with -EEXIST, won't it?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ