| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f7f68db4-c4ff-e06b-86ff-a07c47f3fa80@huawei.com>
Date: Thu, 25 May 2023 14:13:49 +0800
From: Kefeng Wang <wangkefeng.wang@...wei.com>
To: Tu Jinjiang <tujinjiang@...wei.com>, <hughd@...gle.com>,
<akpm@...ux-foundation.org>, <linux-mm@...ck.org>,
<linux-kernel@...r.kernel.org>
CC: <sunnanyong@...wei.com>
Subject: Re: [PATCH] mm: shmem: Fix UAF bug in shmem_show_options()
On 2023/5/25 11:16, Tu Jinjiang wrote:
> shmem_show_options() uses sbinfo->mpol without adding it's refcnt. This
> may lead to race with replacement of the mpol by remount. The execution
> sequence is as follows.
>
> CPU0 CPU1
> shmem_show_options() shmem_reconfigure()
> shmem_show_mpol(seq, sbinfo->mpol) mpol = sbinfo->mpol
> mpol_put(mpol)
> mpol->mode
>
> The KASAN report is as follows.
>
> BUG: KASAN: slab-use-after-free in shmem_show_options+0x21b/0x340
> Read of size 2 at addr ffff888124324004 by task mount/2388
>
> CPU: 2 PID: 2388 Comm: mount Not tainted 6.4.0-rc3-00017-g9d646009f65d-dirty #8
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x37/0x50
> print_report+0xd0/0x620
> ? shmem_show_options+0x21b/0x340
> ? __virt_addr_valid+0xf4/0x180
> ? shmem_show_options+0x21b/0x340
> kasan_report+0xb8/0xe0
> ? shmem_show_options+0x21b/0x340
> shmem_show_options+0x21b/0x340
> ? __pfx_shmem_show_options+0x10/0x10
> ? strchr+0x2c/0x50
> ? strlen+0x23/0x40
> ? seq_puts+0x7d/0x90
> show_vfsmnt+0x1e6/0x260
> ? __pfx_show_vfsmnt+0x10/0x10
> ? __kasan_kmalloc+0x7f/0x90
> seq_read_iter+0x57a/0x740
> vfs_read+0x2e2/0x4a0
> ? __pfx_vfs_read+0x10/0x10
> ? down_write_killable+0xb8/0x140
> ? __pfx_down_write_killable+0x10/0x10
> ? __fget_light+0xa9/0x1e0
> ? up_write+0x3f/0x80
> ksys_read+0xb8/0x150
> ? __pfx_ksys_read+0x10/0x10
> ? fpregs_assert_state_consistent+0x55/0x60
> ? exit_to_user_mode_prepare+0x2d/0x120
> do_syscall_64+0x3c/0x90
> entry_SYSCALL_64_after_hwframe+0x72/0xdc
>
> </TASK>
>
Maybe drop the unreliable stack, not mandatory, the patch is look good
to me,
[snip]
>
> To fix the bug, shmem_get_sbmpol() / mpol_put() needs to be called
> before / after shmem_show_mpol() call.
>
> Signed-off-by: Tu Jinjiang <tujinjiang@...wei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@...wei.com>
> ---
> mm/shmem.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index e40a08c5c6d7..5e54ab5f61f2 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -3726,6 +3726,7 @@ static int shmem_reconfigure(struct fs_context *fc)
> static int shmem_show_options(struct seq_file *seq, struct dentry *root)
> {
> struct shmem_sb_info *sbinfo = SHMEM_SB(root->d_sb);
> + struct mempolicy *mpol;
>
> if (sbinfo->max_blocks != shmem_default_max_blocks())
> seq_printf(seq, ",size=%luk",
> @@ -3768,7 +3769,9 @@ static int shmem_show_options(struct seq_file *seq, struct dentry *root)
> if (sbinfo->huge)
> seq_printf(seq, ",huge=%s", shmem_format_huge(sbinfo->huge));
> #endif
> - shmem_show_mpol(seq, sbinfo->mpol);
> + mpol = shmem_get_sbmpol(sbinfo);
> + shmem_show_mpol(seq, mpol);
> + mpol_put(mpol);
> if (sbinfo->noswap)
> seq_printf(seq, ",noswap");
> return 0;
Powered by blists - more mailing lists