| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Oct 2023 09:39:10 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: Tina Zhang <tina.zhang@...el.com>,
Nicolin Chen <nicolinc@...dia.com>
Cc: Kevin Tian <kevin.tian@...el.com>,
Lu Baolu <baolu.lu@...ux.intel.com>, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org, Vasant Hegde <vasant.hegde@....com>
Subject: Re: [v6 PATCH 4/5] iommu: Support mm PASID 1:n with sva domains
On Wed, Oct 11, 2023 at 02:51:31PM +0800, Tina Zhang wrote:
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 3b6d20dfb9a8..985403a7a747 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1277,7 +1277,6 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
> mm_init_cpumask(mm);
> mm_init_aio(mm);
> mm_init_owner(mm, p);
> - mm_pasid_init(mm);
> RCU_INIT_POINTER(mm->exe_file, NULL);
> mmu_notifier_subscriptions_init(mm);
> init_tlb_flush_pending(mm);
Nicolin debugged his crash report last night and sent me the details.
This hunk is the cause of the bug that Nicolin reported.
The dup_mm() flow does:
static struct mm_struct *dup_mm(struct task_struct *tsk,
struct mm_struct *oldmm)
{
struct mm_struct *mm;
int err;
mm = allocate_mm();
if (!mm)
goto fail_nomem;
memcpy(mm, oldmm, sizeof(*mm));
if (!mm_init(mm, tsk, mm->user_ns))
goto fail_nomem;
It is essential that mm_pasid_init() zero the new pointer otherwise,
due to the memcpy, after a fork two mm structs will point to the same
thing and one will UAF/doube free.
Keep mm_pasid_init() and add zeroing the new pointer to it.
Jason
Powered by blists - more mailing lists